Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

PRIVACY LAW—EU

The Regulation, Its Future and Questions on Profiling: A Roundup (May 31, 2013)

A look through EU headlines from the past week yields a consistent theme: the proposed data protection regulation. Reports highlight concerns voiced by European Data Protection Supervisor Peter Hustinx and German Rapporteur Jan Philip Albrecht as well as worries from charitable organizations that the regulation could impact their ability to reach donors. As Field Fisher Waterhouse’s Eduardo Ustaran, CIPP/E, notes in his recent blog on the regulation and the issue of profiling, “The Working Party appears to sit somewhere in the middle between the commission’s proposal and Albrecht’s approach. That is still a very strict position to adopt, clearly aimed at eliminating the perceived risks of profiling...” This roundup for The Privacy Advisor highlights concerns from officials and organizations.

ONLINE PRIVACY—U.S.

Congress Wants Answers on Google Glass (May 31, 2013)

Eight members of Congress have sent Google CEO Larry Page a letter requesting answers on the privacy implications of Google Glass, National Journal reports. “We are curious whether this new technology could infringe on the privacy of the average American,” said Rep. Joe Barton (R-TX), chairman of the bipartisan privacy caucus, on behalf of his colleagues. Google has until June 14 to respond to the inquiry, though a spokesman has written, “We are thinking very carefully about how we design Glass because new technology always raises new issues.”

PRIVACY LAW—EU

Working Party Explains BCRs for Processors (May 31, 2013)

The Article 29 Working Party has issued an explanatory document on Binding Corporate Rules for processors in response to the outsourcing industry's request for a legal tool that reflects data-transfer practices today. The document includes clarity on such issues as onward transfers, cooperation and legal enforceability. In this exclusive for The Privacy Advisor, Jan Dhont and Emily Hay of Lorenz break down the document.

ONLINE PRIVACY—U.S.

P&G Partners with Eye-Tracking Firm (May 31, 2013)

Procter & Gamble (P&G) has announced a European-based partnership with eye-tracking firm Sticky. The company has been trialing the eye-tracking service and making decisions to cancel ads based on those that aren’t getting seen, Adweek reports. “Applying Sticky’s tracking to our digital media campaigns will help us to optimize and increase our ROI on digital marketing investments in some campaigns up to 25 percent,” said P&G’s head of digital. Sticky uses webcams to record eye movements from page to page.

CHILDREN’S PRIVACY—NEW ZEALAND

Commish: School Sites Lack Data-Use Info (May 31, 2013)

After sweeping a number of websites as part of the Global Privacy Enforcement Network, New Zealand Privacy Commissioner Marie Shroff has announced that many schools and some popular children’s websites “show there is often no information given to users about how their personal information collected via the site will be used and shared.” According to a press release, “We found that in a selection of the larger New Zealand schools’ websites we looked at, very few had any sort of policy at all.” In contrast, many children’s gaming websites had privacy policies that “were usually extremely detailed and lengthy, and the references were often to U.S. or European law.”
 

PERSONAL PRIVACY

A Networked World Calls for Brave New Thinking (May 30, 2013)

With increased distribution of wearable computing devices, Field Fisher Waterhouse Partner Phil Lee, CIPM, CIPP/E, writes that the “depth of relationship” individuals will have “with their device...far exceeds any previous relationship between man and computer.” In this latest Privacy Perspectives post, Lee examines what effect these wearable devices and the oncoming Internet of Things will have on individuals’ and businesses’ privacy expectations—from consent mechanisms to Privacy by Design initiatives.

PRIVACY LAW—U.S.

ME Cellphone Bill Could Be Nation’s First (May 30, 2013)

The Maine legislature is set to pass what would be a first-in-the-nation bill requiring law enforcement to obtain a warrant prior to accessing an individual’s cellphone location history, The Portland Press Herald reports. Following last week’s vote by the Senate, the House voted 113-28 on Wednesday in favor of the bill. If passed, the bill would require the warrants with exceptions for emergencies such as bodily harm and would require police to notify individuals within three days that their data has been accessed. LD 415 now goes back to the Senate for enactment.

PRIVACY LAW—U.S.

Fed Court OKs Best Buy’s ID Check (May 30, 2013)

A federal appeals court has determined that Best Buy’s driver’s license requirement for returning purchases does not contravene the Drivers’ Privacy Protection Act, Bizjournals reports. The 11th Circuit Court of Appeals agreed with a Florida court ruling that tossed out a potential class-action lawsuit filed by Steven Siegler. The suit alleged the company’s practice of collecting and retaining driver’s license data during a purchase return is not a “normal course of business” use.

STUDENT PRIVACY—U.S.

States Drop Out of Tracking Database (May 30, 2013)

Officials in several states are backing away from a $100 million database intended to track students from kindergarten through high school. The database was launched this spring and stores student data including test scores, learning disabilities and discipline records. But parents and civil liberties groups have raised concerns about potential privacy breaches, Reuters reports. Louisiana’s superintendent of education withdrew student data from the database in April and plans to hold public hearings on data retention and security. New York, Illinois and Colorado are active participants. The mother of a 10-year-old public school student said the thought of her son’s medical treatments being stored on the cloud indefinitely “feels like such a violation.”

ONLINE PRIVACY—U.S.

Do College Kids Care About Privacy? (May 30, 2013)

USA TODAY explores whether college students are concerned about the personal information businesses access about them as online games, streaming services and social networking sites increasingly give third parties access to the online data they’ve collected. Woody Hartzog, assistant law professor at Alabama’s Samford University, said, “Young people don’t think about privacy of information to third parties. When they get older, it becomes more real. It largely stems from young people not thinking about their information being given to third parties, and maybe not caring.” Editor’s Note: Hartzog will speak at the IAPP’s Navigate, June 21, in Portsmouth, NH.

PRIVACY LAW—EU

Hustinx, Albrecht: Lobbying Puts Proposal At Risk (May 30, 2013)

European Data Protection Supervisor Peter Hustinx highlighted the need to “distinguish the proposal from the rhetoric” in light of the lobbying around the proposed data protection directive, reports EurActiv. Hustinx addressed the media after delivering his annual report to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee in order to acknowledge the importance of passing the legislation. Failure to do so before the end of Parliament’s tenure would “have serious repercussions in terms of economic development,” said Hustinx. German Rapporteur Jan Philip Albrecht told EUObserver of his concerns that the EU may end up with weaker legislation than it has now—contravening a 2011 vote to create a law at least as strong as, if not stronger than, the 1995 directive.

PRIVACY LAW—ITALY

DPA Defines Obligations for Data Breaches (May 30, 2013)

In this exclusive for The Privacy Advisor, Stefano Taglibue, CIPP/E, reports on the Italian Data Protection Authority’s (Garante) recent decision defining obligations for telephone companies and Internet service providers regarding potential data breaches. Under the definition, providers must notify the Garante of a breach within 24 hours. Fines of up to 100,000 euros may be issued for failure to notify and of up to 1,000 euros per individual involved for failure to communicate the event to those involved, Taglibue writes.

FINANCIAL PRIVACY—SWITZERLAND & U.S.

Swiss Bend to U.S. Will on Banking Data (May 30, 2013)

Following requests by the U.S. government for information about potential tax cheats, the Swiss government has agreed to ease its privacy laws and allow banks to disclose information on U.S.-based clients to the Internal Revenue Service (IRS). Swiss banks will now be able to deliver client details to the IRS, along with any fines that might be appropriate, in exchange for amnesty from further U.S. indictments. In order for the agreement to proceed, The Boston Globe reports, the U.S. would have to ratify a new taxation treaty between the two countries. (Registration may be required to access this story.)

PRIVACY LAW—AUSTRALIA

Gov’t Introducing Breach Notification Bill (May 30, 2013)

Privacy Commissioner Timothy Pilgrim has voiced support for mandatory breach legislation, CSO reports. Attorney-General Mark Dreyfus has announced the government will introduce legislation to take effect in March that will require companies to disclose data breaches. The legislation, which the Australia Law Reform Commission has been proposing since 2008, will “require notification of serious data breaches that will result in a real risk of serious harm,” a Gizmodo report states, noting Dreyfus used the announcement of the legislation as an opportunity to chastise organizations for recent data breaches. As current legislation does not require companies to disclose breaches, the report questions “the data breaches we haven’t heard about over the last decade.”

PRIVACY LAW—U.S.

IRS Probe Brings Section 6103 Into Limelight (May 30, 2013)

As U.S. lawmakers investigate actions by the Internal Revenue Service (IRS) that may have targeted conservative nonprofit groups, some of the fact-finding, reports Bloomberg, is being hampered by Section 6103 of the tax code, which establishes taxpayer privacy rights. Passed by Congress in 1976 after it came to light that Richard Nixon wanted to audit his political opponents, 6103 creates an assumption that taxpayer information is private unless it is needed for a specific investigation targeted at that individual. In the case of the current probe, since it is the IRS, itself, that is under investigation, many congressional questions can’t be answered directly by the IRS, as the answers involve private taxpayer information.

PRIVACY LAW—U.S.

Texas Likely To Enact Nation’s Strongest E-Mail Privacy Law (May 29, 2013)

After unanimously passing both houses of the Texas state legislature, HB 2268 has landed on Gov. Rick Perry’s desk for enactment, Ars Technica reports. If signed, Texas would host the nation’s strongest e-mail privacy bill. The proposed bill would require state law enforcement to obtain a warrant prior to accessing any e-mails, regardless of age of the electronic documents. Though the bill would give residents protections from state-level snooping, the bill would not prevent federal investigations. Perry has until June 16 to sign or veto the bill. If he does neither, the bill would automatically go into effect on September 1, the report states.

PRIVACY LAW—EU & U.S.

Will New Trade Agreement Sidestep Regs? (May 29, 2013)

Reuters reports on developments regarding the Transatlantic Trade and Investment Partnership (TTIP), a proposed free-trade agreement between the EU and U.S. Consumer groups have called language in the agreement a “backdoor way” for U.S. businesses to sidestep EU data protection law. Roughly 60 supporters and opponents of the agreement will address a panel convened by the Trade Representative’s office to discuss TTIP this week. Editor’s Note: Hogan Lovells’ Christopher Wolf has written about the convergence of trade and privacy law in a blog post for the IAPP’s Privacy Perspectives.

DATA PROTECTION—EU & U.S.

Why Investors Must Care About It (May 29, 2013)

As data increasingly becomes the lifeblood of many businesses, the ability to shield and protect that data from mismanagement, hackers and cyberespionage is not only “vital to consumers” but also “critical to investors in publicly held U.S. companies,” write three business experts for The Guardian. “We believe boards have a fiduciary and social responsibility to protect company assets,” they write, “including personal information.” Meanwhile, a new survey reveals that 31 percent of European businesses have experienced a cyberattack in the last year. Consero Group Founder and CEO Paul Mandell says, “Confidence in information security is likely diminished by the high level of publicity surrounding recent cyberattacks and will likely continue to decline before it gets better.”

BIG DATA

From Beavers to Smart Cars to Ivory Coast with Sandy Pentland (May 29, 2013)

Alex “Sandy” Pentland has worked using data to solve any number of problems--enough to realize that privacy issues can be overcome when working with Big Data. The MIT and World Economic Forum researcher addressed the Center for Geographic Analysis annual conference recently to discuss “data commons” and the power they may hold for public good. Editor’s Note: Pentland will address the audience at Navigate, June 21, as part of a cast of provocative thinkers.

MOBILE PRIVACY—U.S.

NAI Working On New Mobile Privacy Rules (May 29, 2013)

The Network Advertising Initiative (NAI) is moving forward with plans to eventually issue a set of mobile privacy rules, MediaPost News reports. A draft version is being circulated among members to help provide a code of conduct for data collected from mobile apps. The draft rules cover behavioral targeting and are expected to be finalized by next month, NAI Executive Director Marc Groman, CIPP/US, has said. The rules would require participating companies to provide consumers with an opt-out for behavioral targeting ads but allow ad networks to continue to collect “non-personally identifiable” data for certain purposes, such as analytics, ad optimization and frequency capping.

PRIVACY LAW—U.S.

Hacker Pleads Guilty, Faces 10 Years (May 29, 2013)

A member of hacker group “Anonymous” has pleaded guilty to hacking a private intelligence firm and several websites, The Huffington Post reports. Twenty-eight-year-old Jeremy Hammond has admitted to assisting in the December 2011 attack on Stratfor Global Intelligence Service as well as hacking the Arizona Department of Public Safety, the Boston Police Patrolmen’s Association, the FBI’s Virtual Academy and an Alabama sheriff’s office. He faces up to 10 years in prison. Hammond said he committed the acts, which gathered the credit card and other personal information of more than one million people, in the name of greater transparency because people “have a right to know what governments and corporations are doing behind closed doors.”

TRAVELERS’ PRIVACY—CANADA & U.S.

Border Data-Sharing Plan To Expand (May 29, 2013)

Postmedia News reports on privacy advocates’ concerns over data sharing between the U.S. and Canada. Since the 2011 Canada-U.S. Beyond the Border action plan, the two countries have shared biometric data on 756,000 border crossers considered third-country nationals and permanent residents. Next year, the data shared will expand to include all travelers. Advocates are concerned the data could be used for secondary purposes. “We have provided questions to Canada Border Services Agency seeking information on how personal information collected may be used and by what other federal organizations and for what possible secondary uses outside of monitoring travel and immigration,” said a spokesman for Canada’s privacy commissioner.

MOBILE PRIVACY

Website Shows Just How Private Snapchat Really Is (May 29, 2013)

If recent stories showing the permanence of Snapchat’s supposedly ephemeral photo sharing didn’t convince you, perhaps the launch of the new SnapchatLeaked.com will. As Beta Beat reports, the startup website allows users to upload photos that have been sent to them, despite the senders’ assumption that they would be deleted after only 10 seconds of viewing. While the site covers up “naughty bits” and doesn’t display a Snapchat ID, there is still some speculation as to whether the site will lead to lawsuits. “All images are user-submitted,” the site’s creators told UK tabloid Metro, “if the person asks to take them down, we do. Most see it as fun and getting ‘Facebook famous’.” Editor’s Note: Jed Bracy, CIPP/US, CIPP/E, wrote about how Snapchat plays into cyberstalking and cyberbullying recently for Privacy Perspectives.

PERSONAL PRIVACY—GERMANY

Commissioner Dislikes Xbox’s View Into the Living Room (May 29, 2013)

Germany’s federal data protection commissioner says he’s “unsettled” by Microsoft’s new Xbox One console, launched by the company last week. Commissioner Peter Schaar says the box “records all sorts of personal information” that could be recorded and transferred to third parties, Slate reports. “The fact that Microsoft is now spying on my living room is just a twisted nightmare,” Schaar said. Microsoft says it is not using the box’s system to “snoop on anybody at all.”

DATA RETENTION—DENMARK

Industry, Advocates Want Change to Law (May 29, 2013)

Five years ago, Denmark passed a law requiring telecommunication companies to retain and store customers’ personal data for up to one year. Now, the telecom industry and advocates are calling for changes to the law, citing “an unjustifiable invasion of privacy,” TECHPRESIDENT reports. Police say the law hasn’t helped them track criminals, but the Danish government wishes to delay a review of the law for two years.

PRIVACY LAW—U.S.

Schnucks: Class-Action Suit Should Be Federal (May 28, 2013)

Schnucks Markets claims a potential class-action lawsuit filed against it in an Illinois state court belongs in federal court because of the case’s scope and damages involved, Computerworld reports. The St. Louis-based grocer has filed a motion for removal. The motion notes the damages the plaintiffs claim exceed the $5 million threshold for a federal case and that the number of people involved in the claim, from various states, means the case should be federal. Schnucks announced a breach earlier this year resulting in the exposure of 2.4 million credit and debit cards. The lawsuit claims the store was negligent and didn’t inform those affected quickly enough.

PRIVACY LAW—EU

Regulation’s Territorial Scope Debated Behind the Scenes (May 28, 2013)

EUObserver reports on behind-the-scenes debates between EU legislators on the territorial scope of the proposed EU data protection reform. The European Commission backs legislation that covers non-EU entities that process EU citizen data, but according to the report, deputies have not been able to reach an agreement on the regulation's eventual scope. UK MEP Sarah Ludford said there is a need to “get legal clarity on which individuals are covered by the proposed regulation, whether it is people when they are present in the EU or those outside the EU.” Meanwhile, a new analysis by KPMG reveals that 51 percent of UK organizations, in both public and private sectors, have failed to comply with the EU Directive on Privacy and Electronic Communications, also known as the Cookie Directive.

PERSONAL PRIVACY

How Data Access May Improve Consumer Confidence (May 28, 2013)

With the increasing data collection capabilities by mobile carriers and household energy suppliers, among others, The New York Times reports on the difficulties consumers have accessing their personal data. “Never mind all the hoopla about the presumed benefits of an ‘open data’ society,” the article states, “In our day-to-day lives, many of us are being kept in the data dark.” Future of Privacy Forum Director Jules Polonetsky, CIPP/US, said consumers may feel more comfortable about having their personal data mined if businesses demonstrate direct consumer benefits arising from collection. (Registration may be required to access this story.)

DATA PROTECTION—EU & U.S.

Wolf on the Latest from France and Belgium (May 28, 2013)

“A variety of client and professional meetings in France and Belgium have me here for an extended stay,” writes Hogan Lovells’ Christopher Wolf in this latest installment of the IAPP’s Privacy Perspectives. “I have heard many interesting things about privacy and data protection issues,” Wolf notes. Among them, Wolf details what he’s hearing about the EU data protection reform, the right to be forgotten, U.S. governmental access to cloud data and the need for more privacy professionals in Europe.

ONLINE PRIVACY

Estate Planning for Digital Assets (May 28, 2013)

The New York Times reports on the issue of end-of-life planning for online data. “Digital assets have value, sometimes sentimental and sometimes commercial, just like a boxful of jewelry,” one lawyer notes, suggesting they can result in “painful legal and emotional issues for relatives unless you decide how to handle your electronic possessions in your estate planning.” The report highlights options available to online users—including Google’s Inactive Account Manager, which allows users to “decide exactly how they want to deal with the data they’ve stored online with the company”—as well as expert recommendations for getting “your Internet house in order.” (Registration may be required to access this story.)

PERSONAL PRIVACY

Opinion: What About Those Who Don’t Want To Be Recorded? (May 28, 2013)

In an opinion piece for The New York Times, Nick Bilton discusses a recent experience with Google Glass, the wearable computer capable of recording everything occurring in its view with a click or a wink. “But what about people who don’t want to be recorded?” Bilton asks. At a recent social gathering, Bilton notes, “I was startled by how much Glass invades people’s privacy, leaving them two choices: Stare at a camera that is constantly staring back at them, or leave the room.” Meanwhile, a startup is preparing to launch a facial recognition API for developers of Google Glass apps, to be available within a week. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Senator Introduces Bill To Bolster Fourth Amendment Rights (May 28, 2013)

Sen. Rand Paul (R-KY) has introduced a bill aiming to ensure adequate Fourth Amendment rights when it comes to electronic communications. “The Fourth Amendment Preservation and Protection Act of 2013” requires specific warrants granted by judges for law enforcement to obtain electronic communications data. “In today’s high-tech world, we must ensure that all forms of communication are protected. Yet government has eroded protecting the Fourth Amendment over the past few decades, especially when applied to electronic communications and third-party providers,” Paul said.

PRIVACY LAW—ITALY

Garante Issues Fines Totaling 800,000 Euros (May 24, 2013)

The Italian Data Protection Authority (Garante) has issued three orders of injunction against two IT companies—specialized in the data bank sector—and a telecom operator obliging them to pay fines equal to 800,000 euros for violating prescriptive measures already adopted toward them in 2008. “The two companies specialized in the data bank creation had created and sold data banks containing tens of millions of people’s personal data, without having both informed data subjects and acquired their consent,” explains Rocco Panetta in this exclusive for The Privacy Advisor. The companies will have to pay fines of 100,000 euros and 400,000 euros, respectively, and the telecom will pay a fine of 300,000 euros. Further orders of injunction are expected against other companies.

DATA PROTECTION—CANADA & U.S.

Fredland on Social Media and Healthcare (May 24, 2013)

Valita Fredland, CIPP/US, associate general counsel and chief privacy officer at Indiana University Health, detailed the types of social networking breaches faced by healthcare institutions for the crowd at the IAPP Canada Privacy Symposium. This feature for The Privacy Advisor highlights Fredland’s insights, including that education and training should be part of the privacy team’s operations not only to avoid embarrassing breaches but also the social engineering scams that could lead employees to voluntarily give information to nefarious actors without realizing it.

ONLINE PRIVACY

Lynch Sees Job Security for Privacy Pros (May 24, 2013)

Threat Post reports on “one of the most challenging jobs in the technology industry, chief privacy officer at Microsoft.” The post is held by IAPP Board Chairman Brendon Lynch, CIPP/US, who said the rise of ubiquitous computing is one of the most challenging trends for companies to handle when it comes to protecting user privacy. But, he said, technology challenges are actually an opportunity for companies to gain a competitive edge by giving their users more control of their privacy options, being transparent with data use and communicating all of this to users in laymen’s terms. He added, “I see job security for privacy people.”

EMPLOYEE PRIVACY—GERMANY

Schaar: Busting Employees Online Is Illegal (May 24, 2013)

German Federal Data Protection Commissioner Peter Schaar says job centers that search online for employees abusing unemployment benefits are breaking the law, reports The Local. “Job center employees are under no circumstances allowed to log into social networks or even under false pretenses become online friends with people in order to gain access to their data,” Schaar told a magazine. The report states that only if someone receiving unemployment benefits “is uncooperative and refuses to give out relevant data” can a center turn to the Internet—and, even then, the employee must be notified of the data collection, Schaar added.

PRIVACY LAW—U.S.

State Legislative Roundup (May 24, 2013)

Over the past two weeks, several states have enacted or initiated privacy legislation. California has moved forward on a security breach notification law, and Maine has considered a 911 privacy bill. Topping state legislative action, however, are social media privacy laws. From Utah to New Jersey, states are clamping down on the employer practice of requiring employees and applicants to disclose social media passwords. In this roundup, we take a look at these initiatives and some concerns that these social media laws could conflict with the Financial Industry Regulatory Authority. Editor's Note: For more information on FINRA's intersection with social media law, see our upcoming web conference, Employee Social Media Accounts--Financial Regulators Want Access.

ONLINE PRIVACY

Google Unveils Object-Recognition Feature (May 24, 2013)

The Huffington Post reports on Google’s latest rollout, an object-recognition feature that has thus far flown under the radar. “Photo Search with Visual Recognition” allows users to search for an object on Google’s network and view all photos taken of that object by people in their Google+ circles, the report states. “Of course, the privacy-invading nature of social network ‘upgrades’ has now become such old news that the Google+ feature may go off without a hitch,” the report states, noting, however, that the feature does somewhat mitigate privacy concerns by only allowing searches within established circles.

HEALTHCARE PRIVACY—U.S.

What Should You Do If the OCR Sends You a Letter? (May 24, 2013)

With the Final HIPAA Omnibus Rule compliance deadline right around the corner, the number of organizations that will be considered covered entities will rise. Since 2003, the Office for Civil Rights (OCR) has received nearly 80,000 complaints. But that number will likely increase, and organizations not accustomed to receiving investigatory letters from the OCR may be getting a surprise in the mail. In this latest installment of Privacy Perspectives, Align Technology Privacy Counsel K Royal, CIPP/US, CIPP/E, explores the steps you should take to make this “daunting” process more manageable.

FINANCIAL PRIVACY—EU

Data-Sharing Deadline Set (May 24, 2013)

“EU leaders have agreed that the automatic sharing of individuals' bank account data, a key measure to prevent tax evasion, should become law across all member states by the end of the year,” AAP reports. The report references EU President Herman Van Rompuy’s comments at a press conference calling for “member states to complete adoption of regulation covering private savings aimed at ending bank secrecy.” The report follows comments by French President Francois Hollande noting EU countries will start working on an automatic exchange of tax information.

PRIVACY LAW—CANADA

Stoddart: PIPEDA Reform, Enforcement Powers Needed (May 23, 2013)

Privacy Commissioner Jennifer Stoddart, wrapping up 10 years in her office this year, used her keynote address at the IAPP Canada Privacy Symposium this morning in Toronto to lay out her recommendations for reforming the Personal Information Protection and Electronic Documents Act. In short, amendments should include stronger enforcement powers, mandatory data breach reporting, teeth behind accountability and increased transparency measures.

DATA PROTECTION—UK

Commissioner: Serious Breach Offenders Deserve Prison Time (May 23, 2013)

UK Information Commissioner Christopher Graham says people who misuse personal information should face tougher penalties, including prison time, Public Service reports, citing a recent case in which a community health manager took personal data from the health center to use for his own fitness company. The man e-mailed data on 2,471 patients to his personal account, and soon thereafter, patients approached by the man began to complain. The man was fined 3,000 GBPs and ordered to pay other legal costs. Graham said the government “must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”

DATA LOSS—U.S.

Tens of Thousands at Risk in Recent Breaches (May 23, 2013)

The U.S. Department of Homeland Security (DHS) has revealed that a vulnerability in a vendor’s system may have exposed the Social Security numbers and dates of birth of tens of thousands of its employees, reports Federal News Radio. A DHS spokeswoman said the data was stored in the vendor's database of background investigations and may have been accessible as far back as July 2009. Meanwhile, the Maine Attorney General’s Office has issued an alert to people who have purchased tickets through online service Vendini. According to the company, a server containing the names, addresses, e-mail addresses, credit card numbers and expiration dates of tens of thousands of people—including many Maine residents—was breached.

BIG DATA

Privacy Hampers Research Outcomes (May 23, 2013)

Professors at the Massachusetts Institute of Technology say privacy remains a “big stumbling block” to effectively using Big Data, The Wall Street Journal reports. MIT’s Andrew Lo, Dimitris Bertsimas and Alex “Sandy” Pentland are building Big Data models to predict financial market shifts and crime and improve healthcare outcomes, the report states, but run into privacy issues when it comes time to analyze the data. There are also concerns about individuals being profiled based on Big Data findings. Meanwhile, Amsterdam’s ZyLAB has published a whitepaper warning IT decision-makers about “the dark side of Big Data.” (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

ISU To Pay $400,000 Breach Fine (May 23, 2013)

The Department of Health and Human Services (HHS) has released a resolution agreement following Idaho State University’s (ISU) HIPAA violations dating back to August 2011, Health IT Security reports. ISU will pay $400,000 in penalties for exposing data on 17,500 patients by disabling a firewall for at least 10 months, the report states. HHS found ISU committed violations including failing to conduct a risk analysis of the confidentiality of its electronic personal health records and failing to implement sufficient security measures to reduce risk. ISU has entered into a corrective action plan agreement with HHS.
Full Story

ONLINE PRIVACY—CANADA

Report: Gov’t Plan Would Have Been “Digital Key” (May 23, 2013)

The Canadian Press reports on a new study by the Office of Privacy Commissioner Jennifer Stoddart indicating that a bill that would have given police more information about Internet users would have “unlocked numerous revealing personal details.” The report found that the online surveillance bill would have acted as “a digital key” to an individual's details, Stoddart said, adding, “In general, the findings lead to the conclusion that, unlike simple phonebook information, the elements examined can be used to develop very detailed portraits of individuals, providing insight into one’s activities, tastes, leanings and lives.” The government dropped the bill earlier this year following widespread criticism.
Full Story

EMPLOYEE PRIVACY—U.S.

Washington Passes Password-Protection Bill (May 23, 2013)

Washington’s governor has signed a law prohibiting employers from asking potential employees for passwords to social media accounts, the Associated Press reports. The bill was sponsored by state Sen. Steve Hobbs (D-Lake Stevens), who said he was pleased the bill passed. “Privacy shouldn’t be a thing of the past that we are forced to sacrifice every time technology moves forward,” he said. Maryland, Illinois, California, Michigan, Utah, New Mexico, Arkansas, Colorado and New Jersey have similar laws.
Full Story

SOCIAL NETWORKING

Facebook Joins Advocacy Group (May 23, 2013)

Facebook announced on Wednesday that it has joined the online privacy and freedom advocacy group Global Network Initiative (GNI), reports The Wall Street Journal. The affiliation may help to show users that Facebook is taking privacy concerns seriously and also help it navigate expansion in developing countries, the report states. GNI provides guidance on protecting online privacy against government intrusions and reviews members’ practices to ensure they are in line with GNI’s goals. Meanwhile, Facebook CEO Mark Zuckerberg was in Poland on Wednesday meeting with Polish Minister for Administrative Affairs and Digitisation Michal Boni about the global significance of the Polish IT industry. (Registration may be required to access this story.)
Full Story

DATA RETENTION—U.S.

Opinion: Are Fines Effective in Changing Practices? (May 23, 2013)

In an op-ed for IT World, Paul Kapustka wonders whether fines are any incentive at all for large corporations to change their data retention practices. While acknowledging the importance of protecting data and allowing government access to it when necessary, Kapustka writes, “I don't see how dinging a company a million bucks for losing a laptop is going to make corporations comply. If it's easier and cheaper to circumvent the process, like water, they'll find that path. Isn't it better to figure out now how to have rules that make sense for a more-mobile world where locking down data may be next to impossible?”
Full Story

SOCIAL NETWORKING

Teens Post More but Manage Privacy Settings (May 22, 2013)

A new Pew Research Center survey indicates that teens are posting more about themselves on social networking sites but are also taking formal and informal steps to manage their online privacy and reputation, USA TODAY reports. The research canvassed 802 individuals between ages 12 and 17 and their parents. Sixty percent of Facebook users used the highest privacy setting while 14 percent said their Facebook pages are public. ConnectSafely.org Co-director Larry Magid said, “The idea that young people will post anything is not true” and many are “thinking about whether this is something I’d want my grandmother, a college administrator, an employer or a future boyfriend or girlfriend to see.”

BIG DATA

Service Would Sell Phone Data on Consumers (May 22, 2013)

European software firm SAP has announced a new service that will pull data from its “extensive partner network”—which includes “over 990 mobile operators”—collect and analyze it “without drilling down into user-specific information,” CNET News reports, and disclose the results to subscribers via web portal. SAP said of its Consumer Insight 365 mobile service that “this market intelligence will ultimately allow brands to strengthen relationships with consumers through more targeted and context-specific marketing efforts.” The Wall Street Journal reports on the potential privacy concerns from a service that will “broaden the range of data about individuals’ habits and movements that law enforcement could subpoena.”
Full Story

ONLINE PRIVACY—U.S.

Ohlhausen Questions FTC Report (May 22, 2013)

Federal Trade Commissioner Maureen Ohlhausen expressed concerns Tuesday about privacy recommendations laid out in last year’s FTC privacy report. According to MediaPostNews, Ohlhausen said the FTC “did not address the possible competitive effects of its recommendation” in the privacy report, adding, “New privacy restrictions may have an effect on competition by favoring entrenched entities” over newer, smaller businesses. She also said she doesn’t “currently support a baseline privacy bill, but am not against privacy legislation per se,” and she indicated that some data-collection practices have “raised concerns.”
Full Story

BIG DATA

Creating a Data Empire (with Uncle Enzo and Steve Sneak) (May 22, 2013)

With gamification making its way further and further into mainstream marketing and corporate efforts, it only makes sense that privacy-awareness advocates would get into the game. Privacy professionals should get a kick out of Data Dealer, a new browser-based game, which will eventually be integrated into Facebook like the popular Zynga games (et al) and takes a satirical and ironic approach to the world of data collection and sale. The Privacy Advisor gives it a spin and gives you a full review.
Full Story

HEALTHCARE PRIVACY—U.S.

PHI Practice Notices May Be Under the Radar (May 22, 2013)

With the compliance deadline for the new HIPAA Omnibus Rule rapidly approaching, HealthITSecurity reports that one critical area “that may fly under the radar” is new requirements for an organization’s notice of privacy practices for protected health information (PHI). Other than healthcare clearinghouses, correctional institutions and group health plans not touching PHI, the Office for Civil Rights says organizations must make the notices available upon request and prominently post them on their websites. Covered entities must also provide such information to patients during their first service encounter, the report states.
Full Story

PRIVACY BIZ—U.S.

Web-Security Firm Acquires Web-Privacy Firm (May 22, 2013)

Web-security firm AVG has purchased web-privacy firm PrivacyChoice, Venturebeat reports. PrivacyChoice offers a browser extension that analyzes a user’s web activity and indicates their exposed personal information. “Since founding, our mission has been to deliver more effective and more informed choices about how your data is collected, used and shared,” said PrivacyChoice founder Jim Brock. “We saw strong synergies between our approach and the efforts AVG continues to make in empowering people when it comes to their online privacy.”
Full Story

PRIVACY LAW—UK

Court: Compensation Only If Damages Are Due To Breach of DPA (May 22, 2013)

The England and Wales Court of Appeal recently ruled that businesses “do not have to pay compensation for causing distress to consumers if they break data protection laws unless the distress suffered by consumers is linked to the breach itself,” reports Out-law.com. The ruling stemmed from a customer’s complaint that upon receiving damages from a breach case, the finance company involved placed his settlement in a closed account and entered incorrect information about him in their systems indicating his account was in arrears—which was shared with a credit scoring agency. The customer claimed the company had breached the terms of the district court order and asked the court for further damages, prompting the court’s ruling.
Full Story

DATA LOSS—U.S.

Investigative Reporting or Hacking? (May 22, 2013)

Two telecoms are calling Scripps Howard News Service reporters hackers after the reporters discovered the personal data of some 170,000 users of a subsidized cell phone program online, reports Ars Technica. The telecoms claim the reporters violated the Computer Fraud and Abuse Act by using sophisticated and “automated” means to uncover the records, but the reporters say they found the data through a Google search. The data included applications for the Federal Communications Commission’s (FCC) Lifeline program—which contained Social Security numbers—collected for telecoms YourTel and TerraCom by Vcare. FCC regulations bar telecom providers from retaining this data, but, according to the report, Vcare had the applications stored on its servers and posted to an open file-sharing area.
Full Story

PRIVACY LAW—U.S.

Apple Seeks Tracking Suit’s Dismissal (May 22, 2013)

Apple has filed a motion for summary judgment in a privacy class-action lawsuit, Courthouse News Service reports. The company argues the plaintiffs in the suit—which claims the company uses third-party iPhone applications to access and track users’ personal information—admit suffering “no harm whatsoever” and “still have no idea whether their personal information or location data was actually tracked.” The court dismissed the plaintiffs’ first complaint in September 2011 and dismissed all but two claims of an amended complaint in June 2012. A hearing in this case is set for November 7.
Full Story

DATA LOSS—JAPAN

Breach May Have Exposed 22M IDs (May 21, 2013)

Yahoo Japan released a statement on Friday that a file with 22 million login names may have been exposed, InformationWeek reports. “We don't know if the file was leaked or not, but we can't deny the possibility, given the volume of traffic between our server and external terminals,” the statement notes. The company has posted information related to the breach on its homepage and is contacting those affected, the report states, noting the unauthorized access was discovered on Thursday and could affect 10 percent of the company’s user base.

DATA LOSS—CANADA

When Your USB Goes Missing (May 21, 2013)

Recent data breaches have rocked Canadian-based public-sector institutions with hundreds of thousands of compromised personal files. “How did this happen?” Daniel Horovitz asks in this latest installment of the IAPP’s Privacy Perspectives. An expert in privacy and records management, Horovitz points out that both incidents were not a problem of cybersecurity but were under scrutiny for “a much dumber, simpler reason.”
Full Story

SOCIAL NETWORKING—IRELAND

Facebook Appoints New Privacy Counsel, Gets OK from DPA (May 21, 2013)

Irish Data Protection Commissioner Billy Hawkes says he’s satisfied with the work Facebook has done to meet a four-week deadline to comply with recommendations on improving user privacy, the Independent reports. Had the company failed to comply, it would have faced fines of up to 100,000 euros. Following an audit by Hawkes’ office, the company had implemented changes to transparency and user controls, but a number of the office’s recommendations had not been met, prompting the four-week deadline. Facebook has also announced the appointment of a lead data protection and privacy counsel to its Dublin headquarters. (Editor’s Note: The IAPP recently chatted with Hawkes on life as a privacy enforcer and how companies can avoid his attention.)
Full Story

GEO PRIVACY—U.S.

Opinion: Judge’s Phone Ruling Is “Ridiculous” (May 21, 2013)

Federal Judge Gary Brown has ruled that “phone users who fail to turn off their cell phones do not exhibit an expectation of privacy,” Ashley Feinberg writes in an ACLU op-ed republished by Gizmodo. Feinberg quotes Brown as saying, “Given the ubiquity and celebrity of geolocation technologies, an individual has no legitimate expectation of privacy in the prospective location of a cellular telephone where that individual has failed to protect his privacy by taking the simple expedient of powering it off.” Feinberg calls the opinion “ridiculous,” citing the difference between location data that is knowingly shared and that which is collected “without your knowledge or consent.”
Full Story

SURVEILLANCE—U.S.

How the FBI Obtained Warrant To Track Reporter (May 21, 2013)

Mashable reports on how the FBI was able to obtain a search warrant in 2010 for a reporter’s Gmail account without his knowledge. The Justice Department was investigating Fox News reporter James Rosen for allegedly violating the Espionage Act after Rosen’s 2009 report on North Korea’s planned nuclear tests. The department obtained the warrant by analyzing the communications of one of Rosen’s sources, Stephen Jin-Woo Kim, a government advisor. “Search warrants like these have a severe chilling effect on the free flow of important information to the public,” said a First Amendment lawyer.
Full Story

BIG DATA—U.S.

SIIA Releases Whitepaper on Balancing Innovation and Privacy (May 21, 2013)

The Software and Information Industry Association (SIIA) on Monday released a whitepaper on balancing innovation with privacy in Big Data, reports The Washington Post. In the paper, the SIIA cautions against over-legislation, recommending instead that companies take the initiative to build privacy into their Big Data policies. SIIA Senior Director David LeDuc says there are ways for companies to benefit from Big Data and still protect user privacy, adding that anonymizing consumer data as quickly as possible would be a good step. The SIIA and other industry groups would like to see policy-makers, consumer advocates and other stakeholders come together to create policy. (Registration may be required to access this story.)
Full Story

RFID

Chips Pose ID Theft and Privacy Concerns (May 21, 2013)

The Washington Post reports on rising identity theft of travelers stemming from access to RFID chips in passports and credit cards. Criminals can also access personal data from smartphones via WiFi networks. To help curb such attacks, some luggage companies are inserting RFID-blocking compartments in luggage. Meanwhile, Bruce Schneier, a security expert, writes about the rise of the Internet of Things and surveillance in his latest blog post, noting that “any illusion of privacy we maintain” is “about to get worse.” (Registration may be required to access this story.)
Full Story

PRIVACY—U.S.

Bloomberg Appoints Privacy Czar (May 20, 2013)

In light of revelations that some of Bloomberg’s journalists were using private client data for reporting, the company has announced it has hired former IBM CEO Samuel Palmisano “to serve as an independent advisor regarding the company’s privacy and data standards,” Forbes reports. According to Bloomberg’s press release, Palmisano “will immediately undertake a review of the company’s current practices and policies for client data and end-user information, including a review of access issues recently raised by the company’s clients.” Palmisano will report directly to the Board of Directors and will be assisted by representatives from Hogan Lovells and Promontory Financial Group.

PRIVACY LAW—EU & U.S.

The Transatlantic Data Privacy Divide (May 20, 2013)

With increased tensions between U.S. tech companies and EU lawmakers and regulators, Wilson, Sonsini, Goodrich & Rosati Senior of Counsel Christopher Kuner explores “the root of many of the differences between the EU and U.S. approaches to data privacy” in this latest installment of the IAPP’s Privacy Perspectives. Kuner writes that the “differing status of privacy as a constitutional or human right underlies how this question is dealt with in the two systems.”
Full Story

HEALTHCARE PRIVACY—U.S.

Hospital Creates Portal To Protect Teens’ Data (May 20, 2013)

In an effort to address concerns over children’s privacy when it comes to their personal health records (PHR), Boston Children’s Hospital (BCH) has developed a custom-built PHR portal with separate accounts for patients and their parents, InformationWeek reports. While children’s PHRs are generally controlled by their parents, teenagers have a right to privacy regarding the information they share with physicians, according to BCH’s Fabienne Bourgeois. “The parent has sole access to the patient’s portal until the patient turns 13, at which point both the parent and the patient can have access,” Bourgeois reports. At 18, access is restricted to the patient.
Full Story

DATA LOSS—U.S.

Health Centers, Low-Income Assistance Program See Breaches (May 20, 2013)

Two companies participating in the federal program Lifeline, which subsidizes phone service for low-income households, exposed more than 170,000 records online, reports Scripps Howard News Service. The records belong to residents of at least 26 states, and the Indiana attorney general has launched an investigation. LSU Health Shreveport has also begun notifying patients that a third-party contractor sent bills—including names and treatment information—to the wrong recipients. An investigation showed that the breach was the result of a data-entry error. And a Speedway, IN, community health center has notified about 180 patients that a former employee may have accessed their electronic health records in order to steal their identities.
Full Story

PRIVACY LAW—SINGAPORE

Data Protection Act Comes Into Effect Next Summer (May 20, 2013)

Singapore’s Personal Data Protection Act will come into effect on July 2, 2014, ZDNet reports, and “organizations will need to complete data inventory mapping, process audits, staff training and publication of various processes” by that date. The Personal Data Protection Commission has introduced tools and trainings to assist small- and medium-size businesses, the report states, noting, “There is very significant effort involved in data mapping…Similarly, process audits needed to sync across business units and different offices may involve process re-engineering and relearning by staff members. Organizations should not underestimate this task.”
Full Story

SURVEILLANCE—U.S.

Congressional Committee Discusses Drones (May 20, 2013)

The Subcommittee on Crime, Terrorism, Homeland Security and Investigations conducted a hearing on Friday discussing the future of drone use and what that means for citizens, reports Fox News. Questions at the hearing ranged from, “Can you shoot down a drone over your property?” to “If you were watching traffic and you saw a drug deal, what then?” Gregory McNeal, an associate professor at Pepperdine University School of Law, recommends defining the scope of acceptable surveillance activities and timeframes rather than the types of devices, noting that the pace of drone technology could quickly make any congressional action obsolete.
Full Story

DATA PROTECTION—EU & U.S.

Group Criticized for Lack of Transparency (May 20, 2013)

The European Privacy Association (EPA) has revealed that several U.S.-based tech companies are backers, IDG News Service reports. Last Thursday, the Corporate Europe Observatory (CEO)—a watchdog that “works to expose privileged access in EU policy making”—filed a complaint stating the EPA, while working to represent industry interests in EU data protection reforms, did not list any backers on the EU Transparency Register, the report states. A CEO representative said the group’s name conflicts with its pro-industry stance, creating a “confusing…mismatch.” In a press release, the EPA said, “We are immediately clarifying such discrepancies” to ensure that they’re “in line with the guidelines of the European Union.”
Full Story

PRIVACY LAW—U.S.

Swire: FBI Initiative Threatens Secure Communications on the Internet (May 17, 2013)

Recent moves by the FBI to persuade the Obama administration “to support major changes” to the Communications Assistance to Law Enforcement Act of 1994 (CALEA) have prompted a new report from the Center for Democracy & Technology and this latest Privacy Perspectives installment from Peter Swire, CIPP/US, who formerly served as chief counselor for privacy in the Office of Management and Budget under President Bill Clinton. The new changes could open up a range of risks and “harm cybersecurity.”

ONLINE PRIVACY

Firefox Cookie Blocking By Default on Pause (May 17, 2013)

Mozilla has postponed default cookie-blocking in its Beta version of Firefox 22 “to collect and analyze data on the effect of blocking some third-party cookies,” PC World reports. The default setting has been criticized by the online advertisement industry. The nonprofit is currently testing a patch created by Jonathan Mayer. In a blog post, Mozilla Chief Technology Officer Brendan Eich wrote, “Our next engineering task is to add privacy-preserving code to measure how the patch affects real websites,” adding, “We will also ask some of our Aurora and Beta users to opt in to a study with deeper data collection.”
Full Story

GENETIC PRIVACY

Making Art of the DNA We Leave Behind (May 17, 2013)

What if someone could take your mundane, discarded items—chewing gum, a stray hair and other things with traces of DNA—and turn them into a portrait of you? Heather Dewey-Hagborg has already started doing just that. This Privacy Perspectives blog post explores her work and the broader implications, both creepy and courageous, for our fledgling personal privacy in light of advancing DNA capabilities.
Full Story

PERSONAL PRIVACY—U.S.

Does “Neighbors” Photo Exhibit Violate Privacy? (May 17, 2013)

The Associated Press reports on photographs taken by a New York City artist that have residents infuriated. “In one photo, a woman is on all fours, presumably picking something up, her posterior pressed against a glass window. Another photo shows a couple in bathrobes, their feet touching beneath a table. And there is one of a man, in jeans and a T-shirt, lying on his side as he takes a nap,” the report states, noting the photos were taken through their windows by Arne Svenson from his nearby apartment. Although their faces are not shown, the residents “had no idea they were being photographed, and they never consented to being subjects,” raising questions of whether any privacy law has been violated. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—RUSSIA

Nation Ratifies Commitment to Convention 108 (May 17, 2013)

NewEurope reports that on May 15, Russia ratified a treaty to join Convention 108—the “Convention for the protection of individuals with regard to Automatic Processing of Personal Data.” Council of Europe Secretary General Thorbjørn Jagland said he received Russia’s accession from Permanent Representative and Ambassador of the Russian Federation to the Council Alexander Alekseev. The treaty will enter into force on September 1. Russia will become the 46th state to join Convention 108.
Full Story

PERSONAL PRIVACY—U.S.

Reps Question Google Glass; Mapping Gets Upgrade (May 17, 2013)

Rep. Joe Barton (R-TX) has written a letter asking Google questions related to concerns he and other lawmakers have about its latest product, Glass, reports TheNextWeb. Questions include whether facial recognition abilities will allow users to access personal information about people and objects they view through Glass, whether Google will be able to collect any device-specific information without users’ consent and whether the Glass device will be able to store data. The company has also rolled out changes to its mapping service, “more deeply mining” users’ personal data obtained through Google services to customize maps to users’ preferences and behaviors.
Full Story

MOBILE PRIVACY—U.S.

An App That Can Tell Doctors You’re Sick (May 17, 2013)

MIT Technology Review reports today on Ginger.io, a company spun out of the MIT Media Lab, whose app of the same name is in trials with hospitals across the country. The Ginger.io smartphone app logs all activity on a patient’s phone and transmits the data to the hospital, where it can be monitored. “Now,” says cofounder and CEO Anmol Madan, “the doctor or nurse can get a sense of the patient’s life and help as needed.” The app automatically notes changes in phone-use patterns and sends alerts when they are detected, which can keep patients who generally care for themselves at home from suffering dire consequences if they deviate from prescribed medication or therapy.
Full Story

DATA PROTECTION—U.S.

When Cars Are Connected, Will Privacy Sit Shotgun? (May 17, 2013)

CNN reports on “the dark side of connected cars.” In a recent forum, panelists discussed the risks of the technology, including that a driver’s location could be identified at any time. Panelist Geoff Hollingworth, head of business innovation at Ericsson, said, “So all these cars are connected. They all know how fast they are going. They all know the speed zones they are running in,” adding, “Should the car issue a ticket? Should it tell the police to issue a ticket if you are breaking the speed limit?”
Full Story

CHILDREN’S PRIVACY—U.S.

FTC Sends Biz COPPA Education Letters (May 16, 2013)

In light of upcoming rule changes to COPPA and recent pushback from industry, the FTC has issued more than 90 letters to app developers. The letters were sent to companies whose online services “appear” to collect personal information from children under the age of 13. “While the letters do not reflect an official evaluation of the companies’ practices by the FTC, they are designed to help businesses come into compliance” with the impending changes, an FTC press release states. Meanwhile, The Washington Post reports on comments made by Center for Digital Democracy’s Joy Spencer, who said, “Facebook is not doing enough to ensure children under 13 don’t have access to the site,” adding, “That raises a number of concerns about safety and because Instagram then is able to collect personally identifiable information on children, which can be used to target ads toward them in the future.”

PRIVACY

When Buying Cyberinsurance, Semantics Matter (May 16, 2013)

At yesterday’s Pre-Breach Preparedness IAPP KnowledgeNet in Dedham, MA, Joe Burgoyne of Osram Sylvania opened the “privacy panel” with a somewhat startling prompt: Raise your hand if you know where all of your company’s data is. Of the 100-plus attendees, maybe two hands went up—hesitantly. In this exclusive for The Privacy Advisor, Burgoyne offers advice on how to prepare for a data breach and attorney Nancy Kelly discusses the importance of negotiating when it comes to buying standalone cyber insurance.
Full Story

EMPLOYEE PRIVACY—U.S.

“Experts” Discuss Employees on Corporate Devices (May 16, 2013)

As part of The Wall Street Journal’s “The Experts” series, representatives from Boston University, Harvard Business School, Jones Day and State Street answer this question: “How much privacy should employees expect when using corporate devices, especially e-mail?” Their answers might be summarized this way: “Employees should expect some rights but not all that much privacy.” See if you, as a privacy professional, agree with their conclusions.
Full Story

PRIVACY LAW—CANADA

Did We Get the Right Privacy Tort? (May 16, 2013)

With last year’s Ontario Court of Appeals decision on Jones v. Tsige, Michael Power, a Toronto-based lawyer, consultant and author, writes, “2012 saw a significant development in Canadian tort law with respect to privacy.” In this Privacy Perspectives post, Power questions whether the “intrusion upon seclusion” tort is enough in a world “where ‘surreptitious genetic testing’ and ‘revenge porn’ are not TV plotlines and where the latest thing to be hyped is Big Data.”
Full Story

INFORMATION ACCESS—U.S.

Police Implement Policy To Keep Report Details Confidential (May 16, 2013)

Edgerton, WI, police have implemented a policy to release only the last name of anyone identified in a police report, reports The Janesville Gazette. The policy is in response to Senne v. The Village of Palatine, Ill, a case surrounding the printing of a person’s full name on a parking ticket that was left on the person’s windshield overnight. Last year, an appeals court ruled the village violated the citizen’s right to privacy, and while that decision is now under appeal again, Edgerton Police Chief Tom Klubertanz says the city’s attorney recommended the policy change. “If it’s personal identity information, we have been told we can’t release it when people come in to look at” police reports, said Klubertanz.
Full Story

PRIVACY LAW—U.S.

Plaintiffs Revive Pandora, Google Lawsuits (May 15, 2013)

MediaPost News reports on two separate privacy lawsuits that have been revived by plaintiffs. A group of Android users have “beefed up” privacy claims in a lawsuit against Google, alleging the company wrongly transferred users’ names and contact information to app developers. The move comes six weeks after a federal judge dismissed an earlier iteration of the lawsuit because the plaintiffs didn’t “allege certain facts to support their claims,” the report states. Meanwhile, a plaintiff who previously filed a potential class-action lawsuit against Pandora is asking the Ninth Circuit Court of Appeals to reverse an earlier decision that disclosure of the plaintiff’s music-listening history on Facebook did not contravene Michigan’s Video Rental Privacy Act.

DATA LOSS

Experts Discuss Bloomberg Privacy Implications (May 15, 2013)

As Bloomberg News continues to answer questions about the actions of reporters who appear to have, on more than one occasion, used the company’s desktop data terminals to monitor activity at financial institutions, privacy experts are weighing in on the long-term implications. This exclusive for The Privacy Advisor examines the most recent developments and the reactions from experts like Lisa Sotto, CIPP/US, who told GovInfoSecurity Bloomberg must “toughen its IT security and privacy governance process…It is critically important to have a stringent set of access controls, but the integrity and ethics issues really go beyond privacy and data security.”
Full Story

DATA PROTECTION—EU & UK

ICO: Biz Lacks Understanding of EU Reforms (May 15, 2013)

The UK Information Commissioner’s Office (ICO) has released a new report highlighting “a clear lack of understanding across business around proposed EU data reforms.” According to an ICO press release, 40 percent of businesses “don’t fully understand any of the 10 main provisions being proposed,” and 87 percent are “unable to estimate likely costs of draft proposals to their business.” Information Commissioner Christopher Graham said, “Debate must be based on valid evidence. This reform is too important for guesswork.”
Full Story

HEALTHCARE PRIVACY—U.S.

Unions: Commission Went Behind Marathon Victims’ Backs (May 15, 2013)

Unions for Boston’s first responders have accused the Boston Public Health Commission “of going behind the backs of bombing victims to collect private medical information about those who sought ‘primary care and other outpatient’ help days and weeks after the bombings,” Boston Herald reports. The commission sent letters to 38 medical providers seeking such data, outraging the city’s first responders, the report states. Boston Public Health Commission Executive Director Barbara Ferrer has said the commission is exempt from HIPAA in this case as “it is the only way to offer victims city services.”
Full Story

PRIVACY IN POP CULTURE

Going Gaga for Google Glass (May 15, 2013)

While it’s unquestionably true that the advent of Google Glass has created all manner of interesting privacy discussions, Glass may end up being as much a boon to comedy writers as to privacy professionals. In this exclusive for The Privacy Advisor, we round up all of the best send-ups and look at the way being creepy may keep Glass users from being creepy.
Full Story

STUDENT PRIVACY—U.S.

Opponents Call Database “Invasion of Privacy” (May 15, 2013)

Information on nearly 85,000 Colorado students will soon be gathered in one database, sparking cheers from supporters about this “breakthrough” and concerns from opponents that it constitutes “an invasion of privacy,” 9news.com reports. Jeffco Public Schools is working with inBloom, a pilot program that places the information in a “single data cloud or dashboard,” to streamline student information. “Some parents have serious concerns that student grades, test scores, even health records will be vulnerable to cyber attack,” the report states. Jeffco has noted the program is fully compliant with FERPA.
Full Story

CYBERSECURITY

More Data Leads to More Risk (May 15, 2013)

In the sixth part of The Wall Street Journal’s series on compliance issues in cybercrime, Nicholas Elliot writes about the connection between Big Data and big risk. While many companies, the report says, continue to gather more and more data about their customers, those same companies do not increase their security measures and privacy policies in lock-step. The result? “Sloppy data management can mean that even small breaches have disproportionately large impacts on a company.”
Full Story

DATA LOSS—CANADA & U.S.

Victims Suing for $40M; Other Breaches Announced (May 14, 2013)

Montfort Hospital patients whose personal information was lost have filed a $40 million lawsuit, Toronto Sun reports. The breach involved the loss of a USB stick containing data on 25,000 patients back in November. Although it was eventually recovered, plaintiffs are accusing the hospital of “breach of contract, negligence, breach of privacy and violating its own bylaws and the Personal Health Information and Protection Act” in connection with the loss of the memory stick, the report states. Meanwhile, in the U.S., Indiana University Health has notified 10,300 patients of a health data breach; Presbyterian Anesthesia reports a data breach affecting nearly 10,000, and Memphis Regional Medical Center has reported a breach involving three e-mails.

SURVEILLANCE—U.S.

DoJ Obtains Journalists’ Phone Records (May 14, 2013)

The Associated Press is crying foul after discovering the Department of Justice (DoJ) had secretly obtained two months of telephone records for more than 20 corporate and personal phone lines used by as many as 100 AP journalists. In a letter of protest to U.S. Attorney General Eric Holder, AP CEO Gary Pruitt said, “There can be no possible justification for such an overbroad collection of the telephone communications of the Associated Press and its reporters.” DoJ officials would not tell the AP why or how the records were obtained. The DoJ simply notified the AP via letter on Friday the records were in hand. The Obama administration denied knowledge of the investigation. Sen. Patrick Leahy (D-VT) pronounced himself “concerned” by the DoJ actions, as did Sen. Rand Paul (R-KY) and groups like the ACLU and American Society of News Editors.
Full Story

DATA RETENTION

An Archivist’s View of the Right To Be Forgotten (May 14, 2013)

As Europe considers implementation of “the right to be forgotten,” Archivist Cherri Ann Beckles writes, “From a bird’s eye view, this proposal would have an undeniable effect on the preservation of the individual and collective memory of society.” In this latest Privacy Perspectives blog post, Beckles lays out the issues that could lead from a right to be forgotten to a “society that was forgotten.”
Full Story

PRIVACY LAW—U.S.

Researchers: Hold Off on APPS Act (May 14, 2013)

Research reports on calls to hold off on the proposed Application Privacy, Protection and Security (APPS) Act. The Marketing Research Association (MRA) is concerned the act would empower the Federal Trade Commission (FTC) “to define what the term ‘personal data’ meant, as the MRA had already seen in a previous act’s amendment debate that the FTC thought this meant that almost any piece of information could be personally identifiable,” the report states. The MRA is also concerned about the FTC being able to decide the meaning of de-identified data, the act’s mobile app transparency notice requirements and the legislation “not giving industry attempts to introduce a workable privacy code of conduct a chance.”
Full Story

MOBILE PRIVACY

In-App Advertisers Beware: Lookout Announces Deadline (May 14, 2013)

With adware targeting the Android operating system up 61 percent over last year, by Bitdefender’s estimate, mobile security firm Lookout has decided to take a firmer stance with in-app advertisers. The company has announced “rules and standards for acceptable advertising practices that promote good user experience and privacy best practices” and has given advertisers 45 days from May 10 to comply or be otherwise classified as adware. If advertisers don’t get explicit user consent for display advertising outside the normal in-app experience, harvesting PII or performing unexpected actions in response to ad clicks, Lookout’s product will block them from users.
Full Story

DATA PROTECTION—EU

Industry, Lobbyists Converge To Discuss Directive (May 14, 2013)

Representatives from European banking, auto, aeronautics and technology industries met in Berlin this week to discuss the proposed EU Data Protection Regulation, The New York Times reports. One communications expert says that industries having “nothing to do with social media” are showing concern about the likelihood of “a whole new layer of regulation,” noting that one motivation for the proposal is to rein in the use of social media data by big tech firms. Thomas Lehnert, director of data protection for EADS Deutschland, said he expects an increased need for data protection officers in his organization—which currently employs eight full-time officers. “I think we are talking about a multiple of what we have now,” Lehnert said. (Registration may be required to access this story.) Editor's note: For insight into the European Regulation, see our coverage of Peter Hustinx's and Richard Thomas's talks at the IAPP's recent London event.
Full Story

DATA PROTECTION—EU & U.S.

Exploring the ABCs of BCRs (May 13, 2013)

As more organizations move toward using Binding Corporate Rules (BCRs), there are lessons that can be gleaned from the experience of others. Align Technology Privacy Counsel K Royal, CIPP/US, CIPP/E, helped lead her organization toward BCR adoption. In this Privacy Perspectives post, Royal reveals some of the top lessons and tips she learned from this process, which she describes as “not being for the faint of heart.”

CYBERSECURITY—U.S.

The Implications of FTC v. Wyndham (May 13, 2013)

The Wall Street Journal reports on the current “high-stakes legal battle over whether a federal agency can use its consumer-protection powers to police cybersecurity practices at American companies.” Wyndham Worldwide Corp. has asked a federal judge to throw out the Federal Trade Commission’s (FTC) complaint, arguing there is no precedent for holding a company responsible for the actions of hackers. The company has also stated that the FTC has never provided businesses with security-practice guidelines. Morrison & Foerster’s D. Reed Freeman, CIPP/US, said, “If the FTC loses, it’s going to have a hard time bringing these cases.” The FTC is expected to file a response to Wyndham’s dismissal later this month, the report states. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

What Info Did Bloomberg Reporters Access? (May 13, 2013)

After an acknowledgement by Bloomberg News last week “that its reporters used the company’s terminals to access personal information about subscribers, including Wall Street traders and other financial professionals,” The Washington Post is reporting that “the Federal Reserve, Treasury Department and some of the nation’s largest financial firms are assessing whether their use of Bloomberg News’ ubiquitous financial data terminals has exposed them to a potential privacy breach.” Bloomberg has indicated the reporters’ practice was “to retrieve mundane facts” and not sensitive data. Bloomberg ceased reporter access to such information last week, the report states. (Registration may be required to access this story.)
Full Story

BIOMETRICS—U.S.

Privacy Groups Fear National ID System (May 13, 2013)

WIRED reports on concerns that immigration reform being debated in the Senate Judiciary Committee could eventually result in “a ubiquitous national identification system.” The proposed legislation includes a mandate to create a database of names, ages, Social Security numbers and photographs “of everyone in the country with a driver’s license or other state-issued photo ID,” to be maintained by the Department of Homeland Security. The American Civil Liberties Union has raised concerns, and David Bier of the Competitive Enterprise Institute said, “The most worrying aspect is that this creates a principle of permission basically to do certain activities and it can be used to restrict activities.” He added, “It’s like a national ID system without the card.”
Full Story

ONLINE PRIVACY

Protecting Our Online Profiles (May 13, 2013)

Last week, the Today Show reported on one person’s struggles to get a job in light of an ex-girlfriend’s online posting of disparaging personal material, allegedly out of revenge. This Privacy Perspectives post delves into the difficulties of maintaining a reputable online profile and the legal and technical complexities around combating such negative and vengeful actions.
Full Story

ONLINE PRIVACY

LinkedIn Revises Policy for User Clarity (May 13, 2013)

LinkedIn is updating its privacy policy within the next week, the company reports in its blog. The updates will clarify and simplify language to make it easier for members to read and understand. The policy will be located on a page that will become the company’s “Privacy Portal” where users can access all of their LinkedIn data.
Full Story

PRIVACY—UK

Britain Struggles with Info Access vs. Privacy (May 13, 2013)

In a recent case involving the theft of 113,000 GBPs from a building in Warwickshire, police refused to identify the man charged with the crime. His identity was only disclosed after free speech campaigners made hay, and it was then learned the suspect was a former police officer. “The incident is indicative of rising tensions between journalists and authorities in Britain” when it comes to balancing privacy and freedom of information, The New York Times reports. “The police are in a real bind about this, because they have to balance the right to privacy against the public interest,” said one journalist. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Are Airlines Above Privacy Law? (May 10, 2013)

Delta Air Lines has won its request for dismissal of claims it violated California’s Internet privacy law because it didn’t notify mobile app users that their data was being collected, Bloomberg reports. California Attorney General Kamala Harris sued the company in December, alleging its “Fly Delta” app didn’t clearly post its privacy policy. But Judge Marla Miller said the federal Airline Deregulation Act “bars states from imposing regulations on airlines related to price, routes or services,” the report states.

CYBERSECURITY

A Global View of Integrating Privacy and Security (May 10, 2013)

“From Maryland to Ireland, Slovakia to Florida, privacy professionals and their industry colleagues are working on integrating Privacy by Design into business models and functionality,” writes Jenner & Block’s Mary Ellen Callahan, CIPP/US, in this latest Privacy Perspectives post. Amidst her “whirlwind tour” across continents and industry sectors—from marketing to security to government—Callahan assesses a growing effort to implement privacy into business and national security strategies.
Full Story

DATA PROTECTION—U.S.

Obama to Agencies: Make Data More Public (May 10, 2013)

President Barack Obama has “directed agencies to make their data easy to find and use by the public,” Federal Times reports, as agencies increasingly face requests and pressure to release government data to the public. The Office of Management and Budget has issued an open data policy requiring agencies to meet goals on improving data gathering, management and sharing. Agencies must create updated data set inventories, provide public listings of all public data and ensure the data is created and stored in “machine-readable and open formats, whether collected electronically, by phone or on paper,” the report states.
Full Story

PRIVACY—IRELAND

Commissioner Hawkes On Increasing Complaints and How To Avoid His Attention (May 10, 2013)

At the IAPP’s Data Protection Intensive in London last month, the IAPP sat down with Irish Data Protection Commissioner Billy Hawkes to discuss the ins and outs of a regulator’s daily life on the job, the impending EU regulation, do-not-track and how he relaxes when he’s not regulating multinational giants headquartered in Ireland.
Full Story

DATA LOSS

This Week’s Breach Roundup (May 10, 2013)

Data breaches continue to affect private and public organizations across all sectors. Among this week's incidents, the biggest news may be that the state of Washington’s court system may have been hacked, potentially affecting millions of residents. Several healthcare organizations announced breaches this week, including a North Carolina-based clinic. The incident may have compromised the health records of more than 17,000 patients. A Pennsylvania-based senior-housing organization was also breached, exposing more than 7,300 records. More on these and additional data incidents can be found in this roundup for The Privacy Advisor.
Full Story

ONLINE PRIVACY—U.S.

Bill Requiring Data-Use Disclosure, Others Introduced (May 10, 2013)

Ars Technica reports on a new bill that would require app developers to have privacy policies detailing how they share user data. Rep. Hank Johnson (D-GA) has introduced the bill, which would require users to sign off on the privacy policy before using an app, the report states. The user would also be able to ask for data to be deleted upon ceasing to use the app. Politico reports that support for privacy legislation is gaining momentum from the right side of the political aisle; four Republican congressmen have introduced two bills that would require law enforcement to obtain warrants before accessing individuals’ e-mail data.
Full Story

SURVEILLANCE—U.S.

Gov’t: Warrantless E-mail Access OK; Legislators Intro Bills (May 9, 2013)

The U.S. Department of Justice and the FBI have said they don’t believe they need search warrants for access to Americans’ electronic communications, CNET reports. That’s according to internal documents obtained by the American Civil Liberties Union. U.S. Reps. Tom Graves (R-GA) and Kevin Yoder (R-KS) have introduced a bill aimed at protecting consumer privacy by updating protections for electronic communications stored by third-party service providers, reports The Chattanoogan.com. The E-mail Privacy Act would extend protections for regular mail to e-mail and cloud data. Meanwhile, Sen. Rand Paul (R-KY) has introduced a bill that would repeal the anti-privacy provisions in the Foreign Account Tax Compliance Act, The Wall Street Journal reports.

SURVEILLANCE—U.S.

Why Privacy Pros Ought To Pay Attention to the PCLOB (May 9, 2013)

With this week’s Senate confirmation of David Medine as chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), a new check will soon be in action on the U.S. government’s anti-terror activities. In this latest installment of Privacy Perspectives, former White House Deputy Chief Technology Officer for Internet Policy Daniel Weitzner writes, “We can expect the PCLOB to be one of the first expert bodies to give careful consideration to a new class of Big Data capabilities that offer the ability to discover sensitive information about individuals.”
Full Story

PRIVACY—U.S.

The Impact of SP 800-53 (May 9, 2013)

Why would the release of a National Institute of Standards and Technology document have privacy pros “popping the champagne bottles?” Because the placement of privacy controls side by side with IT security controls puts privacy professionals on more equal footing with their colleagues and sets up the possibility for better working relationships. The Privacy Advisor examines what federal privacy officers need to do now and the effects on the privacy landscape.
Full Story

ONLINE PRIVACY

Suspect Returned to Native Country Pending Web Attack Investigation (May 9, 2013)

A man suspected of involvement in a large-scale online attack against an Internet spam-fighting service has been returned to his home country of the Netherlands and ordered to remain in custody, The New York Times reports. Sven Olaf Kamphuis was transferred from Spain to the Netherlands Monday after being arrested in Barcelona, the report states. He is suspected of delivering denial-of-service attacks, which “slowed Internet service globally for several days in April, especially in Russia and other European countries.” A judge ordered that Kamphuis remain in custody as an investigation proceeds. (Registration may be required to access this story.)
Full Story

EMPLOYEE PRIVACY—U.S.

Sens. To Debate Bill To Mandate, Expand E-Verify (May 9, 2013)

The Senate Judiciary Committee today begins the markup of immigration legislation that includes a provision to mandate the use of the employment verification tool E-Verify, Politico reports. E-Verify checks employees’ Social Security or other identification numbers against Department of Homeland Security records. The proposed bill would also expand the tool to include photos and offer grants to states that provide access to driver’s license information, the report states. Privacy activists and civil rights organizations have voiced concern over the bill. “We worry that it will expand to all these other purposes the same way the Social Security number has expanded and been used for 70-odd years,” said Chris Calabrese of the American Civil Liberties Union.
Full Story

SURVEILLANCE—INDIA

Central Database Has Advocates “Up in Arms” (May 9, 2013)

Privacy advocates are concerned after the Indian government introduced a central monitoring system (CMS) designed to give authorities access to citizens’ phone calls and online communications. The plan aims to thwart terrorism attempts, but the CMS will be accessible by law enforcement and tax authorities and allows the government “a single point of access to ‘lawfully’ intercept voice calls and texts, e-mails, social media and the geographical location of individuals,” The Register reports. Activists claim privacy laws aren’t strong enough to protect citizens against such powers.
Full Story

PRIVACY LAW—U.S.

Medine Confirmed To Lead PCLOB (May 8, 2013)

The Senate on Tuesday confirmed President Barack Obama’s nominee David Medine as chairman of the Privacy and Civil Liberties Oversight Board (PCLOB). This ends a two-year process and finally allows the PCLOB to go forward “at full strength,” said Judiciary Chairman Patrick Leahy (D-VT). However, questions remain as to the jurisdictional and scope-of-authority issues that Medine and the agency must decide. Editor's Note: Look soon for former White House Deputy Chief Technology Officer Daniel Weitzner to present commentary on what the "now-living" PCLOB will mean for the larger privacy community in a post for the IAPP's Privacy Perspectives.

PRIVACY COMMUNITY—U.S.

Will the White House Soon Have a CPO or Not? (May 8, 2013)

While a report circulated yesterday that the White House was poised to announce a first-ever chief privacy officer (CPO), it appears that report may have jumped the gun. Is the White House about to get a new CPO? Will it be Twitter’s current legal director? We get you up-to-date on the latest news.
Full Story

PRIVACY LAW—EU

Regulation Vote Delayed Again (May 8, 2013)

PC World reports on the European Parliament Civil Liberties Committee’s decision to delay a planned vote on the draft data protection regulation that had been scheduled for May 29. “German MEP Jan Philipp Albrecht, who is charged with steering the legislation through to the final vote, explained that although several meetings have been held and some agreements have been reached, more rounds of discussions are still needed,” the report states. Meanwhile, small- and medium-sized businesses remain concerned as the proposal would require those with 500 or more customers to have a data protection officer, resulting in “additional expense in an economy where many are struggling.” Albrecht has said a vote is still possible before July.
Full Story

SURVEILLANCE—U.S.

Obama May Back FBI Internet Wiretapping (May 8, 2013)

The New York Times reports that the Obama administration “is on the verge of backing” an FBI initiative for “a sweeping overhaul of surveillance laws that would make it easier to wiretap people who communicate using the Internet rather than by traditional phone services.” The original FBI proposal would have required Internet communications services to build in a means to wiretap, but the revised proposal, pending a White House review, would fine businesses that do not comply, the report states. The Center for Democracy & Technology’s Greg Nojeim said, “I think the FBI’s proposal would render Internet communications less secure and more vulnerable to hackers and identity thieves.” FBI General Counsel Andrew Weissmann said, “This doesn’t create any new surveillance authority” and would require a court order. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—U.S.

FTC’s Secret Data Shoppers Uncover FCRA Violators (May 8, 2013)

The Federal Trade Commission (FTC) has announced it sent letters to 10 data brokers warning they may be in violation of the Fair Credit Reporting Act (FCRA), Ad Age reports. The potential violators were discovered by an undercover FTC data shopper in a sting operation, part of a Global Privacy Enforcement Network initiative. In it, the FTC approached 45 companies seeking financial data, citing reasons such as checks for employment eligibility or creditworthiness. Of those, “10 appeared willing to sell information without complying with the requirements of the FCRA.”
Full Story

ONLINE PRIVACY

Google Chairman: Lack of Internet Delete Button Is “Significant Issue” (May 8, 2013)

Google Executive Chairman Eric Schmidt believes the “lack of a delete button on the Internet is in fact a significant issue.” That’s according to a Fast Company report on Schmidt’s comments to economist Nouriel Roubini at New York University’s Stern Business School this week. The discussion focused in part on the privacy implications of the “endless troves of personal user data” being amassed by online companies. Schmidt said, “Let me be very clear that Google is not tracking you,” adding that in terms of that lack of an online delete button, “There are times when erasure is the right thing...and there are times when it is inappropriate. How do we decide? We have to have that debate now.”
Full Story

PRIVACY LAW—GERMANY

Court Says Apple Must Revise Data-Handling Rules (May 8, 2013)

A German court has told Apple to change its data-handling rules, Bloomberg reports. The court struck down eight of 15 provisions in the company’s data-use terms, stating they deviate too far from German law, the report states. The court also ruled Apple can’t seek “global consent” from consumers on the use of data, including geolocation information. “The ruling shows the high importance of data protection for consumers in a digital world,” said Gerd Billen, head of consumer group Verbraucherzentrale Bundesverband.
Full Story

ONLINE PRIVACY

Internet of Things and Privacy a “Cat-and-Mouse Game” (May 8, 2013)

Wireless technology company Qualcomm is working on enabling the impending “Internet of Things” while maintaining user privacy. That’s according to CEO Paul Jacobs, who said in a recent speech that technology will certainly make it possible for “nearly everything people interact with” to be connected to the Internet in time, but companies must work to make such capabilities less intrusive, CNET reports. “Privacy is something that’s going to be a little bit like a cat-and-mouse game,” he said.
Full Story

ONLINE PRIVACY

GPEN Launches First Internet Privacy Sweep (May 7, 2013)

A total of 19 privacy enforcement authorities are participating in the Global Privacy Enforcement Network’s first Internet Privacy Sweep initiative. In announcing the launch of the weeklong initiative, the Office of the Privacy Commissioner of Canada said participating authorities will dedicate individuals to search the Internet in a coordinated effort to assess privacy issues related to the theme, Privacy Practice Transparency. “Privacy issues have become global and they require a global response,” noted Canadian Privacy Commissioner Jennifer Stoddart. “It is critical that privacy enforcement authorities work together to help protect the privacy rights of people around the world.” This exclusive for The Privacy Advisor takes a closer look at the new initiative.

ONLINE PRIVACY

Can DNT Save the Online Ad Industry? (May 7, 2013)

With this week’s last face-to-face meeting between members of the World Wide Web Consortium’s Tracking Protection Working Group as the backdrop, Center for Democracy & Technology Consumer Privacy Director Justin Brookman responds to doubts about a Do-Not-Track standard in this second point-counterpoint installment of Privacy Perspectives. “I remain perplexed,” Brookman writes, “that Do Not Track remains a controversial proposition in some quarters.”
Full Story

CHILDREN’S PRIVACY—U.S.

FTC Denies Group’s Request for Delay in COPPA Date (May 7, 2013)

The Federal Trade Commission (FTC) has voted to keep July 1 as the scheduled implementation date for the update to COPPA, ADWEEK reports. The decision denies a request from 20 groups including the Interactive Advertising Bureau and the Application Developers Alliance that the date be pushed back by six months, citing “insufficient time” between the FTC’s issued guidance on the new rules and the required compliance date. The groups say they need more time to make changes to their products. But the FTC responded that the groups had enough time and didn’t provide sufficient reasons for the requested change in date.
Full Story

BYOD

What’s Yours and What’s Theirs? (May 7, 2013)

Despite standards that are beginning to emerge, such as the UK ICO’s recent guidance for BYOD policies, issues surrounding employees’ use of personal devices for corporate work remain a fairly sticky wicket. At the IAPP Europe Data Protection Intensive in London, a panel discussion and presentation, “BYOD: What’s All the Fuss,” sought to provide a bit of clarity through personal experiences at the likes of Vodafone, the BBC and global medical research firm Beckman Coulter.
Full Story

SOCIAL NETWORKING—CANADA

OPC Survey and Demise of Data Farm Deal Highlight Privacy Issues (May 7, 2013)

Winnipeg Free Press reports on the end of a deal that would have resulted in a Facebook “data farm…full of high-powered servers necessary to store information from billions of users worldwide” being built in Manitoba. Facebook considered the province due to such factors as land prices and renewable energy but ultimately “cited concerns about Canadian privacy laws in making its decision to pull out of Manitoba,” the report states. In other news, an Office of the Privacy Commissioner survey indicates, “Privacy concerns are driving Canadians away from smartphone apps and online services,” SC Magazine reports.
Full Story

PRIVACY LAW—EU

Albrecht Leads the Charge (May 7, 2013)

EUObserver reports on the man behind the European Parliament’s update to its data protection legislation. Thirty-year-old Jan Philipp Albrecht, a German Green MEP, is lead negotiator on the regulation. He says he understands small- and medium-sized businesses’ concerns about the regulation’s requirements that they hire data protection officers and says the amendment calling for fines of up to two percent of a company’s global turnover for failing to comply with the regulation is “reasonable.” Meanwhile, ZDNet reports on the regulation’s potentially far-reaching effects on data centers around the globe.
Full Story

PERSONAL PRIVACY—U.S.

Rights Groups File Suit Over Plate-Readers (May 7, 2013)

The American Civil Liberties Union Foundation of Southern California (ACLU) and the Electronic Frontier Foundation have asked a judge to order Los Angeles police and sheriff’s departments to provide details on their use of license-plate scanning technology, Los Angeles Times reports. The departments have refused to produce the information as requested under the Public Records Act, stating the information is investigative material. The groups are seeking a week’s worth of data from the readers. The sheriff's department responded, saying, "The public interest served by not disclosing the record clearly outweighs the public interest served by disclosure of the record," but an ACLU lawyer notes, "Nothing will demonstrate to people the threat to their privacy as clearly as the release of this data."
Full Story

ONLINE PRIVACY

The Struggling Do-Not-Track Negotiations (May 6, 2013)

The New York Times reports on the friction between industry and privacy advocates leading up to what will be the final face-to-face negotiations within the World Wide Web Consortium (W3C) on establishing a Do-Not-Track (DNT) standard. On Friday, Mozilla posted a new report on the “State of Do Not Track in Firefox.” Yet, if the W3C cannot come to an agreement this week, the proposed standard may go the way of the dodo. Two main sticking points revolve around default settings and what data may be collected after a DNT signal is activated. Jonathan Mayer, a Stanford University graduate student and participant in the W3C talks, said, “I think it’s right to think about shutting down the process and saying we just can’t agree,” adding, “We gave it the old college try. But sometimes you can’t reach a negotiated deal.” Editor’s Note: Mercatus Center Senior Research Fellow Adam Thierer recently wrote about Do Not Track in the first installment of a point-counterpoint with the Center for Democracy & Technology’s Justin Brookman for the IAPP’s Privacy Perspectives. (Registration may be required to access this story.)

GEO-LOCATION

What’s the Equivalent of Shouting “Fire!” in a Crowded Theater? (May 6, 2013)

The Center for Geographic Analysis held its annual conference at Harvard’s Tsai Auditorium last week, focusing on the challenges and thoughts surrounding policy-making for a location-enabled society. The benefits of location technology are hard to deny—identifying influenza outbreaks, getting necessary transportation to people in remote locations, providing emergency services to people who call 911 from cell phones, heck, even just figuring out how to get home without being stuck in rush-hour traffic—but the collection, analysis and use of this data bring risks, too.
Full Story

PERSONAL PRIVACY

Did Andy Warhol Get It Wrong? (May 6, 2013)

In 1968, Andy Warhol famously quipped, “In the future, everyone will be world-famous for 15 minutes.” But what if the opposite is becoming true? In his recent Privacy Perspectives blog post, IAPP Associate Editor Jedidiah Bracy, CIPP/US, CIPP/E, writes, “We could also say it this way, ‘In the future, everyone will have anonymity for 15 minutes.’” A recent TED Talk, given by Juan Enriquez, further illustrates this point by looking at “the obvious combination of Big Data, tattoos, immortality, the Ancient Greeks…and, of course, Jorge Luis Borges.”
Full Story

DATA LOSS—U.S.

AGs Want Details on Website’s Breach; Suit Filed Over Missing Laptop (May 6, 2013)

Connecticut Attorney General George Jepsen and Maryland Attorney General Doug Gansler have asked coupon website LivingSocial for information about a recent data breach affecting approximately 29 million U.S. customers, Legal Newsline reports. The two AGs have asked the company for details including its data storage, security and password protection systems, as well as its plan for preventing future incidents. Meanwhile, in South Carolina, a lawsuit has been filed in federal court after a laptop containing unencrypted data on more than 7,000 veterans went missing. The suit seeks unspecified damages.
Full Story

DATA PROTECTION—UK

Former ICO Talks Lagging Regs (May 6, 2013)

Data protection regulations aren’t keeping pace with technology. That’s according to former UK Information Commissioner Richard Thomas, who said recently that significant advances in the capacity to store data have left a gap, SC Magazine reports. “I made myself a bit of a reputation during the last three or four years of my time as information commissioner saying that the…European directive…was not fit for purpose and it was a mainframe directive that didn’t accommodate the modern world at all,” he said. Editor’s Note: Thomas made similar remarks at the Data Protection Intensive in London.
Full Story

CCTV—AUSTRALIA

Cameras Shut Down Over Privacy Incident (May 6, 2013)

New South Wales Premier Barry O’Farrell has said the government will move to enact legislation to ensure the continued use of closed-circuit television cameras (CCTV) on public streets after an invasion-of-privacy incident prompted officials to turn off the cameras, The Sydney Morning Herald reports. O’Farrell said CCTV “has proven essential in assisting police” and cameras are “a vital tool in the fight against crime, and I am determined to ensure they remain so.” O’Farrell also has asked the attorney general “to seek urgent advice on the implications and whether legislative amendments are required to validate the continued use of CCTV.” In the U.S., meanwhile, during Sunday’s airing of Meet the Press, a U.S. lawmaker discussed the importance of camera surveillance to curb terrorism in the context of the Boston Marathon bombings.
Full Story

DATA PROTECTION—UK

Trade Group Issues Insurance Guidelines (May 6, 2013)

The Association of British Insurers (ABI) has published guidance for insurance companies on obtaining consent for data-sharing, Out-Law.com reports. ABI advises companies to obtain opt-in consent to share data with firms that are not “directly involved in managing or delivering a policy, handling a claim, setting premiums, detecting and preventing fraud” or involved in customer service, the report states, adding that companies collecting data must respect UK data protection laws.
Full Story

SURVEILLANCE—U.S.

NYC Police Chase Smartphone Thief (May 6, 2013)

“The closest comparison that leaps to mind is a classic chase scene from a 1971 thriller,” is how The New York Times describes a case where New York City police tracked down an individual who stole an iPhone. Law enforcement was able to track the suspect’s movements by using the “Find My Phone” feature. According to the report, 16,000 smartphone devices are stolen per year in New York City. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Is Do Not Track the Silver-Bullet Solution? (May 3, 2013)

“If there’s one lesson I’ve learned in 21 years of covering information technology policy, it’s that there are no simple silver-bullet solutions to complex issues like online safety, hate speech, spam, cybersecurity, data breaches or digital privacy,” writes Adam Thierer, senior research fellow at the Mercatus Center. In this first point/counterpoint installment in Privacy Perspectives, Thierer presents reasons for “why we should be careful about placing all our eggs in one basket…”

PRIVACY LAW—U.S.

State Legislative Roundup (May 3, 2013)

A number of U.S. states have passed or are working on various types of privacy legislation—from employee privacy to breach notification. Most notably, California has pulled a bill that would have required businesses to disclose to consumers data they have collected on them. The Pennsylvania Senate has passed a law that would require state agencies to notify residents of a breach “as soon as possible.” And the Texas House has also “tentatively” approved similar social media legislation.
Full Story

DATA LOSS—U.S.

Reputation Protection Biz Announces Breach (May 3, 2013)

Reputation.com announced to its customers this week that it had been hacked, reports Dark Reading. The information compromised included customer names, e-mail addresses and mailing addresses, though no financial data was stolen. The company reports it has hired third-party security experts to inspect and improve its current operations. Law enforcement is also investigating. Meanwhile, HealthIT Security reports on how the Kmart data breach could have been avoided.
Full Story

PRIVACY LAW—EU

BCR for Processors Endorsed (May 3, 2013)

“The fact that with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19-page explanatory document to clarifying and endorsing the role of BCR for Processors or Binding Safe Processor Rules (BSPRs) is very telling,” Eduardo Ustaran, CIPP/E, writes for Field Fisher Waterhouse’s Privacy and Information Law Blog. Ustaran’s post highlights key elements in the Working Party’s document and notes that “despite the detailed requirements that must be met, the overall approach of the Working Party is very ‘can do’ and pragmatic.”
Full Story

SURVEILLANCE—U.S.

Which Rules Will Regulate Drones? (May 3, 2013)

Obtaining overhead images via drones has become easy and inexpensive, raising new privacy concerns, reports Slate. It’s essential these concerns are addressed by legal frameworks such as the U.S. Constitution and existing state and federal laws, the report states. Last year, President Barack Obama signed a Federal Aviation Administration bill that addresses the integration of drones into airspace by late 2015. “It’s still far too early to know exactly how FAA rules designed to provide safety and efficiency will affect unmanned aircraft privacy,” the report states.
Full Story

DATA LOSS—U.S.

Ex-Employee Charged in Hacking Case (May 3, 2013)

The New York Times reports on a software programmer who now finds himself pleading not guilty in a federal court over charges of computer hacking. Michael Meneses worked for Spellman High Voltage Electronic Corporation and, after resigning, allegedly used stolen passwords and his knowledge of the company’s computer systems to wreak havoc. He faces up to 10 years in prison, the report states. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—FRANCE

CNIL Report: Record-Breaking Year for Complaints (May 2, 2013)

The French data protection authority (CNIL) has published its annual report, which indicates a “significant increase in complaints, audits and sanctions,” reports Hogan Lovells’ Chronicle of Data Protection. The CNIL processed a record-breaking number of complaints in 2012—more than 6,000—mostly from private individuals. It conducted 458 audits, up 20 percent from 2011. In the report, the authority notes “the challenges of regulating Big Data and cloud computing” and recommends “the right to be forgotten” within the proposed EU data protection regulation be enhanced.

ONLINE PRIVACY—U.S.

U.S. Companies Fight EU-like Proposals (May 2, 2013)

U.S. Internet companies are pushing back against California privacy bills that closely resemble EU proposals, Bloomberg reports. One such bill would require companies to disclose what information they share with third parties and provide them with the corresponding contact information. Another would require social networking sites to remove user information within four days of such a request, akin to Europe’s “right to be forgotten” provision in the draft data protection regulation. Companies have argued the provisions would be detrimental to ad revenues.
Full Story

HEALTHCARE PRIVACY—U.S.

HIPAA Update Poses Tech Problems for Privacy (May 2, 2013)

The move toward electronic health records and new federal rules set to give patients more control over their data are posing technical and administrative obstacles, The Wall Street Journal reports. One CEO of an electronic records system firm said, “The reality is, our ability to exchange electronic information is already well beyond our ability to control it.” Beth Israel Deaconess Medical Center Chief Information Officer John Halamka said, “It’s a technology problem and a work-flow problem and a policy problem.” Patient Privacy Rights Founder Deborah Peel said she’s concerned patients won’t be candid with their doctors over privacy fears. “Nobody knows who is using their health information and for what purpose,” she added. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Reddit Rewrites Policy for Usability (May 2, 2013)

Reddit has rewritten its privacy policy “from the ground up” in order to be clearer and more accessible to the average user, WebProNews reports. The policy goes into effect May 15. “For some time now, the reddit privacy policy has been a bit of legal boilerplate,” said the announcement. “This new policy is a clear and direct description of how we handle your data on reddit and the steps we take to ensure your privacy.”
Full Story

PRIVACY LAW—AUSTRALIA

Draft Breach Notification Bill Being Circulated (May 2, 2013)

SC Magazine reports on draft data breach notification legislation from the Australian government that is being circulated among a “small number of stakeholders.” Circulated by the Australian Attorney-General’s Department, the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 “appears to take a conservative approach in its demand for data breaches to be reported, with only classifications of serious data breaches considered.” The report states the legislation could come into force this July with an undisclosed grace period for compliance.
Full Story

BIG DATA

Who Stands To Profit from the Quantified Self Movement? (May 2, 2013)

Details Magazine reports on the explosion of wearable devices and wellness apps that are often transmitting potentially sensitive data to the cloud. As many as five million Americans currently use wearable devices, and as much as $700 million was invested by venture capital firms in creating such devices in the first half of last year. As a result, one digital tracking group, Quantified Self, has been formed and abides by the credo, “Self-knowledge through numbers.” Others, however, are concerned about the privacy ramifications of transmitting personal health data to the cloud. One computer scientist worries the data could be used against an individual. “It might mean that if your health is looking shaky, all of a sudden you won’t be able to get a loan,” he said. Meanwhile, a California-based programmer has raised concerns that Google Glass could easily be compromised by hackers.
Full Story

ONLINE PRIVACY

Doc Causes Stir Before W3C Meeting (May 1, 2013)

There are rumblings within the World Wide Web Consortium (W3C) leading up to next week’s Do-Not-Track (DNT) meeting after a document was distributed among members “rendering the meeting practically moot,” AdWeek reports. The “Draft Framework for DNT Discussions Leading Up to Face-to-Face” has been called a “framework,” but privacy groups have called it a “proposal” from the Digital Advertising Alliance (DAA). In the document, DNT would be off by default. W3C Co-Chair Peter Swire, CIPP/US, said, “As the name states, it is a framework for discussion, to help frame a possible agenda for next week’s face-to-face meeting in California.” DAA Counsel Stu Ingis said the document is the result of input from the DAA, consumer groups and other stakeholders. “It’s hard for stuff to happen if there’s no agenda,” said Ingis, adding, “There are a lot of cats to herd.”

CYBERSECURITY—U.S.

NIST Releases “Major Revision” of SP 800-53, Emphasizes Privacy (May 1, 2013)

In what the National Institute of Standards and Technology describes as its most significant revision of the U.S. federal government’s foundational computer security guide since it was first released in 2005, eight new families of privacy controls, based on the internationally accepted Fair Information Practice Principles, have been added. Security and Privacy Controls for Federal Information Systems and Organizations, known generally as SP 800-53, now includes an Appendix J, the Privacy Control Catalog, and the name of the document as a whole now has “privacy” in it for the first time. Look for an IAPP report on this development in the near future.
Full Story

IDENTITY THEFT—U.S.

The Consumer Cost of a Data Breach (May 1, 2013)

New research has revealed the consumer costs of last year’s breach of the Utah Department of Health. The New York Times’ Ann Carrns noted that on average, according to Javelin Strategy & Research, “each incident will result in more than $3,300 in losses” and each victim “will spend about 20 hours and $770 on lawyers and time lost from work to resolve the case.” Meanwhile, Bloomberg reports that more clinics and hospitals are investing in biometric technology—such as iris scans—to improve patient safety and curb identity theft. U.S.-based data breaches may have cost the healthcare industry as much as $7 billion a year, according to a Ponemon Institute study. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Putting Privacy in Your Organization’s DNA (May 1, 2013)

In the latest installment of Privacy Perspectives, GMAC Corporate Counsel and Chief Privacy Official Allen Brandt, CIPP/US, CIPP/E, writes, “How much time, effort and resources do we all spend on staff training, and yet, we still see many of the same mistakes get repeated,” asking, “So how might we change an organization’s privacy culture and DNA?”
Full Story

HEALTHCARE PRIVACY—U.S.

Parents Say HIPAA Risks Public Safety (May 1, 2013)

HealthIT Security reports on the risks to public safety when it comes to HIPAA privacy standards. At a recent hearing at the House Oversight and Investigation Subcommittee of the Energy and Commerce Committee, parents articulated concerns about HIPAA’s “limiting nature.” One parent, whose son died of a heroin overdose, testified that HIPAA rules prevented him from obtaining his child’s medical data—data that could have contributed to the child’s wellbeing. Some experts say the problem isn’t with HIPAA but with how some organizations interpret it, the report states.
Full Story

DATA PROTECTION

Report: Firms Improving, But Data Sharing Still “Sobering” (May 1, 2013)

In its annual review of tech companies’ sharing of user data with law enforcement and government, the Electronic Frontier Foundation (EFF) says companies have improved markedly since last year, but the San Francisco Chronicle reports the results may still be “sobering.” The EFF grades companies on six categories, including whether they require a warrant to share data, inform users of requests and publish transparency reports. “When you use the Internet, you entrust your conversations, thoughts, experiences, locations, photos and more to companies like Google, AT&T and Facebook,” the EFF wrote. “But what do these companies do when the government demands your private information? Do they stand with you? Do they let you know what’s going on?”
Full Story

SMART GRID—EU

Working Party Dislikes EC’s Impact Assessment Template (May 1, 2013)

The Article 29 Working Party has criticized the European Commission’s recommended template for data protection impact assessments (DPIA) on smart meter use, Out-Law.com reports. “The submitted DPIA Template does not directly address the actual impacts on the data subjects, such as, for example, financial loss resulting from inaccurate billing, price discrimination or criminal acts facilitated by unauthorized profiling,” said the Working Party. Smart metering is due to take effect in the UK in 2014, but privacy concerns have been raised.
Full Story

FINANCIAL PRIVACY—U.S.

Class-Action Incites Music Industry Privacy Concerns (May 1, 2013)

A proposed class-action lawsuit has some in the music industry concerned that artists’ financial privacy will be breached, according to Hollywood Reporter. The proposed class-action was launched against Universal Music Group (UMG) by two musicians seeking damages based on treating income from online downloads as “sales” instead of “licenses.” The plaintiffs’ lawyers want UMG to disclose download revenue tied to particular artists to calculate potential damages. Lawyers for UMG said, “Under plaintiffs’ proposal, plaintiffs’ attorneys and music-industry professionals could review the private financial information of thousands of recording artists with whom they may have adverse relationships and who have not indicated any desire to be part of any class or to be represented by these attorneys or professionals.”
Full Story