Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

DATA PROTECTION—U.S.

FBI Allows for Real-Time Breach Reports; University Breach Affects 72,000 (July 31, 2013)

An FBI program launched this week will allow companies to report cybersecurity attacks in real time, Federal Times reports. The program rolled out this week to 58,000 companies in the FBI’s InfraGard network. Meanwhile, the University of Delaware is alerting 72,000 past and present employees of a breach affecting their personal information. The breach involved names, addresses and Social Security numbers among other data and was due to a “vulnerability in software acquired from a vendor.” In another incident, US Airways has notified its employees that a programming error at its payroll vendor may have allowed other employees to view their paystub information. And SC Magazine reports a vulnerability in BlackBerry 10 allowed user credentials to be sent in plain text.

PRIVACY IN CONTEXT

Tell the Authors: What Should We Expect? (July 31, 2013)

In response to The New York Times’ story describing the arrival of our “contextualized” existence—brought forth by predictive search apps—IAPP President and CEO Trevor Hughes, CIPP, asks how we can manage such contextualized environments. At the IAPP Privacy Academy, Robert Scoble and Shel Israel will provide a keynote on their upcoming book on our contextual future and are asking for input on what we should expect with regard to privacy. You are invited to share comments on privacy in context in our Privacy Perspectives discussion to help Scoble and Israel finish their book.

CHILDREN’S PRIVACY—U.S.

FTC Updates COPPA FAQs (July 31, 2013)

The Federal Trade Commission (FTC) has updated its Frequently Asked Questions (FAQs) about changes to the Children’s Online Privacy Protection Act (COPPA). Updates cover share buttons, actual knowledge and information collected from child-directed sites. If an app includes a share button that allows children to send or post information, “verifiable parental consent” is required; clarity on the actual knowledge standard is provided, and best practices are offered to third parties that discover that personal information from a child-directed site has been collected. Recent COPPA revisions by the FTC went into effect on July 1.

PRIVACY LAW—U.S.

Court: Gov’t Doesn’t Need Search Warrant for Location Data (July 31, 2013)

A federal appeals court has decided that government authorities can extract historical location data directly from telecommunications carriers without a search warrant, The New York Times reports. The court ruled that such searches are constitutional because location data is a “business record” and so is not protected by the Fourth Amendment, the report states. The decision could have implications for other government initiatives to collect metadata under the premise that it constitutes a business record. “It doesn’t make it a slam dunk, but it makes a good case for the government to argue that position,” said one expert. This follows a decision Monday on the searches of cell phones in general where judges said they believe it’s a matter for the Supreme Court. (Registration may be required to access this story.)

SOCIAL NETWORKING—U.S.

Facebook Publishes Guide for Domestic Abuse Victims Online (July 31, 2013)

San Francisco Chronicle reports on Facebook’s new guide for survivors of domestic abuse, suggesting how to protect privacy and safety while using the social network. Facebook was advised on the guide by the National Network to End Domestic Violence (NNEDV), which sits on Facebook’s advisory board. “It’s not acceptable to tell survivors of domestic violence just to give up their technology,” said NNEDV Vice President Cindy Southworth. “What she really needs is that he not be able to contact her, and if he does, that he is held accountable.” Editor’s Note: The IAPP recently published an exclusive interview with the NNEDV’s Southworth. Check out “Where Technology and Domestic Violence Collide.”

SURVEILLANCE—U.S.

Americans More Worried About Privacy Than Terrorism (July 31, 2013)

Americans are now more concerned about privacy than terrorism. That’s according to a new poll by Pew Research, Reuters reports. Meanwhile, in a letter to Senate Judiciary Committee leaders earlier this week, a judge from the Foreign Intelligence Surveillance Court revealed that “no telephone company or other service provider has ever resisted” court orders under the USA PATRIOT Act’s Section 215. U.S. News & World Report says National Security Agency (NSA) surveillance is “just one of a growing number of programs in which government is pressing forward with new technology to compile immense amounts of new data on individuals,” and The Guardian reports on the program used by the NSA to gather intelligence from the Internet.

BIOMETRICS—U.S.

With Facial Recognition, What About Guests’ Privacy? (July 31, 2013)

In a blog post for 4Hoteliers, Joseph Fischer writes about privacy concerns that stem from hotel use of facial recognition. Fischer notes that, though the system is intended for recognizing VIPs, it could expand to recognize “black-listed guests,” hotel critics and reporters, “problematic” reviewers and other guests from classification organizations. “There are clearly some advantages in having such a system,” he writes, “but one of the key questions that comes to my mind is what about our guests’ privacy?” He also notes such a system could be misused or hacked. Intel has also reportedly dropped a facial recognition feature from an upcoming TV service out of lighting and privacy concerns.

HEALTH PRIVACY

The Digital Health Revolution: Promises and Privacy Concerns (July 31, 2013)

The move to electronic health records has been underway for years but has picked up considerable steam of late. Accompanying this sea change are technologies that bring both the promise of increased efficiency and quality of healthcare as well as concerns about the protection and appropriate use of sensitive and personal information. Join Proteus Digital Health Co-Founder and CMO George Savage, Field Fisher Waterhouse Partner Phil Lee, CIPP/E, CIPM, and CDT Health Privacy Project Director Deven McGraw in an IAPP web conference exploring the benefits and risks involved in processing data with a fascinating new technology and its creators’ preemptive moves to address privacy issues.

INTERNET OF THINGS

Privacy and the Quantified Self (July 31, 2013)

Deutsche Welle reports on the Quantified Self Movement, noting that many users in Europe log and upload their personal information to the cloud, which raises privacy and data protection concerns. One developer said, “You have to distinguish between a fitness tracking application and wearable sensors and health sensors,” adding, “These fitness tracking apps, and their data, are not as sensitive as diabetes data, and they are also treated differently by the regulatory bodies.” Meanwhile, Venture Beat reports on Saga, a “life-blogging app,” used to passively capture data about users’ daily activities “to learn about your habits and preferences and track your behavior over time.”

PRIVACY IN CONTEXT

Just How Creepy Is Predictive Search? (July 30, 2013)

In a front-page story today, The New York Times reports on the new trend of apps utilizing predictive search to alert users to information they didn’t know they needed. From Google Now to Evernote to MindMeld, these apps scan users’ e-mail, calendar, notes and other items in the cloud or on a device to predict which information will be useful in the near future. A user might receive an alert that traffic is bad between midtown and the suburbs because the app knows that’s where the 10 a.m. meeting is. However, some observers are calling the services invasive and creepy, while others point to issues around context. “What works for a group of 30-something engineers in Silicon Valley may not be representative of the way that 60-year-old executives in New York tend to use their phones,” says UPENN Wharton School Prof. Andrea M. Matwyshyn. (Registration may be required to access this story.) Editor's Note: Context will be front-and-center at the IAPP's Privacy Academy 2013 this September when Shel Israel and Robert Scoble, co-authors of Age of Context: How Mobile, Sensors & Data Will Change Your Life, offer their keynote address.

PRIVACY BUSINESS

Privacy Predicted To Be Next Competitive Differentiator (July 30, 2013)

GigaOm has early access to a Forrester survey that finds 62 percent of consumers say they would be “not at all likely” to do business again with a company known to have shared their PII with a data broker. Further, 37 percent report that they’ve abandoned a transaction online due to something they didn’t like in the terms of service, including the privacy policy. Finally, the study commissioned by analytics firm Neustar finds more than a quarter of respondents now using ad-blocking software. This leads Forrester to conclude that privacy is “the new green movement,” but the GigaOm author is skeptical. Also today, GigaOm reports on the new trends in data-driven remote healthcare in the U.S.

DATA PROTECTION—U.S.

Commission To Mull Safety of Safe Harbor (July 30, 2013)

Vice President of the European Commission Viviane Reding said the commission will present a “solid assessment” of the current Safe Harbor agreement between the EU and U.S. by the end of the year, Out-Law.com reports. The European Parliament has called on the commission to conduct such a review following revelations that Safe Harbor parties were involved in the U.S. National Security Agency’s surveillance program. Reding has said, “The Safe Harbor agreement may not be so safe after all.”

DATA PROTECTION—EU & U.S.

Parallel Privacy Universes and PRISM (July 30, 2013)

“The U.S. and Europe seem locked in their own separate, parallel universes in the way they view PRISM and other recent revelations concerning law enforcement data access, as demonstrated by differences in transatlantic media coverage,” writes Wilson Sonsini’s Christopher Kuner. With discussion in Europe of reviewing the legality of the U.S. Safe Harbor agreement, some in the U.S. say these reactions “are just an excuse for protectionism.” In this Privacy Perspectives post, Kuner delves into the differing reactions on each side of the Atlantic, writing that both sides need to “find some common ground in order to better understand each other’s positions and avoid a political meltdown.”

PRIVACY LAW—U.S.

Appeals Judges: Supreme Court Should Decide Cell Search Case (July 30, 2013)

Following the First U.S. Circuit Court of Appeals’ decision Monday not to rehear a case involving whether warrants are needed to search cell phones, “two First Circuit judges said they voted against rehearing the case in order to speed its path to the U.S. Supreme Court,” The Wall Street Journal reports. In May, the Appeals Court decided 2-1 that Boston police needed a warrant to search a suspect’s cell phone, and earlier this month, Justice Department lawyers asked the court to rehear the case. “Ultimately this issue requires an authoritative answer from the Supreme Court, and our intermediate review would do little to mend the growing split among lower courts,” wrote Judge Jeffrey R. Howard, and Chief Judge Sandra Lynch wrote, “The preferable course is to speed this case to the Supreme Court for its consideration.” (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Sen. Leahy Introduces FISA Privacy Act (July 30, 2013)

Senate Judiciary Chairman Patrick Leahy (D-VT) has introduced legislation to reform America’s surveillance powers, Slate reports. The FISA Accountability and Privacy Protection Act of 2013—which is cosponsored by nine additional senators—would narrow the scope of Section 215; allow for judicial review of “gag orders” provisions; move up the FISA Amendments Act sunset clause by two years; require the inspector general of the intelligence community to conduct a comprehensive review of the current law and its impact on citizens’ privacy, and mandate the release of an unclassified report for the public on the impact of the surveillance programs on individual privacy, the report states. The Senate Judiciary will host a hearing on privacy and the NSA disclosures on Wednesday.

DATA LOSS—U.S.

OHSU Reports 3,000 Records Breached (July 30, 2013)

The Oregon Health & Science University has notified more than 3,000 patients their personal data was compromised after it was discovered the data was placed by resident physicians on two information-sharing services, ModernHealthcare reports. Compromised data included patient names, medical record numbers, dates of service, diagnoses and providers’ names. The school said, “There is no evidence that the data were accessed or used by anyone who did not have a legitimate patient-care need to view the information.” (Registration may be required to access this story.)

TRAVELERS’ PRIVACY—JAPAN

Railway Company Apologizes for Sharing PII (July 30, 2013)

Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent, The Wall Street Journal reports. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Woman Awarded $1.44M; Company To Appeal (July 29, 2013)

Indianapolis Star reports a Marion Superior Court jury has awarded a plaintiff “$1.44 million after finding Walgreens and a pharmacist violated her privacy when the pharmacist looked up and shared the woman’s prescription history.” The lawsuit alleged, “As a provider of pharmaceutical service, defendant Walgreens Co. owes a non-delegable duty to its customers to protect their privacy and confidentiality of its customers’ pharmaceutical information and prescription histories.” In a statement, Walgreens has said it will appeal, stating it is “a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.”

INTERNET OF THINGS—U.S.

The Good, the Bad and the Ugly of the IoT (July 29, 2013)

In anticipation of a roundtable discussion on the Internet of Things this November, the Federal Trade Commission has released submitted comments—coming from industry, privacy advocates, academics and regulators. This Privacy Perspectives post explores the potential benefits and drawbacks of this nascent phenomenon as well as the privacy discussions that need to be hashed out. Meanwhile, Kashmir Hill of Forbes writes about hacking into a smart home. Editor’s Note: Look out for an upcoming IAPP web conference on the health privacy implications of IoT.

PRIVACY LAW

Developments in the U.S., UK, China and the UAE (July 29, 2013)

In this week’s Privacy Tracker Global News Roundup, read about court decisions, hearings and proposals that may affect the future of privacy legislation in the U.S.; the declaration by the UK Information Commissioner’s Office that one town violated privacy law; China’s latest privacy rule, and a United Arab Emirates law that forbids photographing or videoing individuals without their permission. (IAPP member login required.)

GEO PRIVACY—U.S.

Legislator Calls on FTC To Curb Brick-and-Mortar Tracking (July 29, 2013)

Sen. Charles Schumer (D-NY) has called on the Federal Trade Commission to institute rules to allow shoppers to opt out of smartphone tracking at brick-and-mortar retail stores, CBS New York reports. Schumer said that participating stores are “going to know a lot about you by following you around, even if you don’t purchase, even if you’re just browsing.” He also added that children can be tracked, and collected data may be stored indefinitely.

ONLINE PRIVACY

Pinterest To Honor DNT Settings (July 29, 2013)

Pinterest has added new site-personalization features for users drawn from their web-browsing activities but has also provided users with an opt-out choice, GigaOm reports. The company also announced it will support and honor users who select Do-Not-Track settings. “We’re excited to give everyone a more personalized experience,” Pinterest wrote in a blog post on Friday, “but we also understand if you’re not interested! We support Do Not Track, and you can change your account settings anytime.” The Electronic Frontier Foundation (EFF) supported the moves, which are similar to those of Twitter. “Hopefully, the decisions of Twitter and Pinterest are the vanguard of a new industry standard around respecting Do Not Track and soon this will be the default of all major websites,” the EFF wrote.

SURVEILLANCE—U.S.

Senators Seek Changes to FISC, Section 215 (July 29, 2013)

Speaking on ABC’s This Week, Sen. Richard Durbin (D-IL) said changes to foreign intelligence surveillance court proceedings are needed and proposed adopting “a real court proceeding” to approve wiretapping requests, The Wall Street Journal reports. “Let’s have an advocate for someone standing up for civil liberties to speak up about the privacy of Americans when they make each of these decisions,” Durbin said, along with proposing the release of redacted FISA court transcripts. In a special to The Washington Post, Sens. Mark Udall (D-CO) and Ron Wyden (D-OR) urge the White House to “end the bulk collection of Americans’ phone records and instead obtain information directly from phone companies, using regular court orders based on individual suspicion.” The prevailing sentiment, The New York Times reports, is that momentum is building in Congress to alter NSA surveillance. (Registration may be required to access this story.)

SOCIAL NETWORKING—U.S.

CIO Council Issues Social Media Guidance (July 29, 2013)

GovInfoSecurity reports the CIO Council has issued guidance calling on government agencies to be transparent about their use of social media. The guide, Privacy Best Practices for Social Media, states, “By being transparent about what type of information the agency is collecting and how it is collecting it, the agency can help minimize the public's concern that the government is monitoring individual speech and actions on social media.” The guide offers best-practice advice on establishing a social media program and using social media for information sharing, among others. The guide recommends limiting “information gathering to facts surrounding an event” and collecting PII only “in very limited situations,” the report states.

DATA LOSS—U.S.

Stanford Breached; Recognizing Bank Breaches (July 29, 2013)

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.” Meanwhile, Bank Systems & Technology writes, “we have found that many employees, even those who are technically savvy, do not recognize as reportable events the situations that commonly result in a data breach.”

PRIVACY ENGINEERING

PbD Being “Widely Adopted” in IT (July 29, 2013)

IT Business writes this week about the growing acceptance among software developers and others in IT of Privacy by Design (PbD) as an industry standard. The article uses by way of example the increasingly powerful G2 software from IBM, which analyzes data and is adding a “data anonymizer” module in its latest iteration. Similarly, even smaller firms like Toronto’s Route1, Inc., are beginning to view security and privacy as equally valuable and building their products accordingly. All of this is leading up to an expected PbD guidebook for software engineers, to be released in the next eight to 10 months by the Organization for the Advancement of Structured Information Standards and penned by PbD’s chief advocate, Ontario Information and Privacy Commissioner Ann Cavoukian. Meanwhile, Cavoukian’s involvement in the “scrapped gas plants” controversy is leading to partisan bickering in Canada.

STUDENT PRIVACY—U.S.

Advocates Support Banning Biometrics in Schools (July 29, 2013)

As more schools explore and adopt security systems for identification purposes, WFSU reports that such a move “recently caused a stir in Florida when Polk County Schools decided to incorporate biometric data systems.” The use of technology such as iris scans could soon be banned in the state’s schools, the report states, noting the school district launched a pilot program “allowing a security company to install iris scanners on school buses” without notifying parents in advance. The security company has said it deleted all information gathered, but concerns remain and the ACLU of Florida says a bill is in the works to ban such systems, the report states.

ONLINE PRIVACY—U.S.

Digital Advertiser Settles Privacy Violation (July 26, 2013)

Digital marketing company PulsePoint has agreed to settle charges by the acting New Jersey attorney general and the New Jersey Division of Consumer Affairs that it bypassed consumers’ privacy settings in Safari browsers, The New York Times reports. The company allegedly used cookies to bypass settings that are designed to block targeted ads. Acting New Jersey Attorney General John J. Hoffman said, “This settlement puts online advertisers on notice that they must respect consumers’ privacy settings, or end up paying far more in penalties than any violations would generate in ad revenue.” Another provision of the settlement requires PulsePoint to post its data collection practices on its website. A company spokeswoman said PulsePoint took “user privacy very seriously” and that the cookies in question had been “primarily limited to technical purposes such as fraud detection” and not for targeted ads. (Registration may be required to access this story.)

MOBILE PRIVACY

NTIA-Led Group Releases Code of Conduct (July 26, 2013)

After a year of meetings and deliberations, the multi-stakeholder group organized by the National Telecommunications and Information Administration released yesterday statements showing general support for its Short Form Notice Code of Conduct, along with concrete examples of what the “nutrition label”-like short-form privacy notice might look like. These new notices won’t replace long-form privacy notices, but will serve as quick guides to which information is being collected by mobile apps and for what purpose. However, use of the short-form notices remains voluntary, and, noted Adweek, only two of the stakeholders committed concretely to use of the code of conduct. Other groups, such as the ACLU and EFF, voted to support the short form notices, but without committing to a full endorsement. And another 17 groups voted for more consideration. “It is not a consensus and not done," said Stu Ingis, of the Direct Marketing Association.

DATA LOSS

Bank Glitch Exposes Data on 150,000 Customers (July 26, 2013)

“In a case that could serve as a warning to other banks that contribute customer data to public storehouses,” Citigroup said it improperly protected consumer data—including Social Security numbers, birth dates and other sensitive information—when it shared nearly 150,000 records with the government’s legal document system, otherwise known as the Public Access to Court Electronic Records (PACER), American Banker reports. The bank reached a settlement with a division of the Justice Department to redact the customer data at its own expense, notify those affected and offer one year of free credit monitoring. In a statement, the bank said, “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings.”

ONLINE PRIVACY

Mozilla Unveils Personalization Project, Catches Flak (July 26, 2013)

Mozilla yesterday announced on its Labs blog it has begun testing a new personalized browsing experience with Firefox, whereby users choose with which Web sites to share which PII in exchange for personalized content. Elsewhere, the company explained how this fits with its philosophy of “Personalization with Respect.” However, while TechCrunch noted this is still just in the testing stages, AdWeek called the announcement “ironic” in light of the company’s Do Not Track stance, and lined up advertising representatives to say worse: "So the takeaway is that it's OK for Mozilla to track, but not third parties?" asked Alan Chapell, CIPP/US, of Chapell & Associates, co-chair of the Mobile Marketing Association's privacy committee.

SURVEILLANCE—U.S.

Razor-Thin House Vote Prompts Privacy Action (July 26, 2013)

The Guardian reports on the “razor-thin defeat” of a congressional measure to curb domestic surveillance and the subsequent reaction from lawmakers and privacy advocates. One former NSA analyst-turned-whistleblower said, “It doesn’t mean the end of it. It’s the beginning.” Sen. Patrick Leahy (D-VT) announced the Senate Judiciary Committee will hold a hearing next week entitled, “Strengthening Privacy Rights and National Security: Oversight of FISA Surveillance Programs.” Rep. Adam Schiff (D-CA) is crafting legislation to create a special privacy advocate to appear in front of the FISA court as an “adversary.” The New York Times delves into the FISA court judges and the role played by Chief Justice John Roberts in choosing them.

ONLINE PRIVACY

Next Gen Video Game Consoles Raise Privacy Concerns (July 26, 2013)

NBC News reports on growing concern about the privacy and data collection capabilities of the next generation of video game consoles. With more integration planned between consoles and social networking sites and video chat platforms, including Skype, “consoles are becoming as connected as the other devices we use every day,” the report states. The new systems will also feature motion- and voice-controlled technology used for recognizing users. Electronic Frontier Foundation Senior Staff Technologist Seth Schoen said, “Video game consoles pose problems akin to those of mobile phones because users often have very little visibility into what devices are doing and very little control over the software running on the devices.”

ONLINE PRIVACY—U.S.

Judge Orders Google To Reveal Blogger (July 26, 2013)

A Manhattan judge says there is compelling enough evidence to unveil the identity of an anonymous blogger who has created blogs titled frederickschulmancrookedattorney.com and stopfrederickschulman.blogspot.com, reports The Wall Street Journal. “The web blogs…are causing actual, pecuniary injury to Mr. Schulman’s reputation as a zealous advocate for consumers against debt collection companies,” states Schulman’s court petition. Google questioned the necessity of revealing the blogger’s identity, but the judge has ordered them to do so, though Schulman has yet to even file a defamation suit. The blogger has an opportunity to challenge the discovery, according to the report. Unless that happens, Google has two weeks to comply. (Registration may be required to access this story.)

ONLINE PRIVACY—EU

Hawkes Says Google, Facebook Safe from Audit (July 26, 2013)

While Irish DPA Billy Hawkes announced last week he was beginning a formal audit of LinkedIn, the Office of the Data Protection Commissioner (ODPC) has said in e-mail correspondence with advocate group Europe-v-Facebook.org it will not be investigating Facebook and Google in relation to the NSA revelations, according to The Independent. "We do not consider that there are grounds for an investigation under the Irish Data Protection Acts given that 'Safe Harbor' requirements have been met," the ODPC wrote. However, that Safe Harbor agreement is now consistently under fire. Earlier this week, EU Justice Commissioner Reding said she would be reviewing the agreement, and now German privacy officials are calling on Chancellor Merkel to push for suspension of the Safe Harbor agreement.

DATA LOSS—U.S.

Feds Arrest Five in Largest Hacking Scheme Ever Prosecuted (July 25, 2013)

U.S. Attorney Paul Fishman announced today the indictment of four Russians and a Ukrainian in what he is calling “the largest hacking and data breach scheme ever prosecuted in the United States.” From 2005 to 2012, reports The Star Ledger, Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov and Dmitriy Smilianets allegedly uploaded malware into the computer systems of large institutions like Dow Jones, NASDAQ, JetBlue and 7-Eleven, then used that access to download and sell as many as 160 million credit and debit card numbers, along with other PII. Stolen funds reached into the many hundreds of millions.

PRIVACY LAW—U.S.

Ballot Initiative Could Establish “Very Different Set of Privacy Rules” (July 25, 2013)

A former California state senator and a trial lawyer have filed a “potentially revolutionary draft ballot initiative” with the California Attorney General’s Office, writes DLA Piper’s Jim Halpert for Technology’s Legal Edge. The initiative would restrict business and government disclosures of a broad range of personally identifiable information, Halpert writes, which could only be disclosed in narrow circumstances. If voters approve the initiative, California’s constitution would be amended to include “a very broad opt-in privacy regime with narrow exceptions…bringing to California a very different set of privacy rules than apply anywhere in the United States.” It would result in major cost increases for both business and government operations, Halpert writes.

CLOUD COMPUTING—EU & U.S.

Opinion: Euro Providers Use PRISM To Cloud the Truth (July 25, 2013)

“European cloud providers have tried for years to gain a competitive advantage in the European market over U.S.-based counterparts by claiming that content stored with European providers is more protected from government access than data stored with U.S. companies,” writes Steptoe & Johnson Partner Jason Weinstein. In this Privacy Perspectives post, Weinstein asks, “So as European providers seek to exploit the PRISM controversy to further cloud the truth, what should U.S. providers, and the U.S. government, do?”

PRIVACY COMMUNITY

Where Domestic Violence and Technology Collide (July 25, 2013)

The National Network to End Domestic Violence (NNEDV), comprising some 200 shelters and 56 state-level non-profit organizations, holds its annual Technology Summit next week, July 29 through 31, in San Jose, California. There, law enforcement will be trained on such topics as cell-phone spoofing, computer/cellphone spyware, phone location, the legal and safety responses to images posted without consent—an increasingly common form of Web harassment—and abuse employed by perpetrators to intimidate victims. In this Privacy Advisor exclusive, we talk with Cindy Southworth, who merges social work and technology in running Safety Net, which works with state agencies to address the ways in which technology issues impact the safety—including privacy and accessibility rights—of domestic violence victims.
Full Story

MOBILE PRIVACY

DAA, NAI Each Release Mobile Privacy Rules (July 25, 2013)

The Digital Advertising Alliance (DAA) has unveiled its long-anticipated mobile privacy code. The rules state that ad networks and other related third parties should provide notification for online behavioral advertising—also known as cross-app advertising—with a provided opt-out. Additionally, ad networks and app developers must obtain opt-in consent from users for geolocation and address-book data collection, MediaPost News reports. The grace period for implementation is expected to be nine to 12 months, potentially longer. The DAA is also working on an AdChoices opt-out icon for mobile apps. DAA counsel Stu Ingis said, “We envision that there will be an app that has the AdChoices icon in it, that consumers can download…Through the app, consumers can exercise choice with respect to all of the third parties.” The Network Advertising Initiative has released its final version of mobile privacy rules as well.
Full Story

SURVEILLANCE—U.S.

NSA Amendment Voted Down In House (July 25, 2013)

In a close vote, the U.S. House of Representatives defeated an amendment that would have prevented the National Security Agency from collecting large volumes of phone records. The 205-217 vote followed “impassioned debate over citizens’ right to privacy and the steps government must take to protect national security,” The New York Times reports. Rep. Jerrold Nadler (D-NY) said of Section 215, the provision under which the NSA collects phone metadata, “It’s going to end—now or later…The only question is when and on what terms.” Rep. Mike Rogers (R-MI) said he would draft legislation in the coming months to add more privacy protections to government surveillance programs. In an op-ed for The Times, David Brin writes of increased surveillance: “You can either fight this new era, or embrace it.” (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

SEC, Retailer Announce Breaches (July 25, 2013)

The Securities and Exchange Commission (SEC) has announced a data breach after a former SEC employee “inadvertently and unknowingly” downloaded the names, birthdates and Social Security numbers of employees onto a thumb drive and then transferred the data to another agency. The SEC did not learn of the incident until 10 months after it occurred. It is unclear how many employees were affected. Meanwhile, retailer Lakeland has warned customers of a potential data breach after two encrypted databases were accessed.
Full Story

PRIVACY RESOURCES

Help with Privacy Impact Assessments (July 25, 2013)

The IAPP online Resource Center has templates, checklists, samples, long forms, short forms, event presentations, guidance—even an evaluation of guidance documents…pretty much anything you need to get going on your own privacy impact assessment. Check out the IAPP member-only resource Close-Up: Conducting a Privacy Impact Assessment. (IAPP member login required.)
Read Now

DE-IDENTIFICATION—U.S.

Hulu: “Anonymous” Data Not Covered By VPPA (July 24, 2013)
In new court papers filed last week, Hulu argues that sharing “anonymous” data about its users’ viewing habits with third parties is not a violation of the Video Privacy Protection Act (VPPA), MediaPost News reports. In the filing with U.S. District Court Judge Laurel Beeler in San Francisco, the company wrote, “Hulu cannot be liable for disclosing anonymous user ID to comScore or Nielsen or to any other service provider.” Hulu acknowledges it shares users’ viewing histories, but removes names and any other identifying information. Instead, it assigns each user an anonymous user ID prior to transmitting the data. In the class-action lawsuit filed against the company, users allege that third parties with whom the data is shared can re-identify the information. Hulu said it stopped the practice allowing such re-identification two years ago.

PRIVACY IN POPULAR CULTURE

Dressing To Beat Big Brother (July 24, 2013)

Sitting in the closing “Quiz Show” session at the IAPP Canada Privacy Symposium a couple of months back, Ontario Privacy Commissioner Ann Cavoukian got a bit of a laugh with her call for “privacy glasses” or other “Star Trek”-like privacy technology to defeat Google Glass and other wearable computing technologies that might make covert surveillance omnipresent. But wearable privacy technology is already here and hardly a joke (though it is sort of funny).
Full Story

SURVEILLANCE—U.S.

House To Vote on Limiting Gov’t Surveillance (July 24, 2013)

A vote could take place as early as this evening on Congressman Justin Amash’s (R-MI) amendment to a U.S. Defense Department funding bill that would end authority “for the blanket collection of records under the PATRIOT Act,” The Guardian reports. “This is an opportunity to vote on something that will substantially limit the ability of the NSA to collect (the people’s) phone records without suspicion,” Amash said. In response, NSA head General Keith Alexander held four hours of Congressional briefings. Meanwhile, Sen. Ron Wyden (D-OR) said at a recent event that the NSA’s “essentially limitless” surveillance capabilities “could lead us to a surveillance state that cannot be reversed.”
Full Story

DATA PROTECTION

Soltani: CFAA Puts Researchers, Consumers at Risk (July 24, 2013)

In an opinion piece for Wired, Ashkan Soltani discusses why the Computer Fraud and Abuse Act (CFAA) puts security and privacy researchers at risk and is also bad policy for consumers. Soltani recently joined an amicus brief filed by Stanford’s Center for Internet and Society articulating the risk the CFAA places on researchers. A CFAA violation depends on whether “an action allows a user to gain ‘access without authorization.’” The “scary part,” Soltani writes, “is when these actions involve everyday behaviors like clearing cookies, changing browser reporting, using VPNs and even protecting one’s mobile phone from being identified.”
Full Story

DATA LOSS—U.S.

Citibike Notifies 1,200 of Breach (July 24, 2013)

NYC Bike Share, the company that designs and manages the Citibike sharing system, has notified nearly 1,200 customers that their credit card numbers, names and addresses were mistakenly posted on the back pages of its website for approximately 24 hours. The glitch reportedly occurred between April 15 and late May. One customer notified by the company said she was glad to have been notified directly, though she was surprised the incident happened, reports the New York Post. Some businesses just post cryptic messages on their websites, she said, adding, “I felt in a way they handled it more responsibly.”
Full Story

ONLINE PRIVACY

Germany Wants UN Privacy Charter (July 24, 2013)

In response to the NSA disclosures, senior German government officials are lobbying for expansion of the 1966 UN human rights treaty to cover modern forms of communication such as e-mail and social networks, the Associated Press reports. German foreign and justice ministers sent a letter—which was released more broadly on Wednesday—to their European Union counterparts last week: “We want to use the current debate to launch an initiative that would outline the inalienable privacy rights under current conditions.” The letter also suggests convening all 167 parties to the International Covenant on Civil and Political Rights. German data protection authorities have also called for suspension of a key data-sharing agreement between the EU and U.S.
Full Story

INTERNET OF THINGS

Researchers Hack Into Car Computer (July 24, 2013)

Forbes reports on the work of two security experts who have demonstrated how they can hack into an automobile’s computer network to control essential functions, including shutting off the brakes. Charlie Miller, a security engineer at Twitter, and Chris Valasek, an intelligence security director at IOActive, have received a grant from the Pentagon to discover security vulnerabilities in automobiles. “When you lose faith that a car will do what you tell it to do,” Miller said, “it really changes your whole view of how the thing works.” Miller and Valasek plan to share their findings at next month’s Defcon hacker meeting in Las Vegas. A representative from Toyota said the real concern isn’t physically hacking into a car, as the duo have done, but wirelessly hacking into a car. “We believe our systems are robust and secure,” the representative said.
Full Story

PRIVACY LAW—U.S.

Google To Make $8.5 Million Donation in Settlement (July 23, 2013)
Google will make an $8.5 million donation to nonprofit organizations in order to settle a class-action lawsuit alleging it leaked the names of search users, MediaPost News reports. Google will also revise the “frequently asked questions” section of its privacy policy, the report states. Recipients of the settlement include the World Privacy Forum, Carnegie Mellon, Harvard Law’s Berkman Center for Internet and Society and Stanford Law’s Center for Internet and Society.

PRIVACY ENGINEERING

Communicating Data Collection to Brick-and-Mortar Consumers (July 23, 2013)

In this Privacy Perspectives post, Ilana Westerman and Gabriela Aschenberger, both of Create with Context, explore consumer perceptions of how their data is collected while shopping in brick-and-mortar retail stores. According to their research, only 33 percent of consumers surveyed realized their location data was being collected in participating stores. “The resulting design challenge,” they write, “is to communicate to consumers that data is being collected, provide controls if consumers care to opt out and showcase how data collection can create value for the consumer.”
Full Story

ONLINE PRIVACY—U.S.

Reddit Joins Lobbying Group (July 23, 2013)

Link-sharing and discussion website Reddit has announced that it has joined the Internet Association, a Washington lobbying group. The association was founded last year and lobbies on topics including surveillance laws, privacy, regulation and cybersecurity, The Hill reports. “In spite of reddit being an incredibly effective way to lower workplace productivity, we’ve also seen how online communities can have a transformative economic impact,” said Reddit’s general manager. The Internet Association recently wrote to the U.S. Executive branch and congressional leaders calling for greater transparency on national security-related requests for user data from Internet service providers.
Full Story

SURVEILLANCE

Australian Gov’t Considers Joining Merkel’s Agreement (July 23, 2013)

The Australian government is considering participating in a global data protection agreement put forward by German Chancellor Angela Merkel following revelations of the U.S. National Security Agency’s (NSA) PRISM surveillance program, ZDNet reports. Meanwhile, Australian Federal Police Commissioner Tony Negus says there is no link between the NSA revelations and Australia’s push for a mandatory data retention regime. In an opinion piece for CNN, Sen. Al Franken (D-MN) writes he’s working on legislation that would require the U.S. government to report annually how it uses surveillance programs, including how citizens’ data is being collected and who sees it. And in another op-ed, a former head of the U.S. Justice Department’s Office of Legal Counsel writes that NSA data collection shouldn’t be constrained.
Full Story

CYBERSECURITY—U.S.

Obama Seeks Industry Incentives, Including Limited Liability (July 23, 2013)

POLITICO reports on a “preliminary” presentation set forth by the Department of Homeland Security that looks into offering incentives to industries that adopt voluntary cybersecurity standards. Potential incentives include tax breaks, cyberinsurance “perks” and protection against legal liability. A White House representative noted the presentation is a “snapshot in time” and it only “reflects some preliminary analysis.” Cybersecurity legislation failed to pass Congress last year, so the Obama administration’s cybersecurity executive order relies on industry cooperation. The DHS and National Institute of Standards and Technology are working with business to create a framework. Meanwhile, cybersecurity experts weigh in on the recent announcement that DHS Secretary Janet Napolitano will retire. (Editor’s Note: The White House’s Ari Schwartz talks about his work intersecting cybersecurity and privacy here.)
Full Story

DATA LOSS—U.S.

VA Seeks Breach Lawsuit Dismissal (July 23, 2013)

The VA has moved to dismiss a lawsuit filed by patients affected by a breach earlier this year at William Jennings Bryan Dorn VA medical center, HealthITSecurity reports. The VA filed the motion on grounds that plaintiffs have failed to prove the breached records were improperly disclosed. More than 7,400 patient records were on a laptop that was stolen last April. The government is now arguing that, given the lack of evidence that an unauthorized person viewed the records, the breach should not be considered improper disclosure under the Privacy Act, the report states.
Full Story

PRIVACY LAW—U.S.

Judge Allows Orgs To Seek Dismissal of Wyndham Lawsuit (July 22, 2013)
In a closely watched case, a federal judge in New Jersey will allow the U.S. Chamber of Commerce and other organizations to seek dismissal of a lawsuit filed by the Federal Trade Commission (FTC) against Wyndham Worldwide Corp, Computerworld reports. TechFreedom’s Berin Szoka said, “The FTC has this broad authority to make what is known as common law for information security not unlike the common law where courts make a decision and others can study and understand that law.” As a consequence, companies do not have much by way of guidance from the FTC for what constitutes deceptive and unfair practices. University of California Berkeley Prof. Chris Hoofnagle said the dismissal is a “Hail Mary effort to stop the FTC from enforcing its unfairness power.”

PRIVACY COMMUNITY

Should We Be Thinking of Data as the New Oil? (July 22, 2013)

Big Data is driving the information economy, giving it the increasingly common moniker of “the new oil.” For data artist Jer Thorp, such a comparison may not be such a good thing. Thorp was among several artists who presented new ways of visualizing data at the IAPP’s “un-conference,” Navigate. This Privacy Perspectives post, which includes video of his presentation, explores Thorp’s call for changing the conversation around data.
Full Story

DATA PROTECTION—EU & U.S.

Reding Has Doubts about Safe Harbor (July 22, 2013)

EU Justice Commissioner Viviane Reding said the European Commission will be reviewing the EU’s data-sharing agreement with the U.S., EU Observer reports. The agreement, now 13 years old, is based on a clause in the current EU Data Protection Directive and binds the 3,000 or so companies that have voluntarily signed up to a set of data transfer rules regarding notice, choice and onward transfer, among other provisions. But Reding said, “We do have the impression that the Safe Harbor Agreement might not be so safe after all.” She will present the commission’s findings by the end of this year.
Full Story

DATA LOSS

1.8m Affected by Ubuntu Breach, Apple Hacked (July 22, 2013)

Ubuntu Forums has suffered a massive data breach, the company announced on its site. Every user’s local username, password and e-mail address were stolen from the company’s database. Approximately 1.82 million users are subscribed, ZDNet reports. Meanwhile, the University of Virginia has notified 18,700 students of a recent data breach after a third-party mailing vendor accidentally sent the students’ Social Security numbers in brochures mailed to home addresses, and Apple says its website for developers has been breached, but says customer information is encrypted and was not affected.
Full Story

ONLINE PRIVACY

W3C To Miss July Deadline for DNT (July 22, 2013)

The World Wide Web Consortium (W3C) will not meet its “last call” deadline for putting out a Do-Not-Track proposal for public comment, MediaPost News reports. W3C Co-Chair Peter Swire, CIPP/US, said, “There is not a way to get to last call by the end of July,” adding, “Next Wednesday, we will have a discussion about where we are and next steps.” According to the report, the group still has the opportunity to work on the proposals, but “the talks have turned so acrimonious that it seems unlikely the group will ever agree” on a Do-Not-Track standard for headers sent to browsers.
Full Story

HEALTHCARE PRIVACY—U.S.

States Reviewing Policies Due to Anonymity Concerns (July 22, 2013)

Some U.S. states are reviewing their policies on the collection and sale of health information based on concerns around patient anonymity in publicly available databases of hospital records, Bloomberg reports. Washington, for example, has suspended distribution of such information and requires buyers to sign a confidentiality agreement, after it was revealed some patients of hospitals in the state could be identified by name and their conditions exposed. Tennessee, Nevada and Arizona have begun privacy audits, and California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska and Alaska already have reviews under way. While health care providers are forbidden from releasing patient information under HIPAA, states are exempt from the law.
Full Story

ONLINE PRIVACY

Are Consumers Changing Their Browsing Habits? (July 22, 2013)

The Associated Press reports on the changing browsing habits of consumers in light of the recent NSA disclosures. Meanwhile, a new browser add-on introduced on Monday aims to shield consumers from data mining by preventing users from disclosing contact information, CNET News reports. MaskMe, created by Abine, creates and manages “dummy” accounts for a user’s e-mail, phone number, credit card and website logins. According to the company, consumers tend to lose out in the “data-for-service exchange,” while companies win. Abine’s Sarah Downey said, “The real lesson is, ‘Stop: Don’t give out your personal information.’”
Full Story

PRIVACY LAW

EU, Brazil and U.S. State and Federal Changes Afoot (July 22, 2013)

Privacy Tracker reports on Europe and Brazil looking at possible changes to their data protection enforcement regimes, as well as potential changes to U.S. state and federal laws. The Senate hearing discussing NSA surveillance practices indicated possible changes to the USA PATRIOT Act, California is considering a digital license plate bill, the New Jersey Supreme Court ruled warrants are needed for cell phone data and one report suggests the landscape for privacy class-actions may be changing. (IAPP member login required.)
Full Story

PRIVACY COMMUNITY

The Privacy (and Security) Pro in the White House (July 19, 2013)
Much has been made of Nicole Wong’s appointment to work on privacy matters in the White House under U.S. CTO Todd Park, but there’s another privacy pro in the White House who actually has “privacy” in his title: Ari Schwartz, Director for Cybersecurity Privacy, Civil Liberties and Policy, National Security Staff, who started in the job this past month. The Privacy Advisor gets the first interview with him about his new position. Meanwhile, Politico talks about growing pains for the PCLOB, with which Schwartz will be working closely.

PRIVACY LAW—U.S.

Industry Groups Push for Federal Breach Notification Law (July 19, 2013)

At a House hearing on Thursday, industry groups called on Congress to move toward a federal data breach notification law, The Hill reports. According to some witnesses, the current patchwork of state notification laws is burdensome for business. Though the hearing was mostly informative, according to the report, House Energy and Commerce Subcommittee Chairman Lee Terry (R-NE) expressed interest in pursuing legislation. Rep. Henry Waxman (D-CA) warned that federal legislation should not undercut state standards that already “have strong breach notification laws.” The Senate last month introduced federal legislation.
Full Story

ONLINE PRIVACY—U.S.

State AGs Want Ability To Prosecute ISPs for Third-Party Content (July 19, 2013)

“If you want to run a European Internet company dealing with user-generated content, be prepared to put your personal liberty at stake,” reports Forbes. The analysis is based on recent cases involving ISP executives charged with various crimes due to the content their users posted. But Europe isn’t the only place such dangers lurk. At a meeting of the National Association of Attorneys General last week, it was revealed that some state AGs are drafting a letter to Congress that would exclude state criminal prosecutions from Section 230, a provision that says websites aren’t liable for user-generated content or other third-party content. Essentially, the change would allow state AGs to prosecute Internet companies, including their executives, for violating state law via publication of third-party content.
Full Story

INTERNET OF THINGS—U.S.

FTC Releases Public Input for Roundtable (July 19, 2013)

In anticipation of a roundtable hosted by the Federal Trade Commission (FTC) on the Internet of Things (IoT) this fall, the agency has released the input it received on IoT’s security and privacy implications. In all, 27 public comments were submitted from industry associations to privacy advocacy groups to academics to government regulators. The FTC will host the roundtable in Washington, DC, this November.
Full Story

MOBILE PRIVACY—U.S.

Study Says Short-Form Notice Can Be Ambiguous (July 19, 2013)

A new study conducted by Carnegie Mellon University (CMU) reveals that the U.S. Commerce Department short-form notice proposal, as it currently defines data collection notice categories, has the potential to confuse consumers, Online Media Daily reports. The proposal calls for app developers to describe data types that will be collected—such as “biometrics”—and what types of third parties receive collected data—such as “ad networks.” The study surveyed 800 consumers and four experts about which terms they would use to categorize collection practices. Lorrie Cranor, a CMU computer scientist who oversaw the study, said the terms are “not well-defined, even the experts weren’t sure how to apply them,” and added, “When you have a bunch of lawyers and policy people coming up with the consumer tools, they’re not going to come up with something that is necessarily usable.”
Full Story

PRIVACY LAW—U.S.

Cybersecurity Bill Draft Is Circulating (July 19, 2013)

There is no shortage of guidance for privacy and security professionals charged with designing and implementing a secure information infrastructure; existing regulations, ISO standards 27001 and 27002 as well as industry-wide practices are just the most prominent sources. But if congressional leaders get their wish, there will soon be yet another source of guidance: the Cybersecurity Framework from the National Institute of Standards and Technology. Privacy Tracker has a breakdown of what to expect. (IAPP member login required.)
Full Story

PRIVACY LAW—U.S.

NJ Supreme Court: Get a Warrant for Cellphone Info (July 19, 2013)

The New Jersey Supreme Court ruled on Thursday that law enforcement must acquire a warrant prior to obtaining tracking information from a suspect’s cellphone. The ruling “puts the state at the forefront of efforts to define the boundaries around a law enforcement practice” that has divided courts around the country, and, The New York Times reports, the issue will likely end up before the U.S. Supreme Court. Meanwhile, a House appropriations panel has unanimously adopted an amendment that would require law enforcement to get a warrant before accessing e-mail and other online messages. The amendment was added to the Fiscal Year 2014 Financial Services and General Government Appropriations bill and the privacy requirement covers the Internal Revenue Service, the Securities and Exchange Commission and other regulatory agencies. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—EU & U.S.

European Parliament Wants NSA Chief To Testify (July 19, 2013)

Slate reports that the European Parliament is set to initiate an investigation into the NSA surveillance program disclosures and is amassing “an interesting list of witnesses” to testify about the issue, including U.S. National Security Agency Chief Gen. Keith Alexander, whistleblower Edward Snowden and The Guardian’s Glenn Greenwald. The European Parliament plans to hold the series of hearings about the programs in September. A Deutsche Welle report asks if European Union interior ministers are partly responsible for collaborating with U.S. security agencies. European Home Affairs Commissioner Cecilia Malmström said that the EU is not solely responsible for data protection as security agency activities generally come under the jurisdiction of member states.
Full Story

DATA PROTECTION—IRELAND

Commissioner Begins Inquiry Into LinkedIn (July 19, 2013)

Irish Data Protection Commissioner Billy Hawkes has launched an audit of social networking firm LinkedIn, reports The Independent, adding it could have ramifications worldwide. Hawkes has confirmed his team has begun the audit as part of a process that will look into all social media firms based in Ireland. LinkedIn suffered a data breach earlier this year.
Full Story

SURVEILLANCE

Cavoukian Discusses Dangers of Metadata (July 19, 2013)

In an opinion piece for the Toronto Star, Ontario Information and Privacy Commissioner Ann Cavoukian discusses the term “metadata,” frequently used since revelations of the U.S. National Security Agency’s surveillance program. While government officials defend the use of metadata, claiming it isn’t privacy invasive because it doesn’t access telecommunications content, Cavoukian says this is “fanciful thinking–perpetuating a myth that is highly misleading. The truth is that collecting metadata can actually be more revealing than accessing the content of our communications.” Cavoukian has also published a white paper on the topic.
Full Story

DATA LOSS—U.S.

Details Emerge on Monroeville Breach (July 19, 2013)

Health IT Security reports on a situation involving the Office for Civil Rights (OCR) and the Monroeville, PA, 911 dispatch center in which the OCR told the center it had 30 days to conduct an investigation on protected health information that was exposed for a former police chief. Details obtained by the Pittsburgh Post-Gazette reveal that details on Monroeville 911 records were available to unauthorized individuals for an extended period of time, among other revelations. Meanwhile, a programming error has led to a data breach at Indiana Family and Social Services Administration.
Full Story

BYOD

Survey: Employees Mistrust Policies; Some Orgs Don’t Have Them At All (July 18, 2013)
An online survey of almost 3,000 employees in the U.S., UK and Germany showed that when it comes to “bring your own device (BYOD),” only 30 percent said they trust their employer to keep personal information private and not use it against them, The Telegraph reports. The survey indicated a level of confusion over what constitutes personal information. Meanwhile, ZDNet cites Acronis' 2013 Data Protection Trends Research report indicating the majority of Australian organizations don’t have a BYOD policy and 33 percent don’t allow personal devices into the corporate network.

SURVEILLANCE—U.S.

PCLOB To Meet With Private Sector; Coalition To Petition for Expanded Disclosures (July 18, 2013)

The Privacy and Civil Liberties Oversight Board (PCLOB) is slated to meet with Internet and telecommunications companies to determine what data and access to company servers they’ve provided to the U.S. government, Bloomberg reports. The move comes after the PCLOB held a hearing last week with privacy experts and former government officials. “It’s valuable to hear company perspectives on how the programs operate,” said PCLOB Chairman David Medine. “We want to hear both sides of it. We want to hear the government side, but we also want to hear the private-sector side.” Also, the PCLOB is getting reinforcements: Sharon Bradford Franklin is leaving The Constitution Project to join the board as executive director, The Hill reports. Meanwhile, a coalition of Internet companies and civil liberties groups is calling on the Obama administration and Congress to expand the disclosure of U.S. government surveillance programs.
Full Story

SURVEILLANCE—U.S.

Committee Hears Testimony; USA PATRIOT Act Must Change (July 18, 2013)

At a House Judiciary hearing yesterday exploring the Obama administration’s use of Foreign Intelligence Surveillance Act (FISA) authorities, representatives from the Justice Department, National Security Agency (NSA), Office of National Intelligence and the Federal Bureau of Investigation were questioned by lawmakers, specifically on Section 215 of the USA PATRIOT Act and Section 702 of FISA. This exclusive for The Privacy Advisor reports on new revelations from the NSA and the varying reactions from lawmakers, including warnings about the future of Section 215, possible data retention obligations and the Justice Department’s plans for allowing companies to disclose FISA requests to the public.
Full Story

DATA LOSS—U.S.

Medicaid Patient Records Potentially Compromised Via E-mail (July 18, 2013)

The Office of the Medicaid Inspector General (OMIG) has announced an internal employee in New York sent 17,743 Medicaid patient records to a personal e-mail account in October 2012. The employee did not have OMIG consent to send the e-mail and has been placed on administrative leave, Health IT Security reports. The potentially compromised information may have included patients’ first and last names, dates of birth, Medicaid client information numbers and Social Security numbers, the report states.
Full Story

CLOUD COMPUTING

Get Some Guidance in the Resource Center (July 18, 2013)

“Businesses continue to be responsible for protecting their customers’ data, regardless of the cloud services they may engage,” write Megan Brister and Alain Rocan, CIPP/C, in their exclusive for The Privacy Advisor. If you’re considering using—or you’re already using—cloud computing, take a look at the tools, guidance and articles in the IAPP’s Close-Up: Cloud Computing to make sure you’re covering your bases. With guidance from organizations including the UK ICO, NIST, PCI DSS and the Cloud Security Alliance, as well as IAPP exclusive content, you’ll find the information you need to make the best choices for your data. (IAPP member login required.)
Read More

GEO PRIVACY—U.S.

ACLU: Police Tracking Innocent People’s License Plate Data (July 18, 2013)

The Hill examines an ACLU report revealing that police departments across the U.S. are using license-plate readers to capture and store information about individuals’ whereabouts—without their knowledge. The report found that data on even those who have not been accused of a crime is stored in the database. The ACLU says rules must be enacted to restrict how such technology is used and for how long such data is retained. Meanwhile, the Center for Investigative Reporting writes local officials are moving forward with a federally funded project that aims to combine data on surveillance cameras, gunshot detectors, license-plate readers, Twitter feeds and alarm notifications into a single tool for law enforcement.
Full Story

PRIVACY LAW

Warning Bells for an Enforcement Tsunami? (July 17, 2013)
In recent weeks, various European regulators have come down on Google for its policy on data collection. The UK’s Information Commissioner even went so far as to tell the company it had until September 20 to revise the policy or face “formal enforcement action.” In this exclusive for The Privacy Advisor, CPOs and regulators weigh in on whether recent actions against Google are a sign that enforcement actions are about to increase significantly. The message: “Accountability is required, and the big and small should prepare.”

CYBERSECURITY—U.S.

Baker Outlines Testimony for Judicial Hearing (July 17, 2013)

Former General Counsel for the National Security Agency (NSA) Stewart Baker is testifying today to the House Judiciary Committee about the Foreign Intelligence Surveillance Act (FISA), NSA and the “Snowden flap.” On the Skating on Stilts blog, Baker posts his prepared testimony, questioning the “wisdom of trying to regulate intelligence use of Big Data tools” and discussing the “hostage” position that U.S. IT companies have been put in by the government, noting “whenever Europe has a beef with U.S. use of data in counterterrorism programs, it threatens not the U.S. government but U.S. companies.” Editor’s Note: Stewart Baker will deliver a keynote address at the IAPP Privacy Academy in Seattle, WA, this fall.
Full Story

PRIVACY LAW—COLOMBIA

Outline of the Newly Enacted Data Protection Law (July 17, 2013)

Pablo Palazzi of the Argentine law firm Allende & Brea offers an overview of the Colombian data protection law in this Privacy Tracker blog post. With new definitions of sensitive data, public data and privacy notice, and requirements for privacy policies and children’s data, among others, the law “followed closely the European regulatory model on data protection matters,” Palazzi writes. Colombia joins Argentina, Mexico, Uruguay, Peru, Costa Rica and Nicaragua in Latin American countries whose regulations have followed the EU model. (IAPP member login required.)
Full Story

PRIVACY LAW—SPAIN

Spanish Cookie Guidance Explained (July 17, 2013)

Earlier this year, the Spanish Data Protection Authority, in conjunction with industry representatives, released the "Guía sobre el uso de las cookies,” or the Spanish cookie guidance. The guide contains recommendations on how to satisfy the requirements of Spanish law on electronic commerce. In this exclusive for The Privacy Advisor, two experts outline who must comply and requirements on consent and cookie installation, among other details.
Full Story

SURVEILLANCE—U.S.

Microsoft to Justice Dept.: Let Us Talk! (July 17, 2013)

In a letter to Attorney General Eric Holder, Microsoft General Counsel Brad Smith called for his “personal involvement” to allow the company to share national security data requests, The Hill reports. “It’s time to face some obvious facts,” Smith wrote, “Numerous documents are now in the public domain…As a result, there is no longer a compelling government interest in stopping those of us with knowledge from sharing more information, especially when this information is likely to help allay public concerns.” In the letter, Smith also said the government rejected Microsoft’s request to “publicly explain practices” described in an article by The Guardian. The practices referred to in the article “have now been misinterpreted in news stories around the world,” Smith wrote.
Full Story

ONLINE PRIVACY

What Thriving Cities Can Teach Us About Online Privacy (July 17, 2013)

Pointing to Edward Glaeser’s book, Triumph of the City: How our Greatest Invention Makes Us Richer, Smarter, Greener, Healthier and Happier, David Hoffman, CIPP/US, equates the Internet to “myriad ‘virtual cities'” in its need for policies that protect individuals but also foster collaboration and innovation. “Given the close connection between our online and physical interactions, there is much we can learn about encouraging successful online collaboration and innovation from the policies that have supported growth of the world’s great cities,” Hoffman writes for Privacy Perspectives.
Full Story

CONSUMER PRIVACY

FPF, Industry Team Up for Retail Location Analytics Best Practices (July 17, 2013)

The Future of Privacy Forum (FPF) announced yesterday it will work with a group of retail location analytics technology firms, including Euclid, WirelessWERX and others, to develop privacy best practices. The firms have been the subject, lately, of unflattering press articles, and have come under scrutiny by lawmakers including Sen. Al Franken (D-MN). “By being transparent about what is going on, location companies and retailers can make sure shoppers understand the benefit of the bargain,” said Jules Polonetsky, CIPP/US, Director of the FPF.
Full Story

HEALTHCARE PRIVACY—U.S.

Study: Mobile Health Apps Carry Privacy Risk (July 17, 2013)

According to a new study released yesterday by Privacy Rights Clearinghouse, many mobile health apps carry privacy and security risks, GigaOm reports. The report surveyed 43 free and paid apps—including the top 20 paid apps in health and fitness categories—and found several did not have privacy policies, transmitted data without encryption and sent user data to third parties such as ad networks and analytics companies. Privacy Rights Clearinghouse Founder Beth Givens said, “Data security and privacy—from a technical standpoint—is abysmal.”
Full Story

HEALTHCARE PRIVACY—U.S.

New “Hub” Database Raises Privacy Concerns (July 17, 2013)

As part of the massive overhaul of America’s healthcare system, databases from seven U.S. agencies—from the Internal Revenue Service to the Peace Corps—will be tied together in one $267 million computer system called the Hub to determine which U.S. citizens can purchase medical coverage, Bloomberg reports. The size and breadth of the system is raising red flags from some who are concerned about privacy and security risks, as the system will include data such as identity, citizenship, income and family size. One lawmaker queried, “It’s information on 300 million Americans, all compiled in one place—what could go wrong?” Others note, however, that the system can only access data on potential enrollees and there’s not a central storage center for the data.
Full Story

PRIVACY LAW—ASIA

Asia Pacific Privacy and Data Protection: Recent Developments (July 17, 2013)

Just a few years ago there were only a few Asia Pacific countries with standalone data protection or privacy laws in force. The landscape, however, is changing, with an increasing number of jurisdictions introducing new laws and regulations—and changing existing ones—and more are sure to follow. Ken Chia, CIPP/IT, and Jacqueline Wong of Baker & McKenzie, and James Kim at Kim, Choi & Lim, are putting together a free teleconference for IAPP members, looking at new responsibilities and requirements your organization must undertake in this part of the world. Click through to register and get your questions answered.
Full Story

DATA PROTECTION—U.S.

Breach Prevention: Policing Your Own People (July 16, 2013)
“The recent reports of terminations at Cedars-Sinai Medical Center following inappropriate review of celebrity medical records should serve as a reminder to every healthcare entity—and any company with sensitive information,” writes Wiley Rein partner Kirk Nahra, CIPP/US, that organizations must have “a plan to make sure that your own people aren’t the cause of privacy and security breaches.” In this Privacy Perspectives post, Nahra outlines what privacy pros need to do within their organization to help curb this problem that “is not going away.” (Editor's Note: See also "If Nine of 10 Employees Knowingly Breach Policy, How Is Privacy Possible?")

ONLINE PRIVACY—U.S.

Judge Grants Chevron Access to Activists’ Online Data (July 16, 2013)

A U.S. federal judge has ruled to allow Chevron, via subpoena to Microsoft, Google and Yahoo, access to the IP usage records of more than 100 environmental activists, journalists and attorneys, according to Common Dreams. The company has requested the records to piece together a lawsuit alleging the oil company was the victim of a conspiracy ending up in an $18.2 billion judgment against it for the dumping of 18.5 billion gallons of oil waste in the Ecuadorean Amazon, the report states. The Electronic Frontier Foundation’s Marcia Hoffman said, “These sweeping subpoenas create a chilling effect among those who have spoken out…” The subpoena, according to ERI, requests personal information of each account holder and every login over a nine-year period.
Full Story

SURVEILLANCE—U.S.

FISA Court Wants Obama to Declassify Yahoo Case (July 16, 2013)

The U.S. Foreign Intelligence Surveillance Court has ordered the Justice Department to review a 2008 secret court opinion—allegedly requiring Yahoo to turn over online communications of its consumers—to determine how much it can publicly release, The Washington Post reports. Judge Reggie B. Walton also called on the Justice Department to review the arguments Yahoo and the government made in the case. Walton would then publicly release the court’s justification. Meanwhile, the Electronic Frontier Foundation has recognized Yahoo “with a star of special distinction” in their Who Has Your Back survey "for fighting for its users in (secret) courts.” (Registration may be required to access this story.)
Full Story

SURVEILLANCE—U.S.

Can Gov’t Safely Use FISA To Justify Surveillance? (July 16, 2013)

The U.S. government maintains that its massive acquisition of information concerning the telephone communications of millions of Americans complies with the Foreign Intelligence Surveillance Act. In this exclusive for The Privacy Advisor, David Bender examines whether such surveillance does in fact fall within FISA’s legal framework. While the government “may have a non-frivolous argument for needing the universal database or something resembling it” there is also an argument “against permitting such a database, as far too often the government’s right to collect information has been abused,” Bender says. Meanwhile, The Washington Post discusses the NSA chief’s desire to look not for the needle in the haystack, but instead to collect “the whole haystack.”
Full Story

ONLINE PRIVACY—U.S.

W3C Rejects Ad Industry’s DNT Proposal (July 16, 2013)

The World Wide Web Consortium (W3C) has rejected the Digital Advertising Alliance’s (DAA) draft proposal for a universal Do-Not-Track standard, AdAge reports. W3C said the DAA proposal was “less protective of privacy and user choice than their earlier initiatives.” The group says it will instead work from the “June draft,” though even privacy advocates say the draft faces “insurmountable obstacles to adoption by the deadline at the end of this month.”
Full Story

DATA PROTECTION—EU

Reding Wants Movement on Bill (July 16, 2013)

EUObserver reports on EU Justice Commissioner Viviane Reding’s call to accelerate movement on the data protection bill currently stuck in the European Parliament’s civil liberties committee. “I would find it helpful if the European Council in October, which will deal with the European single market, could address this matter and speed up the work in the council on this important file,” said Reding in her appeal on Monday. Meanwhile, Hogan Lovells’ Christopher Wolf opines in Financial Times that “it is wrong to assume the U.S. is the worst regarding surveillance,” arguing that Europe does its fair share.
Full Story

DATA PROTECTION—U.S.

Complaint Filed Over Jay-Z/Samsung App (July 16, 2013)

The Electronic Privacy Information Center (EPIC) has filed a complaint on Jay-Z and Samsung’s Magna Carta Holy Grail app, Ars Technica reports. “Samsung failed to disclose material information about the privacy practice of the App, collected data unnecessary to the functioning of the Magna Carta app, deprived users of meaningful choice regarding the collection of their data, interfered with device functionality and failed to implement reasonable data minimization procedures,” EPIC said in its complaint, filed July 12.
Full Story

GENETIC PRIVACY

Debate Lacking in Nascent DNA Collection (July 16, 2013)

The Associated Press reports on the flourishing collection of DNA by governments around the world and the lack of public debate about the privacy and ethical issues raised by such collection. Yaniv Erlich of MIT’s Whitehead Institute for Biomedical Research said there is a lot of upside to having DNA databases, but said, “our work shows there are privacy limitations.” Others have warned of “mission creep” where law enforcement use DNA to gather data on racial origins, medical history and psychological profiles. A University of Baltimore forensics professor said, “There’s got to be a debate… Do we want to have a society where 5 percent of the crime is unsolved, or do we want to have a society where 100 percent of the crime is solved" but privacy goes extinct? "What's the trade-off?"
Full Story

FINANCIAL PRIVACY—KENYA

Privacy Concerns out of M-Pesa Mobile Banking (July 16, 2013)

The mobile phone-based money transfer system M-Pesa, which has brought mobile banking to the poor in Kenya, can be used to identify unsuspecting users, potentially compromising their privacy, Deutsche Welle reports. Grace Githaiga, a Nairobi-based ICT expert, said in order to use the system, a user must submit their ID card number and address, which in turn are transferred to an M-Pesa agent. According to Githaiga, it’s not clear where the data ends up. Additionally, a loophole in the system means users can identify other users who might otherwise wish to remain anonymous. She notes that Kenya does have pending data protection legislation, though not an existing law, “but that tells you that there’s debate around data protection, and some of these things are going to be raised in that bill.”
Full Story

PRIVACY LAW—U.S.

The Future of Consumer Privacy Class Actions (July 15, 2013)
The New York Law Journal explores the potential future of consumer privacy class-action lawsuits in light of the recent comScore decision, noting that it and “other recent decisions allowing privacy cases to proceed in the absence of actual damages suggest that the legal landscape may be changing, and that privacy could be the next significant frontier in class-action litigation.” Meanwhile, The Sun Sentinel reports malpractice lawyers have argued that a new Florida law, Ch. 2013-108, may violate patient privacy.

PRIVACY LAW—EU & U.S.

German Chancellor Calls for New ISP Agreement; NSA Fallout Continues (July 15, 2013)

German Chancellor Angela Merkel has called for a strict European agreement on data protection that would require all Internet service providers operating in Europe to reveal the personal information they keep and with whom they share it, CNN reports. Merkel has suggested that the requirement could be codified within the International Covenant on Civil and Political Rights, but there’s some doubt as to the feasibility of that. Meanwhile, EU Justice Commissioner Viviane Reding said revelations surrounding the U.S. National Security Agency’s surveillance program helped add momentum to the case of those already calling for stronger data protection measures in the EU. Meanwhile, Politico reports on privacy issues’ impact on U.S.-EU trade talks.
Full Story

DATA PROTECTION—U.S.

No Feds at DEF CON, What Comes Next? (July 15, 2013)

The founder of the hacking conference DEF CON has asked government officials not to attend this year’s conference—the first such request in its 21-year history—because the recent NSA disclosures “have made many in the community uncomfortable about” the long-standing relationship between hackers, pros and academics and federal authorities. This Privacy Perspectives post explores what this “disintegrating trust and increased division” may mean for privacy moving forward.
Full Story

ONLINE PRIVACY—U.S.

AG Wants Answers on Health Sites’ Data Mining Practices (July 15, 2013)

The New York Times reports on Illinois Attorney General Lisa Madigan’s recent inquiry into the data-mining practices of popular health websites such as WebMD and Health.com. Madigan has sent letters to the sites’ executives citing concerns about the dissemination of data related to web surfers’ health-related searches, the report states. “Health-related information, which would be protected from disclosure when said in a doctor’s office, can be captured, shared and sold when entered into a Web site,” Madigan wrote, adding that consumers likely overlook such concerns if information on disclosures is buried in privacy policies. One researcher recently found third-party entities often track patients searching health-related terms. (Registration may be required to access this story.)
Full Story

CONSUMER PRIVACY—U.S.

Brick-and-Mortar Tracking on the Rise (July 15, 2013)

Last year, department store Nordstrom sought to learn more about its customers by testing a new technology that allowed it to track customers’ movements via the WiFi signals from their cell phones. But when it posted a sign telling customers they were being tracked, it heard complaints and eventually ended the program, The New York Times reports. “The creepy thing isn’t the privacy violation, it’s how much they can infer,” said one shopper. An increasing number of businesses now offer the technology for brick-and-mortar shops to track users like digital shops can. Meanwhile, the ACLU has criticized AT&T’s plans to sell anonymous customer location data, saying customers can be identified. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Industry’s Proposed DNT Solution Stirs Controversy (July 15, 2013)

AdAge reports on a recent proposal from the ad industry on the World Wide Web Consortium’s Do-Not-Track signal that would allow firms to continue collecting data on users even after a user opted out of tracking. The tradeoff is that the firms would agree to strip the data of certain information. One expert says such a proposal “ignores the fact that if you collect multiple data points about a unique identifier, you can eventually determine…personal characteristics.” Mike Zaneis of the Interactive Advertising Bureau (IAB) said IAB publishers have seen the number of users sending Do-Not-Track signals “creeping up” to about 20 percent “because anybody could send a DNT flag.” But Mozilla Chief Privacy Officer Alex Fowler has asked for proof on those numbers.
Full Story

DATA LOSS—U.S.

Workers Fired Over Kardashian Breach (July 15, 2013)

Five healthcare workers from Cedars-Sinai Medical Center—a common destination for celebrities seeking medical treatment—have been fired for unauthorized access to 14 patient records, including those of Kim Kardashian, Reuters reports. Representatives from the organization said they have a “high standard for security” and “in this case that standard was violated.” In other breach news, the personal records of as many as 277,000 former patients of a North Texas hospital were found in a Dallas park and included contact details and Social Security numbers. And Long Beach Memorial Medical Center has notified 2,864 patients their medical records have been compromised. Reports state the breach stems from an internal employee but no further details have been issued thus far.
Full Story

PRIVACY LAW—U.S.

Will: Census Should Not Be Collateral Damage (July 15, 2013)

In a column for The Washington Post, George Will writes that privacy concerns are threatening valuable census data. The recent IRS and NSA scandals have prompted some to distrust the American Community Survey (ACS), and although “instinctive suspicion of government…is healthy,” Will argues, “the ACS should not become collateral damage.” Will notes that making the survey voluntary would cause compliance to “plummet” and “the cost of gathering the information would soar.” He also says the ACS provides valuable data for economic growth and can improve the efficiency of markets and the government. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—U.S.

NSA Files Show Encryption Was Bypassed (July 12, 2013)
The Guardian reports on documents obtained from Edward Snowden on the U.S. National Security Agency’s (NSA) surveillance programs that indicate encryption was bypassed to access documents. The documents show “Microsoft helped the NSA to circumvent its encryption” and the NSA had “pre-encryption stage access to e-mail on Outlook.com, including Hotmail,” the report states. Microsoft has responded, "When we upgrade or update products, we aren't absolved from the need to comply with existing or future lawful demands," noting customer information is only provided “in response to government demands, and we only ever comply with orders for requests about specific accounts or identifiers.” Meanwhile, The New York Times reports that Sen. Ron Wyden (D-OR) has said he believes the NSA may soon abandon the practice of collecting bulk phone records.

SOCIAL NETWORKING—FRANCE

Twitter Gives Anti-Semitic Posts to Authorities (July 12, 2013)

Microblogging site Twitter has complied with a French court’s request to hand over tweets related to a number of racist and anti-Semitic messages that were posted on its site, CNET News reports. An appeals court ruled last month that the company must hand over the names of the users propagating the anti-Semitic messages, raising the thorny issue of online anonymity and hate speech. Twitter said in a statement that handing over the data will “put an end to the dispute” and that it will work with the Union of Jewish French Students to “fight racism and anti-Semitism.”
Full Story

PRIVACY LAW

Regulating Technology or Behavior? (July 12, 2013)

“An absolute certainty on which everybody seems to agree is that legislating takes longer than programing,” writes Eduardo Ustaran, CIPP/E, in this Privacy Perspectives blog post. According to one survey, the average time it takes to develop a mobile app is less than five months. “However you look at it, it is difficult to imagine a law being devised, crafted and passed at the same speed at which software developers and engineers do their work,” Ustaran writes, adding, “but whilst technology is always changing, there is something that has not really changed that much for thousands of years: human behavior.”
Full Story

PRIVACY COMMUNITY

Harris To Step Down at CDT: A Conversation (July 12, 2013)

Leslie Harris, who has headed the Center for Democracy & Technology (CDT) since 2005, announced this month that she will resign from her post in March of 2014, just as the CDT celebrates its 20th anniversary. In a conversation with The Privacy Advisor, Harris made it clear that she is not retiring but rather “right-sizing,” and she is hardly done with her work in the privacy arena. Hear her thoughts on CPOs' human rights obligations, the status of current legislation, where CDT goes from here and more.
Full Story

ONLINE PRIVACY

W3C To Vote on DNT Solutions (July 12, 2013)

The World Wide Web Consortium is slated to vote on some possible solutions for the long-debated Do-Not-Track standard today, MediaPost reports. The proposals would then move to the group’s chairs to be voted on. One proposal, put forth by the Digital Advertising Alliance, would allow companies to continue to track and advertise to users even after they’ve clicked “do not track” so that behavioral advertising will continue to thrive. It’s a proposal privacy advocates dislike, but the ad industry says opting out is problematic because, for one reason, when users delete their cookies, they also delete their preferences on tracking.
Full Story

DATA LOSS—U.S.

Health Insurance Company Fined $1.7 Million (July 12, 2013)

The U.S. Department of Health and Human Services (HHS) has announced that insurance provider WellPoint has agreed to pay a $1.7 million fine for inadequately protecting a database containing more than 600,000 personal records, according to an HHS press release. Between October 2009 and March 2010, the health data of 612,402 individuals—including names, addresses, birth data and Social Security numbers—was accessible online. IT World reports the investigation revealed WellPoint “did not have adequate policies and procedures for access to the online application database” that was breached and did not have “technical safeguards” in place for access verification.
Full Story

PRIVACY LAW—U.S.

Wyndham, LabMD Cases Challenging FTC (July 12, 2013)

News of Wyndham Worldwide’s pushback against the Federal Trade Commission (FTC) has made headlines for months now, but SC Magazine reports that a second case also “could disrupt the FTC's data security authority.” Wyndham and “medical testing provider LabMD are two companies that are pushing back against separate investigations launched by the consumer protection agency, which asserts that the two companies experienced data breaches that exposed sensitive client information,” the report states, noting the outcome of these cases “could decide whether the FTC can continue to punish companies that have been breached.”
Full Story

PRIVACY

Crowdsourced App Allows for Secret Communications; Kremlin Returns to Typewriters (July 12, 2013)

It took 36 hours for users to contribute $100,000 to fund an app designed to avoid government spy agencies, Al Jazeera reports. The app, called Heml.is, is Swedish for “secret.” It aims to give users an alternative to major tech companies. “We’re building a message app where no one can listen in, not even us,” the creators said of the product. Meanwhile, Russia’s Federal Guard Service, which protects Kremlin communications and President Vladimir Putin, says it has returned to using typewriters for communications following revelations of the U.S. National Security Agency’s surveillance program.
Full Story

PRIVACY—INDIA

Gov’t Surveillance Raises Trust Concerns (July 12, 2013)

The New York Times reports on India’s Centralized Monitoring System—its new surveillance program—and whether citizens can trust that the government will not infringe on their privacy. The government has said it will abide by laws mandating that it receive proper authorization prior to intercepting communications and that privacy will be better protected. “But there are a host of reasons why the citizens of India should be skeptical of those official claims,” the report states. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Breach Requirements Are Coming (July 11, 2013)
It’s not a question of whether breach notification requirements will be part of the new EU Data Protection Directive, but rather when and what they’ll look like. Privacy Tracker rounds up articles examining what’s coming down the pike and how to prepare, along with a look at enforcement actions and new potential laws in the Netherlands and Switzerland. (IAPP member login required.)

DATA LOSS

Breaches Abound in the U.S., UK and Online (July 11, 2013)

Across the U.S. and the UK, data breach incidents, investigations and litigation have been making headlines, and, globally, a videogame maker has reported a breach that may have affected four million of its users. The Privacy Advisor highlights some of the top data breach stories from the past week and includes links to insights on breach trends and how to address a breach if it happens.
Full Story

GEO PRIVACY—U.S.

New Database Sells License-Plate Tracking Info (July 11, 2013)

Forbes reports on the business of license-plate recognition. One data broker, TLO, announced recently it has begun selling location information on license plates that have been filed and identified, and police have started using the technology to track suspects. TLO’s “massive” database claims to add up to 50 million new vehicle sightings each month. “One possible longer term issue around license-plate recognition is that new firms in the field seeking to gain market share could gather specific data such as who was visiting what churches or mosques, underground clubs or medical clinics and perhaps distribute that information more freely than companies now do,” the report states.
Full Story

HEALTHCARE PRIVACY—U.S.

The Additional Burdens of Patient Access to PHI (July 11, 2013)

HealthITSecurity explores the move toward patient access to personal health records (PHI) under the EHR Incentive Programs Stage 2 Meaningful Use and the new burdens that will be implicitly placed on providers. Covered entities will have to take steps to ensure that patients are aware of their responsibility for protecting their PHI. Mount Sinai Hospital’s David Mendelson queried, “Does the fact that we put (PHI) in the control of the patient endanger the provider in some way? Does the patient know what to share and what to expose over time? Does the patient want that responsibility? Sometimes, the answer is no.”
Full Story

PRIVACY—U.S.

Farmers Sue To Halt EPA Disclosures (July 11, 2013)

The American Farm Bureau Federation and the National Pork Producers Council (NPPC) have jointly filed a federal lawsuit and temporary restraining order to halt disclosures of farmers’ personal information by the U.S. Environmental Protection Agency (EPA), National Hog Farmer reports. The move comes after the EPA released the personal information of tens of thousands of farmers, including names, addresses and personal contact information, after a number of Freedom of Information requests by animal rights groups. Filed before the U.S. District Court for the District of Minnesota, the order seeks to stop the disclosures and clarify the EPA’s role in keeping personal data private in such circumstances.
Full Story

SURVEILLANCE—U.S.

Americans Divided on Snowden; Young Alito Pushed for Protections (July 11, 2013)

The New York Times reports on a poll indicating division among Americans on whether Edward Snowden is a traitor or a whistleblower. The Quinnipiac University poll indicates the majority of those surveyed—55 percent—said he was a whistleblower for revealing the National Security Agency’s (NSA) PRISM program, while 34 percent said he was a traitor. Meanwhile, a report cited in the Electronic Privacy Information Center’s lawsuit asking the Supreme Court to halt the NSA’s surveillance program indicates that Supreme Court Associate Justice Samuel Alito, in his days as a Princeton undergraduate, urged strict safeguards to protect personal privacy online. (Registration may be required to access this story.)
Full Story

DATA LOSS—JAPAN

Incorrect Privacy Settings Reveal Internal Gov’t Memos (July 11, 2013)

Japanese government officials and journalists have mistakenly revealed internal memos, draft stories and interview transcripts by reportedly using the incorrect privacy settings in Google Groups, ZDNet reports. Yomiuri Shimbun, a Japanese newspaper, reports it found more than 6,000 cases where public or private organizations revealed nonpublic information, including hospital records, via the wrong privacy settings.
Full Story

PRIVACY LAW—U.S.

How First PCLOB Meeting Affects Private Firms (July 10, 2013)
At the Privacy and Civil Liberties Oversight Board’s first public meeting since its reemergence under new Chairman David Medine, the focus was very precise: What direct and concrete improvements could be made to improve “Surveillance Programs Operated Pursuant to Section 215 of the USA PATRIOT Act and Section 702 of Foreign Intelligence Surveillance Act.” Ideas generated included making the FISA Court adversarial, decreasing the vagueness around “data minimization,” instituting a data retention law and a number of other suggestions. In this exclusive for The Privacy Advisor, we examine the potential impact on private industry.

BIG DATA—U.S.

The USPS Is Selling Data to Brokers (July 10, 2013)

Forbes reports on the relationship between the United States Postal Service (USPS) and various data brokers. According to the report, the USPS will sell change-of-address information to a data broker provided the firm purchasing the data has the user’s previous address. The USPS National Change-of-Address program (NCOA) approves licenses to approximately 500 companies. “There’s nothing terrible about NCOA, but people should be given a choice,” said privacy expert Bob Gellman. “New movers are fodder for data brokers, who sell mailing lists to marketers and who also maintain lifetime files on every household in America. NCOA is a prime source of this information.” There is, however, a loophole for consumers that prevents data brokers from accessing the updated address.
Full Story

PRIVACY LAW—U.S.

ME and MA Laws Suggest Mixed Views on Privacy (July 10, 2013)

Privacy Tracker reports that while Massachusetts lawmakers will soon vote on the “Act Updating Privacy Protections for Personal Electronic Information,” they, along with MA Attorney General Martha Coakley, are also considering S 654, which would expand the state’s wiretapping powers. Meanwhile, the Maine legislature voted 125 to 17 to override Gov. Paul LePage’s veto of “An Act To Require a Warrant To Obtain the Location Information of a Cell Phone or Other Electronic Device,” but failed to override his veto of “An Act To Protect the Privacy of Citizens from Domestic Unmanned Aerial Vehicle Use.” (IAPP member login required.)
Full Story

ONLINE PRIVACY—U.S.

Post Mortem, What Happens to Your Account Info? (July 10, 2013)

At its annual meeting in Boston, MA, the Uniform Law Commission (ULC) plans to consider fiduciary access to digital assets. According to Technology’s Legal Edge, the ULC has been drafting a uniform state law with stakeholders during the last seven months to balance the various interests, including “the need for a fiduciary to gain access to a decedent’s online account information to settle an estate, privacy rights of the decedent and third parties who communicated with the decedent and limitations in copyright license agreements against transfers of licensed games, movies and music,” write DLA Piper’s Jim Halpert and Haris Khan.
Full Story

CHILDREN’S PRIVACY—U.S.

Internet Groups Complain About COPPA Compliance Costs (July 10, 2013)

Internet groups have complained to the Federal Trade Commission (FTC) that new regulations to protect children’s privacy online are financially burdensome to start-ups, Los Angeles Times reports. The regulations went into effect July 1 and not only hold sites and apps that collect data from children under 13 responsible for ensuring parental consent but also for any affiliated third-party services collecting data on their sites. The FTC estimates annual compliance costs for current web services at $6,223 and new services at $18,670. The report states 85 percent to 90 percent of the web services are run by small businesses.
Full Story

ONLINE PRIVACY—U.S.

This ISP Won’t Share Your Data Without a Warrant (July 10, 2013)

The Guardian reports on a tech company operating in Utah that has spent the past 15 years “resolutely shielding customers’ privacy from government snoops in a way that larger rivals appear to have not.” Xmission is Utah’s first independent and its oldest Internet service provider and has only 30,000 subscribers, but it has cited the Fourth Amendment in order to rebuff dozens of warrantless requests from local and federal law enforcement authorities. “I would tell them I didn’t need to respond if they didn’t have a warrant, that to do so wouldn’t be constitutional,” said Founder and CEO Pete Ashdown. “I’m not an unpaid branch of the government or law enforcement.”
Full Story

INTERNET OF THINGS—U.S.

Digital Diapers Track Children’s Health (July 10, 2013)

The New York Times reports on newly developed baby diapers complete with digital tracking technology to detect potential urinary tract infections, kidney dysfunctions and dehydration. Developed by Pixie Scientific, the diaper connects to a smartphone app and can transmit the health data to a central database where a physician can interpret the information. The technology is currently being tested by a number of children’s hospitals and, if successful, would then be submitted to the U.S. Food and Drug Administration for approval. Pixie Scientific’s founder said, “You really don’t want to overload parents with data they don’t understand…Eventually, the quantified self idea will be mostly silent and unobtrusive, just something inside the existing flow of life.” (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Expert: Kids Revel in Online World Because It Feels More Private Than Offline (July 10, 2013)

In an interview with The Guardian, Microsoft researcher danah boyd discusses some of her work. Boyd says she’s frustrated when people assert that kids don’t care about privacy. “It's just that their notions of privacy look very different than adult notions," she says. "Kids don't have the kind of privacy that we assume they do. As adults...we think of the home as a very private space...The thing is, for young people it's not a private space—they have no control. They have no control over who comes in and out of their room, or who comes in and out of their house…the online world feels more private because it feels like it has more control."
Full Story

PERSONAL PRIVACY—U.S.

Administration May Change Law To Encourage Gun Database Participation (July 10, 2013)

Chicago Tribune reports on concerns by mental health advocates that those who’ve received treatments for their illnesses could be put at risk by a White House push to expand a gun-buyer database. The National Instant Criminal Background Check System helps gun dealers tell if a potential purchaser has been involuntarily committed to a mental hospital or found to have had serious mental illnesses by courts, the report states. But many states don’t participate, so the Obama administration is looking at changing the Health Insurance Portability and Accountability Act "to remove one potential barrier," the report states. Some advocates say a privacy rule change could scare people away from seeking the treatment they need.
Full Story

PRIVACY LAW—U.S.

Court Ruling Impacts BYOD (July 9, 2013)
What happens to an employee’s expectation of privacy regarding her personal e-mails on her company-issued Blackberry after she leaves the company? Privacy Tracker reports that if a recent ruling by the U.S. District Court for the Northern District of Ohio stands up to further scrutiny, the answer could be that a former employee has greater expectations of privacy after her departure than while she was still employed. In Lazette v. Kulmatycki, the court ruled the Stored Communications Act (SCA) applies to unauthorized access of employees’ personal e-mail accounts, among other determinations.

PRIVACY COMMUNITY

IAPP Resource Center Gets an Upgrade (July 9, 2013)

Check out the latest iteration of the IAPP’s online Resource Center. In our efforts to “define, promote and improve the privacy profession globally,” we are working hard to improve usability and expand our offerings to help you do your job more efficiently. We now have “Close-up” pages that offer tools and research to tackle big issues like BYOD, creating organizational privacy policies and programs, conducting privacy impact assessments and more. The new look is already getting great feedback; let us know what you think—or if there’s something you need, tell us and we’ll do our best to get it. We add new resources all the time, so check back often and stay tuned, there are more changes to come.
IAPP Resource Center

HEALTHCARE PRIVACY—U.S.

Why Providers Should Engage With Social Media (July 9, 2013)

Healthcare providers “seem to approach social media as one of the contents in Pandora’s box,” yet, “because of the potential good to be had from large data analysis, healthcare providers should get engaged through social media and think critically about its potential, while being mindful of potential privacy and legal risks,” writes Indiana University Health Chief Privacy Officer Valita Fredland, CIPP/US. In this installment of Privacy Perspectives, Fredland cites a number of studies and examples that bolster why healthcare providers “can no longer justify being slow adopters of new technology,” including social media.
Full Story

ONLINE PRIVACY—U.S.

Audit Reveals IRS Exposed SSNs (July 9, 2013)

A recent audit by a transparency and public-domain group has revealed that the Internal Revenue Service exposed tens of thousands of Social Security numbers, The Atlantic reports. The numbers were posted for less than 24 hours, but the group, Public.Resource.org, requested that the IRS shut down one of its databases to prevent future lapses, which the IRS has done, the report states.
Full Story

ONLINE PRIVACY—U.S.

Researcher Finds Health-Related Searches Threaten Privacy (July 9, 2013)

AFP reports on a researcher at the University of Southern California who says patients searching for health-related information online may have their privacy threatened. Marco Huesch searched key terms such as "depression," "herpes" and "cancer" on health-related websites. Using free privacy tools such as DoNotTrackMe and Ghostery, Huesch found third-party entities tracking him. Sampling 20 high-traffic sites, including the Food and Drug Administration and WebMD, he found at least one third-party entity—and as many as six or seven—tracking him on each site. Additionally, 13 out of 20 sites contained third-party elements that tracked user data, and seven of those 13 leaked Huesch’s searches to tracking entities, the report states.
Full Story

PRIVACY IN POPULAR CULTURE

Future of Data Dealer in the Balance (July 9, 2013)

A couple of months back, we told you about Data Dealer, a browser-based game that both tweaked the data brokerage industry and educated players about how PII is collected and sold in the global marketplace. Not long afterward, the team of open source coders and developers at Cuteacute Media who have been working on Data Dealer launched a Kickstarter campaign to raise funds that would allow them to take Data Dealer from the demo stage to a full multi-player game. Now, with just two days to go, they could use a little help.
Full Story

DATA PROTECTION—U.S.

Rapper’s Free Download Comes With A Price (July 9, 2013)

Billboard reports on privacy concerns surrounding rapper Jay-Z and Samsung’s “Magna Carta” app, which promises to give the first one million downloaders a free copy of Jay-Z’s new album three days ahead of its official release. Upon its download, the app asks for the user’s permission for “precise GPS location” among other identifiers. Though it isn’t unusual for apps to request access to such information, recent revelations on the National Security Agency’s PRISM program may have contributed to users’ reticence to hand it over, the report states.
Full Story

DATA PROTECTION—EU & U.S.

Privacy and Trade Talks To Commence in Parallel (July 8, 2013)
The Associated Press reports that European officials plan to discuss “data protection and privacy rights” in tandem with trade talks with the U.S. this week. In a statement, Lithuania, which now holds the rotating EU presidency, said, “It will deal with data protection and privacy rights of EU citizens falling within the competence of the EU, addressing the scope and composition of future meetings.” In the wake of concerns about U.S. surveillance of EU officials, European Commission President Jose Manuel Durao Barroso said the process is “very important to build and to enforce the confidence that is necessary also to pursue very ambitious agreements that we hope to conclude with the United States, namely in the field of trade and investment.”

PERSONAL PRIVACY—GERMANY & U.S.

Visualizing Your Metadata (July 8, 2013)

The New York Times reports on Immersion, an MIT Media Laboratory project that mines a consenting user’s e-mail metadata and creates an interactive graphic. “The result is a creepy spider web showing all the people you’ve corresponded with, how they know each other and who your closest friends and professional partners are,” the report states. Meanwhile, a German politician who sued a telecommunications company for his phone data over a six-month span has, in conjunction with ZEIT ONLINE, created a mapped visual of his day-to-day life. By combining Green Party Politician Malte Spitz’s phone data, which includes location information, with publicly available data—including information relating to his political life, Twitter feeds and blog entries—a robust and detailed interactive portrait emerges of Spitz’s personal movements. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—EU & U.S.

Spying Reports Give Momentum to ECPA Reforms, Spur Legal Actions (July 8, 2013)

Revelations about the U.S. National Security Agency (NSA) surveillance of domestic and foreign communications should add momentum to the already politically charged atmosphere surrounding updates to the U.S. Electronic Communications Privacy Act—and on both sides of the aisle, Politico reports. Already, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) has co-sponsored a reform bill, and House Judiciary Committee Chairman Bob Goodlatte (R-VA) has pledged to make the issue a priority. In the UK, lawyers for Privacy International have filed legal papers calling for an immediate suspension of Britain’s use of material from the NSA’s PRISM program, and in the U.S., The New York Times reports on EPIC’s plans to file an emergency petition with the Supreme Court today asking that it stop the NSA’s surveillance program altogether. The Hill discusses “five unanswered questions about the NSA’s surveillance programs,” including the scope of the programs, additional data being collected under the USA PATRIOT Act and other programs the public may not be aware of, and The Guardian reports on the NSA’s bumpy ride at a recruitment drive on a U.S. college campus last week.
Full Story

PRIVACY

A Case for Making the CSO Your New BFF (July 8, 2013)

The chief security officer (CSO) and chief privacy officer (CPO) at any given company can seem to occupy very different job functions. But the truth is the two positions can be exponentially fortified by working together. This exclusive for The Privacy Advisor discusses why it’s a good idea for any CPO to take the CSO out to lunch.
Full Story

SURVEILLANCE—U.S.

Glasses Secretly Film Arrest (July 8, 2013)

Business Insider reports on what may be the first arrest to be filmed by Google Glass. Documentary filmmaker Chris Barrett captured the arrest using Google’s wearable computer during a trip to the Jersey Shore boardwalk on July 4, where he witnessed a fight resulting in police intervention. Barrett filmed the incident without being noticed, the report states. “More notable than the video itself is the ease at which it was captured without the knowledge of those in the middle of the melee. His footage foreshadows the rapidly approaching future where everything can be filmed serendipitously by folks wearing devices like Google Glass without the knowledge of the parties involved,” wrote Thomson Reuters’ Christophe Gevrey.
Full Story

SOCIAL NETWORKING

Facebook Rolls Out Graph Search to Millions (July 8, 2013)

Several hundreds of millions of people will have access to Facebook’s Graph Search beginning this week, six months after its beta testing. TechCrunch reports on the tool, which is “designed to take any open-ended query and give you links that might have answers,” according to Facebook CEO Mark Zuckerberg. Upon its initial release, the tool prompted concerns that it would compromise the privacy rights of minors. It “makes paying attention to privacy settings much more important if you don’t want embarrassing photos from years ago dredged up or your public contact information scraped,” the report states.
Full Story

PRIVACY PROFESSION—CANADA & U.S.

Privacy Audits: Practical Tools for Accountability (July 8, 2013)

The IAPP has announced its latest web conference, set for July 17, and focusing on privacy audits. Chartered Professional Accountants of Canada CPO Nicholas Cheung, CIPP/C, and KPMG National Privacy Service Leader Doron Rotman, CIPP/US, will discuss what “audit” really means, how to decide whether to do an audit internally or with a third party and what are the key pieces of a privacy audit done right.
Full Story

SURVEILLANCE—U.S.

Postal Service Tracking, Retaining Images of Mail (July 5, 2013)
The New York Times reports on a little-known but long-running surveillance system by the United States Postal Service (USPS). Leslie James Pickering, a bookstore owner who, a decade ago, was spokesman for a radical environmental group flagged by the FBI as eco-terrorists, noticed a handwritten card mistakenly delivered with his mail stating any mail headed to his address should be shown to a supervisor first. He was being tracked by the Mail Isolation Control and Tracking program, in which the USPS photographs the exterior of every piece of paper mail processed in the U.S. The more-than-a-century-old program provides such images to law enforcement officials who request them, the report states. (Registration may be required to access this story.)

SURVEILLANCE—EU & U.S.

EU Officials, U.S. Privacy Group Seek Answers, Action (July 5, 2013)

PC World reports the “European Parliament gave European Commissioners and national ministers some extra ammunition Thursday in discussions with the U.S. following allegations about American spying and the PRISM scandal: possible suspension of data-sharing agreements.” The European Parliament is asking the U.S. “to provide full disclosure of any spying activities” and has established an inquiry to review the allegations, but it “stopped short of suspending bilateral trade talks due to start on Monday,” the report states. Meanwhile, the European Commission has written to the UK for answers about its surveillance program, Tempora. In the U.S., the Electronic Privacy Information Center’s Domestic Surveillance Project announced Thursday that it plans to file a petition with the Supreme Court “to vacate the Foreign Surveillance Intelligence Court ruling” authorizing the NSA’s collection of metadata on U.S. phone calls.
Full Story

BEHAVIORAL TARGETING

A Tracking Method That Privacy Advocates Like? (July 5, 2013)

Twitter will begin using cookies to track users and deliver advertising, but because its program abides by Do-Not-Track settings and has a clear opt-out, privacy advocates are praising it, PC Pro reports. An Electronic Frontier Foundation activist said in a blog post, “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice." Meanwhile, Vine, a video-sharing site owned by Twitter, has added privacy settings to its services—including the ability to make Vines private.
Full Story

MOBILE PRIVACY

Carrier Changes Policy, May Sell User Data (July 5, 2013)

AT&T has a new privacy policy and may begin selling anonymized user data to third parties, reports Slashgear. The company cites “more relevant advertising” as its reason for selling the data, joining other big tech companies in the practice. AT&T will offer customers the opportunity to opt out, and plans to sell demographic and device information as well as information on viewing behavior through its television service. Pointing to Verizon’s use of consumer data, AT&T’s privacy policy states, “we similarly plan to provide our customers with these sorts of personalized services, and we’re committed to doing so in line with our long-standing policy to respect and protect our customers’ privacy.”
Full Story

DATA PROTECTION—EU

Regulators Prepared To Take Action Against Google (July 5, 2013)

The UK Information Commissioner’s Office (ICO) has written to Google to warn the company that it could take “formal enforcement action” if it does not alter its privacy policy by September 20, Out-Law.com reports. “In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act,” an ICO spokesperson said. The updated policy “does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.” Meanwhile, Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar says his office will join other European regulators, including Spain, in taking action against the company.
Full Story

PRIVACY LAW—ITALY

DPA Asks Facebook for Clarifications (July 5, 2013)

The Italian Data Protection Authority, the Garante, is requiring Facebook to provide clarifications by July 20 on personal data processing following recent announcements of a “bug” that caused the exposure of personal information. In this exclusive for The Privacy Advisor, Panetta & Associati Studio Legale’s Rocco Panetta writes, “Facebook has already assured that the unwanted data processing has occurred due to a mere technical bug.” Despite that, he notes, the Garante is requiring confirmation on six points, including the duration of the event and measures taken to resolve the issue.
Full Story

DATA PROTECTION—EU

Majority of Retailers Say New Rules Will Harm Business (July 5, 2013)

More than two-thirds of online retailers say proposed changes to EU data protection rules will damage business, EurActiv reports. That’s according to a recent survey by the European Multi-channel and Online Trade Association, which represents more than 80 percent of EU online traders, the report states. The survey polled 90 companies from the UK, Germany, Austria, France, Sweden, Switzerland, Greece and Spain.
Full Story

PRIVACY—U.S.

Forum Focuses on Protecting Privacy While Enabling Innovation (July 5, 2013)

StaySafeOnline Blog features the IAPP’s recent KnowledgeNet forum, The Components of an Accountable Company Privacy Program and How To Implement It, in Washington, D.C., citing comments by David Hoffman, CIPP/US, and Data Privacy Day Chair Dan Caprio. “This is really about protecting privacy and enabling innovation,” Caprio said, noting those goals are not mutually exclusive. Hoffman spoke about developing accountability programs, noting, “The question is, ‘What’s the right model to provide appropriate protections so that individuals are going to have trust and confidence in the way they participate in society?’…I think that’s where accountability is trying to play a role.”
Full Story

SURVEILLANCE—EU & U.S.

EU Special Committee To Investigate Spying Reports (July 3, 2013)
As headlines continue to abound regarding concern from EU officials and member states, EurActiv reports the European Parliament “plans to establish a special committee to investigate reports that an American spy agency monitored phone calls and e-mails of EU institutions and some member states.” The panel, which will be established as part of the Committee on Civil Liberties, Justice and Home Affairs, will deliver its report by year’s end and “formulate proposals on adequate redress measures in case of confirmed violations and put forward recommendations to prevent that similar espionage events happen in the future,” the report states. Following communication with U.S. Attorney General Eric Holder, Justice Commissioner Viviane Reding said, “The U.S. appears to take our concerns regarding PRISM seriously,” noting Holder has committed to setting up an expert group “to assess the matter in detail…and the group will have its first meeting this month and a second one in Washington in September." Meanwhile, in a TechNewsWorld interview, Oxford Prof. Viktor Mayer-Schönberger opines, “People feel they have been deceived; people feel that they cannot trust the U.S. government.”

ONLINE PRIVACY

Do-Not-Track Continues To Spark Fires (July 3, 2013)

Microsoft’s newest version of Internet Explorer (IE) allows users to grant permission for specific websites to log their movements, IT Pro reports. IE11 was debuted in the Windows 8.1 preview last week and features a default Do-Not-Track setting with a “user-granted exceptions” option. Meanwhile, following criticism over its plans to move forward with a project to block third-party cookies in the Firefox browser, Mozilla’s Harvey Anderson said there’s “no constitutional right that allows people to modify my computer.” The Digital Advertising Alliance has called the proposal “draconian.”
Full Story

DATA LOSS—U.S.

Felony Privacy Invasion Charge for Trooper; Breaches Affect USC, Ubisoft (July 3, 2013)

The University of South Carolina has sent letters to 6,300 students whose personal information may have been on a stolen laptop, Greenville Online reports. The information included Social Security numbers. The school is currently working toward a new cybersecurity program. Meanwhile, a Virginia trooper has been indicted on one felony and eight misdemeanor counts of computer invasion of privacy based on allegations she was improperly using the Virginia Criminal Information Network. And game company Ubisoft has announced its systems have been breached by cybercriminals, recommending users change passwords immediately.
Full Story

PRIVACY LAW—U.S.

FL Law Under Fire; MO Gov. Axes Database Bill (July 3, 2013)

The Privacy Tracker reports on two pieces of legislation that have come under fire this week for violating privacy rights. Five lawsuits filed on Monday claim a Florida law, which went into effect that same day, violates the federal Health Insurance Portability and Accountability Act. The law, which aims to protect doctors facing malpractice suits, allows healthcare providers called as witnesses to give defendants’ attorneys information about patient treatment. Meanwhile, Missouri Gov. Jay Nixon axed a bill that would have created a database of workers who have filed workers’ compensation claims in the state.
Full Story

GEO PRIVACY—U.S.

States Move On Laws Requiring Warrants for Cellphone Records (July 3, 2013)

The New York Times reports on a recently passed Montana bill that requires police to obtain a search warrant before determining a suspect’s location based on cellphone carrier records. Realizing the value of metadata and the ability of cellphones to track our daily movements, Montana’s governor signed the location information privacy bill—reportedly the first of its kind in the nation—into law on May 6. Other states are working to pass similar bills. Maine’s version is on its way to the governor’s desk, and Massachusetts will hold a legislative hearing on a similar measure next week. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Children’s Privacy Suits To Be Heard in NJ (July 3, 2013)

The U.S. Judicial Panel on Multidistrict Legislation has sent six class-action lawsuits alleging Google and Viacom “violate children's privacy by using cookies to track their Internet use and target them for ads” to New Jersey to be heard, Courthouse News Service reports. A nationwide class-action was filed back in December in Texas by Stephanie Fryar, who “claimed that when her sons registered and created profiles on three Viacom-operated websites…the defendants placed a doubleclick.net cookie ‘id’ on the children's computers to track their communications to those websites and others,” the report states, noting similar cases were filed in California, Illinois, Missouri, New Jersey and Pennsylvania.
Full Story

PRIVACY—U.S.

10 Steps to a Quality Privacy Program: Part One (July 3, 2013)

The May edition of The Privacy Advisor featured an article on the “Ten Steps to a Quality Privacy Program: Taking Your Program to the Next Level.” This is the first of a series of articles that will drill down on each recommended step in an effort to help those just getting started on or revamping existing policies, beginning with “Step 1: Creating Roadmaps on Requirements.”
Full Story

DATA PROTECTION

Security Company Releases Privacy Product (July 3, 2013)

Symantec has released a new privacy product capable of scanning a mobile device for data an application may be leaking about the user. Norton Mobile Security for Android devices checks for “malicious applications, privacy risks and potentially risky behavior.” While Norton’s suite of mobile security products has typically focused on malicious threats, Michael Lin, vice president of Symantec Mobility Solutions, told the IAPP that this latest solution reacts to the fact that “now we are seeing threats impact mobile applications and data being shared without the user’s knowledge or consent.” This latest product aims to “protect users from these types of privacy threats as well.”
Full Story

DATA PROTECTION—U.S.

AG Report Reveals Breaches Affect 2.5 Million in 2012 (July 2, 2013)
According to a first-of-its-kind report released Monday by California Attorney General Kamala Harris, 2.5 million Californians had personal information put at risk because of electronic data breaches in 2012. Had companies encrypted data when sending it outside of a network, 1.4 million Californians would have been protected. Retail establishments were the worst offenders. Noting the dangers inherent to individuals’ privacy, finances and even personal security, Harris said companies and government agencies “must do more to protect people by protecting data.” Meanwhile, Blizzard Entertainment has asked a California federal judge to dismiss a multi-million dollar class-action filed after a data breach, stating the plaintiffs have not alleged “actual harm.”

SURVEILLANCE—EU & U.S.

Albrecht: Reports Suggest NSA Intercepted Regulation Data (July 2, 2013)

“If the actual revelations on these spying activities are true, then it is completely clear that there have been also interceptions with the activities of this regulation,” German Green MEP Jan Philip Albrecht said of the EU’s draft data protection regulation in response to this weekend’s reports on the U.S. National Security Agency (NSA) allegedly spying on EU activities. EUObserver cites lobbying efforts against the draft regulation by the U.S. government and U.S.-based companies, quoting Albrecht as saying, “Perhaps it’s time to re-discuss once more if we really want to completely exclude national security from the scope of the regulation." A European Commission spokeswoman has called the weekend allegations “disturbing” and said the European External Action Service has asked Secretary of State John Kerry to respond.
Full Story

PRIVACY

What Is Privacy in the Digital Age? (July 2, 2013)

In his most recent Privacy Perspectives installment, Phil Lee, CIPP/E, CIPM, describes his path to the privacy profession. “With privacy, I get to advise on matters that affect people, that concern right or wrong, that are guided by lofty ethical principles about respecting people’s fundamental rights,” he writes. With the growing dichotomy between regulatory mandates and “what, in practice, actually delivers the best protection for people’s personal information,” Lee challenges the privacy profession to “debate and encourage an informed consensus about what privacy really is, and what it should be, in this digital age.” Editor’s Note: For expert insights into the privacy career track and a high-level review of basic privacy laws, register for the IAPP’s web conference, Legal Privacy Primer—First Steps in a Career, to be held July 11.
Full Story

FINANCIAL PRIVACY—CANADA & U.S.

Data-Sharing Deal Will “Depend on the Details” (July 2, 2013)

Canada finds itself grappling between thwarting tax evasion and protecting privacy as it nears the announcement of a deal with the U.S. to share banking information, reports The Globe and Mail. The Foreign Account Tax Compliance Act, which will go into effect January 1, requires financial institutions in other countries to inform the U.S. Internal Revenue Service about Americans’ offshore bank accounts storing more than $50,000, the report states. Whether Ottawa or financial institutions themselves will hand over the data is up for debate, with many arguing having the banks do it will ensure compliance with privacy laws. A spokesperson for Canadian Privacy Commissioner Jennifer Stoddart said the privacy implications will “depend on the details.”
Full Story

STUDENT PRIVACY

Task Force Tackles Innovation-Privacy Balance in Education (July 2, 2013)

Researchers, innovators and thought leaders all over the world are thinking about education. From danah boyd to Sugata Mitra to the Aspen Institute, they’re discussing ways the Internet, social networks, mobile media and gaming technology are affecting our youth and the way they learn. In this Privacy Advisor exclusive, Microsoft CPO and IAPP Chairman Brendon Lynch, CIPP/US, talks about the Aspen Institute’s new Task Force on Learning and the Internet, of which he’s a member. Noting the group is just beginning its exploration, Lynch says, “as schools are experimenting with their online capabilities, and as they utilize those technologies and solutions, they need to make sure they’re addressing privacy concerns that parents and children may have.”
Full Story

PRIVACY LAW—U.S.

Laws Restricting Drones, Gun-Owner and Student Data on the Move (July 2, 2013)

The spate of state privacy laws—proposed and passed—continues in Louisiana, Massachusetts, New Jersey and Oregon. The Privacy Tracker reports on Louisiana’s new law to protect the identities of concealed-weapons permit holders, paralleling a number of other states in response to a map indicating the homes of gun owners published in New York last year. Massachusetts lawmakers are considering a bill that would protect student data in the cloud from third parties as the state mulls participation in a Gates Foundation pilot program that aims to help schools simplify computer systems. And New Jersey and Oregon have seen movement on drone bills—with Oregon’s on its way to passage.
Full Story

CONSUMER PRIVACY—U.S.

Experts: Don’t Fall Victim to New ZIP Code Laws (July 2, 2013)

“Under recent developments in state data privacy law, seemingly innocuous business practices can result in major liability for retailers,” write experts Anthony Bongiorno and Matthew Turnell for Corporate Counsel. States like California and Massachusetts have recently passed laws that consider ZIP codes personal information. While many retailers collect ZIP codes at checkout, without the proper policies and procedures in place, doing so could result in class-action lawsuits. Since California passed its law, 150 class-actions have been filed there against retailers. As such, Bongiorno and Turnell urge in-house counsel to know what information a company is collecting, how it’s stored and processed and the reason for its collection. Editor’s Note: For more on ZIP code laws and how to keep your company out of hot water, read “ZIP Codes: Are Courts Set To Protect Consumers from Marketing?” from the May edition of The Privacy Advisor, which includes a state-by-state guide to the laws.
Full Story

SURVEILLANCE—U.S.

Opinion: Policies Should Acknowledge Technology (July 2, 2013)

The U.S. National Security Agency took advantage of the “increased use of digital communications and cloud services, coupled with outdated privacy laws, to expand and streamline their surveillance programs,” writes Ashkan Soltani for MIT Technology Review. Technology will no longer be a barrier to automated surveillance, and costs are only coming down. “Whatever policy actions are taken as a result of the recent leaks” should address these facts, Soltani says. Meanwhile, The New York Times reports on one artist creating products that offer increased privacy in light of Google Glass, and a Texas congressman has said he’s disappointed with Google’s response to questions over the product.
Full Story

SURVEILLANCE—EU & U.S.

Reports: “Europe in an Uproar” Over NSA, UK Allegations (July 1, 2013)
The New York Times' Kevin O’Brien writes, “Europe was in an uproar Sunday over a magazine’s charge that Washington bugged European Union offices in the United States,” and Der Spiegel has quoted German Chancellor Angela Merkel as saying, “The monitoring of friends—this is unacceptable. It can't be tolerated. We're no longer in the Cold War.” In this roundup, The Privacy Advisor examines the key headlines of the past three days as well as the varying opinions now being published on the implications of the allegations of spying by U.S. and UK government programs.

CHILDREN’S PRIVACY—U.S.

New COPPA Rules Take Effect Today; Marketers May Not Be Ready (July 1, 2013)

In a piece for GigaOm, Jeff John Roberts discusses what COPPA’s new rules mean for marketers. The revised law comes into effect today and can impose penalties of up to $16,000 per violation. Many app developers may not be prepared for the rules, which require parental consent before collecting basic data on children. Fast Company predicts three outcomes following today’s implementation of the law: The privacy business, including Safe Harbor programs and privacy lawyers, will boom; sites will neglect to ask users’ age, and/or a “chilling effect” will take place on the development of educational apps and games.
Full Story

PRIVACY LAW—AUSTRALIA

Breach Notification Laws Fail To Pass Before Break (July 1, 2013)

The Australian Senate has failed to pass mandatory data breach notification reform laws, which were expected to go into effect by March of next year. The Senate has now taken its break until the next election. The proposed law was described by the Australian Law Reform Commission in 2008 as a “long-overdue measure,” Business Spectator reports. The Senate did pass laws last week requiring commonwealth public officials to report suspected wrongdoing, reports The Register. Meanwhile, a new report says that many Australian data-driven firms are using consumer data to support existing beliefs rather than “achieve fresh insights.”
Full Story

ONLINE PRIVACY—EU

Working Group: Default Should Be No Tracking (July 1, 2013)

The EU’s International Working Group on Data Protection has released a whitepaper on online behavioral advertising, reports the Electronic Privacy Information Center. The working group says in its release that World Wide Web Consortium efforts to create a Do-Not-Track mechanism could serve as a “sugar pill instead of a proper cure and would such be useless.” The working group recommends that the default setting be that users are not tracked.
Full Story

PRIVACY—U.S.

Wong’s Role as Deputy CTO: Behind-the-Scenes but Influential (July 1, 2013)

National Journal reports on the new deputy U.S. chief technology officer’s first week on the job. The White House appointed former Google and Twitter attorney Nicole Wong to the role—one which could have far-reaching effects on everything from the Internet to foreign policy to human rights issues. While a spokesman for Wong’s boss, Chief Technology Officer Todd Park, hasn’t specified Wong’s duties, he said “chief privacy officer” doesn’t fully describe them. But Wong has a “stellar reputation for aggressively protecting individual privacy rights,” the report states. Andrew McLaughlin, a former U.S. deputy chief technology officer for Internet policy, said though Wong’s job is behind the scenes, it can be influential.
Full Story

CHILDREN’S PRIVACY—U.S.

Advocates: Facebook Settlement Not Enough (July 1, 2013)

At a hearing on Friday, children’s advocates worked to convince U.S. District Judge Richard Seeborg that last year’s proposed settlement of a case surrounding Facebook’s Sponsored Stories doesn’t do enough to protect children’s information, Reuters reports. The Children's Advocacy Institute argued that minors’ content should be off limits to advertisers, but Seeborg—without indicating how he would rule—noted that his function “is not to craft the perfect policy for minors” but only to say whether the settlement is fair. Seeborg gave initial approval of the settlement last year, but it still needs his final sign-off.
Full Story

DATA PROTECTION—SOUTH KOREA

Presidential Office Hacked (July 1, 2013)

A hacking attack on the presidential office has resulted in the leak of 100,000 individuals’ personal information, ZDNet reports. The information includes names, birth dates, ID numbers and both online and offline addresses, the report states. Users’ registration numbers—similar to Social Security numbers—were not affected because they were encrypted. The presidential office has issued an apology and is offering compensation to those affected.
Full Story

BIG DATA

Opinion: The Few Are Benefitting From the Many (July 1, 2013)

In an opinion piece for Financial News, Ben Wright discusses the rise of Big Data and questions who owns it. To this point, such a determination has not been made, resulting in the few benefitting “at the expense of the many,” Wright opines. “The financial industry clearly needs to have an open debate about all the data it is generating and amassing. It needs to decide who owns this information, how it should be used and shared and where the balance lies between privacy and the public good.” (Registration may be required to access this story.)
Full Story