Privacy News | Daily Dashboard

Top Privacy News

TRAVELERS’ PRIVACY—EU

EC Presents, Albrecht Against “Smart Borders” Plan (February 28, 2013)

The European Commission has presented plans for a border initiative that would use automated technology to monitor non-EU citizens’ travel in and out of the EU, and MEP Jan Philip Albrecht has come out against it, reports IDG News Service. The plan would create a database of registered travelers who would use automated gates that would record their comings and goings and alert authorities if they haven’t left by an expiry time. Albrecht, with fellow politician Ska Keller, has begun a campaign urging citizens to fight the plan, saying the initiative would create an “e-fortress Europe” and infringe on civil liberties.

CONSUMER PRIVACY—U.S.

Edith Ramirez Named FTC Chairwoman (February 28, 2013)

The Obama administration has designated Federal Trade Commissioner Edith Ramirez as the next chair of the Federal Trade Commission (FTC), replacing outgoing Chairman Jon Leibowitz, POLITICO reports. A White House official said, “Over the past few years, Ramirez has been instrumental in ensuring there is robust competition and innovation in the high-tech marketplace and has worked hard to protect the most vulnerable communities.” It is not yet known when Ramirez will officially take up the position, and the selection will require Senate approval. The move will also create an opening for a new FTC commissioner.

SURVEILLANCE—U.S.

Supreme Court Dismisses FISA Lawsuit (February 28, 2013)

The Supreme Court has ruled that a group of U.S. citizens and U.S.-based organizations did not have standing to challenge the constitutionality of a provision within the Foreign Intelligence Surveillance Act (FISA), Hogan Lovells’ Chronicle of Data Protection reports. In 2008, the American Civil Liberties Union (ACLU) challenged the FISA Amendments Act—a provision authorizing the National Security Agency “to conduct dragnet surveillance of Americans’ international e-mails and phone calls without identifying its targets to any court,” according to an ACLU press release. The Hogan Lovells report states, “Outside of the FISA context, the court’s decision likely will make it more difficult for private plaintiffs in privacy and data breach litigation cases to establish standing based merely on a dignity interest or potential future harm.”

PRIVACY LAW—U.S.

Court Approves $9.5 Million Settlement (February 28, 2013)

A majority of judges on the U.S. Court of Appeals for the Ninth Circuit has approved a $9.5 million Facebook privacy settlement stemming from its Beacon program that affected the privacy of approximately 3.6 million users, Ars Technica reports. A portion of the settlement funds will go to the newly created Digital Trust Foundation (DTF) to support Internet privacy initiatives, the report states. The remaining $2.3 million will go to plaintiffs’ attorney fees. Six of the judges on the panel dissented from the decision, arguing Ninth Circuit judges have traditionally not approved settlements “where the selected charity lacks ‘a substantial record of service’ in remedying the types of wrongs alleged.” A Facebook spokesman said the DTF “will fund worthy projects that will help protect and improve Internet users’ privacy, safety and security.”

DATA PROTECTION—U.S.

House To Focus on ECPA Reform, Cybersecurity (February 28, 2013)

The House Judiciary Committee will consider legislation that would require law enforcement to obtain a warrant before accessing individuals’ electronic communications, including e-mail and Facebook messages, The Hill reports. Committee Chairman Bob Goodlatte (R-VA) said the committee will look at modernizing the Electronic Communications Privacy Act in light of technological advances. Additionally, it will focus on cybersecurity and “make it a priority to enhance our nation’s vulnerable systems to protect our networks and computers and ensure our national security and economic wellbeing,” Goodlatte said.

ONLINE PRIVACY

Tech Firms Discuss DNT, Data Currency (February 28, 2013)

A panel of privacy experts from some of the Internet’s top technology companies—including Microsoft, Mozilla, Facebook and Google—discussed Do Not Track, mobile privacy and third-party data transfers, NETWORKWORLD reports. According to SC Magazine, Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, said, “It hasn’t yet been defined on a broad level what a service should do when they receive a Do-Not-Track signal,” adding, “It’s going to be confusing for people if there’s not a common understanding of what Do-Not-Track means.” Meanwhile, author Cory Doctorow questions whether personal information sharing for free services overlooks the value of an individual’s personal data.

STUDENT PRIVACY—U.S.

In the Digital Age, Data Collection Prompts Concerns (February 28, 2013)

InformationWeek looks at the privacy risks that have proliferated as data collection and analysis in education grows. Advocacy organizations have expressed concerns that “a number of data-sharing initiatives violate student and teacher privacy,” the report states. Others worry about the security of the vast amount of data being aggregated because the Family Education Rights and Privacy Act, which regulates the use of student data, was created before digital advances such as e-mail and cloud computing. Questions persist in student data-gathering initiatives such as who owns the data and who has access to it.

DATA LOSS—U.S.

Lawmakers: State’s Breach Response Lagging (February 28, 2013)

Four months after the South Carolina Department of Revenue’s data breach, the department is months away from fully encrypting its data, USA Today reports. The breach exposed data on millions of taxpayers. State Sen. Kevin Bryant (R-Anderson) said his takeaway is that state agencies will need to be “forced to protect their data,” the report states. “One would think they would be scrambling and rushing to get their data protected, but they’re not,” he said. Meanwhile, Bank of America says a data breach that reportedly affected its systems in fact affected a third-party affiliate.

BIOMETRICS—U.S.

Supreme Court Weighs DNA Collection (February 27, 2013)

The Supreme Court has heard arguments on whether the government is violating the Constitution when it collects DNA from an arrested individual, Bloomberg reports. Justice Samuel Alito characterized it as “perhaps the most important criminal procedure case that this court has heard in decades.” Justice Elena Kagan said, “Just because you’ve been arrested doesn’t mean that you lose the privacy expectations in things you have that aren’t related to the offense that you’ve been arrested for.” According to the report, the decision may come down to Chief Justice John Roberts. At one point he queried, “How legitimate is it for you to expect privacy in something that the police can access without you even knowing about it?”

PRIVACY LAW—EU

Spain Takes Search Engine to Court (February 27, 2013)

CNET News reports on a European Court of Justice case between Google and Spain’s data protection authority (DPA) over whether Google must delete data that could infringe upon a person’s privacy. Google says it is not required to do so and that starting to do so could create a slippery-slope effect. “There are clear societal reasons why this kind of information should be publicly available,” said Google’s head of free expression. “The substantive question before the court today is whether search engines should be obliged to remove links to valid legal material that still exists online.” The court is expected to rule by the end of the year, and its advocate-general will publish an opinion June 25.

SMART GRID—U.S.

Stakeholders Aim To Build a Voluntary Code (February 27, 2013)

At the U.S. Department of Energy’s first meeting on a voluntary code of conduct (VCC) for the smart grid, stakeholders discussed what a VCC should look like and who it should regulate. The stakeholder discussions come following widespread consumer and advocate concerns on smart grid data use as smart meters are increasingly rolled out, energy data becomes digitized and third parties focus on using it for marketing and other purposes. Some said, even with a code, it will be impossible to regulate what third parties do with consumer data. Others voiced concern over how utilities operating in various jurisdictions will comply with a one-size-fits-all code. “Can you adopt pieces of it?” Duke Energy’s Mark Hollis queried. Read more in this exclusive for The Privacy Advisor.

DATA PROTECTION—U.S.

Cyberattacks Scare Investors; Should Companies Share Breach Data? (February 27, 2013)

Network World reports data breaches aren’t just bad news for consumers; they scare away potential investors. That’s according to a study released Monday in which the 405 investors surveyed said they would be skeptical of companies targeted by cyberattacks one or more times. At the RSA Conference in California yesterday, Chairman Arthur Coviello said companies should start sharing information on hacks with each other and use Big Data to thwart future attacks. Meanwhile, California’s Crescent Healthcare has begun notifying patients and employees of a data breach that occurred late last year. Social Security numbers may be among the stolen data.

STUDENT PRIVACY—U.S.

University Shared Student Data with Sheriff (February 27, 2013)

Records indicate the University of Iowa (UI) has been providing confidential data on students to the county sheriff “even when UI officials thought the students posed no threat to campus safety,” the Press-Citizen reports. A newspaper article released last week indicated UI had been providing the Johnson County Sheriff’s Office with “confidential, education-related information on students who have applied for gun permits” over several years. “E-mails obtained from the sheriff’s office this week under Iowa’s open records law raised new questions,” the report states, noting the data-sharing practice has been “temporarily suspended” in the wake of concerns from students and privacy advocates.

ONLINE PRIVACY—U.S.

Opinion: Privacy Has a Deeper Purpose (February 27, 2013)

Beginning with the premise that the last major privacy law in the U.S., the Electronic Communications Privacy Act, was passed in 1986 and calls for changes to it persist, The Atlantic examines the question of why privacy matters. “Privacy should have a deeper purpose than the one ascribed to it by those who treat it as a currency to be traded for innovation,” the report suggests, referencing Georgetown University Law Prof. Julie E. Cohen’s forthcoming Harvard Law Review article. Cohen suggests privacy is not a "fixed condition or attribute…whose boundaries can be crisply delineated by the application of deductive logic. Privacy is shorthand for breathing room to engage in the process of...self-development."

BIG DATA

Facebook To Partner With Data Brokers (February 26, 2013)

NBC News reports that Facebook is planning to announce partnerships with three data marketing firms to deliver online targeted ads gleaned from offline information. Acxiom, Epsilon and Datalogix will all partner with the social networking company and allegedly upload customer lists to Facebook, which will then find matches among its users to create “custom audiences,” the report states. Facebook will not know the identity of the customers because the data will be hashed. The combination of the online and offline databases has raised privacy concerns. “There needs to be limits on Facebook’s growing use of outside data broker information,” said Jeffrey Chester of the Center for Digital Democracy. Meanwhile, a security specialist was able to access any Facebook account through an authentication flaw. The company says it has since fixed the problem. Editor’s Note: The breakout session Big Data, Not Big Brother: Best Practices for Data Analytics will be part of next week’s IAPP Global Privacy Summit in Washington, DC.

MOBILE PRIVACY—U.S.

Companies “Gird for Fines,” Rules from FTC (February 26, 2013)

Businessweek reports that as the Federal Trade Commission (FTC) “clamps down on alleged privacy violations by mobile applications…legions of software developers are girding for fines and rules that analysts say threaten to stifle growth.” Referencing the FTC’s recent $800,000 settlement with social network Path, the report suggests such moves “could boost costs for small companies whose apps are fueling demand for mobile advertising, tablets and smartphones,” resulting in “big implications for Google and Apple, which together account for 91 percent of smartphone operating systems.” Meanwhile, IDG News Service reports on concerns Consumer Watchdog has brought to the FTC over Google's sharing of app purchasers’ information with developers.

SMART GRID—U.S.

Smart Grid Privacy Code of Conduct Process Begins (February 26, 2013)

The Federal Smart Grid Task Force, led by the U.S. Department of Energy, is today conducting its first meeting in Washington, DC, on a voluntary code of conduct for energy utilities and third parties. The code aims to address privacy and smart grid technologies. Stakeholders will discuss concerns and propose solutions in a consensus-driven process. Federal Trade Commission (FTC) Attorney Ruth Yodaiken of the Federal Smart Grid Task Force said this morning that the FTC will look favorably at companies engaged in the voluntary code in cases where it must open an investigation into privacy violations, especially “strong codes…codes that are significant and say more than ‘We are gonna try to be good with our consumer data.’”

ONLINE PRIVACY

Web Tracking Tags Raise Concerns; Ad Industry Reacts to Browser Changes (February 26, 2013)

Financial Times reports on the rise of website tracking tags and corresponding security and privacy concerns. According to an Evidon report that surveyed 7.5 million Internet users, 55 percent of tracking devices used by major websites were placed by third parties rather than the first-party publisher. One Evidon representative said, “If you’re unaware of the companies injecting scripts into your page, it makes it hard to keep your users safe.” Meanwhile, AdvertisingAge reports on the ad industry’s reaction to news that Mozilla will block third-party tracking by default in its latest version of Firefox. Mozilla’s Alex Fowler said “strong user support for more control is driving our decision to move forward with this patch.” An industry representative said “the unintended consequences may outweigh the benefit that’s achieved.” (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Calls for ECPA Changes Persist (February 26, 2013)

While most people may consider their e-mail communications to be private, the reality—for the most part—is quite different, NPR reports. Speaking about the Electronic Communications Privacy Act at New York University's Brennan Center for Justice, Google’s David Lieber noted, “As users become more aware of where the law is versus where their expectations are, they'll become more interested." He added Google supports changes to the law where the "same procedural protections that apply when police want to search your home" would be in effect for electronic records, the report states.

ONLINE PRIVACY

Opinion: Be Aware of Game System Data Collection (February 26, 2013)

In a column for Forbes, Larry Magid writes about the unveiling of Sony's Playstation 4, noting, "I was struck by how much data the new device would be collecting from its users.” A company official said the network “will get to know you by understanding your personal preferences and the preferences of your community and turns this knowledge into useful information that will help to enhance the future game play, so like when your friends purchase a new game you’ll know immediately so you can join into the action,” the report states. Magid writes that “parents need to educate their children about privacy, safety and security” with all online gaming.

ONLINE PRIVACY

Browser To Block Third-Party Cookies; Web-Tracking Tags Increasing (February 25, 2013)

Firefox will block third-party cookies by default when it rolls out version 22 of its browser in early April, ADWEEK reports. The news could “put a crimp in the growing online behavioral advertising business but give privacy advocates a victory in their attempts to give users more control over their online information,” the report states. Interactive Advertising Bureau Senior Vice President and General Counsel Mike Zaneis said the new policy is “a nuclear first strike against the ad industry.” Meanwhile, MediaPost News reports Evidon has found that the number of web-tracking tags from ad servers and other third parties is up 53 percent and only 45 percent of those tracking tools were added directly by the publisher.

ONLINE PRIVACY

Lobbyists Want Data on Skype Disclosures (February 25, 2013)

A coalition of digital rights groups and individuals is calling on Microsoft to release regular transparency reports on data collected from Skype users, including whether it’s been shared with third parties such as advertisers and law enforcement agencies. Microsoft purchased Skype in 2011, The New York Times reports. “We need to know how Microsoft and Skype cooperate with law enforcement and others around the world,” said Prof. Paul Bernal, a lawyer who is one of the 61 individuals to sign the open letter to Microsoft. “People living under authoritarian regimes need to know what kinds of personal risks they are taking when using Skype.” The coalition also wants to know whether Skype’s headquarters have changed from the EU since it was purchased by a U.S.-based company. (Registration may be required to access this story.)

PRIVACY LAW—EU

Deputies Intro Amendments to Weaken Draft Regulation (February 25, 2013)

A group of euro-deputies in the industry committee has introduced amendments to the EU draft regulation on data protection that would exempt industry from having to obtain user consent before engaging in behavioral targeting. The committee has also introduced an amendment on pseudonymous data, freeing industry from the obligation, EUobserver reports, reasoning that pseudonymous data isn’t appealing to industry because it disables the ability to pinpoint the individual and, therefore, market to them specifically. European Digital Rights said in a statement that the amendments voted through by the committee would “effectively rip up decades of privacy legislation in Europe, undermining trust and confidence—to the detriment of both citizens and business.”

MOBILE PRIVACY—EU

App Developers Prepare for New Rules (February 25, 2013)

The Article 29 Working Party is slated to discuss privacy as it pertains to mobile apps at its meeting this week in Brussels, EurActiv reports. Mobile app developers and regulators have thus far disagreed on topics such as rules around geolocation; while European policymakers work to strengthen rules on privacy, app developers say they need access to data on users’ whereabouts—even if it’s anonymous—in order to ensure the best service. App developers also have concerns that new rules could force small developers to hire additional staff in order to comply with data management mandates. Editor’s Note: The breakout session Privacy Engineering: Bridging the Gap Between Privacy and Code will be part of the IAPP Global Privacy Summit next week in Washington, DC.

PRIVACY—FRANCE

Personal Data: It Fuels the Economy, Why Not Tax It? (February 25, 2013)

The New York Times reports on the proposal to tax data collection with the goal of promoting sound practices for gathering and protecting information. French auditor Nicolas Colin introduced the idea based on European countries’ frustrations with their inability to collect tax revenue from Internet companies generating significant income each year, especially as budget deficits loom. “Every government needs revenues,” Colin said, adding the individual taxpayer and small companies carry the burden if large corporations do not. A spokesman for the French data protection authority said given that personal data fuels the digital economy, “it would seem like a natural idea to envision taxing the use of them.” (Registration may be required to access this story.)

ONLINE PRIVACY

Hacking, Privacy Resonate in New Video Games (February 25, 2013)

The Washington Post reports on new video game titles "that center on constant data threats and government surveillance” and one such game that puts “the player in the role of the…hacker.” Recent disclosures of cyberattacks on institutions ranging from Apple to The Post, “combined with growing awareness of the amount of data users are putting into cyberspace, have brought privacy and security issues into sharp focus,” the report states, adding, “Video game makers are taking advantage of leaps in processing technology to sculpt increasingly realistic alternate worlds that reflect the fears players face in their own lives.” (Registration may be required to access this story.)

BIG DATA

Opinion: Is Big Data All It’s Cracked Up To Be? (February 25, 2013)

In a column for MACLEANS.CA, Julia Belluz writes that, despite claims it can “cure cancer, transform business and government, foretell political outcomes, even deliver TV shows we didn’t know we wanted,” Big Data’s “big promises” may not have the research community sold. “Some say vast data collections—often user-generated and scraped from social media platforms or administrative databases—are not as prophetic or even accurate as they’ve been made out to be,” Belluz writes. In the example of Big Data genomics, Belluz states that "it’s hard to tell the signal from the noise.” And some are questioning the “integrity of Big Data,” Belluz writes, noting that a recent article showed that Google Flu Trends “massively overestimated the year’s flu season.”

MOBILE PRIVACY—U.S.

FTC Settles With Mobile Device Manufacturer (February 22, 2013)

Mobile device maker HTC America has agreed to settle with the Federal Trade Commission (FTC) over charges that it did not take “reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk,” according to an FTC press release. The settlement requires the company to create software patches to fix the vulnerabilities, establish a comprehensive security program and undergo security audits over the next 20 years. A description of the consent agreement will be published in the Federal Registry shortly and will be up for public comment until March 22.

PRIVACY LAW—U.S.

Supreme Court To Determine Genetic Privacy Rules (February 22, 2013)

The U.S. Supreme Court will hear arguments next week in a case that questions whether Maryland is violating the Constitution by collecting DNA samples from those arrested for serious crimes, Bloomberg reports. Its ruling, which is expected in June, will be the first on genetic information privacy and will affect laws on DNA collection upon arrest in 25 states. Two genetic scientists involved in the case say DNA samples allow for profiling that, with technological advances, “will become even more intrusive and will reveal more personal information about individuals,” the report states. Meanwhile, a California lawmaker has introduced a bill that would prohibit “unauthorized collection, analysis or transfer of a person’s genetic information.”

PRIVACY LAW—EU & U.S.

In ‘t Veld: Regulation Could Give EU “Competitive Advantage” (February 22, 2013)

Dutch MEP Sophie In ‘t Veld said pending EU data protection rules will “push companies to innovate” and could provide the region with a “competitive advantage,” TheParliament.com reports. She noted the debate surrounding the proposed regulation “has been heating up in recent weeks” and cited concerns that the “U.S. will reap the benefits of not having to work under the burden of so much regulation.” In ‘t Veld said, “Rules can force companies into innovating” and added, “privacy is the new green.”

TRAVELLERS’ PRIVACY—CANADA & U.S.

Rights Have Limits at the Border (February 22, 2013)

Kashmir Hill writes for Forbes about the ability of U.S. customs officials to search digital devices—including looking through e-mails and social media posts. Using the experience of a Canadian actor, Hill explores what an American Civil Liberties Union attorney calls border crossers’ “limited ability to say no,” adding, “You can say no but there are consequences. They might not let you in. They might detain you for 25 hours while they get a warrant. Or they might just seize your property.” The U.S. Department of Homeland Security’s privacy head has recently voiced support of warrantless searches of digital devices at the border, but the Electronic Frontier Foundation is pushing for a warrant requirement, the report states.

DATA PROTECTION—U.S.

Fed Privacy Regs Confuse State Agencies (February 22, 2013)

GovInfoSecurity reports on a new report from the U.S. Government Accountability Office (GAO) examining selected state and local agencies employing automated data sharing systems for improving various management processes. The report identifies challenges to data sharing based on differing interpretations of federal privacy requirements. A GAO representative said, “Potential inconsistencies in federal privacy requirements that apply to data sharing across multiple programs are a challenge.” Recommendations from state and local agencies include clarifying and harmonizing federal requirements, creating model sharing agreements and reexamining requirements to ensure consistency among privacy rules.

DATA PROTECTION—U.S.

Lawmaker Queries Tech Company Over Privacy (February 22, 2013)

Rep. Hank Johnson (D-GA) has written an open letter to Google with privacy concerns about the company’s online store and digital payments system, The Verge reports. The issue arose after an app developer claimed Google was sending him consumers’ account names, e-mail addresses and locations without their consent. “Please clarify the scope and nature of information sharing so that I may better understand consumers’ expectations and protection when purchasing apps through Google Play,” Johnson wrote. Meanwhile, Google wrote on its blog last month that it will take a three-pronged approach to technology privacy and stated it would support updating the Electronic Communications Privacy Act.

DATA PROTECTION—U.S.

Are Do-Not-Track Efforts on the Right Track? (February 22, 2013)

MediaPost News reports on the uncertainty of the World Wide Web Consortium’s (W3C) Do-Not-Track (DNT) effort. The W3C’s Tracking Protection Committee had worked on an agreement on how website operators should respond to DNT headers—to no avail—when Peter Swire, CIPP/US, was appointed as its chair. Following a committee meeting in Boston, MA, last week, Swire said things are looking up and that he hopes to publish a document for public comment by summer. Privacy advocate Jonathan Mayer, however, said the group is “still gridlocked.” Meanwhile, Forbes reports privacy advocates prefer President Barack Obama’s recent executive order on cybersecurity to the current version of the Cyber Intelligence Sharing and Protection Act.

DATA LOSS—U.S.

Patient, Customer Records Breached (February 22, 2013)

Florida’s Orlando Health has reported one of its medical assistants has illegally accessed patient records, HealthITSecurity reports. Meanwhile, a hacker gained access to information on three of Zendesk’s customers, PCWorld reports. It appears that a hacker downloaded e-mail addresses, and the affected customers have been notified. Zendesk’s CEO said the company is working with law enforcement on the breach and will “continue to build even more robust security systems.” Pinterest, Twitter and Tumblr were also affected by the breach.

CYBERSECURITY—U.S.

More Firms Disclose Online Hacking Incidents (February 21, 2013)

It is becoming more common for American corporations to publicly disclose that they have been victims of hackers, The New York Times reports. Most firms have traditionally treated “online attacks as a dirty secret best kept from customers, shareholders and competitors, lest the disclosure sink their stock price and tarnish them as hapless,” the report states. In recent weeks, more companies—including Twitter, Facebook and Apple—have announced they have been attacked by sophisticated cybercriminals and “some can’t help noticing that those that make the disclosures are lauded…for their bravery,” according to the report. One expert said, “This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement.” Meanwhile, Hogan Lovells Partner Harriet Pearson, CIPP/US, discusses pressing cybersecurity issues in a new podcast. Editor’s Note: The preconference workshop Surviving a Data Breach in the Digital Age will be part of this year’s IAPP Global Privacy Summit in Washington, DC. (Registration may be required to access this story.)

DATA PROTECTION—U.S.

Auditor Recommends Ramped Up Controls (February 21, 2013)

Minnesota’s Legislative Auditor has recommended the state strengthen controls on law enforcement use of driver’s license databases after determining 88 law enforcement employees accessed data for non-work purposes, Minnesota Public Radio reports. The auditor’s report suggests law enforcement agencies audit employee use of such data and introduce better training on appropriate use. One state enforcement employee was recently fired and faces criminal charges and privacy lawsuits after he accessed a database thousands of times when he was off duty. Meanwhile, Johns Hopkins is investigating whether patient privacy was compromised after a former gynecologist was accused of recording and saving images of patients with his own cameras.

PRIVACY LAW—U.S.

Plaintiff Wants Suit Reinstated Against Provider (February 21, 2013)

A Yahoo user has asked a federal appellate court to reinstate a class-action lawsuit claiming the company violated users’ privacy by intentionally concealing that it discloses the names of e-mail senders, reports MediaPost News. The suit was dismissed last year by U.S. District Court Judge Edward Davila who ruled that Albert Rudgayzer couldn’t both represent himself “pro se” and represent a class, and that the case couldn’t stand alone because he didn’t show economic damages. According to the report, Rudgayzer says he should have been allowed to proceed and seek a lawyer for the class at a later date and that Yahoo users are entitled to nominal damages for the alleged breach.

PRIVACY

Ubiquitous Computing Product Raises Concerns (February 21, 2013)

The New York Times reports on the introduction of Google Glass and some of the concerns and obstacles in launching it. The wearable glasses feature a computer processor connected to the Internet and allow the user to see a computer screen and use voice command for a number of applications, including virtual reality gaming, directions and e-mail. Google has begun accepting applications for a small group of potential users and hopes to sell them to the public later this year, the report states. The potential for such “ubiquitous computing” has some privacy advocates concerned about use of facial recognition to identify strangers in public or to record and broadcast private conversations, the report states. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

How Our Online Experiences Affirm What We Already Believe (February 21, 2013)

Because companies can collect data on individuals online and use it to send ads targeted to their behaviors, “99 percent of us live on the wrong side of a one-way mirror, in which the other one percent manipulates our experiences,” reports Scientific American. Unseen hands “curate your entire experience” and predetermine the news you see and even the people you meet, which serves to “affirm, instead of challenge, what we already believe to be true.” Meanwhile, Eric Clemens reports for the Huffington Post on the “myth of anonymization” and the misconception that targeted ads mean a better online experience—and for free.
Full Story

PERSONAL PRIVACY

The Implications of Automotive Data Collection (February 20, 2013)
Forbes columnist Kashmir Hill reports on the takeaways from the recent confusion between Tesla Motors and The New York Times regarding a reporter’s negative review of an electric car. This incident reveals that “cars can know a lot about us,” Hill observes. Collected data included temperature settings, speed and location. Security expert Bruce Schneier notes the back-and-forth “gives you an idea of the sort of things that will be collected once automobile black boxes become the norm,” and “even intense electronic surveillance of the actions of a person in an enclosed space did not succeed in providing an unambiguous record of what happened.” According to Hill’s report, Tesla customers are informed of the data collection and must give consent prior to being monitored, and data is shared with third parties only in certain situations, such as research or legal defense.

DATA PROTECTION—EU

Parliament To Vote on Proposed Regulation (February 20, 2013)

Members of European Parliament’s industry committee will vote today on the European Commission’s proposed data protection regulation. Parliament must endorse the proposal for it to move forward. MEPs have thus far tabled more than 900 amendments to the original proposal, the Irish Times reports. “The proposals by and large are well-balanced,” said Fine Gael MEP Seán Kelly. “We won’t be changing the fundamentals. We don’t see any contradiction between protecting the fundamental rights of the individual and allowing businesses to develop.” He added administrative burdens on small businesses must be reduced.
Full Story

PRIVACY

“Privacy Tax” Proponent Now Wants To Tax Data (February 20, 2013)

Nicolas Colin, a tax inspector for the Ministry of the Economy and Finance in France who recently suggested a “privacy tax” there, has an idea that is “every bit as radical as the invention of income or sales taxes,” NBC News reports. Colin wants to tax data. “What we do leaves traces, generates data. This data can be leveraged to create value…In the digital economy, users create part of the value alongside employees, contractors, capital and companies’ assets,” he said. The suggestion comes as countries express frustration over how to collect taxes from large digital companies generating income in countries but paying no taxes there.
Full Story

DATA LOSS—UK & U.S.

Loss of Devices Compromises Council, Hospital (February 20, 2013)

The UK Information Commissioner’s Office (ICO) has fined the Nursing and Midwifery Council 150,000 GBP for the loss of three DVDs containing unencrypted, sensitive personal data of two vulnerable children, Publicservice.co.uk reports. ICO Deputy Commissioner David Smith said the council’s “underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk,” adding, “no policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered.” Meanwhile, U.S.-based Heyman HospiceCare has reported that an unencrypted laptop containing personal health information was stolen from an employee’s car.
Full Story

BEHAVIORAL TARGETING

TV-Monitoring Patent Prompts Privacy Concerns (February 20, 2013)

A patent application proposing infrared cameras and microphones that use a “detection zone” to allow a television system to cue an advertisement based on a viewer’s actions has prompted privacy concerns. In this exclusive for The Privacy Advisor, Mathew Schwartz looks at the application, which was rejected in November, and considers managing consumer privacy expectations and the “creepiness factor” when it comes to consumer behavior-based advertising.
Full Story

PRIVACY

Information Privacy Trailblazer Alan Westin Passes Away (February 19, 2013)
Alan Westin, a groundbreaking scholar of information privacy who helped influence a generation of privacy study and the privacy profession itself, passed away Monday at the age of 83. “Today, literally tens of thousands of statutes, court decisions, regulations and company best practice standards, throughout the globe, are based upon” principles set forth by Westin, said friend and Arnall Golden Gregory Privacy Partner Bob Belair. The Privacy Advisor explores Westin’s legacy in this exclusive feature, including commentary from privacy notables. As Indiana University Prof. Fred Cate told The Privacy Advisor, “Alan's passing is especially hard to come to grips with because he was such a larger-than-life figure who not only helped to create and define the modern field of privacy law but welcomed, included and mentored so many of us who followed in his giant footsteps. I wouldn't be in privacy law if it weren't for Alan, and I suspect that is true--directly or indirectly--for many IAPP members.”

PRIVACY LAW—EU

Regulators Move Toward Privacy Crackdown (February 19, 2013)

The Article 29 Working Party is expected to vote at the end of the month on a new proposal by European data protection regulators to “coordinate their repressive action” against Google unless it “makes dramatic changes to how it manages user data,” reports CNET News. The French data protection authority, CNIL, says that Google “did not provide any precise and effective answers” about its privacy policy, which allows the company to pool user data from across all its services, adding, “the EU data protection authorities are committed to act and continue their investigations.” Google says its privacy policy “respects European law,” adding, “We have engaged fully with the CNIL throughout this process, and we'll continue to do so going forward."
Full Story

CYBERSECURITY—U.S.

Advocates: CISPA Won’t Pass Without Privacy (February 19, 2013)

Unless privacy provisions are added, the recently reintroduced Cyber Intelligence Sharing and Protection Act (CISPA) will have a difficult time passing through Congress. That’s according to privacy groups, including the American Civil Liberties Union and the Center for Democracy and Technology, which are concerned about “broad language” in CISPA that would allow companies to send their customers’ personal information and communications data to law enforcement agencies, The Hill reports. Advocates say the bill should require companies to strip the data of personal information before sharing it. Meanwhile, a new report by American computer-security group Mandiant identifies a Chinese military unit’s headquarters as the source of many cyberattacks.
Full Story

CHILDREN’S PRIVACY—U.S.

COPPA Enforcement To Get a New Home (February 19, 2013)

Broadcasting & Cable reports that the Federal Trade Commission is in the process of moving enforcement of the Children's Online Privacy Protection Act (COPPA) from its Advertising Practices division to its Privacy and Identity Protection division. "The idea is to centralize the privacy programs under one roof so that the COPPA side can take advantage of the expertise that the privacy division already has," a source stated. The move was launched by outgoing Chairman Jon Leibowitz and will take several months to complete, the report states.
Full Story

SOCIAL NETWORKING

Features Spark Privacy Worries (February 19, 2013)

While IDG News Service reports on Facebook’s efforts “to assure users that Graph Search, its new search engine…does not compromise the privacy rights of minors,” The Guardian reports on privacy concerns prompted by the social network’s new promote-post feature. “Facebook announced the launch of a new feature on Friday that allows users to pay to promote their friends' posts,” the report states, noting that while the feature is governed by the site’s privacy settings, it “has already sparked privacy concerns” because users do not have to give permission to have their posts promoted by their friends.
Full Story

PERSONAL PRIVACY—U.S.

Vehicle Black Box Proposal Incites Questions (February 19, 2013)

The National Highway Traffic Safety Administration wants to make black box data recorders mandatory for all vehicles, to the ire of privacy advocates who say there are no limits on the amount or kinds of data that would be collected, reports the Los Angeles Times. “The car manufacturers can use that data at will, including location, which has significant privacy implications,” said Nate Cardozo, staff attorney for the Electronic Frontier Foundation. The black box proposal currently making its way through Congress could require all cars sold by September 1, 2014 to contain such recorders. One law professor predicts insurance companies would likely want access to the device before agreeing to pay a claim.
Full Story

DATA LOSS—U.S.

Lawsuits Abound; Lawmakers Vow Crackdown (February 19, 2013)

ABC 5 Eyewitness News reports on efforts by lawmakers in Minnesota to “increase the penalties for public employees using the state's DVS database improperly” after a former Department of Natural Resources employee was charged with using the driver’s license database “to view personal data belonging to federal politicians, state judges and celebrities.” The case is the most recent to be added to the list of “several legal battles over the issue now winding through federal court.” Meanwhile, a Kentucky pharmacist pleaded guilty to “using patient and doctor names as well as Drug Enforcement Agency numbers to create fraudulent prescriptions for controlled substances” and has been sentenced to 25 months in prison.
Full Story

ONLINE PRIVACY

File-Sharing Service Calls Itself “The Privacy Company” (February 19, 2013)

The Telegraph reports on Megaupload founder Kim Dotcom’s goal of making his new file-sharing service, Mega, “a standard-bearer for online privacy.” Mega was unveiled during a recent event in New Zealand. “The decryption keys for uploaded files are held by the users, not Mega, which means the company cannot see what is in the files being shared,” the report states, noting Dotcom has indicated the site will “be expanded to include secure e-mail, mobile services as well as chat, voice and video-messaging.”
Full Story

DATA LOSS—U.S.

Opinion: NASA Breach “Perfectly Cautionary Tale” (February 19, 2013)

An Electronic Frontier Foundation lawyer says last year’s breach of NASA employees’ personal information is an “unfortunate but perfectly cautionary tale of not only how we should look more carefully at protecting data after it is collected but also how the data is to be safeguarded before we collect it to make sure it isn’t used improperly or disclosed accidentally.” The New York Times outlines incidents leading up to the breach, including a Government Accountability Office report urging the agency to institute whole-disk encryption for all of its laptops and a lawsuit filed by 28 scientists at NASA’s Jet Propulsion Laboratory aimed at stopping it from conducting open-ended background checks on researchers who worked on non-military space projects. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—GERMANY

Facebook Wins Pseudonym Case (February 15, 2013)
Facebook has won its case against Schleswig-Holstein’s data protection authority, the Associated Press reports. The authority had challenged Facebook’s policy that users must use real names rather than pseudonyms, alleging the policy breaches German privacy laws and European rules. The court ruled German laws don’t apply because Facebook’s headquarters are in Ireland. Meanwhile, Facebook is assuring users that special privacy protections will apply for minors employing the site’s new Graph Search tool. Details on gender, birthday, school, hometown and current city for users under 18 will only be available to those users’ friends and their “friends of friends.”

FINANCIAL PRIVACY—SWITZERLAND & U.S.

Nations Sign New FATCA Agreement (February 15, 2013)

The U.S. and Switzerland have signed a bilateral agreement “to improve tax compliance, combat international tax evasion and implement” the Foreign Account Tax Compliance Act (FATCA), Forbes reports. FATCA was signed in 2010, and this new agreement will tighten its grip, the report states. “While inking the deal is no surprise,” writes Forbes contributor Robert W. Wood, “it’s one more sign that FATCA is a steamroller.” The U.S. is also working with 50 other nations to curb offshore tax evasion.
Full Story

SURVEILLANCE—U.S.

Lawmakers Introduce Drone Privacy Bill (February 15, 2013)

Reps. Ted Poe (R-TX) and Zoe Lofgren (D-CA) are introducing legislation that would limit the domestic use of unmanned aerial vehicles (UAVs), The Hill reports. The bill would require law enforcement to obtain warrants for UAV use in criminal cases, except in emergency situations, the report states. Poe said, “Any form of snooping or spying, surveillance or eavesdropping goes against the rights that are outlined in the Constitution.” The American Civil Liberties Union (ACLU) has applauded the legislation. ACLU Legislative Counsel Chris Calabrese said, "By requiring that law enforcement secure judicial approval before using drones, this legislation achieves the right balance for the use of these eyes in the sky.”
Full Story

DATA RETENTION—DENMARK

Gov’t Postpones Retention Law Implementation (February 15, 2013)

The Danish government wants a two-year extension to implement the Data Retention Directive (2006/24/EC), EDRI reports. The review process was postponed in 2010 and 2012, and in the coming months, the Danish Parliament plans to evaluate and revise the nation’s data retention law, the report states. The government wants the extension in order to coordinate with any changes in the directive at the EU level. According to the report, there has been extensive debate in the Danish Parliament about whether the nation was over-implementing the Data Retention Directive. Upon instructions from Parliament, the Danish Ministry of Justice published an evaluation report last December.
Full Story

PERSONAL PRIVACY—U.S.

Texas DMV Sells Drivers’ Information (February 15, 2013)

The Texas DMV sells drivers’ information to hundreds of companies and makes $2.1 million per year doing so, Techdirt reports. More than 2,400 companies purchased the information from the DMV last year, including debt collectors, towing companies and insurance agencies, the report states. Texas DMV Director Randy Ellison says that all driver information is protected by the Driver Privacy Protection Act, but, the report contends, Texas didn’t adopt the part of the law that requires an opt-in/out provision.
Full Story

MOBILE PRIVACY

Developer Raises App Store Privacy Policy Concerns (February 15, 2013)

An Australia-based app developer has raised concerns that Google’s app store policies allow for the sharing of users’ personal information—including e-mails, names and addresses—without consent, Reuters reports. Electronic Privacy Information Center Executive Director Marc Rotenberg said the company buries the notice explaining how it shares users’ personal data and does not clearly obtain express consent. “In a situation like this,” he said, “where people just don’t know what information is being transferred or who it’s going to or for what purpose, it seems ridiculous to say that Google has consent.” Google has said, “Google Wallet shares the information needed to process transactions, and this is clearly stated in the Google Wallet Privacy Notice.”
Full Story

HEALTHCARE PRIVACY—U.S.

PHI of 43,000 At Risk; Report: Breaches Up, Those Affected Down (February 15, 2013)

The personal data of approximately 43,000 patients of a Milwaukee hospital may be at risk after it was discovered a hacker may have gained access to an employee’s work computer account, FierceHealthIT reports. A computer forensics company hired to investigate the incident said it “could not definitively rule out the possibility that the virus was able to obtain information stored in the employee’s work computer account.” Data stored in the account included contact information, medical record numbers and diagnoses, the report states. Meanwhile, a recently released report has found that large-scale health data breaches increased from 2011 to 2012, but the number of patients affected decreased.
Full Story

CYBERSECURITY—U.S.

Advocates Support Exec Order, Not CISPA (February 14, 2013)
National Journal reports on President Obama’s cybersecurity executive order and why some privacy advocates support it. As it stands, government can notify the private sector of targeted cyberattacks, but businesses will not have to disclose any data to the government in return, the report states. American Civil Liberties Union (ACLU) Legislative Counsel Michelle Richardson said, “Greasing the wheels of information-sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information.” Meanwhile, the ACLU and other privacy advocates warn the reintroduced Cyber Intelligence Sharing and Protection Act (CISPA) will compromise Internet privacy. Rep. Dutch Ruppersberger (D-MD), one of two lawmakers who reintroduced CISPA, said, “People ask me all the time, 'What keeps you up at night?' And I say, 'Spicy Mexican food, weapons of mass destruction and cyber attacks.’”

MOBILE PRIVACY

Developer Releases Privacy Locker App (February 14, 2013)

A Thai developer has released an app that allows users to import photos and videos from their cameras into a secured folder, CNET Asia reports. The Private Locker for Photo & Video is designed to be unnoticeable unless a user actively seeks it out, the report states. If an individual enters an incorrect password on a smartphone, its front-facing camera takes a picture of the user, and any secured data is deleted after five failed attempts to access the locker. Editor’s Note: The breakout session The Mobile Majority: Building Privacy by Design into Mobile Apps will be part of this year’s IAPP Global Privacy Summit in Washington, DC.
Full Story

DATA PROTECTION—EU

The Assets and Drawbacks of the Regulation (February 14, 2013)

When the EU adopts its new regulation on data protection, organizations will have two years to comply or else face significant fines. The European Union is at a turning point when it comes to protecting its citizens’ privacy, write attorneys Gaetan Cordier and Adeline Jobard of Eversheds in this exclusive for The Privacy Advisor that examines the assets and drawbacks of the proposed regulation.
Full Story

DATA LOSS—U.S.

Bluetooth Manufacturer Reports Info Hack (February 14, 2013)

A maker of Bluetooth headsets has warned customers of a data breach affecting their personal information, NBC News reports. The Jawbone breach saw the theft of information including e-mail addresses, encrypted passwords and customer names, though not all customers were affected and there is no evidence the information is being used for identity theft, according to the company. “The attack was identified within hours, and we blocked the attack and reset passwords of all compromised accounts,” said a company statement.
Full Story

PERSONAL PRIVACY—U.S.

Pistol-Permit Holders May Now Opt Out (February 14, 2013)

New York police say pistol-permit owners in New York will be able to opt out of having their information made public by the end of this week, USA Today reports. Opt-out forms will be available at county clerks’ and sheriffs’ departments as part of a gun-control law passed last month after a newspaper published an interactive map indicating the locations of pistol-permit holders in two New York counties.
Full Story

DATA RETENTION—AUSTRALIA

Report Indicates Early Tensions Over Proposal (February 14, 2013)

As the Australian government considers a data retention proposal that would see Internet service providers (ISPs) storing customer data for up to two years, ZDNet reports on early discussions indicating concerns. The Attorney General’s Office began meeting with telecommunications companies in 2010 based on a government consultation paper, publicly released this week, explaining the proposal, which would allow law enforcement to access the data for investigations. Minutes from one such meeting indicate tense moments regarding the kind of data retention model ISPs would agree to adopt.
Full Story

CYBERSECURITY—U.S.

Executive Order Facilitates Data Sharing; CISPA To Return (February 13, 2013)
In his State of the Union address last night, President Barack Obama released a cybersecurity executive order outlining new policies aimed at thwarting attacks on American companies’ and government agencies’ online infrastructures, Forbes reports. “We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets…We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” Obama said. The order requires government agencies to share data on cybersecurity threats with the public sector. Meanwhile, the controversial Cyber Intelligence Sharing and Protection Act is expected to be reintroduced in the U.S. House of Representatives today. Editor’s Note: The breakout session Demystifying SEC Guidance on Cybersecurity Risk will be part of this year’s IAPP Global Privacy Summit in Washington, DC.

CONSUMER PRIVACY—U.S.

FTC Releases Credit Report Study Results (February 13, 2013)

The Federal Trade Commission (FTC) has released a congressionally mandated study of the U.S. credit reporting industry and found that five percent of consumers had errors in their credit reports “that could lead to them paying more for products such as auto loans and insurance.” FTC Bureau of Economics Director Howard Shelanski said, “The results of this first-of-its-kind study make it clear that consumers should check their credit reports regularly. If they don’t, they are potentially putting their pocketbooks at risk.” Participants were encouraged to use the Fair Credit Reporting Act to resolve potential errors, and nearly one in four participants found errors that might have affected their credit scores.
Full Story

PRIVACY LAW—MEXICO

Ministry Publishes Guidelines (February 13, 2013)

Mexico’s Ministry of Economy has published its Privacy Notice Guidelines, reports Hunton & Williams’ Privacy and Information Security Law Blog. The guidelines are the result of a collaboration with the Mexican data protection authority and “introduce heightened notice and opt-out requirements for the use of cookies, web beacons and similar technology,” the report states. They also impose requirements for privacy notices. They will go into effect in April.
Full Story

PRIVACY LAW—EU & U.S.

Website: Proposals Taken Word-for-Word from Lobbyists (February 13, 2013)

A website has revealed that some MEPs are taking direction from U.S. lobbyists with the intent to soften the EU’s proposed privacy framework, TechWorld reports. The site compared amendment language with text submitted by certain U.S.-based lobbyists and found that many of the alterations were copied word-for-word, the report states. Europe Versus Facebook’s Max Schrems said though there are legitimate business interests, a majority of the lobbying seeks “to push through small changes in key points that make the whole structure of the law unstable.”
Full Story

ONLINE PRIVACY—U.S.

Opinion: Privacy’s Shared Responsibility (February 13, 2013)

In a column for Forbes, Larry Magid compares online privacy and security—and the corresponding user control—to driving cars and flying in planes. “When driving,” he writes, “there are things you can do to increase your safety, whereas when flying, there’s not much you can do to protect yourself, but we do rely on the airline industry and government regulators to do all they can to protect us.” The same is true online, he notes, adding we can control our passwords and what we say on social media but have little or no control over large data breaches. As a result, he opines, users, governments and industry all play a role in sharing the responsibility of protecting online privacy and security. Meanwhile, Alex Wawro writes that our personal data is a hot commodity, and “if you’re willing to play ball, you can share data on your own terms for fun and profit.”
Full Story

PRIVACY LAW—CANADA

Gov’t Halts Internet Surveillance Bill (February 12, 2013)
CBC News reports Federal Justice Minister Rob Nicholson has announced Bill C-30 will not go ahead due to public opposition. The bill, also known as the Protecting Children from Internet Predators Act, had been opposed by civil liberties and privacy groups as well as the federal privacy commissioner. Nicholson said, “We will not be proceeding with Bill C-30, and any attempts that we will continue to have to modernize the Criminal Code will not contain the measures contained in C-30, including the warrantless mandatory disclosure of basic subscriber information or the requirement for telecommunications service providers to build intercept capability within their systems.”

DATA PROTECTION

Evolution of the CPO: From Compliance To Strategy (February 12, 2013)

When Harriet Pearson, CIPP/US, was appointed to the position of IBM’s first chief privacy officer in 2000, she didn’t have much company. Few organizations had privacy officers. But as the regulatory landscape on privacy and data protection has shifted, the number of privacy professionals has increased dramatically, DataInformed reports. Pearson, now a partner at Hogan Lovells, says in its infancy, the profession focused mainly on complying with healthcare and other regulations, but now, “It’s all about the data,” which brings a new set of questions. She adds that if the role of CPO evolves successfully, “it will become a much more strategic one.” (Registration may be required to access this story.)
Full Story

DATA LOSS

Report: Hacking Caused Majority of Breaches (February 12, 2013)

CSO reports a new survey by Open Security Foundation has found hacking was the most common source of data breaches in 2012. There were 2,644 known data breaches last year, slightly more than double the number of breaches reported in 2011, the report states. Hacking was the reason for 68.2 percent of breaches. Meanwhile, a nonprofit organization in Maine inadvertently posted to its website a database containing details on a portion of its membership. The details included each member's donation amount, address, telephone number, birthday and emergency contact information.
Full Story

BIG DATA—U.S.

Political Party Says It Won’t Sell Voter Data (February 12, 2013)

After it was reported certain state political parties were considering selling voter data collected from past campaigns to private companies, ProPublica reports those parties have said they will not sell voter data. Democrat National Voter File Co-op Board Chairman Ray Buckley said, “While such a sale is certainly a hypothetical possibility, it’s not one we intend to explore.” Another member of the co-op said, “There’s certainly other private firms and consulting firms that already do collect political data and then sell that out to corporations, and the question is…whether other state parties, whether Democrats or Republicans, actually participate in that.”
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: Privacy Rules May Distract Doctors (February 12, 2013)

In a column for Forbes, Peter Lipson, a physician, worries the new HIPAA modifications will divert doctors’ attention away from patient care. Lipson is concerned his “practice will be responsible for a risk assessment program for health data…and we must somehow insure that other people who handle our data” are being careful. How will small practices understand and comply with the rules, particularly since fines “could easily close a practice for good,” he asks, adding, “Where do you want your doctor’s focus?...I want my doctor’s attention focused squarely on me. I don’t want him spending a lot of time worrying...if his ‘data risk assessment,’ which is not well defined, is up to date and proper.” Editor’s Note: The daylong preconference workshop Healthcare Privacy Super Day, sponsored by PricewaterhouseCoopers, will be featured at this year’s IAPP Global Privacy Summit in Washington, DC.
Full Story

ONLINE PRIVACY

Glitch Overrides User Privacy Settings (February 12, 2013)

A bug rendered some Flickr users’ privacy settings ineffective, causing their private images to become public, Digital Trends reports. In response, Flickr set all public photos to private and e-mailed affected members about the glitch. The exposed photos were not indexed by search engines, however.
Full Story

PRIVACY LAW—EU & U.S.

Rhetoric Between Brussels and DC Heats Up (February 11, 2013)
Financial Times reports on comments made by EU Commissioner for Justice Viviane Reding responding to efforts by U.S. lobbyists to influence the EU’s proposed data protection regulation. “Exempting non-EU companies from our data protection regulation is not on the table,” said Reding, adding, “one thing is clear: if companies want to tap into the European market, they have to apply European standards.” According to the report, Reding’s comments will likely ignite a diplomatic tussle between Brussels and Washington. Meanwhile, the EU’s largest telecom industry group is backing the region’s privacy overhaul. Reworking the EU’s privacy framework “is a major move toward establishing a truly level playing field,” the chairman of the European Telecommunications Network Operators’ Association said. (Registration may be required to access this story.)

SOCIAL NETWORKING

Self-Destructing App Grows; Software Mines Social Media (February 11, 2013)

The New York Times reports on the growing popularity of Snapchat, a service that allows users to send messages that self-destruct seconds after they’re viewed. According to the report, “Snapchat is being embraced as an antidote to a world where nearly every feeling, celebration and life moment is captured to be shared, logged, liked, commented on, stored, searched and sold.” Meanwhile, The Guardian reports on Riot—software capable of tracking individuals’ movements and predicting their behaviors by mining social media data. EPIC Attorney Ginger McCall said, “Users may be posting information that they believe will be viewed only by their friends, but instead, it is being viewed by government officials or pulled in by data collection services like the Riot search.” (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Tech Firms Not Worried About Privacy Legislation (February 11, 2013)

The Hill reports that despite efforts by advocates and policymakers, including President Barack Obama, lobbyists for Internet and technology companies don’t expect Congress to pass online privacy legislation in the near future. “It’s not a front-burner issue right now,” said one lobbyist. Justin Brookman of the Center for Democracy & Technology says he doesn’t expect “in the first six months we’ll see much movement on comprehensive privacy legislation.” He added he’s optimistic baseline privacy regulations will be enacted. Lawmakers are reportedly planning to push bills on online tracking opt-outs and the use of mobile location data.
Full Story

PRIVACY LAW—U.S.

SCOTUS Weighs Parking Ticket Privacy (February 11, 2013)

The Supreme Court may soon decide whether it will review or reject a case involving personal information on municipal parking tickets, UPI reports. A citizen of a Chicago-based suburb filed an $80 million civil suit against the village for alleged privacy violations, made up of “$2,500 in damages for each of the tens of thousands of parking tickets (the village) issued over a four-year period.” A federal circuit court of appeals ruled any information contained on the ticket not necessary to processing the fine violated the Driver’s Privacy Protection Act, the report states. The village petitioned the Supreme Court for review, stating, “The extent to which state and local governments respect their citizens’ privacy in carrying out quintessentially local functions…is not an obvious source of federal concern or power.”
Full Story

HEALTHCARE PRIVACY—U.S.

Hospitals Allow Digital Access to PHI During Crisis (February 11, 2013)

As a meningitis outbreak in Tennessee grew to the point that state health department workers were having trouble keeping up with patient records, many of the hospitals involved granted the agency digital access to patient files, reports The Tennessean. The access allowed the department to more quickly monitor the treatments and conditions of patients, and the state’s epidemiologist called it “a lifesaver in terms of dealing with the complexity of the information that we were trying to handle.” Health department officials are now considering pushing legislation that would allow the agency to make similar arrangements with hospitals in cases of public health emergencies going forward.
Full Story

PRIVACY LAW—EU

EC Explains “Backstop” Powers (February 11, 2013)

The European Commission (EC) has claimed, “It would be ‘bad for businesses’ if (it) did not have ‘backstop’ powers to intervene whenever it felt that regulators across the EU were enforcing data protection laws inconsistently,” Out-Law.com reports. The EC has issued an explanatory note regarding the enforcement role it would have under the EU’s proposed data protection framework. The EC has “said that there is no way to ‘reconcile’ decisions made by the various data protection authorities based in the trading bloc under the existing regime and said that the role it would perform under the proposed new system would change that,” the report states.
Full Story

DATA PROTECTION

Opinion: Bush Hack Should Be Reminder (February 11, 2013)

In a column for CNN, Hogan Lovells’ Christopher Wolf discusses a recent hack affecting the Bush family. Hackers tapped into six e-mail accounts and posted some of the contents online, including exchanges involving “contingency planning for the funeral of President George H.W. Bush.” The incident is only one of many recently reported hacks at various institutions, Wolf writes, meaning that government and businesses will take heed and “up their game” when it comes to information infrastructure. But that will take time. Meanwhile, people have options to help protect their own personal information. “Privacy and data security is a shared responsibility, after all, and users have a role to play,” Wolf writes.
Full Story

MOBILE PRIVACY

“Godfather of Encryption” Introduces Smartphone Service (February 8, 2013)

The New York Times reports on the release of a new technology that provides encryption for smartphone users. Phil Zimmermann, “widely considered the godfather of encryption software,” has introduced Silent Circle, which allows users to make encrypted phone calls, send encrypted texts and conduct videoconferencing. Zimmermann’s company has planted its servers in Canada, known to have stronger privacy laws than the U.S. or the EU, the report states. The company has said it will not cooperate with law enforcement requests for data. (Registration may be required to access this story.)

DATA PROTECTION—EU

Experts Examine Proposed Cybersecurity Directive (February 8, 2013)

The European Commission (EC) has released a cybersecurity strategy “to ensure a high common level of network and information security (NIS) across the union,” reports Harriet Pearson, CIPP/US, in Hogan Lovells’ Chronicle of Data Protection. Announcing the strategy on Thursday, EC Vice-President Neelie Kroes noted, “We need to protect our networks and systems, and make them resilient…Cyber threats are not contained to national borders; nor should cybersecurity be.” The proposal includes requiring member states to develop national NIS strategies and data breach notification obligations. In Field Fisher Waterhouse’s Privacy and Information Law Blog, Partner Stewart Room, CIPP/E, examines the draft regulation and highlights “the core legal pillars for data and cybersecurity in the EU, now and coming.” Meanwhile, V3.co.uk reports “huge firms like Apple, Facebook, Google, Microsoft, Amazon and Twitter would have to report breaches publicly, which could cause major security and trust concerns among consumers.”
Full Story

BIOMETRICS—GERMANY & IRELAND

Regulators Confirm Facial Recognition Data Deletion (February 8, 2013)

Irish and German data protection authorities have independently confirmed that Facebook has deleted facial recognition data it had collected on European users, CFOWorld reports. The social networking site said last September it would delete the facial recognition data of Europeans. Office of the Irish Data Protection Commissioner Spokeswoman Ciara O’Sullivan said, “We recently reviewed the source code and execution process used in the deletion process and can confirm that we were satisfied with the processes used by Facebook to delete the templates in line with its commitment.” A representative from the Hamburg Commissioner for Data Protection and Freedom of Information’s technical department also said a review of Facebook’s source code revealed the company did delete the data, but he could only speak about the German part of the case, the report states.
Full Story

DATA LOSS—U.S.

Patients Sue Over Hospital Breach (February 8, 2013)

Twelve hospital patients affected by a breach at North Shore University Hospital are suing both the hospital and its parent company, North Shore-Long Island Jewish Health System, HealthIT Security reports. The suit alleges the hospital was negligent, misrepresentative, breached its fiduciary duty and contract and violated HIPAA, the report states. Some of the 12 patients who’ve filed suit say they’ve had their identities stolen. The hospital says it has “taken aggressive steps to strengthen the security protocols we have in place to protect patient information.”
Full Story

BIG DATA—U.S.

Political Party May Sell Voter Data (February 8, 2013)

ProPublica reports on potential plans by state Democratic parties to sell information gathered from voters to credit card companies and retailers. In 2011, state party leaders formed the National Voter File Co-op to sell voter data to approved organizations such as the NAACP. The collected data tends to include voters’ names, addresses and party affiliation, but, the report states, local political parties have also collected additional data over several campaign cycles on voters’ views and preferences. Now the co-op is reportedly looking into potential commercial markets. One member of the co-op’s board said, “What the co-op is doing is saying, ‘Look, there’s a wealth of information here, that potentially benefits your corporation or your business' interests…It’s up to us to figure out what (data) there’s a market for and whether there’s a comfort level among state parties for selling that information.”
Full Story

IDENTITY THEFT—AUSTRALIA

Tax Workers’ IDs Stolen To Access ATO Data (February 8, 2013)

Criminals have stolen the identities of four tax agents at the Australian Taxation Office (ATO) in order to create “AUSkeys—digital security tokens that allow tax agents to interact with the ATO securely,” reports The Australian. The ATO says using the digital keys, the criminals would be able to access the accounts of the tax agents whose identities were stolen—disputing earlier reports stating they could gain more widespread access. A warning has been issued to tax agents to ensure their accounts haven’t been compromised. An ATO spokesman said it isn’t clear whether other agents have been affected. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Judge Approves CBR Settlement (February 8, 2013)

A federal judge has tentatively approved a settlement between CBR Systems and nearly 300,000 clients whose data was breached, Reuters reports. The incident occurred when a laptop storing data from the blood bank was stolen from an employee’s car. U.S. District Judge Michael Anello of the Southern District of California granted preliminary approval to an agreement that would require CBR to improve its data protection policies and offer those affected two years of credit monitoring services. The company recently settled with the FTC over the breach.
Full Story

PRIVACY LAW—U.S.

CISPA May Return; CA Aims To Limit Privacy Policy Length (February 8, 2013)

The Hill reports that Rep. Dutch Ruppersberger (D-MD) has said he plans to re-introduce the Cyber Intelligence Sharing and Protection Act (CISPA) this year. “We’re working on some things,” Ruppersberger said, “working with the White House to make sure that hopefully they can be more supportive of our bill than they were the last time.” Meanwhile, a California lawmaker is proposing legislation requiring privacy policies be at an eighth-grade reading level and remain under 100 words, CBS Sacramento reports. Assemblyman Ed Chau (D-Monterey Park) wants the language to be simple enough for a child to read, the report states. Chau said the problem with privacy policies is that “these documents are very lengthy…they can contain a lot of technical terminologies people do not understand.”
Full Story

GENETIC PRIVACY—U.S.

SCOTUS To Hear DNA Sampling Case (February 7, 2013)

The U.S. Supreme Court is set to hear a Maryland case involving the warrantless sampling of DNA from an individual who was arrested but not convicted of a crime, ABC News reports. A lawyer involved in the case said, “Our DNA is our blueprint” and contains “deeply personal information…” In a filing, the Obama administration told the justices that “DNA fingerprinting is a minimal incursion on an arrestee’s privacy interests.” The Electronic Privacy Information Center said, “Once an individual’s DNA sample is in a government database, protecting that information from future exploitation becomes more difficult.” The court is expected to hear the case on February 26. Meanwhile, a column in Nature analyzes genetic privacy and the risks and advantages to sharing such data.

ONLINE PRIVACY—U.S.

Ad Networks Aim To Bolster Self-Regulation (February 7, 2013)

The Network Advertising Initiative (NAI) has released its annual compliance report detailing how its members—made up of nearly 100 third-party digital advertising firms—have complied with the NAI Code. NAI Executive Director Marc Groman, CIPP/US, said he hopes the report, along with a new website, will help educate consumers and change policymakers’ perceptions of ad networks and behavioral targeting, AdWeek reports. “We will make a point of sharing this report with relevant policymakers in order to demonstrate the scope of the compliance program and show it’s working,” said Groman. “What policymakers call for is self-regulation with teeth, enforcement and accountability. This is real and very tangible.”
Full Story

DATA PROTECTION—UK

Commissioners: Draft Proposal Should Be Scrapped (February 7, 2013)

Wired reports that former and current UK information commissioners say proposed changes to the European Data Protection Directive would have a negative effect on commerce and have called for the draft to be discarded. Current Information Commissioner Christopher Graham said the proposed regulation would harm the average business more than it would those who are “truly taking advantage of personal data.” Former Commissioner Richard Thomas said the entire draft “should be taken back to the drawing board.” U.S. lobbyists have also been pushing for significant changes to the draft. Meanwhile, a survey has found 68 percent of Internet users “would select a Do-Not-Track feature if it was easily available when using a search engine.” Editor’s Note: Commissioner Graham will be a speaker in the breakout session A Side-by-Side Comparison of EU-U.S. Data Transfer Options at this year’s IAPP Global Privacy Summit in Washington, DC.
Full Story

ONLINE PRIVACY—EU & U.S.

Do Privacy Regulations Harm the Internet? (February 7, 2013)

The European Union has proposed several new regulations directed at giving Internet users control of their online footprint, including the ability to completely delete digital records, The Wall Street Journal reports. In the U.S., President Barack Obama’s “Privacy Bill of Rights” includes the default setting of Do Not Track in web browsers. Many argue that these kinds of regulations could harm advertising revenue, which is what largely funds free content. “Do Not Track is a detrimental policy that undermines the economic foundation of the Internet,” says Daniel Castro, a senior analyst with the Information Technology & Innovation Foundation. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

States Mull Bills on Geolocation, Drones, RFID (February 7, 2013)

An Oklahoma lawmaker and the American Civil Liberties Union of Oklahoma are pushing three privacy bills, Insurance Journal reports. House Bill 1559 would prohibit the Department of Public Safety from installing RFID tags in a driver’s license or state ID card; House Bill 1557 would require law enforcement to obtain a warrant before accessing a cell phone user's geolocation information, and House Bill 1556 would require law enforcement to obtain a warrant before using drones for surveillance, the report states. Meanwhile, Maryland is considering a bill that would allow law enforcement to access geolocation information from mobile devices without a search warrant. Last week, a similar package of proposed legislation was introduced in Maine.
Full Story

ONLINE PRIVACY

Firm Using Privacy As Competitive Advantage (February 7, 2013)

The competitive battlefield over privacy is heating up as Microsoft unveils a new print, television and online advertising campaign against Google’s privacy practices, The New York Times reports. The advertisements will reportedly present research showing that consumers are unaware of e-mail monitoring practices used for personalized advertising and disapprove of them once they find out. A Microsoft representative said, “There’s a lot of fear out there. We can bring these issues to light without fear.” Google said in a statement, “We work hard to make sure that ads are safe, unobtrusive and relevant,” adding, “No humans read your e-mail…in order to show you advertisements or related information.” (Registration may be required to access this story.)
Full Story

DATA LOSS—UK & U.S.

Warning Preceded Breach; How To Prevent Others (February 7, 2013)

The recent breach at the U.S. Department of Energy came weeks after two reports from the department’s inspector general which detected vulnerabilities, FCW reports. The inspector general wrote the department “had not developed and deployed an effective and/or efficient enterprise-wide cybersecurity incident management program” and had not always “appropriately reported successful incidents such as infection by malicious code and potential disclosure of personally identifiable information.” Meanwhile, Public Service reports on ways UK organizations can defend against breaches as the number reported steadily climbs, and Mathew Schwartz opines in InformationWeek that the U.S. Congress must overhaul existing privacy and computer-abuse laws.
Full Story

SOCIAL NETWORKING—U.S.

How To Enhance Your Privacy (February 7, 2013)

The New York Times reports on ways Facebook users can protect their privacy online given recent changes to the site’s privacy settings and the unveiling of a new search tool. Users can select who can view their information; edit the personal information visible on their profile page; block web trackers, and decide who to include in their “friends” group. “It is more important than ever to lock down your Facebook privacy settings now that everything you post will be even easier to find,” said Sarah Downey, a Boston lawyer. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Facebook To Join Ranks, Employ AdChoices Icon (February 6, 2013)

Following pressure from ad agencies and advertisers, Facebook has agreed to start displaying the “AdChoices” icon on its FBX display ads. The symbol will appear only when users move their mouse over an “x” displayed over the ads, however. The move will likely appease advertisers who choose not to invest in behavioral targeting campaigns without the icon, Ad Age reports, but whether the move satisfies the Digital Advertising Alliance is yet to be seen. Genie Barton of the Online Interest-Based Advertising Accountability Program, who worked with Facebook to come to the icon agreement, says if a business feels this solution isn’t sufficient, “they only have to let me know.”

PRIVACY LAW—SINGAPORE

Commission Seeks Feedback on Privacy Act (February 6, 2013)

The Personal Data Protection Commission (PDPC) is seeking public consultation on the Personal Data Protection Act 2012, Channel News Asia reports. Over the next six weeks, the PDPC is looking for feedback on the regulatory aspects of the law, including age definition for minors, what constitutes personal data and means by which organizations can notify consumers of data collection, the report states. PDPC Chairman Leong Keng Thai said that in order for the act to be implemented, “we will need the next level of details so that companies and organizations know exactly what to do to prepare for compliance.” The deadline for comment is set for March 19.
Full Story

MOBILE PRIVACY

App Vetting Service Alerts Users of Privacy Issues (February 6, 2013)

BlackBerry has rolled out a new privacy notification service to warn app developers and users when an app may collect more data than it states, USA Today reports. Any apps approved for distribution in the BlackBerry World online store are vetted for privacy and security issues. The company’s privacy notices “are for applications that do not appear to have malicious objectives or aim to mislead customers but rather don't clearly or adequately inform users about how the app is accessing and possibly managing customers' data,” the BlackBerry website states. Lockheed Martin Director of Cybersecurity Steve Adegbite said the new service “gives power back to the user to protect important information.” A BlackBerry representative said, “We believe this is the way forward for the entire mobile ecosystem.”
Full Story

DATA PROTECTION—UK

ICO: Compulsory Data Protection Audits Needed (February 6, 2013)

BBC News reports on comments made by UK Information Commissioner Christopher Graham promoting the need for compulsory data protection audits of public agencies. Compulsory audits would help local councils and the NHS mitigate incidents of sensitive personal data “being sent to the wrong fax machine or dropped in the street or left on an unencrypted memory stick.” The Information Commissioner’s Office currently has power to audit central government agencies and can only audit local departments after acquiring consent. “Until local government gets the message,” Graham said, “local council taxpayers will continue to be hit by civil monetary penalties for really basic, stupid errors.”
Full Story

PRIVACY LAW—U.S.

$3 Million Settlement Announced in FCRA Suit (February 6, 2013)

Kmart Corporation has agreed to a $3 million settlement “stemming from allegations that it violated the Fair Credit Reporting Act (FCRA) when using background checks to make employment decisions,” the Hunton & Williams Privacy and Information Security Law Blog reports. The class-action suit alleged Kmart violated the FCRA by failing to provide “certain specific disclosures before it use[d] the report for an adverse action,” the report states. Kmart has denied “any fault, wrongdoing or liability whatsoever,” the report states, but “will pay $3 million and will be granted a ‘narrow release’ covering only the FCRA claims.”
Full Story

PRIVACY LAW—U.S.

Women File Suit For License Records Breach (February 6, 2013)

Four women have filed a lawsuit against a Minnesota Department of Natural Resources employee who allegedly accessed their driver’s license information, Minnesota Public Radio reports. The lawsuit is the third filed in response to the department’s announcement that the employee accessed records on 5,000 people. The employee has since been terminated. Meanwhile, a former Minnesota police officer who sued the Minnesota Department of Public Safety after fellow officers allegedly looked at her private data has reached an agreement with the state that would change how the driver’s license database is monitored, Pioneer Press reports.
Full Story

MOBILE PRIVACY—U.S.

FTC Rules Affect Mobile Banking (February 6, 2013)

American Banker reports the Federal Trade Commission (FTC) is “toughening its stance on consumer privacy protection,” noting it “directly affects the mobile applications banks offer their customers.” Referencing the release of the FTC’s “Mobile Privacy Disclosures: Building Trust Through Transparency,” the report highlights “four main things the FTC would like mobile application developers to do to protect consumers' privacy as they bank, shop and surf the web on their mobile devices.” Carnegie Mellon Prof. Jason Hong offers insights on those recommendations, noting that users “could be inundated with notifications and warnings, some of which will be useful, and many of which won’t be.”
Full Story

DATA LOSS—FRANCE & U.S.

Breaches Affect Gov’t Agencies, Hospital, Bakery (February 6, 2013)

Two U.S. government agencies, several French hospitals and a bagel café have experienced data breaches. The U.S. Department of Energy reports unidentified malicious hackers have breached 14 of its servers and 20 of its workstations, accessing personal information on several hundred employees, InfoWorld reports. The U.S. Department of Health and Human Services’ Office for Civil Rights has reported a data breach at Westerville Dental Center in Ohio, and a journalist has uncovered personal health documents from various health clinics and hospitals in France retrievable through a Google search query. Meanwhile, a café with multiple locations in New Hampshire is working with federal investigators after customers’ credit and debit card information was allegedly hacked.
Full Story

PRIVACY LAW—U.S.

Court: Song-Beverly Applies Only To Brick-and-Mortars (February 5, 2013)

California’s Supreme Court has ruled Apple did not violate state law by requiring customers to provide personally identifiable information (PII) to complete online credit card transactions, CNET News reports. Plaintiff David Krescent filed a proposed class-action suit in June 2011 after he was allegedly required to provide his telephone number and address for an online purchase from Apple. The majority found California’s Song-Beverly Credit Card Act, forbidding the collecting of PII for transactions, applies only to brick-and-mortar businesses. “The statutory language suggests that the legislature…did not contemplate commercial transactions conducted on the Internet,” said Justice Marvin Baxter in the ruling.

PRIVACY LAW—MALAYSIA

Law’s Implementation Lags (February 5, 2013)

Malaysia’s Personal Data Protection Act 2010 was slated to be in effect January 1, but the law has not come into force, ZDNet reports. An official notification in the Government Gazette is required before the act can become formalized, the report states, and many companies are not prepared for its implementation. Some Malaysians have expressed doubt in the law’s efficacy. “Enacting an act is simple, but placing it into the actual corporate world and making sure that it’s followed is another story altogether,” said IT systems engineer Ranjeeta Kaur. The bill, first drafted in 2001, forbids disclosing or processing personal data without consent, selling data and unlawful collection of data.
Full Story

PRIVACY LAW—EU & U.S.

Advocates Request Meeting With Officials (February 5, 2013)

More than a dozen privacy groups have requested a meeting with top-ranking U.S. officials in an effort to push back against the reported lobbying by U.S. industries during the EU’s update to its privacy framework, The Hill reports. The groups state that many of the EU’s proposals are similar to proposals recommended in the Obama administration’s Privacy Bill of Rights. In a letter, the groups wrote that during meetings in Brussels, European Parliament members and staff “reported that both the U.S. government and U.S. industry are mounting an unprecedented lobbying campaign to limit the protections that European law would provide.” They added, “We expect leadership from those who represent the United States overseas, and we expect that the views of American consumers and privacy advocates, not simply business leaders, will be conveyed to your counterparts.”
Full Story 

BEHAVIORAL TARGETING—U.S.

Smart Cameras Give Retailers OBA-Like Access (February 5, 2013)

Marketplace reports on the advent of smart cameras in various stores to help retailers glean consumer data as accurate and specific as that of online behavioral advertising. Using facial detection, the cameras can detect gender and age and how long a customer “dwells” in a certain area. The collected information can help stores decide what to stock, where to place it and how much to price goods. “We can actually look at your movements,” said Experian’s Roseanne McCauley. With the help of Experian Footfall—a new business started by consumer credit reporting agencies—a participating store can use Experian’s vast database to find out age and credit history without finding out the customer’s actual name. McCauley added, “what we can do is profile groups of people and give people a demographic code.”
Full Story

DATA LOSS—U.S.

Subcontractor Responsible for Clinic Breach (February 5, 2013)

Wisconsin’s River Falls Medical Clinic has notified 2,400 clients of a data breach after a subcontractor stole patient records in 2012, HealthIT Security reports. River Falls Police found health records at the suspect’s home. They included Social Security numbers, names, dates of birth and billing account information. The subcontractor was working as a cleaning service employee and stole the records from clinic bins headed for the shredder. The clinic says only clinic employees and the shredding company should have had access to the documents. The Department of Health and Human Services’ new HIPAA rules contain language with specific requirements on subcontractors. Editor’s Note: The breakout session Lessons Learned from OCR Privacy and Security Audits will be part of the IAPP Global Privacy Summit this March. And PricewaterhouseCoopers (PwC) will be hosting a daylong preconference workshop dedicated to healthcare privacy’s key themes. Details on PwC’s daylong session are forthcoming.
Full Story

BIG DATA

Data May Help Credit Scores, Cancer Treatment (February 5, 2013)

The increased and improved use of data may help individuals get loans and more accurate credit histories, but there are privacy and free-will concerns, Slate reports. In the past, the lack of reliable data about individuals without credit histories forced banks to put them in high-risk categories. Now, more data—from social networks and other sources—and smarter algorithms can improve that accuracy. One company uses as many as 8,000 indicators to assess loan worthiness—including geolocation data, social graphs, behavioral analytics and consumers’ shopping habits. Meanwhile, cancer researchers in the UK are using Big Data on tumor genes to improve cancer treatment. The researchers face regulatory and privacy obstacles, however, around sharing such sensitive data with colleagues and drugmakers, InformationWeek reports.
Full Story

PRIVACY LAW—EU & U.S.

Continental Privacy Divide May Be Widening (February 4, 2013)

The New York Times reports on what may be a widening “data-control divide” between the EU and the U.S. “The sum of the parts of U.S. privacy protection is equal to or greater than the single whole of Europe,” said the U.S. Commerce Department’s Cameron Kerry. European Data Protection Supervisor Peter Hustinx said, “Yes, we share the basic idea of privacy. But there is a huge deficit on the U.S. side.” In a Q&A, European Commission Vice President Viviane Reding said the White House’s Privacy Bill of Rights “shows that we have much in common. Convergence is springing up and synergies are possible.” And a Times op-ed supports “federal legislation backed by regulatory enforcement” in the U.S. Meanwhile, a group of U.S.-based advocacy groups has written to top U.S. politicians seeking assurances that U.S. policymakers in Europe will “advance the aim of privacy,” and Financial Times reports that Article 29 Working Party Chair Jacob Kohnstamm said that EU lawmakers are “fed up” with lobbying efforts from U.S. tech firms. (Registration may be required to access this story.)

DATA THEFT

Hackers Compromise 250,000 Twitter Accounts (February 4, 2013)

Twitter has said nearly 250,000 user accounts may have been breached in what it called a “sophisticated attack,” The New York Times reports. In a blog post, the company said it detected out-of-the-ordinary access patterns and that user data—including user names, e-mail addresses and encrypted passwords—may have been compromised. Twitter Director of Information Security Bob Lord said, “This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.” Both the Times and The Wall Street Journal announced last week that hackers infiltrated their internal networks. (Registration may be required to access this story.)
Full Story

LOCATION PRIVACY

Researcher: Loophole Leaks Location Data (February 4, 2013)

The New York Times reports that Path’s recently announced settlement with the FTC may not be the end of its legal woes. A security researcher has found a loophole allowing the social media site to share location data even if an iPhone user has opted out. The company responded to the researcher’s blog post on the matter stating it was unaware of the flaw and has since issued a new version of the app to Apple. The company recently agreed to pay $800,000 to settle charges it violated COPPA rules and will also create a privacy program and undergo independent privacy audits for 20 years on charges it deceived users. (Registration may be required to access this story.) Editor’s Note: The breakout session The Mobile Majority: Building Privacy by Design into Mobile Apps will be part of the IAPP Global Privacy Summit this March.
Full Story

ONLINE PRIVACY—U.S.

Maryland AG’s Privacy Unit To Monitor Compliance (February 4, 2013)

Maryland Attorney General Doug Gansler says his office’s new unit, aimed at addressing privacy online, was created to “ensure that Marylanders who use the Internet every day have someone on their side.” The unit will monitor companies’ compliance with state and federal consumer protection laws and will educate citizens of their privacy rights, Gazette.Net reports. Gansler says Internet privacy is “one of the most essential consumer protection issues of the 21st century.” When he was elected president of the National Association of Attorneys General in June, he selected “Privacy in the Digital Age” as the organization’s main initiative for the year.
Full Story

SURVEILLANCE—U.S.

Drone Concerns May Thwart Deployment (February 4, 2013)

The Federal Aviation Administration anticipates that as many as 30,000 drones will operate within the U.S. by 2020, but public concerns about police use of drone data could slow their proliferation, The Denver Post reports. "If we don't fix the privacy problems for civil liberties, we'll never realize the benefits from drones," said Ryan Calo of the University of Washington. "Folks will be afraid and object." Meanwhile, a Texas lawmaker has introduced legislation to protect Texans’ privacy when it comes to drones. “Why should the government or anyone else be able to watch my every move?” said Rep. Lance Gooden (R-Terrell). Editor’s Note: The breakout session Who’s Watching the Drones? will be part of the IAPP Global Privacy Summit this March and will feature insights from the ACLU’s Christopher Calabrese and the Department of Homeland Security’s Christopher Lee, CIPP/US, CIPP/G.
Full Story

CONSUMER PRIVACY—U.S.

FTC Announces $800,000 Settlement, Releases Mobile App Report (February 1, 2013)

The Federal Trade Commission (FTC) today announced that it has settled with “smart journal” site Path over charges it deceived users by collecting personal information from their mobile devices’ address books without their knowledge and consent. The company is required to establish a privacy program and undergo biennial privacy assessments for 20 years. The company will also pay $800,000 to settle charges it violated the Children’s Online Privacy Protection Act by collecting children’s data without parental consent. Path issued a blog post today stating it hopes the experience can help other developers “as a reminder to be cautious and diligent” when building products. The FTC also today released both a report on mobile privacy disclosures and an education guide for app developers. The report recommends ways for “key players in the rapidly expanding mobile marketplace” to gain consumer trust by better informing them of their data practices, and the guide “encourages developers to aim for reasonable data security” and includes tips for doing so. During a media call announcing the releases, outgoing FTC Chairman Jon Leibowitz said that while some companies are doing a good job at data stewardship and consumer transparency, “if other companies don’t wake up and do the right thing, my sense is industry is far more likely to face more prescriptive policies down the road, and I don’t think it’s very far down the road.”

CONSUMER PRIVACY—U.S.

FTC Chairman Leibowitz To Resign (February 1, 2013)

Federal Trade Commission Chairman Jon Leibowitz has said he plans to resign effective mid-February, The New York Times reports. Leibowitz has chaired the federal agency for four years and “pushed for online privacy protections and sought to restrain unfair competition,” the report states. “I felt like it was a good time to leave because we got through a number of things that I wanted the commission to address,” he said. Leibowitz helped bring privacy cases against Google and Facebook and helped expand the Children’s Online Privacy Protection Act, among others. An FTC successor could come from within the agency, the report states, with possibilities including current commissioners Julie Brill or Edith Ramirez. (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY—U.S.

App Suit Complainant Files Again (February 1, 2013)

A New Jersey resident has filed a second, more detailed complaint against Apple, claiming that it violated her privacy by allowing app developers to access information held on her iPhone, reports MediaPost News. Maria Pirozzi filed a case last year that was dismissed by U.S. District Court Judge Yvonne Gonzalez Rogers in December. In the ruling, Rogers granted Pirozzi the opportunity to add more allegations and file again. Pirozzi alleges that she "relied on Apple's reputation for safety," adding that had she known iPhones were designed to be “vulnerable to unauthorized access from third-party apps,” she wouldn’t have downloaded apps and therefore would have paid less for her phone.
Full Story

PRIVACY LAW—U.S.

State Lawmakers Proposing Package of Privacy Bills (February 1, 2013)

Maine state legislators have outlined a set of proposed bills aimed at protecting individuals’ private information. The five proposed bills include requiring commercial websites to notify consumers when data is being collected; protecting employees’ social media passwords at work; limiting domestic drone use; and requiring law enforcement to obtain warrants prior to tracking cellphone data, according to the Maine Public Broadcasting Network. Speaking at a press conference with several legislators and the Maine Chapter of the ACLU, IAPP Chief Technology Officer Jeff Northrop, CIPP/US, CIPP/IT, highlighted the growing tension between people’s fears of losing control of their personal information and the “ever-present march of technology,” adding, “How can you at once resolve somebody’s fears…while not stifling innovation?”
Full Story

SURVEILLANCE—U.S.

Cameras Incite Concerns (February 1, 2013)

Residents and advocates are voicing concerns about new surveillance cameras recently installed along Seattle’s waterfront, The Seattle Times reports. The 30 cameras are slated to be operational by March 31, but the American Civil Liberties Union (ACLU) says laws should be drafted for law-enforcement use of data obtained from the cameras. A representative from the Seattle Police Department said there will be “strict controls” on data access, use and storage. But Doug Honig of the ACLU says the cameras are “another step toward a surveillance society where the government is increasingly using technology to monitor people’s actions and movements without having a warrant or specific reason to do so.”
Full Story