Privacy News | Daily Dashboard


Top Privacy News

SURVEILLANCE—U.S.

DOC’s Kerry to EU: Don’t Worry About It (August 30, 2013)
As he prepares to leave the Department of Commerce, General Counsel Cameron Kerry gave a speech Wednesday at the German Marshall Fund of the United States aimed at reassuring European officials that the U.S. National Security Agency (NSA) is not violating their privacy rights, The Hill reports. Kerry said it would be a sad outcome if the NSA disclosures led to “Internet policy-making and governance in which countries became a series of walled gardens with governments holding the keys to locked gates. But that is where we will end up if all data has to stay on servers located in the nation in which a citizen lives or where a device is located.”

SURVEILLANCE

Skepticism Surrounds NSA Review Board; Massive “Black” Budget Revealed (August 30, 2013)

Opinion is streaming in surrounding U.S. President Barack Obama’s creation of an independent board to investigate the NSA’s surveillance operations, and much of it is highly critical. Focus is generally on Obama’s promise that the experts on the panel would be “outsiders” and commenters’ opinion that the members of the panel are anything but—save Peter Swire. Also, The Washington Post has major revelations derived from a leaked copy of the U.S. intelligence community’s “black budget” and you’ll never guess where Glenn Greenwald’s partner David Miranda was hiding the password to encrypted national security files leaked by Edward Snowden.

DATA LOSS—U.S.

Regulators, State AG To Investigate Advocate Breach (August 30, 2013)

Federal regulators and the Illinois Attorney General’s Office confirmed this week they will investigate Advocate Medical Group’s data breach, Chicago Tribune reports. The breach was the second-largest loss of unsecured protected health information reported to the Department of Health and Human Services (DHHS) since its mandatory breach notification rule came into effect in September 2009, the report states. The July 15 breach affected more than four million patients seen by Advocate Medical Group from the early 1990s through July. Affected patients have begun receiving notification letters. DHHS investigates any breach affecting more than 500 people, but wouldn’t comment on the Advocate case citing the pending investigation.

SOCIAL NETWORKING

Facebook Changes Include Expanded Facial Recognition (August 30, 2013)

The Wall Street Journal reports on Facebook’s announcement that it is “updating its privacy policies to clarify how the personal information of its more than one billion users” is collected and used—including at least one change: the expanded “use of facial recognition software to include profile pictures.” Some of the language is being included to comply with the recent $20 million settlement of a lawsuit over Facebook’s "Sponsored Stories" feature. Chief Privacy Officer Erin Egan, who outlined the changes to two legal documents, explained, “we revised our explanation of how things like your name, profile picture and content may be used in connection with ads or commercial content to make it clear that you are granting Facebook permission for this use when you use our services.” (Registration may be required to access this story.)

DATA PROTECTION—EU

New Data Breach Notification Requirement in Effect (August 30, 2013)

SC Magazine reports on the new data breach reporting requirement in the EU. The requirement took hold last week and requires telecommunications and Internet service providers in the EU to report a data breach to authorities within 24 hours of the moment the breach is discovered. Meanwhile, in an exclusive for The Privacy Advisor, Laura Vivet Tañà, CIPP/US, CIPP/E, examines the proposed EU data protection regulation’s breach notification rule, including such key elements as what should be considered as a personal data breach, the notification requirement and consequences of a security breach.

PRIVACY LAW—U.S.

States Taking Lead in E-mail, Location Privacy (August 30, 2013)

After delays in congressional efforts to update the Electronic Communications Privacy Act (ECPA), some states are taking matters into their own hands, reports The Washington Post. Texas and Montana have both passed e-mail privacy laws—and Montana went a step further, becoming the first in the nation to pass location-tracking legislation. Maine passed a law requiring a warrant for police to access text messages, and Massachusetts lawmakers are considering an e-mail and geolocation privacy bill for mobile device data. New York and Florida have also announced plans to tackle this issue in their next session. But, as the report states, “state-level laws cover only state-level authorities and can’t compel federal investigators. For that, there must be congressional action.” (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Opinion: “Revenge Porn” Should Be Illegal (August 30, 2013)

University of Maryland Francis King Carey School of Law Prof. Danielle Keats Citron outlines the reasons she believes “revenge porn,” or the nonconsensual disclosure of nude photos online, should be punishable by criminal law in this CNN report. The practice raises the risk of offline stalking, costs victims job opportunities with the prevalent use of search engines in employee background checks and causes severe anxiety in victims, Citron says. New Jersey is currently the only state in which revenge porn is illegal, and California is considering a similar law, but Citron wants the federal cyberstalking law amended to “cover the use of any interactive computer service to produce or disclose a sexually graphic visual depiction of an individual without that individual's consent.”

INTERNATIONAL RELATIONS

The Brussels and Warsaw Privacy Peace Talks (August 29, 2013)
Next month, U.S. Federal Trade Commissioner Julie Brill and Deputy Assistant Secretary of State Danny Sepulveda will travel to Brussels to discuss privacy with EU officials. Later in the month, Poland will host the 35th Conference of Data Protection and Privacy Commissioners, a meeting that will be attended by privacy officials and stakeholders from around the world. In the latest installment of Privacy Perspectives, Hogan Lovells’ Christopher Wolf argues that the “gatherings provide an opportunity to declare a ceasefire in the war of words—a war in which most of the ‘incoming’ has originated on the European side of the Atlantic in the wake of the Snowden NSA revelations, and a war that threatens progress in international cooperation on privacy.”

DATA PROTECTION—EU & U.S.

Safe Harbor May Be Controversial in the European Union, But It Is Still the Law (August 29, 2013)

Safe Harbor has become a target for retribution in light of revelations about the National Security Agency's PRISM program. It has come under fire from Rapporteur Jan Albrecht and the Article 29 Working Party, among others. While various officials have promised reviews and improvements to the framework, none have yet been released. In this exclusive for The Privacy Advisor, Damon Greer, who directed the EU-U.S. and Swiss Safe Harbor frameworks from 2006-2011, discusses Safe Harbor's fate.

PRIVACY LAW—U.S.

Cybersecurity Policy Developments Roundup (August 29, 2013)

In February, President Barack Obama signed an executive order that put into motion a number of initiatives aimed at improving the cybersecurity posture of the “critical infrastructure” of the United States. In this latest Privacy Tracker post, we look at the order’s ripple effect, including the Cybersecurity Act of 2013, which is likely both to pass and to affect nearly every organization’s privacy plans. What do you need to do to prepare? Editor’s Note: The Privacy Advisor recently interviewed Director for Cybersecurity Privacy, Civil Liberties and Policy Ari Schwartz about his new position.

MOBILE PRIVACY—U.S.

Opinion: New Code of Conduct Demonstrates Self-Reg Can Work (August 29, 2013)

The recent NTIA multi-stakeholder vote to test new guidelines for mobile privacy indicates self-regulation is possible, writes Ken Wasch, president of the Software and Information Industry Association, in a post for The Hill’s Congress Blog. “In a time of rapidly evolving technology, this approach is the only way to effectively maintain the right balance between consumer confidence and continued innovation—a balance that government regulation or legislation would most certainly fail to accomplish,” Wasch writes, adding that while the process wasn’t without bumps, it’s proof that “industry and civil society can avoid burdensome, costly regulation and reach practical consensus on a path forward.”

ONLINE PRIVACY—U.S.

Swire Leaves DNT Group (August 29, 2013)

AdWeek reports on the departure of Co-Chairman Peter Swire, CIPP/US, as the latest development for the W3C’s working group tasked with creating a Do-Not-Track browser standard. “The 110-member international group was formed two years ago to unite all stakeholders on a tracking standard. But by the end of last year, the group was still nowhere near consensus, and browser companies such as Mozilla and Microsoft began to go their own way with their own browser solutions, causing a controversy with the interactive advertising community,” the report states. Swire, who was recently named to the Obama administration’s NSA review panel, wrote he is leaving due to the appointment, citing a "sense of responsibility" to serve on that panel, the report states.

ONLINE PRIVACY—EU & RUSSIA

Sen. Wants Probe Into Twitter Compliance (August 29, 2013)

Russian Sen. Ruslan Gattarov says Twitter’s privacy policies violate Russian and European data protection laws, Rapsi News reports. Gattarov has asked the prosecutor general, the head of the federal communications agency and the Council of Europe’s data protection commissioner to conduct an investigation. He alleges certain parts of Twitter’s policies violate Russian users’ rights, including the omission of explanation for the reason personal data is collected and the lack of a translation of part of its policy into Russian.

SURVEILLANCE

Opinion: Support for Anti-Tracking Wear on the Rise (August 29, 2013)

When the developers of “OFF Pocket,” a sleeve for smartphones that blocks incoming phone signals, WiFi, GPS and Internet connections, launched their Kickstarter campaign looking for $35,000, they ended up raising $56,447. NPR blogger Robert Krulwich offers his views on why the campaign was so successful. At some point, news of the U.S. government’s warrantless data collection combined with a proliferation of surveillance devices will “make us wonder… ‘Who's watching me?’” he writes, adding, “once we start wondering, it's only natural to think about protecting ourselves—and that's the change, I suspect, that has just begun.” After its Kickstarter success, OFF Pocket may go commercial, but concerns about use by terrorists have caused designers of other surveillance-blocking attire to hold back their technologies.

SURVEILLANCE—U.S.

Gov. Signs Bill To Regulate Law Enforcement Drone Use (August 29, 2013)

Illinois Gov. Pat Quinn has signed a bill that will regulate law enforcement’s use of drones, The Republic reports. State Sen. Daniel Biss (D-Ninth District) sponsored the bill and said it helps to maintain a reasonable expectation of privacy, the report states. The American Civil Liberties Union supports the bill, calling it reasonable. The bill includes exceptions for when the Department of Homeland Security decides surveillance is necessary to prevent a terrorist attack.

CHILDREN’S PRIVACY—U.S.

School District To Monitor Students’ Online Posts (August 29, 2013)

A California school district has hired a company to monitor and analyze students’ public social media posts, Los Angeles Times reports. Aiming to intervene when students are in danger related to cyberbullying, substance abuse or despair, among other risks, the school will receive a daily report of student posts on sites such as Facebook, Instagram, YouTube and Twitter from company Geo Listening. The school district’s superintendent said the program means another opportunity to keep kids safe at all times, but some parents have concerns that the program is “big brother-ish.”

GOVERNMENT ACCOUNTABILITY

Final FIPP Is Crucial for Federal Privacy Programs (August 28, 2013)
As federal programs as diverse as the National Security Agency and the Drug Enforcement Agency come under scrutiny for their privacy practices, Mary Ellen Callahan, CIPP/US, former CPO at the Department of Homeland Security, says federal agencies of all kinds can avoid privacy disasters by adhering to the most crucial of Fair Information Practice Principles: auditing and accountability. In this latest post for Privacy Perspectives, Callahan lays out in detail how privacy worked at DHS under her watch and why CPOs need “holistic investigatory authority.”

PRIVACY RESOURCES

The Complex Concept of Accountability (August 28, 2013)

The principle of accountability is found in guidance across the globe, and while it is recognized as an essential element of an effective privacy program, demonstrating it and measuring it can be a challenge. The IAPP Resource Center has compiled research, articles and presentations on the topic. From Hunton & Williams’ “Accountability: A Compendium for Stakeholders” to the Article 29 Working Party’s opinion on the principle of accountability, you’ll find the information you need to clarify what it means and how to demonstrate it.
Close-Up: Accountability

ONLINE PRIVACY

Gov’t Requests for Facebook Data Outlined in Transparency Report (August 28, 2013)

In the first half of 2013, Facebook fielded governments’ requests for data on more than 38,000 Facebook users and complied with about 80 percent of those requests, Reuters reports. That’s according to the social networking giant’s first report on the scale of data inquiries it receives globally. Of those, U.S. law enforcement authorities made the most requests, seeking data on between 20,000 and 21,000 users between January and June, the report states. That’s up from the number of requests they made in the prior six-month period, which was roughly between 18,000 and 19,000. Authorities in India, the UK and Germany also requested data on large numbers of users.

SURVEILLANCE—U.S.

President Meets with Surveillance Review Panel (August 28, 2013)

President Barack Obama met with the panel he requested to review U.S. surveillance programs on the collection of telephone and Internet data for the first time on Tuesday, Bloomberg reports. Obama announced the panel’s establishment earlier this month, saying, “It’s not enough for me, as president, to have confidence in these programs. The American people need to have confidence in them as well.” The panel will provide the president with interim findings in 60 days, and its goal is to examine how the U.S. “can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties.”

DATA LOSS—U.S.

Judge Dismisses Class-Action; Breaches Affect Business and School (August 28, 2013)

A California federal judge has dismissed a proposed class-action accusing Symantec of concealing a data breach, Law360 reports. Meanwhile, Sustainable Business Oregon reports that a data breach at the Bonneville Power Administration has compromised the data of 3,100 employees. And the University of Mississippi has acknowledged that an employee mistakenly attached a spreadsheet containing nearly 2,300 students’ names, Social Security numbers, grade-point averages, races, genders and other details to a mass e-mail to students. (Registration may be required to access this story.)

PRIVACY SCHOLARSHIP

IAPP/PLSC Award-Winning Papers Posted (August 28, 2013)

Earlier this month, The Privacy Advisor spoke with the authors of the award-winning papers from the Privacy Law Scholars Conference: Ryan Calo and Daniel Solove and Woodrow Hartzog. Now, both papers have been posted to the Social Science Research Network and you can read the current drafts. Find Solove and Hartzog’s “The FTC and the New Common Law of Privacy” here. Find Calo’s “Digital Market Manipulation” here. Geekwire talks with Calo as well about his paper and its implications for the current Internet marketplace. Editor’s Note: Calo, Solove and Hartzog will present their papers at the IAPP Privacy Academy, in Seattle, Sept. 30-Oct. 2.

PRIVACY LAW—SOUTH AFRICA

National Assembly Passes POPI (August 28, 2013)

In this Privacy Tracker post, Eversheds’ Paula Barrett and Penelope Jarvis examine South Africa’s Protection of Personal Information Bill (POPI), passed by the South African National Assembly this month. “All that stands in the way of POPI becoming law is its translation into Afrikaans and the signature of South African President Jacob Zuma,” they write. Barrett and Jarvis examine the history of the legislation and detail what you need to know about POPI, including the conditions that must be met to process personal data legally and information on compliance and enforcement. (IAPP member login required.) Editor’s Note: The IAPP will host a KnowledgeNet in Johannesburg, South Africa, on Monday, October 7, focusing on “International Privacy Initiatives Using Marketing as a Case Study.” Registration closes October 3.

DATA PROTECTION—GERMANY

Berlin Commissioner Talks Surveillance, Big Data and New Rules on Privacy (August 28, 2013)

Bloomberg talks with Berlin Commissioner for Data Protection and Freedom of Information Alexander Dix on the U.S. NSA scandal, Big Data technologies and privacy concerns within the commercial sector. When it comes to anonymization, Dix says while it’s true that it’s possible for anonymized data to be linked to individuals, it “does not make anonymization a useless process. It is still better than having outright personal data on the Internet or pseudonymized data…” As far as essential aspects that should be applied in new privacy regulations, Dix says telecommunications surveillance should be the exception and not the rule and adds that data minimization is essential.

ONLINE PRIVACY

Lenders Determining Creditworthiness Via Facebook Friends (August 28, 2013)

CNN reports that a handful of tech startups are using social data to determine the risk of lending to people. That’s because financial lenders have discovered social connections are a good indicator of a person’s creditworthiness, the report states. Lenddo, for example, determines whether an individual is “Facebook friends” with someone who was late in paying back a loan. “It turns out humans are really good at knowing who is trustworthy and reliable in their community,” said the company’s CEO. “What’s new is that we’re now able to measure through massive computing power.”

ONLINE PRIVACY—U.S.

Facebook To Pay $20 Million in Settlement (August 27, 2013)
A federal judge has approved a class-action settlement that will require Facebook to pay $20 million for putting users in their “Sponsored Stories” advertising program without their permission, Wired reports. Originally, U.S. District Judge Richard Seeborg had said he had “serious concerns” over the deal because it paid $10 million to charity but nothing to class members. The settlement now divides the $20 million among charities, the class-action attorneys and the 125 million U.S. Facebook users affected.

DATA LOSS—U.S.

Second Largest HIPAA Breach Ever Affects Four Million (August 27, 2013)

Advocate Health System has announced the theft of four unencrypted computers that contained information on four million patients, reports Healthcare IT News. According to officials, the computers contained the patients’ names, addresses, dates of birth, Social Security numbers and clinical information. In a letter to affected individuals, the group’s chief medical officer wrote that, "In order to prevent such an incident from reoccurring, we have enhanced our security measures and are conducting a thorough review of our policies and procedures."

PRIVACY

Shortage of Privacy Specialists, An Opportunity for Pros? (August 27, 2013)

Forbes reports on a shortage of qualified privacy and cybersecurity legal specialists in California. LinkedIn Corp. General Counsel Erika Rottenberg speculates that technology companies in Silicon Valley are scooping up the qualified attorneys. The need for privacy attorneys could present an opportunity for law schools capable of responding to such a demand. Certification is an option for professionals, and managers who hold certifications earn on average $10,000 more in salary than their non-certified counterparts, the report states. Editor's Note: For more benchmarking data on the salaries of privacy professionals, see the IAPP 2013 Privacy Professionals Salary Survey.

CLOUD COMPUTING

Managing Risks in the Growing Cloud Environment (August 27, 2013)

As a precursor to his presentation at the IAPP Privacy Academy in Seattle this fall, Chris Zoladz, CIPP/US, CIPP/E, CIPP/IT, CIPP/G, writes in this latest Privacy Perspectives blog post that, “While there are real security and privacy concerns surrounding the cloud, they are by no means insurmountable.” Acknowledging studies that predict the growth of the cloud market to more than $120 billion by 2020, Zoladz offers common characteristics of those companies currently active in the cloud and advocates for “strong encryption with appropriate key management,” adding, “What would be the security and privacy risk if only encrypted data is ever stored in the cloud and only you as the cloud customer have the encryption keys?”

PRIVACY COMMUNITY

A Turbulent Time for Gathering Privacy Commissioners (August 27, 2013)

As host of this year’s 35th Annual Conference of Data Protection and Privacy Commissioners, Wojciech Wiewiórski, Poland’s Inspector General for Personal Data Protection, finds himself with privacy in perhaps its brightest spotlight ever. Not only is the European Union in the midst of the much-talked-about overhaul of the Data Protection Regulation, but virtually the entire globe continues to be riveted by the news of U.S. (and more) government surveillance triggered by the whistleblower Edward Snowden. In an exclusive interview with The Privacy Advisor, he talks about the conference’s big themes, how the NSA revelations will be discussed and what the big news will be in Warsaw this year.

WEB CONFERENCE

The Snowden Fallout: How To Respond (August 27, 2013)

Despite a history of disagreements over privacy issues at the government level, European and U.S. businesses have largely enjoyed mutually beneficial working relationships with regard to personal data processing. But Edward Snowden’s revelations about NSA surveillance activities have shaken this balance, requiring American companies to face a barrage of questions and doubts from their European customers regarding the security and privacy of personal data. Join OPower Associate General Counsel Adam Connolly, MobileIron VP and General Counsel Laurel Finch, and InfoLawGroup Partner Boris Segalis, CIPP/US, Sept. 12, as they outline demands recently made of U.S. service providers and offer practical guidance on how to meet these concerns.

SURVEILLANCE

“There Are Potentially Tons of Edward Snowdens” (August 27, 2013)

NBC News reports that when Edward Snowden accessed the data of the National Security Agency, he didn’t need sophisticated devices or software, he just needed some thumb drives and “the willingness to exploit a gaping hole in an antiquated security system to rummage at will through the NSA’s servers and take 20,000 documents without leaving a trace.” Snowden, as a system administrator, had access to any file he wanted and was rarely audited. He also was not required to leave a signature on any data he accessed. One intelligence official said it’s a pervasive problem: “There are potentially tons of Edward Snowdens.”

DATA PROTECTION

Password-Cracking Just Got Smarter (August 27, 2013)

Passwords just got a lot easier to crack, Ars Technica reports. That’s because password-cracker “ocl-Hashcat-plus,” a freely available service for offline hashed password cracking, can now decode passwords with as many as 55 characters. The program previously could only crack passcodes with 15 characters or fewer, but Web users have increasingly used longer passcodes and phrases to protect their online data. “This was by far one of the most requested features,” said the program’s lead developer. The development means Hashcat users can now achieve as many as eight billion guesses per second “on a virtually unlimited number of compromised hashes.”

PRIVACY LAW

California and Brazil Consider Serious New Legislation (August 26, 2013)
This week’s Privacy Tracker roundup of legal developments highlights a California bill passed by the state Senate that would require certain website operators and online service providers to disclose whether they honor users’ "do not track" requests and a bill proposed in the Michigan Assembly that could mean fines and jail time for law enforcement officers who track suspects using GPS without a warrant. Wisconsin is poised to be the ninth state this year to pass an employee social media privacy law. And, in Brazil, work is ongoing towards the nation’s first set of data protection and Internet governance laws—including a new amendment requiring data to be stored locally, which is raising concerns among U.S. tech companies. (IAPP member login required.)

PRIVACY

GE Appoints Chief Privacy Counsel (August 26, 2013)

General Electric has announced the appointment of Peter Lefkowitz, CIPP/US, as chief privacy counsel. Lefkowitz most recently served as vice president of privacy and security legal and chief privacy officer at Oracle. “I’m honored to join the strong global privacy team at General Electric. Privacy is increasingly a business and brand differentiator, and GE is at the forefront of managing privacy compliance and providing thought leadership,” Lefkowitz told the IAPP. He will take his post September 9.

PRIVACY

What Happens When Technology Advances and the Law Does Not? (August 26, 2013)

Baseball fans in the Detroit area have been actively debating whether slugger Prince Fielder’s recent struggles at the plate are fueled by his divorce from his wife. However, columnist Mitch Albom noted, this is the kind of personal privacy invasion that only became truly possible in the Internet age. This latest installment of Privacy Perspectives from Jedidiah Bracy, CIPP/US, CIPP/EU, looks at the disappearance of practical obscurity and why it is that public privacy policy has not kept up with technological advancements.

SURVEILLANCE

PCLOB to U.S. Intelligence: Update Data-Gathering Guidelines Now (August 26, 2013)

News that NSA analysts knowingly violated surveillance authority over the past decade, and were in fact disciplined for it, is just the latest information drawing attention to U.S. intelligence data-gathering activities. That scrutiny now looks to be leading to active changes. In its first major missive since its resurrection earlier this year, the Privacy and Civil Liberties Oversight Board has sent a letter to U.S. Attorney General Eric Holder and Director of National Intelligence James Clapper telling them the board believes that “key policies and procedures addressing privacy and civil liberties should be kept up to date to take into account new developments including technological advancements.” We round up this news, a new agreement Germany would like to iron out with the Obama Administration and why the NSA might be a topic at enormous music and tech festival SXSW.

DATA LOSS

Federal Reserve Employee Data Exposed (August 26, 2013)

Law enforcement is working with the Federal Reserve to investigate a hacking incident that has resulted in the release of employee data online. Bloomberg reports individuals claiming to be part of the hacktivist group Anonymous have claimed responsibility for posting online the “full details of every single employee at Federal Reserve Bank of America,” adding central banks have “systematically defrauded the planet.” The bank says the data was likely accessed more than six months ago, through a breach of its Emergency Communications Systems and includes names, phone numbers and e-mail addresses, among other information.

PRIVACY LAW—U.S.

State Bill Would Track Drivers’ Mileage (August 26, 2013)

Oregon lawmakers have approved a bill that would tax drivers not on the amount of gas their cars burn but on the number of miles driven. The program, which would commence in 2015 with volunteers, would use technology to track drivers’ mileage, but that has raised concerns about government surveillance of driving habits. In response to such concerns, the legislation limits who can see the information reported by tracking devices and requires the state and private entities tracking the data to destroy location information from participating drivers within 30 days of using it for billing, Stateline reports.

SURVEILLANCE—U.S.

White House Names NSA Review Panel (August 23, 2013)
In response to the slew of leaks stemming from Edward Snowden, President Barack Obama has reportedly named a panel of four experts to conduct a full review of U.S. surveillance programs, ABC News reports. This “high-level group of outside experts” will reportedly include recent acting head of the CIA Michael Morell, and former White House officials Peter Swire, CIPP/US, Cass Sunstein and Richard Clarke. Two weeks ago, Obama said the panel will “consider how we can maintain the trust of the people (and) how we can make sure that there absolutely is not abuse.” This roundup for The Privacy Advisor looks at reaction to the panel and includes more news on the intelligence community’s attempt at transparency through social media and how Silicon Valley is investing in security start-ups.

PRIVACY LAW—U.S.

Advocacy Groups Oppose $8.5M Settlement (August 23, 2013)

Advocacy groups including the Electronic Privacy Information Center, Consumer Watchdog, Center for Digital Democracy, Patient Privacy Rights and Privacy Rights Clearinghouse are opposing Google’s settlement in a privacy lawsuit, writing to U.S. District Court Judge Edward Davila that the donation of $8.5 million to nonprofit groups and schools should be rejected, Media Post Blogs reports. While the groups cite several reasons, “the most significant is that the deal allows Google to continue engaging in the same activity that led to the lawsuit—leaking the names of people who use its search engine,” the report states, noting, “The only difference for Google is that the deal requires it to revise a section of its privacy policy.”

PRIVACY IN POPULAR CULTURE

Privacy Is “More Complicated Than We Realized” (August 23, 2013)

When Shel Israel and Robert Scoble started looking into their second book together, Age of Context: How Mobile, Sensors and Data Will Change Your Life, it was because “we’re enthusiasts of new technology,” said Israel. As Rackspace’s startup liaison officer, Scoble has gained wide renown in tech circles for his Scobleizer blog and Twitter handle. Israel is maybe best known for his writings for Forbes, where he looks at “the ever-evolving tech industry.” So maybe their initial impressions of privacy should not be surprising: “We joked that people ought to get over it,” Israel said with a laugh. “But the more we listened, the more deeply we realized that we don’t really have a choice about what’s coming.” The Privacy Advisor offers you exclusive thoughts from Israel about how privacy will become a business driver, plus a free download of the privacy chapter from the book.
Full Story

CHILDREN’S PRIVACY—U.S.

COPPA Changes Leading to “Plummeting” Ad Revenue (August 23, 2013)

COPPA changes that went into effect July 1 are creating headaches for publishers of “mom and pop” websites who say their ad revenue is plummeting, AdAge reports. Judy Miller, founder of Apples4TheTeacher, a resource for teachers that also attracts children, said, “The law is so subjective for what is a kids' site and what is a mixed site, it just has thrown me into a tailspin.” The Interactive Advertising Bureau’s (IAB) Mike Zaneis said, “Unfortunately, this was all too predictable, as the IAB warned for two years that the impact of the new COPPA rules would mean less revenue for child-directed sites and fewer free offerings for families.”
Full Story

ONLINE PRIVACY

Companies Enhancing Ways To Go Incognito (August 23, 2013)

Companies that offer secure online communication services are increasingly pushing private texting applications over encrypted e-mail, reports The Wall Street Journal. While consumer e-mail programs require authentication credentials—which are then stored in a database—for user login capabilities, the companies say the encryption for smartphone-based services happens on the device, so there is no way to decrypt the messages remotely. Both Apple and Android secure messaging services say they have seen an increase in downloads in the past month. Meanwhile, a new website called justdelete.me collects on one page links that will delete online accounts, including social media, photo-sharing and shopping accounts, simplifying the process of vanishing from the Internet. (Registration may be required to access this story.)
Full Story

PRIVACY—U.S.

Opinion: Who’s the Most Active Enforcer? (August 23, 2013)

In a post for Concurring Opinions, Robert Gellman discusses recent Federal Trade Commission (FTC) enforcement activities, writing, “I want to put FTC privacy activities into a perspective by comparing the FTC with the Office for Civil Rights (OCR), Department of Health and Human Services.” Gellman cites statistics, writing the FTC reported 153 cases from 1997 through February of this year, while the “OCR investigated 19,726 complaints that revealed a violation during the 10-year period ending in April 2013.” Gellman opines, “It seems to me that it is difficult to look at the numbers and still think that the FTC’s record justifies grand claims about the role of the FTC as a general enforcer of privacy standards in the commercial sector.”
Full Story

PRIVACY LAW—U.S.

The Class-Certification Battleground (August 22, 2013)
Privacy and data breach class actions are on the rise. Plaintiffs typically claim that the defendant—whether a retailer, hospital, health insurer, payment card processor or other company handling their personal information—failed to adequately protect their information, used that information for unauthorized purposes or otherwise violated their privacy rights. But, as David M. Governo and Corey M. Dennis, CIPP/US, highlight in this exclusive for The Privacy Advisor, such plaintiffs are often unable to overcome the class-certification hurdle, which generally results in the failure of the case. Why do some succeed where others fail?

PRIVACY LAW—U.S.

Should Smith v. Maryland Be Revisited? (August 22, 2013)

With more focus on the recent dragnet collection of phone metadata by the National Security Agency, NPR explores whether the legal precedent—the 1979 case, Smith v. Maryland—needs to be revisited. Smith v. Maryland is at least one case that supports the third-party doctrine—when information is shared with a third party, a person’s expectation of privacy is diminished. Stanford University Prof. Jennifer Granick said, “Nothing in Smith v. Maryland authorized mass surveillance, and the information that was collected (in that case) is a much narrower category than the information that the government’s currently getting.” Since so much data is now shared with third parties—including location information from smartphones—individuals are constantly revealing their location, which “is not information that you voluntarily disclose to anybody,” Granick added.
Full Story

DATA PROTECTION—U.S.

More Healthcare SMEs Eyeing Breach Insurance (August 22, 2013)

In light of a growing number of healthcare breaches affecting small- and medium-sized organizations, many are looking at acquiring cyber insurance, American Medical News reports. A recent Experian/Ponemon Institute study found a growing trend of organizations across industry sectors looking toward such protection. Experian Data Breach Resolution Vice President Michael Bruemmer said specifically with healthcare, 32 percent of organizations polled already have insurance and an additional 41 percent are considering it. Bruemmer also said he has seen a shift toward smaller healthcare practices showing interest in cyber insurance coverage.
Full Story

SURVEILLANCE—U.S.

NSA Gathered E-mails Prior to FISA Court-Ordered Revision (August 22, 2013)

The Washington Post reports on a newly declassified Foreign Intelligence Surveillance Court (FISC) opinion from 2011. The 85-page opinion, released by U.S. intelligence officials on Wednesday, states that the NSA estimated the agency had collected as many as 56,000 “wholly domestic” communications per year. In the opinion, FISC Chief Judge John D. Bates wrote, “For the first time, the government has now advised the court that the volume and nature of the information it has been collecting is fundamentally different from what the court has been led to believe,” adding in a footnote, “The court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

New Class-Action Sought Over UDIDs (August 22, 2013)

A group of consumers seeking class-action status is alleging Apple's pledge that it would restrict access to devices' 40-character unique identifiers (UDIDs) “has thus far been ineffective and leaves class members’ personal information exposed,” Media Post News reports. The consumers, who had previously sued Apple after reports alleged developers could access iPhone and iPad UDIDs, have filed a motion asking U.S. District Court Judge Lucy Koh to grant them class-action status. While Apple does not define UDIDs as personal information, “the consumers argue that the identifiers become personally identifiable information when combined with other supposedly anonymous information, such as ZIP codes, occupation or area code,” the report states.
Full Story

ONLINE PRIVACY

Can What We Post Online Ever Be Forgotten? (August 22, 2013)

In a blog post for Field Fisher Waterhouse’s Privacy and Information Law Blog, Phil Lee, CIPP/E, CIPM, asks the question that continues to persist in discussions of online privacy: “Can your data, once uploaded publicly onto the web, ever realistically be forgotten?” Lee writes that while much discussion has centered around the EU’s proposed “right to be forgotten,” leaving legal arguments aside, the question is “whether it is even possible to purge all copies of an individual’s data from the web.” The answer, he suggests, “is both yes and no: yes, it’s technically possible, and no, it’s very unlikely ever to happen.”
Full Story

ONLINE PRIVACY

Project Loon Raises Concerns (August 22, 2013)

The Atlantic explores Project Loon, Google’s plan for a “soaring, international balloon armada, beaming Internet to the parts of the world that don't have it.” While the report acknowledges there is potential for humanitarian benefits in “bringing a connection to the farthest reaches of the developing world,” it also cautions, “If Google's claims about the Loon balloons' navigability are true, it is in fact an 'unmanned aircraft,' sometimes more pejoratively referred to as a drone,” with vast possibilities for data collection. And questions of jurisdiction abound, the report states, noting, “With its Project Loon, Google is venturing into not one but two vast open spaces—the law and the sky.”
Full Story

BIG DATA

Is This Our Biggest Public Policy Challenge? (August 21, 2013)
Difficult questions about balancing national security with privacy have come to light since the NSA surveillance disclosures and its use of Big Data, “Yet the benefits of Big Data…exceed the realm of national security or even government usage and extend to areas such as scientific research, public health and energy conservation by the private sector,” writes Omer Tene in this latest installment of Privacy Perspectives. Tene, who is now the IAPP’s first vice president of research and education where he administers the IAPP Westin Research Center, writes, “Finding the right balance between privacy risks and Big Data rewards may very well be the biggest public policy challenge of our time,” and calls for “momentous choices” between “weighty policy concerns” and “individuals’ rights to privacy” and freedom of speech, among others.

SURVEILLANCE—U.S.

NSA Programs Cover 75 Percent of U.S. Web Traffic (August 21, 2013)

According to a report from The Wall Street Journal, the surveillance network set up by the National Security Agency (NSA) intercepts more U.S. Internet communications than has been publicly revealed. The system, allegedly designed to target foreign communications for intelligence purposes, has the ability to reach approximately 75 percent of all U.S. Internet activity—including, in some cases, the ability to retain written content of e-mails sent between Americans and domestic phone calls made via the web, the report states. One U.S. official, however, said the NSA is “not wallowing willy-nilly” through domestic communications, adding, “We want high-grade ore.” Meanwhile, The New York Times reports that the federal government is developing a facial recognition surveillance system that ties cameras to computers to scan crowds to automatically identify faces. One specialist familiar with a program initiated by the Department of Homeland Security noted, “I would say we’re at least five years off, but it all depends on what kind of goals they have in mind” for a given system. (Registration may be required to access this story.)
Full Story

PRIVACY PROFESSION—U.S.

Bloomberg Releases Data and Privacy Practice Review (August 21, 2013)

In response to revelations last May that Bloomberg News and some of its journalists were using terminals that had access to sensitive financial subscriber data, the organization conducted and has now released the results of a comprehensive external review of its data and privacy practices. Conducted by Hogan Lovells and Promontory Financial Group, the review examined Bloomberg news stories, employees, client data systems and other documents, to locate and address the company’s governance framework. This exclusive for The Privacy Advisor looks into some of the recommendations and how privacy pros can use this example within their organizations to bolster the need for strong data and privacy frameworks.
Full Story

FINANCIAL PRIVACY—U.S.

FTC Announces $3.5M FCRA Settlement (August 21, 2013)

The Federal Trade Commission (FTC) has announced a settlement with Certegy Check Services, Inc., for failing to correct or delete inaccurate consumer information in a timely manner, violating provisions of the Fair Credit Reporting Act (FCRA). Hunton & Williams’ Privacy and Information Security Law Blog reports the agreement includes a $3.5 million civil penalty for the check-verification company due to “knowing violations…that constituted a pattern or practice of violations.” Meanwhile, the Future of Privacy Forum has recorded a podcast with Prof. Chris Hoofnagle about his essay “How the Fair Credit Reporting Act Regulates Big Data,” in which he points to consumer reporting as the first Big Data initiative and argues that use-based regulation hasn’t been effective.
Full Story

ONLINE PRIVACY—U.S.

FTC Getting Impatient on DNT (August 21, 2013)

The Hill reports that Federal Trade Commission Chairwoman Edith Ramirez and agency commissioners Julie Brill and Joshua Wright “all declined to endorse legislation” mandating that web companies allow users to opt out of online tracking, but are growing impatient on industry efforts for a self-regulatory solution. Recent World Wide Web Consortium talks have stalled on the issue. Ramirez said she remains “hopeful” an agreement remains possible and is not ready to call on Congress to take legislative action. Brill also remained optimistic, noting there’s “a lot of very important issues at stake.” Meanwhile, ad-serving company TruEffect—one of the first web companies to publicly say it would not serve targeted ads—has changed direction and will no longer honor Do-Not-Track requests. TruEffect’s chief marketing officer said that since most of the industry ignores the requests, it was placing itself at a competitive disadvantage.
Full Story

PRIVACY RESOURCES

Drill Down to the Most Valuable Content for You (August 21, 2013)

The improvements to the IAPP Resource Center just keep coming. We’ve added industry verticals to the mix. Are you in higher education and looking for help with FERPA? Check out the education section of the tools page. Confused about GLBA? Look in the finance section. And if you don’t find it by browsing, we’ve improved search, too; you can now specifically search the section that relates to you—just tools, just research or even just research helpful for the healthcare industry, for example. Take a look, and as always, if you can’t find what you’re looking for, let us know, and we’ll do our best to help.
IAPP Resource Center

BIOMETRICS

Pay-Per-Gaze Tracking Patent Revealed (August 21, 2013)

Earlier this month, the U.S. Patent and Trademark Office published a gaze-tracking system proposed by Google to monitor the pupils of a user wearing a head-mounted device, such as Google Glass, Fast Company reports. Connected to a server, the tracking system could infer emotion by detecting pupil dilation and eye movement and could potentially offer “a mechanism to track and bill offline advertisements in the manner similar to popular online advertisement schemes,” the patent states. In other words, the system could charge advertisers when opted-in users gaze at a given billboard, magazine, newspaper or other media. Additionally, the patent specifies that “personal identifying data may be removed from the data and provided to the advertisers as anonymous analytics.” A report by The New York Times delves into ubiquitous data collection, specifically data collected from wearable devices where “Records of voices and events will be a permanent part of the Internet the way text is already, held forever and searched, mined and inspected.”
Full Story

PRIVACY RESEARCH

PricewaterhouseCoopers Exploring Privacy Roles (August 21, 2013)

Just how much influence does the privacy team have in large organizations? Is the C-suite paying attention to privacy? How can privacy professionals better communicate both the risk that taking privacy lightly poses and the value that good privacy practice can lend to an organization? These are questions that any number of privacy pros would like to better understand. To that end, PricewaterhouseCoopers has a survey in the field now, asking questions of both privacy pros and high-level executives to perhaps find some answers that will help businesses better navigate the quickly evolving field of privacy landmines.
Full Story

CONSUMER PRIVACY—U.S.

If Your Biz Has Large Databases, Watch Out for the FTC (August 20, 2013)
Federal Trade Commission (FTC) Chairwoman Edith Ramirez said her agency plans to police businesses controlling large databases of information, The Hill reports. The agency, she said, will crack down on companies that don’t practice what they preach with consumer data use and those with inadequate data security practices. “Like a vigilant lifeguard,” she said, “the FTC’s job is not to spoil anyone’s fun but to make sure that no one gets hurt.” Ramirez’s speech comes days after FTC Commissioner Julie Brill wrote an op-ed for The Washington Post on cracking down on data brokers. In an open letter, the Direct Marketing Association countered Brill’s assertions. Meanwhile, the FTC has opened up a public comment period on a proposed verifiable consent method for complying with COPPA, submitted by AssertID, Inc. The deadline for comment is September 20.

ONLINE PRIVACY—U.S.

Gmail Opinion: Sensational Headlines Shouldn’t Drive Privacy Policy (August 20, 2013)

Last week, Gmail made its way back into headlines after a court document was released that included Google quoting the Supreme Court case Smith v. Maryland about users having “no reasonable expectation of privacy.” Several media sources picked up the story, but there seemed to be confusion around interpreting the quote. In this Privacy Perspectives blog post, InfoLawGroup Founding Partner Tanya Forsheit, CIPP/US, asserts Google “did not actually say that,” adding, “But what happened last week reaches far beyond Google and demonstrates the folly of letting the media drive the privacy debate in this country—and consequently, the development of privacy law and policy.”
Full Story

DATA PROTECTION—U.S.

NSA Revelations Boon for Some Biz, Detriment to Others (August 20, 2013)

Business Insider reports on Silent Circle’s shutdown of its encrypted e-mail service based on the claim that e-mail is “fundamentally broken from a privacy perspective.” Meanwhile, the owner of now-defunct e-mail service provider Lavabit says he’s stopped using e-mail completely. And legal analysis site Groklaw is shutting down because of the threat of NSA spying. Last year, Canadian startup SurfEasy asked students at Harvard Business School to help it come up with a marketing plan for its Internet privacy product, but it wasn’t clear how it would convince users to pay for privacy enhancement when so many Internet services are free. However, NSA revelations have seemingly alleviated some of those concerns. An open source software project aims to give users control over their e-mail data, and a new free app deletes sent messages and prevents screen grabbing, among other privacy protections.
Full Story

SURVEILLANCE—EU & U.S.

European Advocates, Officials Investigating U.S. Surveillance (August 20, 2013)

European privacy advocates are demanding details on the extent of U.S. surveillance efforts, the Associated Press reports. The Article 29 Working Party, a conglomerate of data protection agencies across Europe, said it wrote to EU Justice Commissioner Viviane Reding to demand “specifics regarding the exact nature of data collected” by the NSA’s PRISM program and details on U.S. authorities’ access to European citizens’ data. Meanwhile, the Working Party has outlined the issues it aims to pursue as it investigates PRISM.
Full Story

PRIVACY LAW—UK

Google Says UK Privacy Law Doesn’t Apply (August 20, 2013)

Google has told British consumers in a privacy claim that it doesn’t have to answer to UK courts and the country’s privacy laws don’t apply to the company, IDG News Service reports. Google will fight UK Safari users’ right to bring a case in the country and will force the plaintiffs to instead file the suit in California. The plaintiffs are seeking damages, disclosure and an apology from Google for allegedly circumventing users’ security settings and tracking them on Apple’s Safari browser, the report states.
Full Story

CHILDREN’S PRIVACY—U.S.

LinkedIn To Allow Teens (August 20, 2013)

Professional networking site LinkedIn will soon welcome teens ages 14 and up, Forbes reports. The service was previously only available to users aged 18 and up, but it will launch “University Pages” in an effort to help college-bound students network. The change required LinkedIn staff to do some research on how to protect teens’ privacy online. Privacy settings for teens will include hiding birth dates, preventing their profiles from appearing in public search engines and only allowing their photos to be visible to “first-degree” connections.
Full Story

DATA PROTECTION—U.S.

OMB Releases Privacy Guidance on “Do-Not-Pay Lists” (August 20, 2013)

Office of Management and Budget (OMB) Director Sylvia Mathews Burwell has released mandatory guidance for agencies implementing the “Do-Not-Pay List” of contractors considered ineligible for government work. According to Government Executive, the memo also outlines how this can be done while adhering to laws that protect privacy. The memo also lays out the legal procedures for using an online tool designed for a “single point of entry” through which agencies can access data on determining a contractor’s eligibility for a benefit, grant or contract award, the report states.
Full Story

DATA PROTECTION—BRAZIL

Tech Giants Concerned About Proposed Law (August 20, 2013)

Brazil is currently crafting its first nationwide set of data protection and Internet governance laws. Recent amendments to the country’s Internet Constitution, or the Marco Civil da Internet, have raised concerns among some U.S.-based tech companies. A new amendment would require data to be stored locally, ZDNet reports, causing representatives from Google and Facebook to raise red flags. Facebook’s Bruno Magrani has said the company is concerned because it would be “an enormous technical challenge” for the company and could jeopardize its service in Brazil. Part of the thinking behind storing data locally, according to Foreign Policy, is to protect Brazilians from U.S. government surveillance.
Full Story

DATA LOSS

One Hour To Report a Breach? (August 20, 2013)

GovInfoSecurity talks with Curt Kwak, CIO of the Washington State Health Insurance Exchange, about a U.S. Department of Health and Human Services proposal that would require state health insurance exchanges set up in accordance with the Affordable Care Act to report data breaches within one hour of discovering them. Is this doable? Kwak said it’s possible given planning and staff, but it “will force us to be less efficient and most likely impact the usability of the system and, of course, our ability to support the system.” In other health data breach news, a Sherman, TX, specialist’s office has notified 3,000 patients of a “potential information breach,” warning them to “check their bank accounts,” after a disk drive containing patient records went missing. Similarly, Emory University administrators have told employees and students to change their university account passwords after a breach of its IT infrastructure was detected. Emory’s experience is of course not unique. A similar breach at the University of Delaware is now believed to have affected as many as 74,000 students and staff.
Full Story

HEALTHCARE PRIVACY—AFRICA

Study: Dearth of Laws May Delay Mobile Health Apps (August 20, 2013)

A recent report by TrustLaw Connect, a pro bono legal initiative of the Thomson Reuters Foundation, has shown that most African countries have not implemented laws to protect patient data, delaying efforts to launch mobile healthcare (mHealth) applications, reports SciDev.Net. "The primary risk of not having explicit laws assuring patient confidentiality is that many people may avoid accessing necessary services," says William Philbrick, of the mHealth Alliance, noting this is “particularly true when we are talking about HIV.” Esther Ogara, head of eHealth at Kenya's health ministry, says while it’s important to make laws to safeguard patient data, "countries must continue to deploy mHealth tools to save lives while they formulate laws."
Full Story

PRIVACY—U.S.

Telecoms Want FTC as Regulator (August 19, 2013)
Financial Times reports the biggest U.S. cable and telecommunications companies are lobbying for a relaxation of privacy rules to allow them to sell data on customers’ telephone use. The companies want to be regulated more like private companies such as Google and Facebook rather than public utilities, arguing the regulatory landscape hasn’t kept pace with technological advances. The change, which would require new legislation, would transfer oversight of the companies from the Federal Communications Commission to the Federal Trade Commission (FTC). FTC Privacy and Identity Protection Associate Director Maneesha Mithal supports the shift, saying current law seems “gerrymandered to have a carve-out on mobile.” Not everyone agrees. (Registration may be required to access this story.)

MOBILE PRIVACY—U.S.

Product Chief: Adhering To Best Practices Not Enough (August 19, 2013)

The release last month of rapper Jay Z’s Magna Carta album and mobile app created controversy for failing to disclose its data collection practices. In a feature for TechnoBuffalo, NQ Mobile Chief Commercial Officer Gavin Kim writes, “the ado around the app signals something else: Adhering to app marketplace best practice policies is no longer enough. We, as an industry, have to be more proactive about establishing ‘better practices’ that go beyond what’s required in order to earn the waning consumer trust and confidence that is demonstrated by the Magna Carta debacle.”
Full Story

PRIVACY LAW

From Gmail to HIPAA to Class-Actions, Questions Abound (August 19, 2013)

The privacy news seems to have stirred up more legal questions than answers this past week, as you’ll discover in the Privacy Tracker Global News Roundup. With effective dates coming up for HIPAA in the U.S. and FOIA reforms in the UK, privacy pros are figuring out the new lay of the land. Court cases in the U.S. and France bring up e-mail privacy questions, both in and out of the workplace, and in the UK one court ruling may reveal a need for stronger data destruction policies. Lastly, an article from The New York Times questions the new trend of class-actions leaving plaintiffs empty-handed. (IAPP member login required.)
Full Story

ONLINE PRIVACY

Our Collective Privacy and One Strange Tale (August 19, 2013)

What happens when individuals decide to publish their entire lives on the Internet? Is it just their privacy they are giving up, or is it also the privacy of their friends, family and others that is violated, too? Last week, a former sportswriter published a website revealing countless personal thoughts, photos and memories and timed it to go public after his death by suicide. But in revealing his personal secrets, others around him were affected as well. This post for Privacy Perspectives explores the implications of our collective privacy and how our choices to disclose personal data can have wide-reaching effects on those around us.
Full Story

HEALTHCARE PRIVACY—U.S.

Coalition of AGs Protest Navigator Program (August 19, 2013)

New hires under the Affordable Care Act could threaten the private information of health insurance candidates, says Florida Attorney General Pam Bondi. Joined by a dozen other Republican state AGs, Bondi wrote a letter to Department of Health and Human Services (DHHS) Secretary Kathleen Sebelius arguing that DHHS’s forthcoming “navigator” program—designed to help Americans navigate paperwork of the new healthcare system—puts patients at risk, The Hill reports. Bondi said those hired as navigators will not undergo background checks, meaning individuals’ personal information could fall into the wrong hands. “What if they’ve been convicted of committing identity theft or grand theft before?” Bondi said. “They could potentially still become a navigator.”
Full Story

PRIVACY COMPLIANCE—U.S.

NSA Says Violations “Minuscule,” Senators React (August 19, 2013)

Last week, leaked documents disclosed a National Security Agency (NSA) audit revealing thousands of internal privacy violations were found each year, going back to 2008, but a representative from the NSA told The New York Times that the number of mistakes was low compared to the agency’s overall activities. Sens. Mark Udall (D-CO) and Ron Wyden (D-OR) warned the privacy violations are “just the tip of a larger iceberg” and said in a joint statement that the violations “were more serious than had been acknowledged.” House Minority Leader Nancy Pelosi (D-CA) said the report was “extremely disturbing,” adding, “Congress must conduct rigorous oversight to ensure that all incidents of noncompliance are reported to the oversight committees and the FISA court in a timely and comprehensive manner and that appropriate steps are taken to ensure violations are not repeated.” (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

University, Energy Dept. Announce Breaches (August 19, 2013)

Michigan’s Ferris State University is notifying thousands of individuals that their personal information was potentially compromised when an unauthorized person gained access to the school’s network security. Approximately 39,000 names and Social Security numbers were stored in accessible files. The school is offering free credit monitoring to those affected, Ventura County Star reports. Meanwhile, the U.S. Department of Energy has disclosed a security incident resulting in the “unauthorized disclosure of federal employee personally identifiable information.” The breach is the department’s second this year.
Full Story

DATA THEFT—U.S.

Best Buy Sued for Employee Theft of Nude Photos (August 19, 2013)

A former customer and current employee of Best Buy is suing the company over the alleged theft and distribution by another employee of her nude photos taken from a laptop brought in for repair, NBC News reports. According to the lawsuit, the plaintiff received a text message from a Geek Squad employee informing her of the theft. A Best Buy representative confirmed an internal investigation is underway, saying, “Our policies and procedures would prohibit the handling of data in the manner described and the facts alleged do not make sense.” She added, "Best Buy engages in responsible customer information management practices, and our employees are trained to follow very specific, industry-leading procedures in caring for this important information.”
Full Story

PRIVACY LAW—U.S.

Gov’t Wants Court To OK Warrantless Cellphone Searches (August 19, 2013)

The Obama administration has asked the Supreme Court to rule that police are free to search the contents of an arrested individual’s cellphone without a warrant, SCOTUSblog reports. A First Circuit Court kept intact a ruling that searches are unconstitutional, but the administration wants the decision overturned, arguing that “police have long had the authority, without a warrant, to search items that are found on a person whom they arrest” and that creating exceptions on an “item-by-item” basis would complicate police enforcement.
Full Story

PRIVACY COMPLIANCE—U.S.

Leaked NSA Audit Reveals Thousands of Privacy Violations (August 16, 2013)
The Washington Post reports that the National Security Agency (NSA) broke privacy rules or overstepped its legal authority thousands of times each year, beginning in 2008. Most violations concerned unauthorized surveillance of U.S. citizens or foreign intelligence targets in the U.S. This roundup for The Privacy Advisor brings together thoughts from former DHS CPO Mary Ellen Callahan, CIPP/US, the leaked documents, government responses—including from the NSA and Sen. Dianne Feinstein (D-CA)—as well as reported comments from Reggie B. Walton, chief judge of the FISA court, who said the court is limited in its government oversight. Additionally, in a letter to the EU’s justice commissioner, the Article 29 Working Party’s head explores investigating whether EU data protection law has been violated.

ONLINE PRIVACY

Fight for Your Users, Or Comply With Gov’t? (August 16, 2013)

Last week, two encrypted e-mail service providers opted to shut down their services, leaving their users in the lurch, instead of providing the U.S. government access to encrypted e-mails. In this Privacy Perspectives blog post, Andrew Clearwater, CIPP/US, explores the technology challenges surrounding encrypted e-mail and the difficult choices some businesses may face when deciding whether to protect users' privacy or comply with government access requests.
Full Story

HEALTHCARE PRIVACY—U.S.

Breach Costs Health Plan $1.2M (August 16, 2013)

iHealthBeat reports Affinity Health Plan will pay the Department of Health and Human Services (HHS) approximately $1.2 million as a result of a data breach. Affinity filed the breach report with HHS Office for Civil Rights (OCR) back in April, the report states, after it “was informed by CBS Evening News that the network had purchased a photocopier previously leased by Affinity as part of an investigatory report and that the copier still contained confidential medical data on its hard drive.” The OCR found Affinity violated HIPAA by failing “to incorporate the electronic protected information stored on the photocopier hard drives in its analysis of risks and vulnerabilities as required,” the report states.
Full Story

CYBERSECURITY—U.S.

Researchers Earn Grant To Study Privacy Notices (August 16, 2013)

The National Science Foundation (NSF) has announced it is investing $20 million in grants to more than a dozen universities to help tackle the “fundamental challenges” to the nation’s cybersecurity. One group of recipients, including researchers from Carnegie Mellon, Fordham and Stanford, aim to work on a multidisciplinary approach to create effective web privacy notices. The project’s lead investigator said, “If you read privacy notices, you quickly realize that they contain a lot of boilerplate text and that people seem to often be recycling entire sentences and even larger text fragments from one another,” adding, “This project will aim to exploit these types of patterns.” An NSF representative said its “investments in foundational research will transform our capacity to secure personal privacy, financial assets and national interests.”
Full Story

HEALTHCARE PRIVACY—U.S.

Texas AG Seeks Assurances Over Navigator Privacy (August 16, 2013)

Texas Attorney General Greg Abbott has issued a statement to U.S. Department of Health and Human Services (DHHS) Secretary Kathleen Sebelius expressing concerns about the Affordable Care Act’s impending “navigator” program, reports Glen Rose Reporter. “Over the next few weeks, the Obama administration plans to dole out millions of taxpayer dollars to so-called ‘navigators’ who will be paid to help Americans navigate the Obamacare behemoth. Because these navigators will be granted substantial access to Americans’ personal information—including their Social Security numbers and tax information—I am deeply concerned about privacy and the security of this very sensitive information,” Abbott wrote, adding that DHHS’s privacy rules lack clarity.
Full Story

ONLINE PRIVACY—U.S.

Teens Turn to Friends for Advice on Settings Management (August 16, 2013)

A new report from the Berkman Center for Internet and Society at Harvard University indicates that while teens generally figure out how to manage their online privacy themselves, 70 percent report they have sought advice from someone else. The people they turn to are generally friends, parents or other close family members. The report is based on a survey that polled 802 parents and their children ages 12 to 17 as well as focus group interviews with 156 participants.
Full Story

ONLINE PRIVACY—U.S.

Opinion: ‘Reclaim Your Name’ Online (August 16, 2013)

In an opinion piece for The Washington Post, FTC Commissioner Julie Brill comments on the national debate on balancing security and privacy following revelations about the NSA’s surveillance program. It’s clearer now that there is an exchange for using free online services: Data miners collect personal information without users’ knowledge or consent, she suggests, and given that knowledge, now is the time to demand transparency from commercial data brokers about what is done with user data. She pushes an approach she’s dubbed “Reclaim Your Name,” which aims to empower consumers with knowledge on how their data is collected and used and give them the option to opt out. (Registration may be required to access this story.)
Full Story

CHILDREN’S PRIVACY—U.S.

Apple Updates App Store Guidelines Per COPPA Revision (August 16, 2013)

Following the legislative update to the Children’s Online Privacy Protection Act in July, Apple has updated its App Store Review Guidelines, Information Week reports. The revised guidelines offer stronger privacy protections and limit the way apps can handle user information. They also contain a new provision on Kids Apps, which applies to children under the age of 13. That provision requires apps to have a privacy policy and be made for kids within the age ranges of five and under, six to eight or nine to 11. Kids Apps rules also forbid apps from serving ads through behavioral targeting.
Full Story

MOBILE PRIVACY—HONG KONG

PCPD: App Invades Privacy (August 16, 2013)

South China Morning Post reports Hong Kong Privacy Commissioner for Personal Data (PCPD) Allan Chiang Yam-wang has "found mobile app Do No Evil had supplied sensitive personal data—including names of litigants, partial identity card numbers, addresses, claims amounts and company directors' data—to users without voluntary consent." The PCPD found the smartphone application, which allows members of the public to access a database of millions of litigation records, "seriously invaded" privacy, the report states. "I must make clear that personal data obtained from the public domain is still subject to regulation of the [Personal Data (Privacy)] Ordinance, otherwise consequences will be dire," the PCPD said. The PCPD's actions are receiving criticism from a corporate governance activist.
Full Story

HEALTHCARE PRIVACY—U.S.

Rewards Program Raises Concern (August 16, 2013)

Los Angeles Times reports on a new prescription-drug rewards program that gives store credit to opted-in customers for other nonprescription products. In February, CVS announced it was expanding its ExtraCare Pharmacy & Health Rewards program to include prescription drug purchases. According to the website, “each person must sign a HIPAA Authorization to join.” A representative from Privacy Rights Clearinghouse expressed concern, saying, “Pharmaceutical companies obviously would want to know what you’re taking and get you to buy more expensive medicines.” A CVS representative said, “We have extensive procedures, stringent policies and state-of-the-art technology in place to protect our customers' personal and health information," adding, "We do not sell, rent or give personal information to any nonaffiliated third parties."
Full Story

BIG DATA

Will Mega Data-Mining Company Be Good for Biz, Bad for Privacy? (August 15, 2013)
Forbes reports on the CIA-funded data-mining startup Palantir and its “deviant philosopher” and chief executive Alex Karp. For the past five years, the company has become the “go-to” for mining massive data sets for U.S. intelligence agencies and is now poised to “take corporate America by storm.” The tools deployed by Palantir have been credited with sniffing out Mexican drug cartel members and locating Osama Bin Laden. The ACLU’s Jay Stanley said that Palantir’s software could bolster a “true totalitarian nightmare, monitoring the activities of innocent Americans on a massive scale.” Karp, however, believes the company can rewrite the rules around privacy and security. “I didn’t sign up for the government to know when I smoke a joint or have an affair,” he said. Palantir notes that it has privacy-centered, technical safeguards as well as a team of “privacy and civil liberties engineers.”

DATA PROTECTION

IBM Gets Certified Under APEC Privacy Rules (August 15, 2013)

IBM has announced it has achieved certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR), the first company to do so, according to a press release. The CBPR system is designed to facilitate data flows between the U.S. and the other APEC member economies, through voluntary, enforceable codes of conduct. IBM Chief Privacy Officer Christina Peters, CIPP/US, said, “CBPR rules will become the foundation of a globally accepted system that enables data to be shared throughout different regions with strong and trustworthy privacy protections.” Hogan Lovells Partner Christopher Wolf told The Daily Dashboard, “APEC CBPRs, containing enforceable commitments for the protection of personal data, are a lot like BCRs (binding corporate rules) that the EU recognizes as sufficient for cross-border transfers. Their adoption and effectiveness suggests that the EU should move its focus from the adequacy of the U.S. legal framework to whether personal data is being adequately protected through mechanisms like the CBPRs.”
Full Story

DATA LOSS—U.S.

Healthcare Breach Affects 32,000 (August 15, 2013)

eSecurity Planet reports Cogent Healthcare is notifying approximately 32,000 patients in 24 physician groups it manages “that their personal health information may have been exposed online.” The report states that M2ComSys, a company Cogent Healthcare contracted to transcribe patient care notes for some of its physician groups, stored notes that included “patients' names, birthdates, diagnoses, summaries of treatments, medical histories, medical record numbers and physicians' names, on a website” that suffered a security lapse. “We are generally unable to identify who accessed the notes," Cogent Healthcare has said. Those affected are being offered a free one-year membership in an identity protection service.
Full Story

BIG DATA—U.S.

The Future of Predictive Policing (August 15, 2013)

Bloomberg reports on the possibilities of predictive policing. Jim Adler, former chief privacy officer at Intelius, an online provider of background checks, created software that sifts through criminal records, focusing on select criteria—including gender, eye and skin color, the number of minor offences and whether an individual has tattoos—all of which can allegedly increase the chances someone will commit a serious crime. Adler says his software is “not ready for prime time” but noted, “It’s important that geeks and suits and wonks get together and talk about these things…Because geeks like me can do stuff like this…it’s not our job to figure out if it’s right or wrong.” He added, “We often don’t know.” Future of Privacy Forum’s Jules Polonetsky, CIPP/US, said, “When we start using data to make decisions that imprison people and execute people and impact their freedom, that is a reason to be enormously careful.”
Full Story

PRIVACY COMMUNITY—U.S.

CDD Announces New Legal Director (August 15, 2013)

The Center for Digital Democracy (CDD) has announced the selection of Hudson Kingston as its new legal director, Broadcasting & Cable reports. The CDD “is staffing up as it prepares to keep tabs on compliance with the Federal Trade Commission's updated enforcement policy of the Children's Online Privacy Protection Act (COPPA),” the report states. "Hudson's strong commitment to consumer protection and public health will help CDD represent the interests of young people in the digital era," said CDD Executive Director Jeff Chester, adding, “Now that the revised COPPA rules are in force, CDD intends to closely monitor the children's online marketplace to help promote compliance.”
Full Story

DATA PROTECTION—UK

ICO Publishes Regulatory Action Policy (August 15, 2013)

The UK Information Commissioner’s Office (ICO) has published a Data Protection Regulatory Action Policy, outlining what the office will consider when deciding whether to initiate regulatory action, reports Out-Law.com. Noting that “market factors” may influence the decision, the policy points to some “initial drivers,” including issues of “general public concern,” those due to the “novel or intrusive nature of particular activities” and those stemming from complaints. When asked for clarity on “market factors,” an ICO spokesman said in markets where "consumers demand effective privacy protection…market forces will be driving businesses to deliver better privacy protection, without the need for the regulator to intervene."
Full Story

HEALTHCARE PRIVACY—U.S.

Will HHS Enforce Actions Against Offshore Vendors? (August 14, 2013)
With a nearing enforcement date for the final HIPAA Omnibus Rule, Healthcare Info Security reports on whether U.S. regulators will enforce actions against foreign business associates (BAs) and subcontractors. “It’s a mess,” said Wiley Rein Partner Kirk Nahra, CIPP/US. “There’s a lot of uncertainty.” If there is a breach with a foreign vendor, the ability for the Department of Health and Human Services (HHS) to take action is unclear. Though a BA would be subject to a breach of contract agreement with a covered entity, Davis Wright Tremaine Partner Adam Greene noted, "it is untested…whether HHS has jurisdiction to bring an (enforcement) action,” adding, “HIPAA, unlike certain other federal statutes, does not have explicit extra-territorial reach.” Additionally, Becker’s ASC Review has posted 15 things to know before the final rule’s deadline. Editor’s Note: For more on complying with the final HIPAA Omnibus Rule, see Close-Up: HIPAA.

ONLINE PRIVACY

Study: Consumer Reaction to NSA Could Hurt Ad Targeting (August 14, 2013)

AdWeek reports on a study revealing that consumer concerns about online privacy have jumped from 48 percent to 57 percent since the National Security Agency surveillance programs were first disclosed in June. The findings, according to the report, could have “huge implications for the targeted advertising” industry because users will likely alter privacy settings and block tracking. The study also noted, if similar trends continue and some browser makers block third-party cookies by default, “the ad industry’s ability to effectively use third-party cookies for marketing purposes will decrease.” The study also found that 31 percent said they now actively take steps to protect their privacy online.
Full Story

PRIVACY BIZ

Leizerov on Thinking Strategically About Privacy (August 14, 2013)

In a column for SC Magazine, Ernst & Young's Sagi Leizerov, CIPP/US, discusses the importance of thinking strategically about privacy. Governance, technology and regulation, he notes, are “three distinct megatrends forming based on market conditions and the impact they are having on how organizations approach privacy.” Leizerov writes, “Regulators realize that their tools of compliance and enforcement are simply not enough,” adding, “As such, they are becoming more active participants—strategic advisors—in decision-making discussions with organizations and consumers.” Though enforcement actions are “an important tool,” Leizerov says the “focus is shifting more toward collaboration, communication and education.”
Full Story

DATA LOSS—CANADA & U.S.

Hospital Notifies 1,300 of Breach, Nurse Fired (August 14, 2013)

A nurse has been fired by Canadian-based Norfolk General Hospital for unauthorized access to more than 1,300 patient records, Brantford Expositor reports. An investigation revealed the nurse allegedly violated the Personal Information Protection Act multiple times dating back to 2004. Compromised data included patient names, health care numbers, dates of birth, contact information, doctor names and reason for visit. The organization has notified affected patients. A Vermont-based healthcare and hospice facility has also announced a breach and notified affected patients after an employee’s laptop was stolen. Meanwhile, Boston Public Schools will redesign student information cards after a hard drive, containing PDF images of 21,054 student IDs, was lost.
Full Story

DATA LOSS

Responding to a Data Breach (August 14, 2013)

According to the Ponemon Institute’s 2012 Data Breach Notification Study, most consumers that have received a breach notification say the breached organization did not do a good job in communicating and handling the data breach. What’s your plan for breach response? If you need some guidance on responding to a breach, the IAPP Resource Center can help. Check out Close-Up: Responding to a Data Breach for valuable tools, research and articles from experts in the field. (IAPP member login required.)
Read Now

PRIVACY COMMUNITY—U.S.

Former FTC Staffer Is FPF’s First Policy Director (August 14, 2013)

The Future of Privacy Forum (FPF) has hired former Federal Trade Commission (FTC) staffer Molly Crawford as its first policy director. Crawford will be tasked with “expanding and coordinating FPF’s focus on cutting-edge privacy issues,” and told the IAPP she’s excited to use the flexibility of her new role to do things “you simply can’t accomplish in government.”
Full Story

MOBILE PRIVACY—UK

Authority Wants To Toss Smart Bin Tracking (August 14, 2013)

A UK-based authority has called for the end of WiFi tracking by recycling bins placed across London, The Independent reports. The “pods” feature LCD screens that show advertisements to passersby, but can also record smartphone movements and other details. The City of London Corporation (CLC) has alerted the Information Commissioner’s Office of the bins, which have allegedly recorded the details of 4,009,676 devices from pedestrians in one week. “Irrespective of what’s technically possible, anything that happens like this on the streets needs to be done carefully, with the backing of an informed public,” the CLC said. Financial Times reports the company behind the bins says there is potential to help companies predict “personal habits” of consumers.
Full Story

PRIVACY LAW—U.S.

Are Class-Actions Failing To Serve the Class? (August 13, 2013)
The New York Times reports on class-action settlements that strip plaintiffs of any benefit. The article highlights a past settlement attorney Scott Kamber reached with Facebook, resulting in the company paying roughly $6.5 million to a new foundation that it would partly control, with the millions of plaintiffs in the class—who’d sued for a privacy violation—receiving nothing. According to the report, the Supreme Court could soon decide to hear the case, noting that “justices have been quite active in restricting other aspects of class-actions, and they may decide it is time to consider settlements that critics say leave plaintiffs worse off than when they started.” Meanwhile, Google has responded to a class-action complaint over Gmail privacy saying, “a person has no legitimate expectation of privacy” when sending messages to a Gmail account. (Registration may be required to access this story.)

ONLINE PRIVACY

Global Sweep Highlights “Significant” Shortcomings (August 13, 2013)

The Office of the Privacy Commissioner of Canada (OPC) today released the findings of the first-ever Global Privacy Enforcement Network Internet Privacy Sweep, noting “shortcomings in how some online organizations provide information about their privacy practices.” The OPC’s blog includes key details as well as screenshots from the sweep. “While we did see some good examples that demonstrated it is possible to create transparent privacy policies, unfortunately, we also found some sites with no policies or that offered only brief, over-generalized statements about privacy,” said Canadian Privacy Commissioner Jennifer Stoddart, noting one “particularly disappointing example…was a paternity testing website with a privacy statement so skimpy it would fit into a tweet.”
Full Story

SOCIAL NETWORKING—U.S.

The Ethics of Altering Online Profiles During Court Proceedings (August 13, 2013)

Responding to recent news that a plaintiff’s attorney was suspended for advising his client to clean up his Facebook page after a discovery request, K Royal, CIPP/US, CIPP/E, writes the advice was “clearly wrong,” but what if there was no discovery request? What are the ethics of having a client remove potentially incriminating social media posts during a lawsuit? Would that be the equivalent of “hiding the smoking gun?” In this Privacy Perspectives blog post, Royal explores these questions and where the line between what is public and private resides when dealing with civil and criminal actions.
Full Story

DATA PROTECTION—EU

EU Looks To Speed Up Privacy Reforms (August 13, 2013)

The European Commission wants to quicken the pace of passing the proposed data protection regulation, which is currently held up in the European Parliament’s civil liberties committee, EUObserver reports. Commissioner for Justice Viviane Reding, who in July appealed to member states to place the bill on an EU summit in the fall, said, “I would find it helpful if the European Council in October, which will deal with the European single market, could address this matter and speed up the work in the council on this important file.” Hunton & Williams’ Bridget Treacy noted, “Over the past few months, there has been widespread discussion of a risk-based approach to data protection regulation and some detailed exploration of the key elements of such an approach under the Irish presidency.” EU lawmakers have said they want the reforms passed by May 2014.
Full Story

DATA PROTECTION—UK

ICO Publishes Breach Trends Statistics; Gov’t Leads List (August 13, 2013)

In a recent Information Commissioner’s Office (ICO) blog post, Sally-Anne Poole says statistics indicate carelessness is the cause of much of the office’s enforcement business. The ICO uses statistics to help inform its response to incidents, Poole writes. The health and local government sector leads the list for data breaches, followed by schools and solicitors. The ICO has published a spreadsheet of its civil monetary penalties for the first quarter of 2013 so the public can see such trends.
Full Story

DATA PROTECTION—EU

Working Party Weighs In on Purpose Limitation and Big Data (August 13, 2013)

The concept of purpose limitation is a cornerstone of the protection of personal data. It is an essential first step in applying data protection laws since it constitutes a prerequisite for other data quality requirements, contributes to transparency and legal certainty and sets limits on how controllers are able to use personal data. In this exclusive for The Privacy Advisor, Stefano Tagliabue, CIPP/E, discusses the Article 29 Working Party’s opinion on purpose limitation and Big Data.
Full Story

HEALTHCARE PRIVACY—U.S.

Provider Announces Laptop Theft (August 13, 2013)

California-based Retinal Consultants Medical Group has announced the theft of an unencrypted laptop containing protected health information, reports HealthData Management. The laptop, part of a diagnostic imaging machine, contained patients’ names, dates of birth and genders, among other information. The provider has notified affected individuals, encouraging them to monitor bank accounts and obtain credit reports; however, according to the notification, it is not aware of any access to or misuse of the data.
Full Story

SURVEILLANCE—EU & U.S.

Opinion: Do Not Allow Citizen Privacy To Be Negotiated Away in TTIP (August 13, 2013)

In a feature for Deutsche Welle, the Center for Digital Democracy’s Jeff Chester cautions that amidst Transatlantic Trade and Investment Partnership (TTIP) negotiations, “U.S. tech companies want the TTIP to sanction a bypassing of the EU's data protection rules,” urging the EU to “reject this self-serving vision of a borderless digital world where legal frameworks protecting civil liberties and the distinctions of country and culture are tossed aside in the name of increased profits for U.S.-based transnational data marketers.” In the wake of the U.S. National Security Agency (NSA) allegations, he warns, “The source of information for much of the NSA's spying is the growing digital data depositories operated by the leading U.S. Internet companies.”
Full Story

SURVEILLANCE—U.S.

NSA To Create Full-Time Privacy Officer; Obama Proposes Changes (August 12, 2013)
In his first news conference since April, President Barack Obama defended the National Security Agency (NSA) surveillance programs, called for more transparency along with a task force charged with reporting on the programs and proposed four changes to the existing programs. Obama said the NSA will create a full-time privacy and civil liberties officer, The New York Times reports. The White House released a 22-page whitepaper defending the domestic collection of phone metadata, and the NSA also released a seven-page document detailing its role and authority. This roundup for The Privacy Advisor presents some of the proposals, including how the task force could be an “odd fit” for the tech industry.

PRIVACY LAW

News from the U.S. to the Ukraine (August 12, 2013)

In this Privacy Tracker global news roundup, learn about the lasting legacy of California’s SB 1386, more about the court case that has some questioning BYOD policies and congressional delays to reforming the Electronic Communications Privacy Act. You’ll also read about key changes included in amendments to the Ukrainian privacy law and a contentious New Jersey bill that would allow warrantless cellphone searches. (IAPP member login required.)
Full Story

BIG DATA

Making the Case for Data Assets, Not Privacy (August 12, 2013)

Alex “Sandy” Pentland discussed the importance of Universal People Sensors and the benefits of using Big Data to enhance the public good, effectively making our lives safer, at the IAPP’s Navigate un-conference in June. This Privacy Perspectives blog post delves into Pentland’s discussion and looks at how consumer choice and trust can play an important role in promoting the public good in a Big Data world.
Full Story

CHILDREN’S PRIVACY—U.S.

Kids’ App Prevents Tracking and Targeting (August 12, 2013)

A mobile app developer has released a new iOS app that aims to prevent web-browsing data and other in-app activity from being shared with third parties, Broadway World reports. Disconnect Kids also includes an educational function to introduce children and parents to online privacy issues. Features include a mobile tracking blocking function, a comic book discussing online tracking and targeting and two animated videos to help children and parents understand and control their personal data.
Full Story

PERSONAL PRIVACY—U.S.

Chronic Retail ‘Returners’ May Be Tracked (August 12, 2013)

The Huffington Post reports on retailers’ tracking of customers’ merchandise returns. Citing fraud and security risks, companies such as Best Buy, JC Penney, Victoria’s Secret and Nike say they must create profiles on individual customers’ returns at their stores. The stores use third parties to create “return profiles” and report back to the retailer, but consumer advocates say the practice violates privacy because of a lack of transparent disclosures. The practice led to a lawsuit against Best Buy recently, though the case was eventually dismissed.
Full Story

SURVEILLANCE

Satellite Technology a Boon for Business (August 12, 2013)

The New York Times reports on affordable miniature satellites that will soon be orbiting Earth and sending back frequent, low-cost snapshots from space. The data captured from such technology will be valuable, one expert says, perhaps used by insurance companies to take “before” and “after” views of insured property to validate claims, for example. But some may not be so excited about such surveillance, said New York University Prof. Mitchell Stephens, calling the satellite’s pictures “a Godlike view, looking down from the heavens.” (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Alumni, Donors Notified of Breached Server (August 12, 2013)

The School of Forestry and Wildlife Sciences at Alabama’s Auburn University has begun notifying an undisclosed number of alumni and donors that their personal information has been breached, eSecurity Planet reports. The incident occurred when spreadsheets containing the individuals’ names, Social Security numbers and e-mail addresses, among other data, were mistakenly uploaded to a publicly available server. Meanwhile, a Texas lawmaker is taking action to ensure greater transparency when it comes to state agencies’ cyber threats.
Full Story

PRIVACY LAW—U.S.

Judge Rules Apple Can’t Dismiss Class-Action (August 9, 2013)
A federal judge has ruled that Apple cannot dismiss a class-action alleging it let third parties upload user information from applications on their mobile devices, Courthouse News Service reports. The judge said lead plaintiff Maria Pirozzi was able to make a “causal connection” between statements Apple made about the iPhone and the safety of its apps and her loss, the report states. “Plaintiffs alleged loss is clear: Apple claimed that apps could not access data from other apps…in actuality they can and have.”

PRIVACY IN POPULAR CULTURE

Talking With Cullen Hoback, Director of Terms and Conditions May Apply (August 9, 2013)

It’s no secret that privacy is top of mind for many Americans—one need only read the top-of-the-fold stories in the local paper about Edward Snowden’s leaked documents or the latest WiFi hack. Hence, the time is particularly ripe for Cullen Hoback’s newly released documentary, Terms and Conditions May Apply, which takes a hard look at data collection and use by the world’s largest websites. In an exclusive for The Privacy Advisor, we talk with him about data ownership, corporate ethics, government oversight and what he's learned in researching privacy notices for the past two years.
Full Story

PRIVACY LAW—U.S.

SB 1386 10 Years Later, and the Path Forward (August 9, 2013)

“Whether or not you view the passage of California's SB 1386 data privacy law in 2003 as a watershed moment in the information security world, few can argue that its enactment significantly changed the infosec playing field,” writes Randy Sabett for Search Security. Sabett predicts that the trend started by SB 1386 “of increasingly proactive and granular state data privacy laws will continue to evolve” by focusing on the obligations of stakeholders—mainly those that are collecting the data, and he also expects to see federal privacy legislation. “For now though, it seems that there are too many stakeholders with varied interests to get an ‘omnibus-style’ bill on the books.”
Full Story

BYOD—U.S.

Ohio Case Demonstrates Danger in BYOD Policies (August 9, 2013)

JDSupra Law News analyzes the recent case in the Northern District of Ohio demonstrating the tension between employer control and employee privacy when it comes to bring your own device (BYOD) policies. In Lazette v. Kulmatycki, an employer read the personal e-mails of a former employee after she turned in her Blackberry device, thinking she’d deleted the account. The employer was found to be at fault, but prosecutors had to stretch a bit to convict him under existing laws. “At a macro level, this case should be a warning to employers to continue to be careful with personal information in a BYOD environment,” the report states. “The potential liability for employers could be significant.”
Full Story

SURVEILLANCE—U.S.

Obama Meets with Tech Biz; Snowden’s E-mail Provider Shuts Down (August 9, 2013)

On Thursday, President Barack Obama met with CEOs from Apple, AT&T and other U.S.-based technology companies to discuss government surveillance, just days after meeting with privacy advocates, POLITICO reports. On the same day, officials from the FBI, CIA and NSA spoke about cybersecurity, and e-mail service provider Lavabit—which offered high-level encryption services and was reportedly used by whistleblower Edward Snowden—announced it was immediately shutting down its service. Lavabit owner and operator Ladar Levison said it was a “difficult decision: to become complicit in crimes against the American people or walk away” from his company. He added the experience has taught him that “without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the U.S. government.” Snowden said U.S. tech companies "must ask themselves why they aren't fighting for our interests (in) the same way." Additionally, Silent Circle announced it was shutting down its encryption e-mail service, according to The New York Times. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—EU & U.S.

Spy Programs Prompt Potential May Deadline (August 9, 2013)

The Wall Street Journal reports on EU reaction to the U.S. National Security Agency surveillance program disclosures, including the determination by some to enact the proposed data protection regulation by May of next year. German MEP Jan Philipp Albrecht said, “The importance has been made clear now with all these revelations, we need cross-border rules, European rules, to safeguard fundamental rights,” adding, “It makes the world more vivid.” Shearman & Sterling associate Hartmut Häselbarth said the May deadline is ambitious, but in the long run, American businesses with a presence in Europe “will most likely have problems in (the) future.” (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Personal Data Trashed, Paper Trail Plagues Veterans Affairs (August 9, 2013)

Police in Beaverton, OR, say employees at Sylvan Learning Center trashed a large amount of business documents containing personal information about clients, KATU.com reports. The branch’s owner says the documents—which contained hundreds of individuals’ names, dates of birth and Social Security numbers—were intended to be shredded. Meanwhile, Veterans Affairs Acting Assistant Secretary for Information and Technology Stephen Warren said the main cause of data breaches at the Department of Veterans Affairs involves physical paper being misplaced, mishandled and improperly mailed. And an Australian IT firm says it has promised it will alert clients to their stolen private information found on the Internet almost as quickly as it is posted by using a new service called Pure Hacking.
Full Story

HEALTHCARE PRIVACY—U.S.

HIPAA-Compliance Deadline Looms (August 9, 2013)

In an article for National Law Review, Elizabeth Johnson of Poyner Spruill says one of the highest priorities for HIPAA-covered entities required to meet new aspects of the recently updated HIPAA rules is to update business associate agreements. That’s because the distribution, negotiation and execution process can be time-consuming, she writes. “With the compliance deadline only two months away, covered entities must focus efforts to ensure that all updates are complete and new training concluded prior to the September 23 deadline.”
Full Story

STUDENT PRIVACY—U.S.

The Current State of InBloom Cloud Service (August 9, 2013)

With several states raising concerns about student privacy issues regarding InBloom cloud services, the company’s board chair Bob Wise said some states and districts are “stepping back, not necessarily from an eventual commitment, but for now,” Information Week reports. He noted the project is still “moving ahead well in Colorado, particularly Jefferson County.” Shawn Bay, the founder of eScholar, said the operators of the cloud service “stepped in it on the issue of student privacy” and that it has damaged the brand, but he suspects there will be a shift in emphasis for the company. Wise said that InBloom “may have been a bit slow in anticipating and getting involved in this discussion on student privacy,” but will “make sure it’s done in a proper way, that achieves the educational goal and makes sure the public fully supports it.”
Full Story

ONLINE PRIVACY

Twitter Retargeting Service Gets Advocate Approval (August 8, 2013)
The Guardian reports on what Twitter’s new retargeting advertising service may mean for user privacy. Users “won’t see more ads on Twitter, but they may see better ones,” the company told its users. While some privacy advocates have scrutinized the plan, others say Twitter’s approach is admirable given its adherence to “Do Not Track” settings and its easy opt-out. The Electronic Frontier Foundation says other companies should follow Twitter’s lead: “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.”

HEALTHCARE PRIVACY—U.S.

Opinion: University Requirement for Medical Data Violates Privacy (August 8, 2013)

In an op-ed for Patriot-News, political science professor Matthew Woessner opines that a recently announced healthcare initiative violates privacy. The initiative would require all Penn State employees to complete a medical survey—which asks questions on everything from how many alcoholic drinks the respondent consumes per week to how many times in the last six months they’ve driven a vehicle after drinking too much to whether they suffer from anxiety or persistent sadness—through WebMD. Those who don’t comply would be fined $100 per month. “University officials are blind,” Woessner writes, “to the ethical ramifications of an employer forcing employees to hand over extremely private information to the world’s largest medical website.”
Full Story

DATA LOSS—U.S.

Airline’s Second Significant Breach in a Month (August 8, 2013)

For the second time in the past 30 days, U.S. Airways has revealed it has suffered a breach of PII, wsoctv.com reports. As many as 7,700 customers may have been affected by the latest breach, which customers discovered when they noticed their frequent flyer miles were missing, and compromised data includes usernames, passwords, birth dates, addresses, security question answers and the last four digits of credit cards. The last breach involved employee data. U.S. Airways said it has restored “all mileage balances as quickly as possible” and will provide free identity-theft monitoring.
Full Story

SURVEILLANCE

NSA Is Casting “Far Wider Net” Than Previously Disclosed (August 8, 2013)

While the NSA has publicly acknowledged collecting and searching the contents of Americans’ digital communications without a warrant, it was previously understood that only conversations between Americans and targeted foreign nationals were collected and searched. Now, reports The New York Times, the documents released by Edward Snowden reveal that any communication that crosses the border and even mentions a piece of information connected to a suspect is being collected and searched. The NSA says this practice is legal under the 2008 FISA law. An anonymous senior intelligence official told The Times the NSA “makes ‘a clone of selected communication links’” to gather the information. NSA officials have publicly denied this practice in the past. The ACLU and other organizations are calling this “precisely the kind of generalized spying that the Fourth Amendment was intended to prohibit.” (Registration may be required to access this story.)
Full Story

GENETIC PRIVACY—U.S.

Unprecedented Pact Reached With Lacks’ Descendants (August 8, 2013)

In an unprecedented move, the National Institutes of Health (NIH) announced an agreement with the descendants of Henrietta Lacks, whose cervical cancer cells were taken without permission by scientists 62 years ago, giving them control over which biomedical researchers will gain access to the full genome data derived from her cells, MSNBC reports. NIH Director Francis Collins said it is an “historical agreement” that will “protect the family’s interest and also further their commitment to biomedical research.” In a column for Nature, Martin Bobrow writes on the “growing issue in modern science: access to biomedical and health-related research data.”
Full Story

FINANCIAL PRIVACY—U.S.

Senator Concerned About CFPB Data Collection (August 8, 2013)

In a press release, Sen. Mike Crapo (R-ID) has raised privacy concerns about the collection of sensitive financial data by the newly created U.S. Credit Financial Protection Bureau. The ranking member of the Senate Banking, Housing and Urban Affairs Committee, Crapo is concerned about how data is being collected, how many accounts are being monitored, how the data is being used and how many safeguards are in place to protect the data. The Government Accountability Office has agreed to investigate the collection programs. “Recently, cases of privacy abuse” have reached the headlines, Crapo said, “and we now have a federal agency that is using unchecked power to gather data on the spending habits of hundreds of millions of Americans.” The senator plans to hold a press conference on the issue on Monday, August 12.
Full Story

MOBILE PRIVACY

Android 4.3 Keeps WiFi On, Even When It’s “Off” (August 8, 2013)

The latest version of the Android operating system comes with a new feature that some technologists are drawing attention to: Even when a user switches WiFi access off, the device will continue to scan for WiFi networks. This is done, according to a report from ValueWalk, “for providing better location information to apps.” However, there is a way to disable this functionality, which is detailed in the article. WPIX, a television station in New York, notes this default setting is raising privacy concerns.
Full Story

HEALTHCARE PRIVACY—U.S.

Obamacare Privacy Safeguards “Way Behind”; Violations Could Be “Rampant” (August 7, 2013)
The Office of the Inspector General of the Department of Health and Human Services (HHS) says the Obama administration has not set up adequate safeguards to protect U.S. citizens’ privacy under the law, Forbes reports. The office says health data exchanges under Obamacare may expose private records to hackers and criminals. The healthcare plan mandates the creation of a “data hub,” accessible by seven different federal agencies, including the Internal Revenue Service, the Social Security Administration and the Department of Homeland Security. A spokeswoman for HHS said privacy safeguards are delayed by at least two months, with the exchanges slated to begin October 1.

HEALTHCARE PRIVACY

Get Ready for HIPAA Compliance with the Resource Center (August 7, 2013)

The IAPP Resource Center has teamed up with Adam Greene of Davis Wright Tremaine to offer IAPP members access to a key section of Davis Wright Tremaine’s HIPAA Audit Tool—recently acknowledged on the IAPP Privacy List as a very helpful tool to map organizational record-keeping back to the OCR audit protocol. This new addition to the Resource Center assists healthcare providers with ensuring that they are providing individuals with access to their protected health information in compliance with HIPAA. To view this tool and others to help you get ready for the upcoming HIPAA Omnibus Rule compliance deadline, see Close-Up: HIPAA. (IAPP member login required.)
Read Now

PRIVACY LAW—UK

ICO Publishes PIA Code of Practice (August 7, 2013)

The UK Information Commissioner’s Office (ICO) has published a consultation on a new privacy impact assessment (PIA) code of practice and released a study on PIA and risk management. The ICO first announced the study, conducted by Trilateral Research & Consulting, was underway back in January. The consultation states the new code of practice aims to “help organizations conduct assessments of new projects that involve the use of personal information. The code explains the key principles behind a PIA and suggests how a PIA can be integrated with an organization’s project and risk management processes.”
Full Story

CYBERSECURITY—U.S.

Survey: CIO, CISO Not Part of Insurance Decision (August 7, 2013)

A new survey conducted by the Ponemon Institute reveals that approximately one-third of businesses and public-sector organizations purchase cyberinsurance, but chief information officers and chief information security officers often have “very little influence” in the purchase decision, Network World reports. Among the 638 U.S. organizations canvassed, there is “still a lot of skepticism about whether such insurance is worth the cost,” the report states.
Full Story

SURVEILLANCE—U.S.

White House Discusses Surveillance, Privacy with Advocates (August 7, 2013)

As the Obama administration continues to deal with criticism over the National Security Agency’s surveillance programs, senior White House officials met with privacy advocates and business groups yesterday to discuss government surveillance and consumer privacy regulation, The Hill reports. The Electronic Privacy and Information Center’s Marc Rotenberg said the meeting was the “beginning of an important dialogue about the challenge of protecting privacy in the 21st century.” Sascha Meinrath of the New America Foundation said “many questions remain unanswered.”
Full Story

BIG DATA—U.S.

The Inaccuracies of Data Broker Dossiers (August 7, 2013)

Forbes reports on the inaccuracies that are often found in dossiers compiled by data brokers. Amassing profiles on millions of Americans can be difficult because many people have the same names and can easily be mixed up, and in one example, that caused embarrassment. “Even with so many suppliers sucking up details of our personal transactions at every step and selling them to data brokers,” the report states, “errors plague the process.” The inaccuracy problem has received attention from the Federal Trade Commission (FTC). Earlier this year, FTC Commissioner Julie Brill gave a speech calling for a new policy, called Reclaim Your Name, which would provide consumers with avenues to check the accuracies of their profiles. Acxiom is reportedly working on an access feature.
Full Story

PRIVACY LAW—U.S.

Judge Dismisses Privacy Claim Against Neighborhood Photographer (August 7, 2013)

New York State Court Judge Eileen A. Rakower has dismissed a claim against photographer Arne Svenson that alleged invasion of privacy, Photo District News reports. Svenson is a photographer who took photos of his neighbors through their windows, without their knowledge, and displayed the images in an art show. Rakower said the photos are protected under the First Amendment. New York’s civil rights laws “yield to an artist’s protections under the First Amendment under the circumstances presented here,” Rakower wrote.
Full Story

CYBERSECURITY

Tor Network Breached (August 7, 2013)

The web anonymity service Tor announced that its network had been breached through a vulnerability in the Tor Browser, Naked Security reports, and that malicious JavaScript may have revealed the identities of those using the service. Tor allows web users to mask their browsing habits by sending data through onion routers to mask the original header information—including the user’s IP address. As a result, a hidden server network run by Freedom Hosting was taken offline. Freedom Hosting’s owner and operator Eric Eoin Marques is currently being held without bail and awaits extradition by the FBI for allegedly distributing child pornography online. Based on the timing of the arrest and the insertion of the malicious code, some speculate U.S. investigators introduced the script. “There are lots of rumors and speculation as to what’s happened,” writes the Tor Project on its blog. “We’re reading the same news and threads you are and don’t have any insider information.”
Full Story

PERSONAL PRIVACY

Will Data Ownership EVER Be a Privacy Solution? (August 6, 2013)
“Why is it that better methods of digital contracting and data ownership have not yet developed to help us protect our privacy online?” asks Adam Thierer in this installment of Privacy Perspectives. Thierer, a senior research fellow at George Mason University’s Mercatus Center, writes, “there probably hasn’t been as much demand for formal contracting because many users don’t mind today’s ‘take-it-or-leave-it’ model of online services” and that formal contracting around privacy “has always been tied up with the same thorny issues of information ownership and enforcement, which have complicated digital copyright policy.” But maybe that's changing.

CLOUD COMPUTING

Europe and Asia Stand To Gain from U.S. Industry’s Loss (August 6, 2013)

The U.S. cloud computing industry could take a major earnings hit as a result of fallout from the NSA revelations. That’s according to an Information Technology and Innovation Foundation (ITIF) report, which estimates U.S. cloud computing providers could lose $21.5 billion in revenue in the next three years. And that’s its conservative estimate, IT News reports. The worst-case scenario could see losses of up to $35 billion by 2016, with European and Asian markets poised to gain, the report states. “If European cloud customers can’t trust the United States government, then maybe they won’t trust the U.S. cloud providers either,” European Commissioner for Digital Matters Neelie Kroes said recently. Editor’s Note: The preconference workshop The Privacy Pro’s Field Guide to Contracting and Compliance in the Cloud will be part of this year’s Privacy Academy in Bellevue, WA. Also, Jason Weinstein recently proposed steps for U.S. cloud providers to take on the Privacy Perspectives blog.
Full Story

PRIVACY LAW

Surveillance Issues Loom Large, Safe Harbor Questions and More (August 6, 2013)

In this week’s Privacy Tracker Global News Roundup, you’ll find new challenges to a Utah surveillance law; an interesting turn of events in a case deciding whether government authorities can extract historical location data directly from telecommunications carriers without a search warrant; legislative initiatives related to FISA and the USA PATRIOT Act; questions about the future of Safe Harbor, and information on developments in Italy, France and Australia. (IAPP member login required.)
Full Story

HEALTHCARE PRIVACY—U.S.

Pharmacy Association Takes Issue with HIPAA Revisions (August 6, 2013)

The Specialty Pharmacy Association of America has sent a letter to the Office for Civil Rights at the Department of Health and Human Services asking for clarification or revision of several key elements of HIPAA regulations. Bill Sullivan, executive director of the association, wrote in the letter that by passing the Accountable Care Act, Congress “clearly sought to protect and enhance public health benefits that accrue to patients through adherence and compliance messaging programs. Unfortunately, the current interpretation of HITECH through the HIPAA Omnibus Rule restricts and adversely conflicts these potential benefits.”
Full Story

DRIVER’S PRIVACY—U.S.

Court: Vehicle Records Must Be Reasonably Cared For Before Resale (August 6, 2013)

A U.S. Court of Appeals has ruled that companies that resell personal information from motor vehicle records are subject to a “duty of reasonable care before disclosing such information pursuant to the Driver’s Privacy Protection Act (DPPA),” Bloomberg BNA reports. The court ruled on July 31 in Gordon v. Softeach Int’l that “Given the nature of information available through motor vehicle records—e.g., Social Security number, medical or disability information and home address—the DPPA’s purpose would be severely undermined if resellers’ disclosures were not subject to a duty of reasonable inquiry.”
Full Story

DATA LOSS—U.S.

Data Breaches from 2005 to Present Exceed 500 Million (August 6, 2013)

From 2005 to present, there have been a reported 535,267,233 data records breached in the U.S., ZDNet reports. That’s 1.7 times the U.S. population, and the number only reflects reported breaches. “Many, or perhaps most, of the breaches that have occurred over the past decade have no reported number of records associated with them. They’re designated as ‘unknown,’” the report states. Ken Hess writes that, if each record breached represents one account, “just about everyone who lives in the U.S. is at risk of having at least one part of his or her data hijacked from multiple sources. It also means that absolutely no one's data is safe.”
Full Story

DATA PROTECTION—EU & U.S.

Safe Harbor in Hot Water (August 5, 2013)
Despite the U.S.-EU Safe Harbor agreement’s apparent success at facilitating cross-border data transfers since its adoption in 2000, it’s in danger. MEP Jan Philipp Albrecht recommended in his report earlier this year that the mechanism be discontinued, and the Transatlantic Trade and Investment Partnership (TTIP) negotiations have indicated discontent with the current framework. As such, organizations certified under Safe Harbor “should closely monitor the EU’s legislative process and the TTIP for indications about Safe Harbor’s future,” writes Hogan Lovells’ Privacy Team in this latest installment of the IAPP’s Privacy Tracker blog. (IAPP member login required.)

SURVEILLANCE—U.S.

Some Lawmakers Denied NSA Data Access; Cover-Up of DEA Program Revealed (August 5, 2013)

Documents leaked by two members of Congress reveal the difficulty some U.S. lawmakers have in gaining access to basic information about the National Security Agency’s (NSA) surveillance programs and Foreign Intelligence Surveillance Act (FISA) court orders. Reps. Morgan Griffith (R-VA) and Alan Grayson (D-FL) disclosed “numerous letters and e-mails documenting their persistent, and unsuccessful, efforts to learn about NSA programs and FISA court rulings,” Glenn Greenwald of The Guardian writes. In another burgeoning story, Reuters reports on a separate surveillance program run by the U.S. Drug Enforcement Agency “that extends well beyond intelligence gathering.” The data gathering efforts of the Special Operations Division “raises fundamental questions about whether the government is concealing information used to investigate and help build criminal cases against American citizens,” the report states.
Full Story

ONLINE PRIVACY

Making the Case for More Obscurity and Less Anonymity (August 5, 2013)

Speaking at Navigate in June, Prof. Woodrow Hartzog explored the value of and made the case for using online obscurity to help protect a user’s personal privacy. By obscuring our online profiles—by varying degrees depending on intent and context—Hartzog said we can help protect some of our online privacy. But what about those who hide behind masks of online anonymity to spout nefarious words of hate speech? This Privacy Perspectives installment explores the tension between the need for online obscurity and the need to unmask those who prowl the Internet with damaging intent.
Full Story

PRIVACY LAW—U.S.

Vote Delayed on E-Mail Warrant Bill (August 5, 2013)

The Hill reports on the delay in “a vote on legislation that would require police to obtain a warrant before accessing e-mails and other online messages.” Senate Judiciary Committee Chairman Patrick Leahy (D-VT) had pressed for a vote prior to the August recess, “but at least one Republican objected to the bill,” resulting in the delay, the report states. If passed, the legislation will limit law enforcement’s ability to access private online messages. Currently, the Electronic Communications Privacy Act of 1986 only requires a subpoena to require Internet companies to provide access to such communications if they have been opened or are more than 180 days old.
Full Story

PRIVACY LAW—U.S.

The Value of Consent (August 5, 2013)

Venture Beat poses the question, “What do a hacker and a 26-year-old Republican legislator have in common?” The answer? “They both believe that one of the core values of good privacy law needs to be consent.” In this report, Meghan Kelly shares the story of Eric Fulton and Daniel Zolnikov, who attended college together and went on to become a hacker and a state legislator, respectively. Both are advocating for privacy law that focuses “on consumers giving consent before data can be collected,” the report states, noting Fulton believes the recent National Security Agency surveillance backlash may be the “story people could latch on to” in order to move such legislation forward.
Full Story

BIG DATA—AUSTRALIA

Australia Gunning To Become World Leader in Big Data Analytics (August 5, 2013)

The Australian Government Information Management Office has released its Public Service Big Data Strategy that aims to “position Australia as a world leader in the public sector use of Big Data analytics to deliver service-delivery reform, better public policy and protect citizens’ privacy,” ZDNet reports. The report discusses Big Data’s role in improving the targeting of services and the ability for businesses to offer more tailored services in accordance with individual and community needs, but it also notes privacy concerns that must be addressed before full benefits are realized. Agencies must develop better practices when it comes to cross-agency data sets and data deidentification, for example.
Full Story

SURVEILLANCE—U.S.

Researcher’s Spy Boxes Pick Up Troves of Unencrypted Data (August 5, 2013)

Security researcher Brendan O’Connor recently wondered how easy it would be to monitor—as a private citizen—the movement of strangers on the street. So he built 10 contraptions made of sensors, a tiny computer and Wi-Fi adaptors and proceeded to spy on himself. The data his contraptions collected sent signals to a command-and-control system and included the unique identifiers to his phone and iPad—in unencrypted fashion, The New York Times reports. “Actually it’s not hard,” O’Connor said. “It’s terrifyingly easy…It could be used for anything, depending on how creepy you want to be.” (Registration may be required to access this story.)
Full Story

DRIVER’S PRIVACY—U.S.

Bill To Allow Warrantless Cellphone Searches Contended (August 5, 2013)

Proving illegal cellphone use was the cause of a car crash can be difficult for law enforcement. So one New Jersey lawmaker aims to make the process easier by proposing legislation that would allow police to search through a driver’s cellphone after a crash without a warrant, South Jersey Times reports. Sen. James Holzapfel (R-Ocean) proposed the legislation in June, but privacy advocates have called it unconstitutional. “We’re entitled to have a zone of privacy, and just because technology threatens to pierce that zone of privacy…doesn’t mean we should give up our constitutional protections,” said a trial lawyer and privacy expert.
Full Story

BIOMETRICS

Exploring Computer-Manipulation of the Mind (August 5, 2013)

The New York Times reports on the latest research into computer-brain interfaces and the possibilities of sending brain waves over the Internet. Potential uses for brain-computer interfaces include human interaction with computers and other mobile devices simply by thinking. In 2011, scientists published research on Decoded Neurofeedback, a process by which brain activity can be altered. Additionally, Duke University neuroscientist Miguel A. Nicolelis has successfully connected the brain activity of two rats over the Internet and conducted an experiment called a “brain net,” which allowed rats to share information over the web. Nicolelis said he believes humans will eventually be able to communicate over the Internet via brain waves. “I think this is the real frontier of human communication in the future,” he said. (Registration may be required to access this story.)
Full Story

PRIVACY PROFESSION

The Case for a Code (August 2, 2013)

Should privacy professionals have a code of ethics? That was the question first raised on Privacy Perspectives by Alex Fowler, and now continued by K Royal, CIPP/US, CIPP/E. Balancing roles as a nurse and an attorney, Royal discovered a tension allowing for conflict between professional obligations. The same may be true for privacy professionals serving as in-house counsel. “The potential for conflict is reduced when the law speaks clearly to the issue, but becomes muddy when the ‘right thing’ is not statutorily driven,” Royal writes. “Does one’s duty to the company carry more weight than one’s duty to a data subject? Does one have a duty to a data subject if the law is silent?”
Full Story

ONLINE PRIVACY—U.S.

House Committee Creates Privacy Working Group (August 2, 2013)
Broadcasting & Cable reports on the House Commerce, Manufacturing and Trade Subcommittee’s creation of a bipartisan privacy working group to focus on online privacy. With Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT) as its chairs, the working group will also include Reps. Joe Barton (R-TX), Pete Olson (R-TX), Mike Pompeo (R-KS), Jan Schakowsky (D-IL), Bobby Rush (D-IL) and Jerry McNerney (D-CA). Blackburn said the working group will “seek opportunities where Congress can forge bipartisan agreement to better protect consumers' sensitive information and foster U.S.-based innovation," while Welch added that given advancements in technology, it is “more important than ever that we make sure the consumer's right to privacy is protected.”

ONLINE PRIVACY—U.S.

Mayer Resigns from DNT Group (August 2, 2013)

Stanford’s Jonathan Mayer has resigned from the working group tasked with creating a Do-Not-Track standard for the Internet, GigaOm reports. “We do not have a credible timetable—and we’ve just adjourned for a month. We do not have a definitive base text. We do not have straightforward guidelines on what amendments are allowed…This is not process: This is the absence of process,” he wrote. Mayer’s resignation comes on the heels of his comments in June indicating that if the group could not reach consensus in the month that followed, it would be time to “call it quits.”
Full Story

SURVEILLANCE—U.S.

FBI Employing Hackers’ Techniques (August 2, 2013)

The Wall Street Journal reports U.S. law enforcement officials are “expanding the use of tools routinely used by computer hackers to gather information on suspects.” Law enforcement calls the practice, which includes remotely activating Android microphones to record conversations on cellphones or on laptops and hiring hackers themselves, “going dark.” The ACLU says there should be legal guidelines on how such hacking tools can be used. A spokesperson for the Justice Department said it makes decisions regarding legal authority to conduct surveillance on a case-by-case basis. (Registration may be required to access this story.)
Full Story

PRIVACY COMMUNITY

IAPP Signs Alliance Agreement with Pribatua (August 1, 2013)

The IAPP announced today an alliance agreement with Pribatua, the Basque Association of Privacy and Information Security (Asociación Vasca de Privacidad y Seguridad de la Información). As part of this “sister” relationship, Pribatua members will receive membership rates for IAPP offerings and Pribatua will be co-sponsors of IAPP Europe’s two major events, the Data Protection Intensive and the Data Protection Congress.
Full Story

PRIVACY LAW—ITALY

Garante Releases Rules on Spam and Viral Marketing (August 1, 2013)

The Italian Data Protection Authority (Garante) released, earlier this month, a set of rules dealing with spam and viral marketing. The provision, named “Guidelines on Marketing Activities and Spam,” is intended to fight the abuse of marketing communications and to promote fair commercial practices toward users and consumers.
Full Story

SOCIAL NETWORKING—U.S.

Twitter Report Shows U.S. Gov’t User Data Requests On the Rise (August 1, 2013)
Twitter says the U.S. government continues to make the most requests for data on subscribers, The Washington Post reports. In the first six months of the year, federal authorities made 902 requests for user information. In the same period last year, it requested information on 815 subscribers, the company’s transparency report indicates. Additionally, the U.S. government’s requests comprised 78 percent of all requests for user data. In its latest blog post, Twitter said it has “joined forces with industry peers and civil liberty groups to insist that the United States government allow for increased transparency into these secret orders.” (Registration may be required to access this story.)

SURVEILLANCE—U.S.

Senate Strongly Presses NSA; Bills Introduced; Classified Docs Released (August 1, 2013)

This exclusive for The Privacy Advisor reports on a Senate Judiciary Committee hearing yesterday where senators from both sides of the aisle pressed representatives from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Federal Bureau of Investigation and Justice Department over surveillance programs, particularly the provision allowing for the dragnet collection of Americans’ phone metadata. Committee Chairman Patrick Leahy (D-VT), on several occasions, expressed deep concern about the amount of Americans’ data being collected under Section 215. A number of senators said they were introducing legislation to narrow the scope of the collection of phone metadata. Obama administration representatives said they were willing to “reevaluate” the program.
Full Story

PRIVACY LAW—U.S.

Court Dismisses Class-Action Claim Against Gaming Site (August 1, 2013)

The U.S. District Court for the Central District of California has dismissed a majority of the claims brought against Blizzard Entertainment, Inc., after a 2012 data breach, Mondaq reports. Hackers had gained access to customers’ accounts, including e-mail addresses and cryptographically scrambled versions of Battle.net passwords. Among other allegations, the plaintiffs claimed the company failed to notify users of the breach in a timely manner. The court said the plaintiffs “failed to allege adequate harm.” Meanwhile, a Colorado clinic reports it has fired an employee in its billing department who improperly e-mailed some patients’ protected information to her own personal account.
Full Story

DATA PROTECTION—U.S.

Cyber Insurance Policies On The Rise (August 1, 2013)

Cyber insurance has become increasingly popular among businesses, Live Insurance News reports. That’s because of high-profile data breaches at companies including Citigroup and Sony and at governments around the world, the report states. “We’ve reached a threshold where people are now coming to us instead of us going to them,” said one industry executive, adding that his company, Aon Corp., has sold more cyber insurance policies within the last year and a half than in the five years prior.
Full Story

PRIVACY SCHOLARSHIP

Deception Is at the Heart of PLSC-Winning Papers (August 1, 2013)

At each year’s Privacy Law Scholars Conference, scholars workshop papers that bring together the academic privacy community with those working in industry, advocacy, law and government. The IAPP awards the two papers that receive the most votes from attendees with a cash prize and a speaking slot at the IAPP Privacy Academy, to be held this year in Seattle, Sept. 30 through Oct. 2. In an exclusive for The Privacy Advisor, we interview the winners and discuss their inspiration for the papers and the conclusions they’ve drawn about deceptive privacy practices and what the FTC might start doing about them.
Full Story

ONLINE PRIVACY

Companies Shifting To Meet Consumer Expectations (August 1, 2013)

Forbes reports on products that are changing based on consumer expectations of privacy. Pinterest is now offering users a Do-Not-Track option. Google Now is a digital assistant capable of alerting users if a flight is delayed or a particular route is backed up with traffic, but Google reserves the service’s full functionality for those users who don’t mind their locations being tracked, the report states. And Facebook’s latest ad offerings target users based only on age and gender rather than more granular data.
Full Story

PRIVACY LAW—U.S.

Fifth Circuit Decision “Doomed” at SCOTUS Level (August 1, 2013)

In a feature for Slate, Mark Joseph Stern contends that this week’s Fifth Circuit Court of Appeals decision that authorities do not need warrants to extract historical location data from cell phones “is doomed at the Supreme Court” level. “The Fifth Circuit’s cellphone ruling is almost certain to be reversed in the near future, barring a dramatic change of heart from one of the Supreme Court’s privacy lovers,” he writes. Meanwhile, TIME takes a look at five recent privacy cases in a report examining how the Supreme Court defines the right to privacy.
Full Story