Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!

Subscribe now!

Top Privacy News

PRIVACY LAW

CA Signs Do-Not-Track Disclosure Law, Plus Other Legal News (September 30, 2013)
In this week’s Privacy Tracker legislative roundup, read about California’s continued push toward privacy protections including Gov. Jerry Brown signing into law an amendment to the California Online Privacy Protection Act that requires websites to disclose in privacy policies how they react to Do-Not-Track signals, the passing of the “eraser law” and movement on a bill that would extend the employee social media law to public agencies. Meanwhile, a Minnesota court has determined the state is not responsible for an employee’s alleged inappropriate accessing of driver’s license records, and the Fourth U.S. Circuit Court of Appeals has ruled in favor of a former Virginia deputy sheriff saying his Facebook “Like” is protected by the First Amendment. Plus, read about legislative activity in the EU, Singapore, Australia and South Africa. (IAPP member login required.)

PRIVACY LAW—EU

“Privacy by Default” Could Be Major Post-Regulation Issue (September 30, 2013)

“Privacy by Design” is as close to privacy dogma as you’re going to get. Regulatory bodies across the globe now provide this idea, developed by Ontario Information and Privacy Commissioner Ann Cavoukian, as guidance for all technology companies that hope to gather personal information. At the 35th International Conference of Data Protection and Privacy Commissioners in Warsaw, however, it was the idea of “privacy by default” that produced one of the most interesting back-and-forths. In this exclusive for The Privacy Advisor, Sam Pfeifle reports on the discussion, which featured Jacob Kohnstamm, Omer Tene and Reijo Aarnio.
Full Story

SURVEILLANCE

NSA Legislation To Move This Week; Revelations Continue (September 30, 2013)

Armed with continuing revelations like the news that the U.S. National Security Agency (NSA) has been building sophisticated graphs of Americans’ social connections, The Hill reports the U.S. Senate Intelligence Committee will vote this week on legislation authored by Committee Chairwoman Dianne Feinstein (D-CA) and ranking member Saxby Chambliss (R-GA) that would slightly amend the NSA’s ability to collect phone records. “It would also require,” according to the report, “that the Senate confirm the NSA director and instruct the agency to produce annual reports containing statistics on its surveillance activities.” Many senators do not believe the bill goes far enough, however, and Sen. Patrick Leahy (D-VT) is working on his own bill that would end the phone-record collection entirely and will hold a hearing on Wednesday to examine NSA surveillance programs.
Full Story

PRIVACY LAW—FRANCE

CNIL Says It Will Soon Fine Google (September 30, 2013)

CNET and other media outlets are reporting that France’s data protection agency, the CNIL, announced Friday it plans to sanction Google following the company’s refusal to meet its demands for changes to its privacy policy. The CNIL will now appoint a rapporteur to “initiate the possibility of sanctions, which could include fines.” The CNIL’s requests reportedly include asking Google to inform users about the purposes of its data processing, to define retention periods for the personal data processed and to get explicit consent for placing cookies. Google feels it already complies with European privacy law. A number of privacy industry members weigh in on the case’s importance.
Full Story

PRIVACY COMMUNITY

Koenig Leaves PwC for Booz Allen Hamilton (September 30, 2013)

Booz Allen Hamilton has announced that James H. Koenig, CIPP/US, most recently of PricewaterhouseCoopers, will join the firm as a principal to lead its cross-industry privacy and identity theft practice as well as cybersecurity for its commercial health business. The move is effective today, and Koenig will be based in Philadelphia, PA, with global responsibilities.
Full Story

SURVEILLANCE

Spying Leads to Calls for “Privacy Havens” (September 30, 2013)

The Wall Street Journal reports today on new data privacy trends inspired by Edward Snowden’s NSA revelations, including a new “Email Made in Germany” service created by three of Germany’s largest Internet service providers. “We can say that we protect the e-mail inbox according to German law,” says Jorg Fries-Lammers, a spokesman for one of the German companies, 1&1 Internet AG. “It’s definitely a unique selling point.” Facebook COO Sheryl Sandberg pronounced herself “nervous” about these kinds of developments: “It means fragmenting the Internet and putting the economic and social opportunities it creates at risk.” Brazilian President Dilma Rousseff went so far as to call for “the establishment of a civilian multilateral framework for the governance and use of the Internet and to ensure the effective protection of data that travels through the web” in a speech before the United Nations. The NSA news is leading to tech innovation as well: John McAfee announced this week he is developing personal gadgetry that will protect the user from NSA spying. (Registration may be required to access this story.)
Full Story

PRIVACY

Privacy Lessons from Berlin: An Exploration (September 30, 2013)

In the first installment of an investigative series for The Atlantic, Conor Friedersdorf writes about spending a week in Berlin exploring the question, “What can Germans teach us about privacy?” He asks, “Are German attitudes toward personal data protection spurring the country to refashion itself as a ‘Cayman Islands of privacy’, or at least the leader of a Euro zone that reorients the Internet so that it’s less NSA-accessible? How are German politicians who favor greater protection for privacy planning to proceed?” Friedersdorf suggests Berlin is “an important test case for Western nations as leaders and citizens decide how best to navigate the digital revolution and its implications for privacy.”
Full Story

PRIVACY COMMUNITY

Facebook Hires Privacy Pro as New Deputy Counsel (September 30, 2013)

TechCrunch reports Facebook has hired Ashlie Beringer, a partner at California firm Gibson Dunn and co-chair of the law firm’s information technology and data privacy practice group, as the company’s new deputy counsel. Beringer will report to Facebook General Counsel Colin Stretch, “who was promoted from deputy to take the social network’s top legal job in June after long-running GC Ted Ullyot left the company.” Beringer will run Facebook’s legal department’s litigation, regulatory and product groups. She will begin at Facebook November 18.
Full Story

BEHAVIORAL TARGETING—UK

MPs Give Data Harvesters “Green Light” (September 30, 2013)

Members of Parliament are giving companies that harvest personal data from Internet-connected devices “the green light … prompting disquiet over Parliament's commitment to protecting consumer rights,” Daily Mail reports. The House of Commons Culture, Media and Sport Committee noted in a report, “Increasing use is being made of personal data to target online advertising better … While concerns around this have prompted reviews of data protection legislation, we do not think the targeting of appropriate advertising—essential to so many business models—represents the greatest threat to privacy.” Consumer and privacy advocates caution, however, that consumers are losing control of their data, the report states.
Full Story

ONLINE PRIVACY

PGP Creator Warns About E-mail Privacy (September 30, 2013)

Creator of the e-mail encryption software PGP, Phil Zimmermann, has told The Guardian that users of consumer e-mail services should be aware of the threat of exposing their metadata. Zimmermann says his opinions on privacy have changed drastically in the more than 20 years since he invented PGP, noting “more recently … everyone has become aware that metadata is becoming increasingly important—that the message headers mean a lot.” These risks prompted him to develop a new feature for his Silent Phone app that encrypts conversations earlier in the call process, but the report states, in spite of PGP flaws “becoming clearer with time,” he maintains that PGP is holding up just fine.
Full Story

PRIVACY LAW—U.S.

Court Rules Gmail Case Alleging Wiretapping Can Continue (September 27, 2013)

In this Privacy Tracker blog post, Westin Fellow Kelsey Finch analyses U.S. District Judge Lucy Koh’s decision that Google’s practice of intercepting e-mails to and from Gmail users may violate federal and California wiretap laws. Using a “narrow reading” of the federal wiretap law and a “broad reading” of the California law, Koh sent the majority of the case on to trial, “inviting close scrutiny of both … statutes in light of the latest technologies and business practices.” Finch writes, “As the tension between consumer protection and business innovation continues to loom large in the privacy world, decisions that attempt to bridge new technologies and old laws become more and more important.”
Full Story

CYBERSECURITY—U.S.

What NIST Is Hoping To Get Out of Its Privacy Grant Program (September 27, 2013)

The National Institute of Standards and Technology (NIST) has released news of approximately $7 million in grant money headed toward five start-ups, all with a privacy or cybersecurity bent. The money is meant to support the National Strategy for Trusted Identities in Cyberspace, which envisions an "Identity Ecosystem" that allows for a cyber-commerce experience that is as safe as the brick-and-mortar commerce experience, with movement beyond the simple username-password operation. In this exclusive for The Privacy Advisor, NIST Senior Privacy Policy Advisor Naomi Lefkovitz discusses the endeavor.
Full Story

CONSUMER PRIVACY—U.S.

Usage-Based Car Insurance Raises Privacy Concerns (September 27, 2013)

Computerworld reports on a new study out of the University of Denver revealing that pay-as-you-drive insurance plans may pose a privacy risk for drivers. Though insurance companies do not collect location data with these plans, the research found that driving habits, including speed, braking and acceleration, mileage and time of travel, have the potential to reveal a detailed portrait of a driver’s movement within a specific time period. According to the research paper, “Customer privacy expectations in non-tracking telematics applications need to be reset, and new policies need to be implemented to inform customers of possible risk.”
Full Story

DATA PROTECTION—EU & UK

UK Asking Member States To Block Plans for Tighter Rules (September 27, 2013)

The UK will encourage other EU nations to block plans to tighten data protection rules, Bloomberg reports. Justice Secretary Chris Grayling said the proposals risk burdening business. “This is a debate to my mind about how much and how far can Europe continue to impose costs on business. The EU is unrealistic if it believes that imposing extra costs on business is not going to drive companies and jobs out of the EU in a world that is extraordinarily competitive.” Plans to revise data protection rules will be debated in Luxembourg on October 7.
Full Story

PRIVACY LAW—SINGAPORE

New Data Protection Guidelines Issued (September 27, 2013)

Singapore’s Personal Data Protection Commission has issued new data protection guidelines for businesses operating in the country, Out-Law.com reports. Failure by consumers to opt out can signal consent to process data in certain circumstances, according to the new 18-page guidance note. The guidelines have been published to complement the Personal Data Protection Act—introduced in January and which goes into effect next July. One technology law expert said, “With the issuance of these advisory guidelines, the whistle has blown for organizations to kick off their compliance programs if they have not done so.”
Full Story

PRIVACY REGULATION

Frameworks Emerging Around the World, But Is Enforcement? (September 27, 2013)

AdAge reports on privacy frameworks in regions around the globe—particularly in Latin America and India. Nations including Chile and Brazil are currently exploring new data protection rules, similar to that of the EU, which consider privacy as a human right. India is also grappling with emerging privacy issues, even though culturally, “Your expectation of privacy is nil,” one expert said, adding, “The Indian outsourcing industry needs to instill a sense of confidence … in how it respects U.S. and EU data.” VP of Privacy Certified at the Entertainment Software Rating Board Dana Fraser said when navigating global privacy rules, “We have to figure out what’s the highest bar we have to uphold … It can actually impact your rollout dates for an app.” Several privacy experts agreed, however, that enforcement is a hurdle outside the U.S. “I think it is true that the U.S. enforces more than anyone else,” Covington & Burling’s Matthew DelNero said.
Full Story

TRAVELLERS’ PRIVACY—U.S.

Offline Tracking at an Airport Near You? (September 27, 2013)

Recent reports have detailed retailer tracking of shoppers via smartphones and other mobile devices, but the practice has extended to some airports, according to Covington & Burling Partner Nigel Howard in a recent post for InsidePrivacy. The offline tracking systems aim to follow passenger patterns, detail real-time movement of travelers and track retail behavior by using a unique identifier system. Though these systems provide several benefits, Howard writes, “they also raise privacy issues that might not fit neatly into the notice-and-choice framework that—notwithstanding the FTC’s recent efforts—still is the predominant model of privacy protection in the U.S.”
Full Story

SURVEILLANCE—U.S.

Senators Address NSA Phone Program; Rival Bills Issued (September 27, 2013)

At least two new bills have been introduced in the Senate addressing the National Security Agency (NSA) phone surveillance program. The Senate Intelligence Committee is looking to swiftly pass legislation that would “change but preserve” the recently revealed dragnet program, according to The New York Times. The bill, backed by Sens. Dianne Feinstein (D-CA) and Saxby Chambliss (R-GA), would require public reports revealing the frequency of NSA access to the call log database, reduce the retention time from five to two years and require the NSA to send the data it searches to the Foreign Intelligence Surveillance Court for review. A rival bill, backed by Sens. Ron Wyden (D-OR) and Mark Udall (D-CO), would ban the collection program. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

From Warsaw, DPAs Prepare To Join Forces (September 26, 2013)

Here in Warsaw at the 35th International Conference of Data Protection and Privacy Commissioners, only one subject hangs over the event more than whistleblower Edward Snowden: the upcoming European Data Protection Regulation and what the future of privacy enforcement will look like. Nearly every presentation contained some disclaimer about how things will change once the regulation is in place. The form it will take in the end? No one can confidently predict that. The fact that it’s needed? On that there is universal agreement. Sam Pfeifle reports on developments in this exclusive for The Privacy Advisor.

DATA LOSS

The Latest Data Breach Roundup (September 26, 2013)

This roundup for The Privacy Advisor reports on the potentially expansive hack into the internal servers of several data aggregators. Sensitive data, including Social Security numbers, may have been compromised. The Federal Bureau of Investigation is currently probing the issue. Meanwhile, two universities, a hospital and an investment firm have all notified students, patients and clients that their personal data have been affected. Separately, HR News and Employment analyzes a case involving a nurse and personal health information; the report asks whether the nurse was breaching the privacy of a number of patients or acting as a whistleblower.
Full Story

PRIVACY RESOURCES

Guidance and Research on De-identification (September 26, 2013)

In the fall of 2012, both the U.S. HHS Office for Civil Rights (OCR) and the UK Information Commissioner’s Office (ICO) published guidance on data de-identification. The OCR guidelines intend to clarify how to interpret the U.S. HIPAA Privacy Rule's de-identification standards and provide certainty on some of the issues creating confusion among covered entities. The ICO code of practice provides a set of general principles and specific techniques that can be applied. This Close-Up provides insight on this guidance and research to help you get a better understanding of the challenges and benefits of de-identification in all its forms.
Close-Up: De-Identification
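The OCR guidance the Close-Up above describes turns on the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)): remove the 18 listed direct identifiers, keep only the first three digits of a ZIP code (or 000 for sparsely populated prefixes), reduce dates to the year, and collapse ages over 89 to “90 or older” together with any date element that would reveal such an age. The following is an added example, not code from OCR, the ICO or this publication, that applies those transformations to a constructed patient record. The field names are assumptions chosen for the example, and the list of restricted ZIP prefixes is reproduced from memory of the 2000-census-based OCR guidance and should be verified against current guidance before use.

```python
"""Safe Harbor-style de-identification of a patient record (added example)."""
import re
from datetime import date

# ASSUMPTION: three-digit ZIP prefixes whose combined population was 20,000
# or fewer in the 2000 census, reproduced from memory of the OCR guidance.
# Verify against the current guidance before relying on this list.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Field names (assumed for this example) holding Safe Harbor direct
# identifiers that must be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code: str) -> str:
    """Return the initial three digits, or '000' for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def years_between(born: date, as_of: date) -> int:
    """Completed years between two dates, i.e. age on as_of."""
    had_birthday = (as_of.month, as_of.day) >= (born.month, born.day)
    return as_of.year - born.year - (0 if had_birthday else 1)


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor transformations to one record."""
    # Age over 89 can be stated directly or implied by the birth date.
    over_89 = record.get("age", 0) > 89
    birth = record.get("birth_date")
    if isinstance(birth, date) and years_between(birth, as_of) > 89:
        over_89 = True

    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # removed entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            if over_89 and key == "birth_date":
                continue                  # even the year would reveal age > 89
            out[key] = value.year         # drop month and day
        elif key == "age":
            out[key] = "90+" if value > 89 else value
        else:
            out[key] = value              # free text still needs manual review
    if over_89:
        out["age"] = "90+"
    return out


def sample_records() -> list:
    """Constructed sample input; these are not real patients."""
    return [
        {
            "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
            "zip": "02139", "birth_date": date(1990, 5, 15),
            "admission_date": date(2013, 9, 1), "diagnosis": "J18.9",
        },
        {
            "name": "John Roe", "email": "jroe@example.com",
            "zip": "03601", "birth_date": date(1920, 1, 1), "age": 93,
            "discharge_date": date(2013, 9, 20), "diagnosis": "I10",
        },
    ]


def demo(as_of: date = date(2013, 9, 26)) -> list:
    """De-identify the constructed records as of a fixed reference date."""
    return [deidentify(r, as_of) for r in sample_records()]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Note what survives: the second record keeps its discharge year but loses its birth year, because a 1920 birth year alone would show the patient is over 89. Safe Harbor also requires that the covered entity have no actual knowledge that the remaining fields could identify the individual, so free-text fields such as a diagnosis note still need review beyond what a field-by-field filter can do.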

DATA GOVERNANCE

Is Your Biz Viewing Privacy Through the Right Lens? (September 26, 2013)

For many consumers and businesses, privacy and data protection remain a top concern, “But are business leaders looking at the glass half empty?” asks PricewaterhouseCoopers Data Protection and Privacy Manager Rafae Bhatti, CIPP/US. “By considering only what privacy safeguards can prevent—customer loss, brand damage, fines and litigation—they are missing a big opportunity,” he writes. In this post for Privacy Perspectives, Bhatti provides some suggestions on what companies can do to “find the right balance between protecting data and enabling its use in new ways.” Editor’s Note: PwC’s Aaron Weller, CIPP/US, CIPP/IT, will speak in the breakout session “How To Get the C-Suite on Board (and Make Them Think It Was Their Idea)” at next week’s IAPP Privacy Academy in Seattle, WA.
Full Story

PRIVACY

Survey: Orgs Lacking Comprehensive Privacy Programs (September 26, 2013)

A new survey by Gartner has found the “perceived level of maturity attached to organizations’ privacy activities has decreased since 2011,” CIOL reports. While 43 percent of organizations have a comprehensive privacy management program in place, more than a third of organizations “still ‘consider privacy aspects in an ad hoc fashion,’” the survey found. And while 90 percent of organizations do have at least one person responsible for privacy, only 66 percent have a defined privacy officer role.
Full Story

CHILDREN’S PRIVACY—U.S.

Will Kinect 2.0 and COPPA Play Well Together? (September 26, 2013)

The age of the Internet of Things is upon us. Interconnected devices that gather, aggregate and transmit personal information autonomously are pervasive throughout households. Your next-generation gaming console is one such device. The Kinect 2.0, which ships this fall with Microsoft’s Xbox One gaming console, has the unprecedented ability to recognize faces, track a user’s position in space, observe vital signs and relay this information to Microsoft and others. In this exclusive for The Privacy Advisor, David Tashroudian discusses the privacy concerns that come with such capabilities.
Full Story

PRIVACY LAW—SOUTH AFRICA

President To Sign Data Protection Bill (September 26, 2013)

The Protection of Personal Information Bill has recently passed in Parliament and will soon be signed into law by the president, report attorneys for Edward Nathan Sonnenbergs. The bill brings South Africa in line with international data protection laws, the report states, granting citizens the right to privacy when it comes to organizations collecting and processing their personal information by mandating compliance with eight conditions, including accountability, purpose specification and security safeguards.
Full Story

PERSONAL PRIVACY—INDIA

Supreme Court Stalls UID Program, Sends Petition to Constitution Bench (September 26, 2013)

The Supreme Court of India has issued an interim order sending writ petitions on the UID Aadhaar project to a Constitution Bench, reports The Hindu. The order raises two main points: the challenge of offering cards to the poor and homeless without offering them to immigrants who are not legal residents, and questions about the delivery of benefits based on the card. “Until then no person should suffer for not getting the Aadhaar card in spite of the authority making it mandatory, since government says it is voluntary,” said the two-judge panel. Justice K.S. Puttaswamy, a retired judge of the Karnataka High Court, and other petitioners claim the program violates their right to privacy under Article 21 of the Constitution.
Full Story

HEALTHCARE PRIVACY—U.S.

Questions Surround Prep for Exchange Overhaul (September 26, 2013)

Those seeking insurance coverage via Idaho’s online health exchange starting next week shouldn’t fear for their privacy, federal officials say in response to state Senate concerns that the overhaul doesn’t sufficiently protect personal information. Idaho Business Review reports a 19-member board will vote September 30 to determine whether the system is secure enough to begin enrolling participants on October 1. Meanwhile, the U.S. Office of the National Coordinator for Health Information Technology’s Chief Privacy Officer Joy Pritts recently discussed protecting patient data within the healthcare industry, and Florida lawmakers are questioning the privacy of the state’s Prescription Drug Monitoring Program.
Full Story

PERSONAL PRIVACY—U.S.

Patent-Approved Personalized TV Keeps Privacy in Mind (September 26, 2013)

FourthWall Media has received the go-ahead from the U.S. Patent Office for its broadband device personalization technology, Rapid TV News reports. The technology analyzes consumer behaviors but addresses privacy concerns by storing viewers’ profile data only on the consumer’s own television or mobile device, the report states, where it can be used to indicate to targeted advertising technology which ad to run or what content would be preferred.
Full Story

PRIVACY LAW

DPAs Release Resolutions (September 25, 2013)

In an exclusive for The Privacy Advisor, Sam Pfeifle reports from the 35th International Conference of Data Protection and Privacy Commissioners in Warsaw, Poland. Pfeifle notes that from the outset, “the collective DPAs intended to show a united front and that they mean business.” As Polish Minister of Administration and Digitization Michał Boni said in his keynote, “We need regulations. Hard regulations. In Europe, we have a discussion pending—we have to make sure it is a strong law to harmonize the laws of all the states rather than a directive.” This report highlights the resolutions released following the DPAs’ closed session.

CHILDREN’S PRIVACY—U.S.

Gov. Signs Bill Allowing Kids To Delete Online Pasts (September 25, 2013)

California Gov. Jerry Brown has signed into law a bill that requires online companies and app developers to give minors the ability to remove their online content, KVNU reports. The bill is similar to EU proposals for a right to be forgotten. “A minor with a juvenile record can petition the courts to have it expunged when he turns 18,” said an attorney specializing in Internet privacy. “This new law is akin to what’s already out there in traditional law.” While the law only applies to Californians, companies based outside of the state must comply when dealing with California residents.
Full Story

PRIVACY—U.S.

Changing Tactics: The Rise of the Privacy Advocates (September 25, 2013)

In September, Facebook announced it would delay planned changes to its privacy policies. The announcement followed pressure from six major consumer privacy groups—EPIC, the Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG and the Privacy Rights Clearinghouse—that said the changes would make it easier for Facebook to use users' data for advertising and other purposes. The coalition asked the Federal Trade Commission to block the changes, alleging they would violate a 2011 settlement with the commission. In this exclusive for The Privacy Advisor, experts discuss the ways in which privacy advocates have become increasingly politically savvy and strategic in achieving their goals.
Full Story

BIG DATA—U.S.

Senate To Expand Data Broker Probe (September 25, 2013)

Sen. Jay Rockefeller (D-WV) has announced he is expanding his investigation of the data broker industry after several companies refused to disclose specific details about their business practices around the collection and processing of consumers’ personal information, Financial Times reports. Expanding beyond the nine original data broker businesses, Rockefeller said he will investigate 12 additional health, personal finance and family-focused websites. To this point, the Senate investigation has found that data brokers categorize and market consumer dossiers into groups, and in some cases, the categories included names such as “Rural and Barely Making It” and “Ethnic Second City Strugglers.” Rockefeller said, “Regardless of whether such characteristics are positive, negative or erroneous, the process of determining these characterizations is not transparent to the consumer and is beyond the consumer’s control.” (Registration may be required to access this story.)
Full Story

FINANCIAL PRIVACY—U.S.

CFPB Guidance: Fraud Reporting Won’t Breach GLBA (September 25, 2013)

The Consumer Financial Protection Bureau (CFPB) has issued new guidance informing banks that it is their responsibility to report instances of suspected financial exploitation of senior citizens and, according to the CFPB, reporting such exploitation will not contravene the Gramm-Leach-Bliley Act. Bank tellers and other financial employees “can be instrumental in reporting such fraud,” said CFPB Director Richard Cordray, because they are familiar with the customers who may be exploited, The Wall Street Journal reports.
Full Story

HEALTHCARE PRIVACY—U.S.

OCR’s Rodriguez Says Increased Enforcement Ahead (September 25, 2013)

At an event earlier this week, Office for Civil Rights Director Leon Rodriguez said there will be increased enforcement of HIPAA regulations, highlighted the importance of appropriately protecting patient privacy and discussed the “what-not-to-dos” regarding healthcare privacy, Government Health IT reports. “Today is a critical day for the Omnibus,” Rodriguez said. “On the one hand, you have to have assertive enforcement; you have to have credible enforcement, that really does play a critical role in obtaining compliance,” he noted, adding, “But at the same time, you have to set rules of the road that are understandable and consistent, and you really need to make sure people know what the rules of the road are.”
Full Story

WEB CONFERENCE

Where Security Meets Privacy (September 25, 2013)

The relationship between IT security and privacy teams within organizations should ideally be a strong one, with clear communication channels and responsibilities, but this is rarely the case. Competing demands, siloed cultures and even competition for budget can all contribute to a less-than-ideal partnership. Join panelists Jonathan Fox, CIPP/US, CIPM, of McAfee, Co3 Systems’ Gant Redmon and Navigate’s Chris Zoladz, CIPP/US, CIPP/E, CIPP/G, CIPP/IT, on October 17 from 1 to 2:30 p.m. EDT to gain tips and insights into how you can improve this working relationship at your organization.
Full Story

PRIVACY LAW—EU & U.S.

MEPs: Stop TFTP Agreement in Its Tracks (September 25, 2013)

European politicians have demanded that a broad data-sharing agreement between the U.S. and EU be suspended, PCWorld reports. The demands to halt the Terrorist Finance Tracking Program (TFTP) at Tuesday’s hearing of the Civil Liberties Committee follow allegations that the U.S. National Security Agency illegally tapped banking data, the report states. “We have no evidence that they have actually been doing this, but they don’t deny it either. So in a way it is irrelevant whether they have used the opportunity so far, because they will continue to reserve that right in the future,” said Dutch MEP Sophie in ’t Veld, adding that she considers the agreement to be “effectively dead.”
Full Story

PRIVACY LAW—U.S.

Sen. Leahy Aims To Revamp NSA Capabilities (September 25, 2013)

Speaking at Georgetown University on Tuesday, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said he plans to aggressively pursue legislation to curb the National Security Agency’s surveillance powers, The Hill reports. Leahy announced he is working together with USA PATRIOT Act author Sen. Jim Sensenbrenner, Jr., (R-WI) and Sen. Mike Lee (R-UT) to craft the new legislation. “I am convinced that the system set up in the 1970s to regulate the surveillance capabilities of our intelligence community is no longer working,” Leahy said, adding, “In my view—and I’ve discussed this with the White House—the Section 215 bulk collection of Americans’ phone records must end.”
Full Story

PRIVACY LAW—U.S.

DEA Cites Third Party Doctrine With Prescription Data Case (September 25, 2013)

The Verge reports on an argument submitted by the Drug Enforcement Administration (DEA) in response to an American Civil Liberties Union (ACLU) lawsuit over the privacy of certain medical records. According to the DEA, citizens who share medical records with pharmacies, or any other third party, have “no expectation of privacy” regarding that data. In a blog post, ACLU attorney Nathan Wessler wrote, “Just because we trust our doctors and pharmacists with our medical information, doesn’t mean the DEA should be able to easily access it too.”
Full Story

BIG DATA

“Master Profiles” Will Connect Online, Offline Data (September 24, 2013)
Financial Times reports that Acxiom has launched a new system designed to combine consumers’ offline and online activities, which then processes the collected data using algorithms. The data is then made available to marketers for behavioral targeting and personalized ads on mobile, the web and eventually television, the report states. Acxiom Chief Technology Officer Phil Mui said, “We are making big marketing data truly actionable.” The new system is a significant shift for targeted advertising as the system—which features a new identifier to match user profiles—allows marketers to track users across devices into one profile instead of multiple profiles based on a given device. Editor’s Note: Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, will speak in the breakout session Taming Big Data at next week’s IAPP Privacy Academy in Seattle, WA. (Registration may be required to access this story.)

BIG DATA

The Misconceptions of Defining Data Brokers (September 24, 2013)

“The marketing industry has come under fire recently for its use of consumer data to provide ads and offers,” writes Epsilon Privacy Manager Nicole Tachibana, CIPP/US, adding, “There are a number of misconceptions at the heart of the issue.” She notes that Federal Trade Commissioner Julie Brill has said that data brokers are using user profiles to “determine the rates we pay (and) even what jobs we get.” In this Privacy Perspectives post, Tachibana writes, “However, the reality is that marketing data brokers use information for marketing purposes only,” and she parses out misperceived definitions of what marketing data brokers do with consumer data.
Full Story

CLOUD COMPUTING—EU & U.S.

Reports Call for EU Cloud, Student Data Protection (September 24, 2013)

A report commissioned by the European Parliament suggests the EU-U.S. Safe Harbor Framework does not protect against U.S. interception of European citizen data processed in the cloud and “urges the European Union to encourage development of local cloud computing capacity based on open source software as a way of safeguarding against U.S. intelligence community surveillance,” Fierce Government IT reports. Meanwhile, a SafeGov.org report “shows broad support for safeguarding especially vulnerable cloud user populations in public organizations, such as schoolchildren, civil servants and healthcare professionals and their patients, who are at risk of being tracked and profiled for online advertising purposes.” A U.S. lobbying group is proposing a code of conduct to prohibit “user profiling and data mining by cloud services used by European schools.”
Full Story

PRIVACY—U.S.

Survey Results Indicate Companies Should Compete on Privacy (September 24, 2013)

Forbes reports on a survey showing “40 percent of companies use customer information collected online for targeting purposes and 88.5 percent of chief marketing officers (CMOs) expect this practice to increase over time.” Another report suggests data hoarding can be a drag on business, presenting dangers including potential legal issues surrounding the requirements to protect the data a company possesses. The CMO study indicates marketers “have very low levels of concern about how the use of online customer data infringes upon privacy.” Considering this in the context of a Pew survey where 86 percent of respondents indicated taking “steps to remove or mask their digital footprints,” the report suggests companies should compete on privacy.
Full Story

EMPLOYEE PRIVACY—U.S.

Court Says Facebook “Like” Is Protected (September 24, 2013)

The Fourth U.S. Circuit Court of Appeals has ruled in favor of a former Virginia deputy sheriff who said he was fired for “liking” the Facebook page of a man running for his boss’s position, MarketWatch reports. Chief Judge William Traxler, Jr., said in the ruling, “On the most basic level, clicking on the ‘like’ button literally causes to be published the statement that the user ‘likes’ something, which is in itself a substantive statement.” However, the report cautions, “The decision may not protect social networkers who press the 'Like' button with abandon” as the First Amendment “primarily protects individuals from government action,” one expert notes.
Full Story

MOBILE PRIVACY—AUSTRALIA

Commissioner To Release Mobile Guidelines (September 24, 2013)

Australian Privacy Commissioner Timothy Pilgrim plans to release new mobile privacy guidelines for app developers next week, and according to IT News Australia, the guidelines will focus on third-party data sharing. Pilgrim has been consulting with industry and advocacy groups since draft guidelines were released last April. Pilgrim noted that app developers can expect more scrutiny of app industry privacy practices from regulators and the marketplace itself, the report states. The new guidelines are expected to be released next Monday.
Full Story

PRIVACY LAW—U.S.

Apple Wants Class-Action Status Denied (September 24, 2013)

Apple says iPhone users suing the company for allegedly allowing app developers to access personal information shouldn’t be able to proceed with a class-action lawsuit, MediaPost News reports. In the case, consumers claim Apple misled them by sharing their devices’ unique identifiers with app developers after promising to protect their personal information. But Apple says consumers haven’t presented “a shred of evidence that even a single app transmitted ‘personal information.’” The company is asking U.S. District Court Judge Lucy Koh to reject the plaintiffs’ request for class-action status.
Full Story

PRIVACY LAW—U.S.

New Online Media Privacy Opinion Issued (September 24, 2013)

According to a recent federal court opinion, “news organizations may be more liable in privacy lawsuits if their reporting is factually incorrect,” Inside Privacy reports. The opinion centers on how one gossip website used the plaintiff’s modeling pictures to allegedly publish a false story on the plaintiff, stating the model was a sister of a known celebrity. Senior District Judge Denis R. Hurley filed the opinion in Edme v Internet Brands, Inc. et al and denied a motion to dismiss in the case. Hurley noted that, although the published story “can be considered, for better or worse, a matter of public interest merely because its subject matter involved a celebrity,” the media website in the case reported an “undisputedly false” claim that the plaintiff was a sister of the celebrity, thus losing its newsworthiness.
Full Story

PRIVACY LAW—U.S.

LinkedIn Sued for E-Mail Mining; Suits Mount Against Gov’t (September 23, 2013)
A new lawsuit against LinkedIn has been filed by four users who claim the professional networking site accessed their e-mails without consent and used the harvested addresses of their contacts to spam non-users with invites to the service, The New York Times reports. In one claim, the suit alleges LinkedIn is “breaking into” external e-mail accounts pretending to be the user, but no details are offered. In response, LinkedIn has released a blog post refuting the claims. In separate class-action news, a Politics in Minnesota report details the mounting data protection lawsuits being filed against the government after one case resulted in more than $1 million worth of settlements from illegal government access to driver’s license records. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

Omnibus Rule Kicks In, Four Compliance Steps for BAs (September 23, 2013)

In light of today being the implementation date of the HIPAA Final Rule on Privacy and Security, Government Health IT reports on four steps that business associates (BAs) need to take to comply with the update. For covered entities, the effects “are mostly incremental because the compliance structure remains unchanged,” but for BAs, the change “raises the risks of noncompliance to a new level because, for the first time, they face many of the same compliance requirements as their covered entities,” making them subject to government fines and civil penalties, the report states. Meanwhile, a new study reveals there is increasing confidence in cloud technology among healthcare policy decision-makers.
Full Story

PRIVACY LAW

Courts and States Acting Where Feds Will Not (September 23, 2013)

U.S. courts and states have been taking things into their own hands in terms of privacy law these days, and this week is no exception. While recent cases have mainly tackled the Stored Communications Act, this week’s news highlights a court decision upending the way the Telephone Consumer Protection Act has been interpreted. Also in this week’s Privacy Tracker global legislative roundup, California continues to push forward privacy bills, with the “eraser law” that would allow youths to erase misguided posts, and while industry and regulators clash on the EU data protection law’s timeline, France is pushing the EU to adopt a plan that would see non-EU tech firms regulated and taxed based on where their websites are used. (IAPP member login required.)
Full Story

PRIVACY

On What Rock and Privacy Might Have In Common (September 23, 2013)

Near the end of the 1960s, rocker Jim Morrison and The Doors recorded a blues jam called “Rock is Dead.” The phrase, however, isn’t particular to the music world, as it’s a phrase often spoken when discussing privacy, “especially in light of what some are calling the ‘Summer of Snowden,’ which has brought on a new chorus of reports, blogs and posts exclaiming the death knell of privacy,” writes Jedidiah Bracy, CIPP/US, CIPP/E. Though our world is rapidly changing in many ways, some things stay the same, highlighted in part by a Newsweek cover story from 1970 asking if privacy is dead. This Privacy Perspectives post explores that article and excavates many of the similar arguments and concerns that still resonate today.
Full Story

DATA LOSS—U.S.

Bank Faces Potential Class-Action Over SSN-Laden Mailing (September 23, 2013)

JPMorgan Chase & Co. is facing a proposed class-action lawsuit accusing it of printing Social Security numbers on the outside of forms mailed to customers telling them of the bank’s efforts to protect their private data, Reuters reports. The suit was filed last week in federal court in Chicago, IL, and alleges the bank put customers at risk for identity theft. “Chase even says on its website that providing Social Security numbers to an identity thief is ‘as good as gold,’” said the lawyer who filed the suit. It’s unknown how many customers were affected.
Full Story

SURVEILLANCE—U.S.

Opinion: U.S. Needs Privacy Czar (September 23, 2013)

In an opinion piece for The Washington Post, Sidley Austin Attorney Alan Charles Raul calls for the establishment of a U.S. privacy czar who would answer to the president but would also be responsive to Congress. The Office of Management and Budget should establish the position, Raul writes, adding the position would coordinate various U.S. data protection agencies and agendas and represent the U.S. internationally. Meanwhile, the National Security Agency (NSA) has posted an ad for a civil liberties and privacy officer. The Hill reports that because the NSA has admitted to collecting data on U.S. communications, those being surveilled may be able to challenge those policies in court more easily than in the past. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—U.S.

FISC Adversary Bill Introduced, Would Draw from Privacy Attorneys (September 23, 2013)

Reuters reports on a new bill introduced by House Intelligence Chair Adam Schiff (D-CA) proposing that the Foreign Intelligence Surveillance Court (FISC) implement a public advocate to serve as a check on court decisions. The bill would create a pool of independent attorneys from which the FISC would draw. “Even though the FISC’s deliberations are necessarily secret in nature, it’s vital that the American people have confidence that there are voices within the process arguing forcefully and effectively on behalf of the Fourth Amendment and privacy concerns of ordinary Americans.”
Full Story

BIOMETRICS—U.S.

Franken Wants Answers on Fingerprint Passwords (September 23, 2013)

Sen. Al Franken (D-MN) is concerned about the fingerprint swipe password feature on Apple’s latest iPhone release. In a letter to Apple CEO Tim Cook, Franken wrote, “Passwords are secret and dynamic; fingerprints are public and permanent … If someone hacks your password, you can change it—as many times as you want. You can’t change your fingerprints.” Franken asked Cook to answer questions on how fingerprint data will be protected and with which third parties it may be shared. Meanwhile, a group of hackers in Germany say they have successfully hacked the fingerprint feature.
Full Story

ONLINE PRIVACY—U.S.

App Maps Users’ Lives Via Inbox Scanning (September 23, 2013)

Wired reports on an app built by a group of MIT researchers that visualizes users’ social lives by looking at their e-mail inboxes. Immersion uses timestamps and the to, from and CC fields to draw a map of the user’s social connections. It offers users a look at Big Data and the “digital exhaust they’re continually leaving behind,” said MIT’s Cesar Hidalgo, adding it’s a particularly useful perspective following revelations of NSA surveillance measures. The app does allow users to delete data upon logout. “If I am able to withdraw my money from my bank account, I should be able to withdraw my data from my e-mail provider,” Hidalgo said.
Full Story

EMPLOYEE PRIVACY—U.S.

The Corporate Privacy Conundrum (September 20, 2013)
“It’s a conundrum,” writes Intel Chief Privacy and Security Counsel Ruby Zefo, CIPP/US, CIPM, “Companies want employees to be satisfied with their corporate services, but great user experiences in this context can require a certain amount of employee tracking that could affect employees’ views about workplace privacy.” In this Privacy Perspectives installment, Zefo explores how organizations “have to manage potentially complex trade-offs between employee privacy, company security and user experience” as well as BYOD issues, context-aware apps and call-monitoring for quality assurance.

BEHAVIORAL TARGETING

Industry Reacts to Google Cookie Alternative (September 20, 2013)

The Wall Street Journal reports on the ad industry’s reaction to an unofficial proposal by Google to replace cookies with an anonymous identifier (AdID) system. Advertising executives, ad technology firms and analysts say that changing how consumers are tracked online would significantly affect the $120 billion industry. Interactive Advertising Bureau President Randall Rothenberg said, “This would be anticompetitive and potentially negatively impact all other online publishers.” Financial Times has published a Q&A to explore the proposed cookie alternative, and AdAge has posted a video with some industry reaction. Independent researcher Ashkan Soltani has posted a blog answering some questions on the AdID proposal. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

CA Bill Would Allow Kids To Erase Online Pasts (September 20, 2013)

A California bill aims to address how to allow minors to recover from embarrassing online indiscretions, The New York Times reports. San Francisco-based advocacy group Common Sense Media is one group pushing for California users under the age of 18 to have the right to delete tweets, pictures, status updates and other material. “Kids and teenagers often self-reveal before they self-reflect,” the group’s chief executive said. The so-called eraser law, reminiscent of calls for a right to be forgotten in the pending EU data regulation, has critics warning that in trying to protect children, the law could lead companies to collect more information about customers to ensure they are under 18 and are in California. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

Data Privacy Tests Needed, GOP Lawmakers Say (September 20, 2013)

House and Senate Republicans have introduced legislation that would delay enrollment in the healthcare exchanges under the Affordable Healthcare Act until it is confirmed that robust data protection standards are in place, The Hill reports. Sen. Orrin Hatch (R-UT), a sponsor of the Trust But Verify Act, says the Government Accountability Office must verify that data privacy safeguards are in place. “It would simply be irresponsible to open the exchanges without adequate safeguards to protect and secure consumers’ personal information,” Hatch said, adding, “While the administration claims that these safeguards exist, there is simply no way to verify these claims absent an independent review.”
Full Story

DATA PROTECTION—EU & UK

Opinion: Industry Actually Wants Regulators With More Powers (September 20, 2013)

In an opinion piece for The Guardian, UK Direct Marketing Association Chairman Scott Logie says as the European Parliament prepares to vote on data regulation in October, it’s “time for a rethink on how we tackle this problem” in the UK. From a business perspective, the final proposals are not expected to be favorable, Logie writes, citing a weak Information Commissioner’s Office that “no one really fears” and calling for a stronger enforcement agency and clear guidelines about how to establish trust-based agreements between businesses and their consumers. His comments echo Canadian Privacy Commissioner Jennifer Stoddart’s call this week for stronger enforcement powers.
Full Story

ONLINE PRIVACY—U.S.

Study: Consumers Favor Companies That Let Them Opt Out (September 20, 2013)

A recent TRUSTe study has found that 62 percent of consumers will do more business with a company that gives them the option to opt out of online behavioral advertising. The study, which polled 1,171 U.S. Internet users, also found that 53 percent of consumers are more willing to click on an ad that gives them the option to opt out and that users feel more positive about the business behind an ad if the Digital Advertising Alliance’s AdChoices icon is displayed, indicating a growing awareness of the tool.
Full Story

BIOMETRICS

Facedeals To Use Facial Recognition for Targeted On-Site Advertising (September 20, 2013)

In an interview with MarketingLand, Facedeals CEO Dave McMullen says his company will soon be offering an opt-in service where consumers can select preferences ahead of time and then be offered deals via a text to their phones when cameras at establishments recognize their faces. In addressing privacy concerns, McMullen says the “double opt-in” service—the downloading of the app and then the process of registering—“ensures no one is signed up without their permission.” Further, he said privacy is already being infringed upon by every phone noting your location, camera recording your likeness and credit card transaction tracking your purchases. Why shouldn’t the consumer get something out of the deal?
Full Story

PRIVACY LAW—FRANCE & EU

French Proposal Aims To Boost EU Tech Firms (September 20, 2013)

France is pushing for the EU to adopt proposals that would see technology companies such as Google and Facebook regulated and taxed where customers use their websites, Financial Times reports. The proposals “could put Europe at loggerheads with the U.S., which has previously reacted angrily at attempts to impose greater regulation on the Internet.” Fleur Pellerin, France’s digital economy minister, said the campaign does not target American companies—though they are the ones on top, currently—but aims to “boost the ability of European actors to develop in Europe and gain positions that can compete on the same level playing field as the other international actors.” (Registration may be required to access this story.)
Full Story

SURVEILLANCE

Group Wants Countries To Disclose Data Requests (September 20, 2013)

Privacy advocates, human rights groups and tech companies are asking 21 countries to release information on their surveillance requests, The Hill reports. The Global Network Initiative includes such companies as Facebook, Google and Microsoft and said in letters to the members of the Freedom Online Coalition—a group of 21 countries working together to advance Internet freedom—that governments should release the data and allow the tech companies asked to respond to such requests to do the same.
Full Story

PRIVACY COMMUNITY

Karen Neuman Named DHS CPO (September 19, 2013)
The U.S. Department of Homeland Security (DHS) announced last night that Karen Neuman, a partner in the DC law firm St. Ledger-Roty Neuman & Olson LLP, has been named Chief Privacy Officer for DHS. She takes over for Jonathan Cantor, CIPP/US, CIPP/G, who has been acting chief privacy officer since the departure of Mary Ellen Callahan, CIPP/US, from the position in August of last year. Neuman, a long-time member of the IAPP, has an extensive background in privacy and data protection, and spoke at the 2013 IAPP Global Privacy Summit this spring. In an interview with The Privacy Advisor, Callahan, now a partner with Jenner & Block LLP, gives her opinion on the appointment and the job Neuman now has in front of her.

HEALTHCARE PRIVACY—U.S.

Obama To Reinforce Privacy in Affordable Healthcare Act (September 19, 2013)

The Obama administration is seeking to bolster privacy protections for Americans signing up for the federally mandated Affordable Healthcare Act, Reuters reports. To help stem identity theft and fraud and to protect personal privacy, the administration plans to launch a toll-free telephone number to report fraud incidents and an online verification system. On Wednesday, Attorney General Eric Holder met with Department of Health and Human Services Secretary Kathleen Sebelius and Federal Trade Commission Chairwoman Edith Ramirez to discuss the privacy and security implications of the impending law. Concern has also been expressed about counselors—also called navigators—who are set to educate and help Americans enroll in the health exchanges. A House Committee report stated, “There are already reports from across the country that scam artists are attempting to impersonate navigators and assisters to steal credit card information and personally identifiable information in order to take advantage of massive confusion about Obamacare.”
Full Story

DO NOT TRACK

W3C Not Ready To Give Up the Ghost (September 19, 2013)

The World Wide Web Consortium (W3C) has announced the appointment of two new chairs for its Tracking Protection Working Group (TPWG). Carl Cargill, a director at Adobe, and Justin Brookman, from the Center for Democracy & Technology, will join incumbent Matthias Schunter, principal at Intel. This exclusive for The Privacy Advisor explores the new priorities for the W3C’s TPWG and insight from Brookman on what’s next for the multi-stakeholder process.
Full Story

DO NOT TRACK

With DNT, What Next for Policymakers? (September 19, 2013)

In what can be perceived as a rollercoaster week for the World Wide Web Consortium’s Do Not Track (DNT) working group, IAPP VP of Research and Education Omer Tene asks if the appointment of the Center for Democracy & Technology’s Justin Brookman and Adobe’s Carl Cargill can save the process. “Hopefully, all sides will work together to pursue an agreed-upon solution, since an implosion of the process, which seemed inevitable on Tuesday as the Digital Advertising Alliance announced its departure from the group, would cast a long shadow over the prospects for multi-stakeholder resolutions to the burning privacy problems of our time,” he writes. In this post for Privacy Perspectives, Tene explores what’s next for DNT and the policymakers working on such a resolution.
Full Story

ONLINE PRIVACY

Study: Whois System’s Privacy Controls Being Abused (September 19, 2013)

A new study commissioned by the Internet Corporation for Assigned Names and Numbers (ICANN) indicates the Whois system’s current ad hoc privacy controls are being abused, ZDNet reports. ICANN is recommending the Whois system—a pseudo-directory of contact details for domain names—be replaced with one that includes authenticated access. Currently, contact details for administrators of a domain are publicly available, prompting domain name owners to provide false information.
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Launches Meaningful Consent Site for Providers (September 19, 2013)

The Department of Health and Human Services (HHS) has launched an online resource to help healthcare providers “effectively engage patients” in choosing how they want their electronic health information shared. The site provides strategies and tools to help educate patients. “As patients become more engaged in their healthcare, it’s vitally important that they understand more about various aspects of their choices when it relates to sharing their health in the electronic health exchange environment,” said the chief privacy officer of the HHS Office of the National Coordinator for Health Information Technology.
Full Story

ONLINE PRIVACY—U.S.

Coalition Making Renewed Push for ECPA Update (September 19, 2013)

A coalition of digital civil liberties groups is making a renewed push for a bill to reform the Electronic Communications Privacy Act, Mashable reports. The coalition relaunched a website this week that supports the E-mail Privacy Act, a bill that would require the government to obtain a warrant anytime it wanted access to e-mails or documents stored in the cloud. “Internet surveillance is not going to be completely solved until we have a warrant requirement for content, until the Fourth Amendment protections apply fully to the Internet,” said Mark Stanley of the Center for Democracy and Technology—one of the groups advocating for the bill.
Full Story

BEHAVIORAL TARGETING—U.S.

Creepy and Cool Considerations With Loyalty Card Programs (September 19, 2013)

A recent survey of 6,000 individuals belonging to loyalty card programs across the U.S. queried respondents to classify certain types of targeted marketing as “cool and exciting” or “creepy and weird.” Respondents to the Maritz Loyalty Marketing survey on average enrolled in 7.4 loyalty programs, with 1.8 connected to a credit or debit card, American Banker reports. Card program categories included retail, grocery, hotel, airline, entertainment and financial services. Respondents over the age of 50 tended to get more “creeped out” by use of their personal data than younger individuals even when special benefits were transmitted. The marketing function that received the highest “creepy” rating stemmed from reviewing Facebook posts of friends to determine rewards eligibility.
Full Story

PERSONAL PRIVACY

Product To Track Seniors Launched (September 19, 2013)

TechCrunch reports on a new product designed to track the activity of seniors living on their own. The system, created by Lively, consists of various sensors strategically placed around a home that report movements—such as refrigerator or medicine cabinet doors being opened—to a base station connected to an app. The system aims to let concerned guardians know if individuals are taking their medicine and moving around the house. “This is not ‘Big Brother’ monitoring,” said one of the company’s founders, adding, “Lively’s passive sensing tracks just enough information to interpret meaningful activity that shows how you’re doing without sharing too much.”
Full Story

ONLINE PRIVACY

Is Google Set To Do Away with Cookies? (September 18, 2013)
USA TODAY reports on a potential move by Google to replace third-party cookies with a new anonymous identifier (AdID) that would allow advertisers to track Internet browsing activity for marketing. The AdID would be communicated to online advertisers and ad networks that have aligned with agreed-upon guidelines in the attempt to give consumers more privacy and control as they browse the Internet. Though the program has not been officially announced by Google, a spokesman said, “Technological advancements can improve users’ security while ensuring the web remains economically viable. We and others have a number of concepts in this area, but they’re all at very early stages.” According to the report, Google plans to reach out to industry, government agencies and consumer groups in the near future.

PRIVACY—U.S.

NIST Announces $7 Million in Privacy-Related Grants (September 18, 2013)

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has issued more than $7 million in privacy- and security-related grants to five different organizations, according to a NIST press release. The move supports the National Strategy for Trusted Identities in Cyberspace program that was initiated by President Barack Obama in 2011. The grants aim to improve identity protection and verification systems to make the online ecosystem easier to use and more secure for consumers.
Full Story

PRIVACY TECHNOLOGY

Why Privacy Pros Must Embrace Technology (September 18, 2013)

“As privacy professionals, we have the opportunity to help companies restore the balance in the personal data ecosystem by considering the business needs of our employers as well as those of the individual,” writes UnboundID Product Marketing Director Nick Crown, CIPP/IT. To provide more user control over personal data, “our industry needs to look beyond static, ‘detective’ approaches to privacy practices,” he notes, and “embrace technology as an enabler of preventative privacy controls.” In this installment of Privacy Perspectives, Crown presents four phases that outline how businesses can better provide transparency, choice and control to their customers in relation to the collection, processing and transfer of their personal information.
Full Story

PRIVACY RESOURCES

Consumer-Facing Privacy Policies: What Should Yours Look Like? (September 18, 2013)

With privacy becoming more of a competitive advantage in business, it’s important that organizations communicate their data collection and handling practices with consumers in an easily digestible manner. But with the amount of legal jargon in most policies, many consumers don’t read them, or if they’ve tried, they can’t understand them anyway. In this IAPP Resource Center Close-Up, see examples of successful policies, guidance on creating plain-language and layered policies and what to pay attention to when making changes to your policy. (IAPP member login required.)
Close-Up: Creating a Privacy Policy

CONSUMER PRIVACY—U.S.

Court: Debt Collectors’ Cell Phone Calls Excluded from TCPA (September 18, 2013)

A federal judge in Pennsylvania has ruled the Telephone Consumer Protection Act (TCPA) does not apply to debt-collection calls, even those made to cellular phones, insideARM reports. In Roy v. Dell Financial Services, the court relied on an earlier court decision that “all debt-collection circumstances are excluded from the TCPA’s coverage.” The decision conflicts with that of nearly all courts that have examined the issue, the report states. Most have found that calls made using automatic dialing systems violate the TCPA unless “prior express consent” has been given.
Full Story

SURVEILLANCE—U.S.

Court: Phone Companies Never Resisted NSA Data Collection (September 18, 2013)

A newly released Foreign Intelligence Surveillance Court document offers the most extensive public explanation for why the court allowed the government to keep records of all U.S. citizens’ phone calls, The New York Times reports. The previously classified 29-page opinion said the program was constitutional and did not violate privacy rights because of a provision in the USA PATRIOT Act. Additionally, the opinion indicates, none of the phone companies that handed over data ever challenged the NSA’s requests for such data. Meanwhile, LinkedIn has filed an amicus brief in federal court over the government’s disclosure of National Security Letter requests for private data. (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY

Operator Calls for Consistent Privacy Approach (September 18, 2013)

Mobile operator Vodafone is calling on the app development community to take the lead in communicating to consumers a consistent set of privacy guidelines similar to nutrition labels used by the food industry, Marketing Week reports. Vodafone Global Privacy Counsel Kasey Chappelle said the company is telling mobile app developers and other third parties to help safeguard consumer privacy and to communicate how data is collected and shared with advertisers. Vodafone is lobbying third parties through trade organizations such as the GSMA and the Mobile Entertainment Forum, the report states.
Full Story

PRIVACY LAW—EU

Industry, Policymakers Clash on Regulation Timeline (September 18, 2013)

“Industrialists and diplomats have accused MEPs of rushing through data protection laws that they say would boost their electoral chances more than Europe’s economies,” EurActiv reports. At an event in Brussels on Tuesday, policymakers and industry representatives clashed over the EU draft regulation’s timeline, the report states, citing comments by the European Commission’s Paul Nemitz indicating companies that value their customers’ needs will not have issues with the new rules. “If you are operating cross-borders, your life is likely to become easier. Why? Because in the future, we’ll have one law in form of a regulation rather than 28 implementing laws based on a directive and we will have a consistency mechanism,” Nemitz said.
Full Story

DO NOT TRACK—U.S.

Is This the End? DAA Withdraws from W3C Process (September 17, 2013)
In a letter sent this morning to Jeff Jaffe, CEO of the World Wide Web Consortium, the Digital Advertising Alliance (DAA) announced that it is withdrawing “from future participation in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG). After more than two years of good-faith effort and having contributed significant resources, the DAA no longer believes that the TPWG is capable of fostering the development of a workable ‘Do-Not-Track’ (DNT) solution.” Instead, the DAA says it is convening its own DNT process, beginning almost immediately, for evaluating “how browser-based signals can be used meaningfully to address consumer privacy.” That process “will be a more practical use of our resources than to continue to participate at the W3C,” wrote DAA Executive Director Lou Mastria. In this exclusive for The Privacy Advisor, we look at what's next for the DAA, how the DNT process fell apart and whether legislators and the Federal Trade Commission are about to get involved.

PRIVACY LAW—U.S.

Ruling Has Breach Liability Implications (September 17, 2013)

On September 3, the Fifth Circuit Court reversed and remanded a district court ruling that dismissed a negligence claim against Heartland Payment System based on its 2008 data breach. “Though the Fifth Circuit stopped short of deciding any dispositive issues, the decision has important implications concerning the scope of liability for data breaches,” writes Westin Fellow Dennis Holmes in this Privacy Tracker blog post. Offering a breakdown of the ruling, Holmes points out why those “entities actively involved in transactions with nested parties, such as payment processing” companies may want to take note. (IAPP member login required.)
Full Story

DATA LOSS—U.S.

LabMD CEO Fights FTC Complaint, Asks for Standards (September 17, 2013)

Michael Daugherty, president and founder of LabMD, is challenging a Federal Trade Commission (FTC) complaint accusing the medical testing lab of failing to take “reasonable and appropriate measures” to protect sensitive customer data, Jacksonville Business Journal reports. The complaint followed a 2012 breach in which billing data for 9,000 LabMD patients was stolen by identity thieves. LabMD has refused to sign a consent agreement with the FTC, alleging the FTC is making up data security standards as it goes along. Daugherty says the FTC should establish data security standards or Congress should define businesses’ obligations.
Full Story

HEALTHCARE PRIVACY

On Where Health IT and Privacy Meet (September 17, 2013)

With the advent of National Health IT Week, Align Technology Privacy Counsel K Royal, CIPP/US, CIPP/E, discusses the global health technology initiative and where health IT and privacy overlap. In this Privacy Perspectives installment, Royal delves into some of the topics and issues being raised this week—including mobile health technology and telehealth—and asks if your organization is taking part. “How do you see it correlating with privacy?” she queries, and “What do you see as the biggest challenges?”
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Releases Model HIPAA Privacy Notices (September 17, 2013)

The Office for Civil Rights, in collaboration with the National Coordinator for Health Information Technology, has released three model privacy notices to help providers comply with the Health Insurance Portability and Accountability Act (HIPAA), according to a U.S. Department of Health and Human Services press release. The three new notice of privacy practice models were constructed out of input from “consumers and key stakeholders” and include the recent changes in the HIPAA Omnibus Rule. The three options include notice in the form of a booklet, a layered notice and a text-only version.
Full Story

DATA PROTECTION—U.S.

Firm Wants To Know: Should We Panic? (September 17, 2013)

Law firm Pillsbury Winthrop Shaw is asking privacy officers and other compliance or audit executives worried about data security to help it determine “just how much corporate America should panic about cyber attacks,” Compliance Week reports. The survey asks professionals about attacks within the last year, their estimated costs and the steps taken to protect against future attacks. It also asks respondents how they evaluate the policies of third parties.
Full Story

CLOUD COMPUTING—U.S. & SWEDEN

An NSA-Resistant Cloud Storage Solution? (September 17, 2013)

File-sharing service Box is working on a cloud storage solution that would put the encryption keys into the hands of its customers instead of the company, Ars Technica reports. Box cofounder and CEO Aaron Levie said the current architecture of the company resembles that of Google or Microsoft “in that we are encrypting all the data on both transit and storage, but we obviously have to manage the encryption key because as a collaborative application we have to broker that exchange between multiple users.” Yet, with some forecasting a $180 billion loss in U.S.-based IT businesses in the wake of the NSA disclosures, the move to provide an “NSA-resistant” service is alluring. Levie said the company is “exploring ways that in the future our customer would be responsible for its keys, and that’s something we may make available to some of the largest organizations.” In other cloud computing news, Sweden’s data protection authority has ordered a Stockholm-based municipality to cease using Google Apps because it may contravene Sweden’s Data Protection Act.
Full Story

SURVEILLANCE—U.S.

DHS To Test Facial Recognition at Hockey Game (September 17, 2013)

The Department of Homeland Security will test facial recognition software capabilities at a September 21 hockey game in the state of Washington, Computerworld reports. The Tri-Cities Toyota Center can seat 6,000 fans. Twenty specific faces will be sought by the technology, called the Biometric Optical Surveillance System (BOSS). A privacy impact assessment in 2012 found the technology was capable of capturing images of an individual from 50 to 100 meters away and can be set up to track an individual as he or she moves. Fans will be allowed to opt out and sit in an area without cameras; no names will be collected, and only government researchers will see the images, the report states.
Full Story

ONLINE PRIVACY

NSA Program Monitors Credit Card Transactions (September 17, 2013)

Spiegel reports on the U.S. National Security Agency’s (NSA) “Dishfire” program, which collects information on credit card transactions from 70 banks worldwide. The NSA targets transaction information from large credit card companies such as VISA and MasterCard on customers in Europe, the Middle East and Africa, the report states, adding that credit card data and related text messages made up 84 percent of NSA financial database Tracfin in September 2011.
Full Story

ONLINE PRIVACY

Tumblr Inks Deal With Analytics Biz (September 17, 2013)

TechCrunch reports that Tumblr has signed a deal with analytics company DataSift, a move that could give advertisers more knowledge of what is posted on the site and boost Tumblr’s advertising sales. DataSift will have access to all of Tumblr’s real-time and historical data. DataSift currently has similar deals with Twitter and Facebook. Meanwhile, a report suggests that Google may have access to the WiFi passwords of every Android user, and, “Considering how many Android devices there are, it is likely that Google can access most WiFi passwords worldwide.”
Full Story

BIG DATA

Can Privacy and Big Data Coexist? (September 16, 2013)
A recent report by Forbes’ Kashmir Hill revealed how an E-Z Pass is not only tracked by toll booths but also by a New York City traffic management initiative. The news highlights both the benefits of Big Data use and the privacy concerns about secondary use, ubiquitous data collection, anonymization and other topics covered at last week’s Future of Privacy Forum and Stanford Law School event on Big Data and privacy. This Privacy Perspectives installment delves into some of the major takeaways from the event and what these paradigms could mean for businesses and consumers moving forward.

SOCIAL NETWORKING

Will Going Public Diminish Privacy on Twitter? (September 16, 2013)

News that microblogging site Twitter plans to go public has prompted some to ask whether certain privacy functions on the site will have to go by the wayside to help generate revenue. Blouin News reports the company plans a $15 billion IPO on $500 million of revenue and, to help boost its bottom line, Twitter may have to do away with its Do-Not-Track option. The report also questions whether Twitter may cease publishing its transparency reports and how much it will comply with foreign government requests to remove or share user data. “As the social media company executes its plans to expand abroad,” the report states, “it has much less of an incentive to get into spats with foreign governments over user data.”
Full Story

PRIVACY—U.S.

Microsoft Funds Tech Policy Lab (September 16, 2013)

Microsoft is donating $1.7 million to the University of Washington to found a Tech Policy Lab that will study and test new technologies in order to shape national policies in areas including consumer privacy, security, censorship, public records and wearable devices, GeekWire reports. Meanwhile, nine out of 10 statisticians believe consumers should worry about privacy issues related to the data being collected about them, and an article in the MIT Technology Review asserts that computer scientists at the National Security Agency are in breach of their own profession’s code of conduct—a list of 16 moral imperatives including “be honest and trustworthy” and “respect the privacy of others.”
Full Story

PRIVACY LAW

Tracker Global Round-Up: Old Laws Reinterpreted; New Laws on the Way (September 16, 2013)

A U.S. District Court cited the Stored Communications Act as protecting “friend-only” posts on Facebook; one expert questions whether the False Light Tort is still relevant, and Apple’s new fingerprint authentication could bring up interesting questions about invoking the Fifth Amendment when it comes to accessing biometrically protected data and devices. Read about these developments plus more on HIPAA, California’s leading role in privacy legislation, breach notification in the EU and Brazil’s struggle to pass a privacy law in this week’s Privacy Tracker weekly legislative roundup. (IAPP member login required.)
Full Story

SOCIAL NETWORKING

Company Admits Facebook Privacy Violation (September 16, 2013)

HasOffers, a company that provides tools for tracking the performance of online ads, has acknowledged it “recently ran afoul of Facebook’s user privacy policies, and it has had to change its marketing practices,” VentureBeat reports. The company’s CEO noted the company’s “MobileAppTracking platform inappropriately allowed advertisers to obtain device-level attribution and performance data. This was a mistake on our part.” Meanwhile, U.S. Sen. Al Franken (D-MN) has written to Facebook’s Mark Zuckerberg urging the company to rethink plans to use profile photos for tagging suggestions, citing concerns about facial recognition and its ability to track people in the “real world.”
Full Story

EMPLOYEE PRIVACY—U.S.

University Staff Object to Health Plan (September 16, 2013)

The New York Times reports on Pennsylvania State University’s introduction of “Take Care of Your Health,” a wellness plan that sparked staff protests and allegations it “is coercive, punitive and invades university employees’ privacy.” Under the plan, nonunion employees must “visit their doctors for a checkup, undergo several biometric tests and submit to an extensive online health risk questionnaire that asks, among other questions, whether they have recently had problems with a co-worker, a supervisor or a divorce,” the report states. Those who do not participate face a $1,200 pay deduction annually. “You can’t force people to disclose the state of their marriage or fine them $100 a month,” one professor said. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

LinkedIn Defends Data Practice, Seeks Class Dismissal (September 16, 2013)

LinkedIn is seeking a dismissal of a suit that claims the company was deceptive with its data security and privacy statements, Main Justice reports. LinkedIn has stated its privacy policy is the same for both its baseline and premium subscriptions and that the plaintiff’s claim is unjustified. “So there is no question that what members are paying for in upgrading to premium services is the enhanced premium tools and capabilities—not LinkedIn’s promise in its privacy policy to secure personal information with ‘industry standards and technology,’” the filing states, while also citing a document showing the plaintiff purchased the subscription before privacy statements were included on the transaction page. According to LinkedIn, “Plaintiff’s arguments ignore that the allegedly deceptive statement was not made in advertising or in other materials that can be reasonably understood to be aimed at inducing members to purchase premium subscriptions.”
Full Story

PRIVACY

A Look at the “Age of Context” (September 16, 2013)

In an article for Forbes, Rawn Shah reviews Age of Context: Mobile, Data, Sensors and the Future of Privacy by Shel Israel and Robert Scoble. The book looks at the state of technology in 2013 with regard to healthcare, transportation, mobile devices and understanding customers, among other areas. Context is important when it comes to wearable technologies, the book notes. The kind of information collected, how it’s processed and cross-referenced with other sources and the responses they produce are all important questions, the authors note, calling such data points “Little Data.” Editor’s Note: Sam Pfeifle interviewed Israel last month in anticipation of his keynote address at IAPP Privacy Academy, in Seattle, September 30 to October 2. The interview contains a free download of the book’s chapter on privacy.
Full Story

CONSUMER PRIVACY—U.S.

CFPB Seeks To Monitor Credit Card Transactions (September 16, 2013)

Officials at the Consumer Financial Protection Bureau (CFPB) are seeking to monitor 80 percent of all U.S. consumer credit card transactions this year through a controversial data-mining program, Washington Examiner reports. A CFPB planning document for fiscal years 2013-17 indicates plans for a “markets monitoring” program as well as plans to monitor up to 95 percent of mortgage transactions. “This is one step closer to a Big Brother form of government where they know everything about us,” said Rep. Sean Duffy (R-WI) at a hearing on the matter last week where critics asserted the agency’s plans are beyond its authority.
Full Story

SURVEILLANCE

Law Enforcement Surveillance Tools Abound (September 16, 2013)

Ars Technica reports on BlueJay—a “Law Enforcement Twitter Crime Scanner.” The program provides real-time access to the “firehose” of public tweets so police can track suspects, keywords, locations, public events, social unrest and department mentions. The Verge reports on Italy-based firm Hacking Team and how the small tech security firm started from two programmers who created a suite of hacking tools. The Milan police eventually contacted the programmers with the intent of purchasing their hacking tools. Hacking Team now boasts 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.” Meanwhile, a recent Foreign Intelligence Surveillance Court opinion states the Edward Snowden leaks “have engendered considerable public interest and debate about Section 215.”
Full Story

MOBILE PRIVACY

Group Releases Privacy Notice Generator (September 13, 2013)
MEF, a mobile content and commerce industry trade organization, has launched a privacy notice generator for app developers, Bloomberg reports, and the goal, according to the group’s press release, is “to build consumer trust in mobile apps by helping developers apply best practice in the collection and sharing of personal data.” By checking off boxes detailing what data is collected, the free online tool “produces a bespoke privacy policy as HTML code that can be customized and embedded directly into the developer’s application.” Future of Privacy Forum Executive Director Jules Polonetsky, CIPP/US, said, “AppPrivacy is a useful resource that will help developers effectively and easily create a mobile-friendly privacy policy.” Editor’s Note: Find a guide to mobile privacy standards in the IAPP’s Resource Center here. Find help for writing privacy notices here.

DATA TRANSFER

How Should Your Firm Respond to the NSA Fallout? (September 13, 2013)

While news of the NSA’s surveillance program surely destabilized data-sharing confidence between the EU and U.S., the ramifications will be global. That was the message yesterday from panelists of an IAPP web conference on the Snowden fallout, which looked at whether NSA revelations have changed the rules of the trade game and how companies should respond. “Privacy and security was happening later in the sales process. Now it’s a sales issue, it’s coming up in RFPs,” said OPower Associate General Counsel Adam Connolly. Hear how OPower, MobileIron and Thomson Reuters London are managing the fallout in their organizations and get practical advice for yours.
Full Story

SURVEILLANCE

NSA Reactions Abound in U.S., Canada, Brazil (September 13, 2013)

The latest headlines reflect the pattern of the past week: The fallout from Edward Snowden’s U.S. National Security Agency (NSA) revelations is showing no sign of letting up. In the U.S., Sen. Edward J. Markey (D-MA) is asking for details from major cellphone carriers on how many government data requests they receive and how they respond. In Brazil, President Dilma Rousseff is asking legislators to support a bill requiring foreign companies to store data about their Brazilian clients on servers in that country in the wake of the NSA reports. And in Canada, Communications Security Establishment Canada “handed over control of an international encryption standard to the NSA, allowing the agency to build a ‘backdoor’ to decrypt data,” reports indicate. Ontario Information and Privacy Commissioner Ann Cavoukian has introduced a policy aimed at allowing privacy and counterterrorism surveillance to coexist in harmony, while a What’sYourTech report suggests almost half of Canadians “think it’s OK for the government to monitor our e-mail and other online activities.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Insurer Wants Out of Breach Coverage in ZIP Code Case (September 13, 2013)

Consumers in California, Massachusetts and Washington, DC, are suing Urban Outfitters, Inc., and its subsidiary, Anthropologie, Inc., for collecting ZIP codes during credit card transactions, Main Justice reports. OneBeacon American Insurance Company says the retailer’s insurance doesn’t cover such privacy issues, the report states, and is asking a federal judge to absolve it of any obligation in the case. Editor's Note: For a primer on this issue, see Angelique Carson's report, with a guide to zip code law.
Full Story

BIOMETRICS

Apple’s Fingerprint Feature and Pleading the Fifth (September 13, 2013)

The Wall Street Journal delves further into the inner workings of Apple’s new iPhone fingerprint sensor. As was previously reported, the phone will not store actual fingerprints but rather “fingerprint data.” The stored data is also encrypted. Meanwhile, in a column for Wired, privacy expert Marcia Hofmann argues that substituting biometric authentication for passwords could create legal issues, particularly with regard to the Fifth Amendment. Being required to share a password—a communication—is a “testimonial” because individuals are sharing the contents of their minds. However, “if we move toward authentication systems based solely on physical tokens or biometrics—things we have or things we are, rather than things we remember—the government could demand that we produce them without implicating anything we know,” Hofmann writes, “Which would make it less likely that a valid privilege against self-incrimination would apply.”
Full Story

CHILDREN’S PRIVACY—U.S.

FTC Seeks Comment on Verifiable Consent Method (September 13, 2013)

The Federal Trade Commission (FTC) is seeking public comment on a proposed verifiable consent method submitted by Imperium, according to an agency press release. Under a provision within the new Children’s Online Privacy Protection Act Rule, organizations may submit new verifiable consent methods for FTC approval. In addition to seeking comment, the FTC examines whether the method is already covered by existing methods and whether it will ensure the individual providing consent is the actual parent. The comment period will be open until October 9.
Full Story

PRIVACY LAW—BRAZIL

The Right To Be Forgotten in Brazil (September 13, 2013)

Brazil is still dragging its feet in passing even basic legislation on the protection of personal data, and the question of a right to be forgotten is beginning to grow in importance within the country. The issue was recently addressed by the 6ª Jornada de Direito Civil da Justica Federal/2013, a Brazilian legal committee, which concluded that such a right would strengthen the protection of human dignity, reports Renato Opice Blum in this exclusive for The Privacy Advisor.
Full Story

PRIVACY LAW—U.S.

Court Rules Nonpublic Facebook Posts Protected by SCA (September 12, 2013)
The U.S. District Court in New Jersey has ruled that nonpublic Facebook posts are protected under the Stored Communications Act (SCA), reports Hunton & Williams’ Privacy and Information Security Law Blog. The case involved a hospital worker who posted to her page a negative comment, which could only be seen by her Facebook friends, about paramedics’ handling of a situation. A Facebook friend then took a screen shot of the post and shared it with hospital management—none of whom had access to the post through Facebook. The employee was suspended and issued a memo saying she had deliberately disregarded patient safety; she then sued on the grounds of SCA violations, among others. The court interpreted the 1986-era language and determined the post is protected under SCA, as it is an electronic communication “transmitted via an electronic communication service” that was in storage and not public.

PRIVACY ENGINEERING

Is 2013 the Year of the Privacy Engineer? (September 12, 2013)

With the recent introduction of a new master’s degree by Carnegie Mellon and an influx of privacy engineering job openings by large tech firms, will this be the year of the privacy engineer? “Though the term privacy engineering has been around since at least 2001,” writes Robert Jason Cronk, CIPP/US, “only recently has the computer science community tried to use it in a concrete and systematic way.” In this Privacy Perspectives post, Cronk, a privacy engineering consultant for Enterprivacy Consulting Group, delves into the work of privacy engineers and why they “must be in place to identify user-centric risks and help design solutions” to help organizations mitigate risks while improving data flows. Editor’s Note: Cronk, along with MITRE’s Stuart Shapiro, CIPP/US, CIPP/G, will lead the preconference workshop Privacy Engineering Primer later this month at the IAPP’s Privacy Academy in Seattle, WA.
Full Story

PRIVACY RESOURCES—EU

Insight on the EU Data Protection Regulation (September 12, 2013)

The EU Data Protection Regulation offers a new framework for the protection of individuals with regard to the processing of personal data and how that data is shared. This regulation will, if passed, supersede the EU Data Protection Directive and has caused much debate, controversy and discussion. In this IAPP Resource Center Close-Up, you’ll find links to the proposal, the directive, Article 29 Working Party opinions, related reports and communications as well as analysis and guidance offering, in essence, a history of the ongoing process of the implementation of the directive and the forming of the regulation.
Close-Up: EU Data Protection Regulation

ONLINE PRIVACY

Which Companies Top the ‘Privacy-Friendly’ List? (September 12, 2013)

Forbes reports on the “most privacy-friendly companies” according to privacy experts. Lee Tien of the Electronic Frontier Foundation cites Microsoft, Google, Tumblr and Facebook, while Chris Hoofnagle of Berkeley’s Center for Law & Technology cites B2B services “such as Salesforce, which explicitly says that the data you load into their service is yours, that you can encrypt it and that they will never sell it.” Boston attorney Sarah Downey says Twitter’s “Do-Not-Track” policy puts it at the top, and a number of experts cited companies such as DuckDuckGo, which doesn’t track users’ searches.
Full Story

SOCIAL NETWORKING—U.S.

FTC Investigating Facebook Policy Changes (September 12, 2013)

The Federal Trade Commission (FTC) has initiated an investigation of Facebook’s recently altered privacy policy to assess whether it violated a 2011 consent order with the agency, The New York Times reports. Under the 2011 agreement, Facebook must gain explicit consent from users prior to exposing their information to new audiences. An FTC spokesman said, “Facebook never sought out a discussion with us beforehand about these proposed changes.” A Facebook spokeswoman said, “We routinely discuss policy updates with the FTC, and this time is no different,” adding, “Our updated policies do not grant Facebook any additional rights to use consumer information in advertising … the new policies further clarify and explain our existing practices.” Sen. Ed Markey (D-MA) has sent a letter to the FTC raising concerns about the changes. (Registration may be required to access this story.)
Full Story

DATA THEFT—GERMANY

Hacker Accesses Two Million Vodafone Accounts (September 12, 2013)

Bloomberg reports that an intruder “with insider knowledge” hacked into a Vodafone server located in Germany and gained unauthorized access to approximately two million customer accounts. The compromised personal information included names, addresses, dates of birth and bank account information but did not include credit card information, passwords, PINs or phone numbers, according to a company statement (in German). According to the report, Vodafone shares fell 0.8 percent yesterday. The attack was detected earlier this month and was halted.
Full Story

SURVEILLANCE

NSA Fallout Continues; Latest News Involves Israel (September 12, 2013)

The U.S. National Security Agency (NSA) continues to make headlines, most recently with a report that the NSA “routinely shares raw intelligence data with Israel without first sifting it to remove information about U.S. citizens,” The Guardian reports. Citing a document released by Edward Snowden, the report describes an intelligence-sharing deal between the NSA and its Israeli counterpart. Meanwhile, Yahoo CEO Marissa Mayer and Facebook’s Mark Zuckerberg are hitting back at critics of tech companies, saying the U.S. government did a “bad job” of balancing people’s privacy and its duty to protect. Tech executives did not tell the public about the NSA surveillance because, Mayer said, “Releasing classified information is treason” and would mean incarceration.
Full Story

BIOMETRICS

U.S. To Expand Data Sharing Overseas (September 12, 2013)

The Department of Homeland Security plans to expand foreign biometric data sharing, FCW reports. The Office of Biometric Identity Management (OBIM), now five months old, will use a $33 million contract with Accenture to decrease the time, cost and personnel required to share U.S. biometric data with the UK, New Zealand, Canada and Australia. OBIM provides biometric data to federal, state and local governments to deal with immigration violators, criminals and known or suspected terrorists, OBIM’s deputy director said, adding it aims to improve biometric data-sharing and increase interoperability among the U.S. Departments of Defense, Justice and State. Meanwhile, the U.S. and Japan seek to formalize an agreement on sharing fingerprints of convicted criminals.
Full Story

HEALTHCARE PRIVACY—U.S.

ONC Releases Guidance on Interoperable E-Health Exchanges (September 12, 2013)

The Office of the National Coordinator for Health Information Technology has released guidance in order to facilitate interoperable electronic health information exchanges. While many healthcare providers qualify for Medicare and Medicaid electronic health record incentive payments under the HITECH Act, there are many providers that are ineligible for such payments. The guidance aims to “serve as a building block for federal agencies and stakeholders to use as they work with different communities to achieve interoperable electronic health information exchange.”
Full Story

SURVEILLANCE—U.S.

NSA Tries To Explain, Criticisms Abound (September 11, 2013)
On this anniversary of the September 11, 2001, attacks, terrorism, security and safety are dominating the headlines once again—this time, their focus is not, thankfully, on a terrorist attack but on the debate of security vs. privacy. This roundup for The Privacy Advisor examines yesterday’s explanation of the NSA’s collection programs by U.S. Director of National Intelligence James R. Clapper and reactions from industry, advocates and other nations to the ongoing NSA revelations.

PRIVACY LAW—U.S.

Is the False Light Tort Unnecessary? (September 11, 2013)

Within the past 50 years, First Amendment lawyers have convinced courts and state legislatures to increase the difficulty for plaintiffs to bring defamation lawsuits, which “have helped preserve the public debate that is vital to our democracy,” writes Covington & Burling Associate Jeff Kosseff, CIPP/US. “Unfortunately, privacy law has long provided plaintiffs with an end-run around the First Amendment,” he writes, adding, “Rather than filing a defamation lawsuit, plaintiffs bring claims under a privacy tort known as ‘false light.’” In this Privacy Perspectives post, Kosseff argues why this privacy tort is outdated and unnecessary.
Full Story

PRIVACY LAW—U.S.

Opinion: Do-Not-Track Disclosure Bill Would Have Broad Impact (September 11, 2013)

While California’s Do-Not-Track Disclosure bill (AB 370) has been sent to the governor, it has not yet been signed, writes Tanya Forsheit for Information Law Group. The bill would amend the California Business & Professions Code (CalOPPA) to require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals as well as disclose whether third parties may collect personally identifiable information. “If AB 370 becomes law, it will have impact beyond California—CalOPPA purports to apply to any website that collects information from California residents,” Forsheit writes.
Full Story

PRIVACY—U.S.

Attorney General Launches Database Probe (September 11, 2013)

Following law enforcement’s increasing use of facial-recognition software, Ohio Attorney General Mike DeWine has requested a review of a law enforcement database, The Columbus Dispatch reports. The Ohio Law Enforcement Gateway allows about 300 Ohio law enforcement agencies to access records in a sex-offender registry, driver’s license and motor vehicle registration files and criminal history. There are more than 30,000 approved users. DeWine has formed a working group to discuss safeguards against hacking and privacy violations.
Full Story

TRAVELERS’ PRIVACY—U.S.

Authorities Use Border Crossings To Seize Devices (September 11, 2013)

The New York Times reports on newly released documents revealing how U.S. authorities use border crossings to seize travelers’ electronic devices without acquiring warrants to access the data. The “largely secretive process” allows the government to set up a travel alert for an individual—even if the person is not a suspect of an investigation—and then detain, seize or copy files stored on electronic devices. As part of a settlement reached with the Department of Homeland Security, the documents were disclosed to David House, a former fundraiser for the legal defense of Chelsea Manning. “I think it’s important for business travelers and people who consider themselves politically inclined to know what dangers they now face in a country where they have no real guarantee of privacy at the border,” House said. (Registration may be required to access this story.)
Full Story

BIOMETRICS

Apple Releases Include Fingerprint Sensor (September 11, 2013)

The New York Times reports on Apple’s release of two new iPhones Tuesday, including a model with a fingerprint sensor that can be used instead of a passcode. In response to privacy concerns, Apple says user fingerprints will only be stored on the phone and will not be shared with app developers. The release is symbolic of a number of new on-the-market devices that use biometric authentication tools. A new wristband, Nymi, contains a voltmeter to read heartbeats. “You put it on. It knows it’s you. It communicates that identity securely to everything around you,” said the wristband’s creator. The biometric devices come on the heels of the recent discovery that even a 55-character password could be broken. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Court Reverses Heartland Negligence-Claim Ruling; Case Proceeds (September 11, 2013)

Following the 2008 data breach at Heartland Payment Systems, several banks that had issued credit cards to customers affected by the breach alleged they incurred significant costs by replacing the cards of impacted customers and refunding fraudulent charges, writes attorney Stephen Shapiro. While a trial court dismissed the negligence claim, citing New Jersey’s economic loss doctrine, a Fifth Circuit Court has reversed the ruling, allowing the case to proceed.
Full Story

HEALTHCARE PRIVACY—U.S.

New HIPAA Rules Require Revised Notices; Deadline Looms (September 11, 2013)

Earlier this year, the Department of Health and Human Services Office for Civil Rights released omnibus regulations changing significantly HIPAA’s privacy, security, enforcement and breach notification rules. An article for Boston’s WBUR looks at what the changes mean for patients. Under the changes, covered entities must update and post a revised notice of privacy practices before September 23. In this report for Lexology, attorneys from Wilson Elser describe what such notices must include. Meanwhile, California lawmakers are considering proposing stricter HIPAA regulations. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Google Case Can Proceed, Appeals Court Rules (September 11, 2013)

A federal appeals court in San Francisco has said a lawsuit accusing Google of illegal wiretapping can proceed, The New York Times reports. The case involves Google’s Street View initiative, in which Google vehicles collected e-mail, passwords and other personal information from unencrypted home networks. Google wanted the case dismissed, arguing the data it accessed was exempt from the Wiretap Act because it was readily accessible to the general public. The appeals court agreed with an earlier federal court’s ruling, reasoning that, “Even if it is commonplace for members of the general public to connect to a neighbor’s unencrypted Wi-Fi network, members of the general public do not typically mistakenly intercept, store and decode data transmitted by other devices on the network.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU & U.S.

MEPs Call for Halt to Anti-Terror Program (September 10, 2013)

Amidst ongoing U.S. National Security Agency surveillance program revelations, Members of the European Parliament (MEPs) are calling for “the immediate suspension” of the Terrorist Finance Tracking Program (TFTP), CIO reports. "I think there is more than enough evidence to call for a suspension," said Dutch MEP Sophie in 't Veld. The TFTP allows the U.S. Treasury access to data that international bank transfer company Swift stores in Europe, but NSA revelations indicate the U.S. spied on Swift, the report states. German MEP Jan Philipp Albrecht said, "The NSA surveillance is an open breach of the agreement and further undermines the already insufficient data protection given to European citizens under the deal.”

SURVEILLANCE

Internet Giants Make New Push for FISA Transparency (September 10, 2013)

As gloomy predictions about the impact of privacy fears on the Internet economy grow ever more frequent, and major concerns about the future of the Internet are expressed, big firms like Facebook, Google, Yahoo and Microsoft have stepped up their efforts in petitioning the U.S. government to allow them to share more about government requests for data with their customers. Computerworld sums up a number of the blog posts from these companies, which outline their legal efforts toward transparency. “The actions and statements of the U.S. government have not adequately addressed the concerns of people around the world,” wrote Facebook general counsel Colin Stretch, in his post.
Full Story

ONLINE PRIVACY

When “All About You” Isn’t About You at All (September 10, 2013)

Acxiom’s release of AboutTheData.com has been touted as a step forward for online data transparency, as it’s now possible to know what Acxiom and other data brokers likely know about you. But people are finding that Acxiom doesn’t seem to know much about them at all. And what they do know is wrong. In this installment of Privacy Perspectives, Jedidiah Bracy, CIPP/US, CIPP/EU, explores the impact the bizarro world of data brokerage could have on public perceptions of behavioral advertising and online tracking, and why this whole thing just might backfire.
Full Story

PRIVACY LAW—U.S.

CA Senate Passes Breach Notification Amendment (September 10, 2013)

California’s Senate has passed an amendment to its breach notification law that would expand the notification requirement to incidents involving personal information that would allow access to online accounts, reports Hunton & Williams’ Privacy and Information Security Law Blog. SB 46 redefines personal information to include “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” The bill also allows organizations to deliver notifications in electronic form but prohibits them from using an e-mail address that may have been compromised due to the breach. The future of SB 46 hinges on the passing of Assembly Bill 1149 as well; both must be passed and enacted prior to the start of 2014 in order to become law.
Full Story

PERSONAL PRIVACY—U.S.

Lawmaker, HIPAA Provision Raise Gun Privacy Questions (September 10, 2013)

A Maryland legislator is asking Attorney General Douglas F. Gansler about the legality of viewing confidential information on potential gun-buyers, The Washington Times reports. Delegate Kevin Kelly (D-District 1B) has sent the AG’s office a letter seeking details on “whether it was legal for state police to allow up to 200 state employees from five agencies to view confidential information about prospective gun buyers,” the report states. Meanwhile, the Office for Civil Rights has sent the Office of Management and Budget a proposal “to lift legal barriers related to the HIPAA privacy rule that may prevent states from reporting mental health information to the National Instant Criminal Background Check,” HealthData Management reports.
Full Story

ONLINE PRIVACY—U.S.

Microsoft Says Suit Isn’t Suitable Class-Action (September 10, 2013)

Microsoft says a lawsuit against it seeking class certification should be denied such a designation because “little is ‘common’ among the tens of thousands of proposed class members.” The suit alleges Microsoft violated California’s Song-Beverly Act by asking in-state consumers for personal information without informing them such disclosures weren’t required for credit card purchases to be completed. The August 30 request for class certification says Microsoft’s training and policy documents do not instruct employees to inform customers that personal information disclosures are voluntary. Microsoft says each customer’s experience is varied and some class members knew providing data was voluntary.
Full Story

DATA PROTECTION

HP Launches Regulatory-Compliance Service (September 10, 2013)

Hewlett-Packard (HP) has launched a service that aims to help organizations comply with government privacy regulations, eWEEK reports. HP’s Data Privacy Services contains a suite of services addressing data sanitization, defective media retention and comprehensive defective material retention. "What we're seeing is demand for this type of service from customers, driven by compliance and liability concerns about leakage of data," said an HP spokesman.
Full Story

ONLINE PRIVACY

New Apps Give Posts a Shelf Life (September 10, 2013)

Reuters reports on the proliferation of mobile apps that allow users to control who sees their content on social media sites—and for how long. Secret.li, for example, allows iPhone users to post a photo to Facebook knowing it will be automatically deleted either an hour, a day or a week after it’s posted and giving them control over with whom it will be shared. Another app, Spirit, allows users to hashtag tweets so they will auto-delete after a time period of the users’ discretion. "With the ongoing privacy scares, people are thinking about what they put out there now and looking for ways to have more control," said Spirit’s developer.
Full Story

DATA LOSS—U.S.

Schools, Council Investigate Breaches (September 10, 2013)

The Medical University of South Carolina sustained the largest breach of its history between June 30 and August 21 after a third-party credit card processing company compromised 7,000 patients’ data, HealthITSecurity reports. Meanwhile, parents of 130 children at two elementary schools in Virginia say their children came home with other students’ sensitive data, prompting fears of identity theft. The Washington Post reports Washington, DC’s privacy officer has “serious concerns” after a paramedic wrote a letter to the DC Council that included a patient’s data, and the University of South Florida is investigating a data breach caused by an employee.
Full Story

PRIVACY LAW

The OECD Heralds the Arrival of the Privacy Profession (September 9, 2013)

For anyone following the field of privacy policymaking, the past two years have seen a flurry of activity unsurpassed in any other legal arena. Fittingly, the first reform process to come to fruition is that of the OECD Privacy Guidelines, which date back to 1980 and contain the first internationally agreed upon iteration of the now ubiquitous Fair Information Privacy Principles (FIPPs). Together with the expected result of the major reform processes in the U.S. and EU, the revised guidelines, slated to be launched later today on the OECD website and with a reception at the Canadian embassy in Washington, DC, are set to become the second generation of information privacy laws. As such, it is important to assess what has changed since their inception more than 30 years ago. In this installment of Privacy Perspectives, Omer Tene, who served as rapporteur for the Expert Group advising the OECD, examines the potential impact of the new guidelines.

ONLINE PRIVACY—U.S.

Yahoo Issues First Gov’t Transparency Report (September 9, 2013)

The Washington Post reports on Yahoo’s first government transparency report, which indicates the company “received 12,444 requests for data from the U.S. government so far this year” related to the accounts of 40,322 users. Of those requests, “37 percent disclosed the content of Yahoo accounts, such as words in e-mails, photos or uploaded files. In about 55 percent of the requests made, the company disclosed information about its users that did not involve content but gave information such as names, location data and e-mail addresses.” To date, the report states, Yahoo has rejected “two percent of those federal government requests.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW

New State Laws in the U.S. and Concerns About Notification in the EU (September 9, 2013)

In this week’s Privacy Tracker Legislative Roundup, find out about Google’s push to get its e-mail scanning case dismissed, changes to the HIPAA final rule, the latest FTC settlement, updates on proposals in California and new laws in New Jersey and Illinois—and those are just the U.S. developments. In Europe, one MEP has expressed “major concern” regarding two data breach notification schemes proposed under the draft Network and Information Security Directive and the planned General Data Protection Regulation. (IAPP member login required.)
Full Story

DATA LOSS—U.S.

Breach Settlements and Class-Actions Filed (September 9, 2013)

A recent dismissal of a case arising from a credit card skimming attack suffered by Barnes & Noble by the U.S. District Court for the Northern District of Illinois demonstrates the struggle plaintiffs face in trying to articulate injury, write attorneys for Ropes & Gray, LLP. Meanwhile, ModernHealthcare discusses the legal consequences of a recent and massive data breach at Advocate Health Care. MediaPost News reports on both a potential class-action filed in Illinois accusing Google of violating its privacy policy and on Netflix users’ request that a $9 million settlement of a class-action lawsuit be nixed.
Full Story

DATA PROTECTION

When It Comes to Success, PIAs Should Not Be Underrated (September 9, 2013)

Privacy impact assessments (PIAs) are likely to become the most vital item in the privacy professional’s toolkit. That’s according to Eduardo Ustaran, CIPP/E, who writes for Field Fisher Waterhouse’s Privacy and Information Law Blog that PIAs are an effective tool that can be used to send a powerful message within an organization that the privacy pro is “on the side of the organization” as far as innovation and progress while “coming up with sensible ways of preventing unjustifiable risks” for everyone’s benefit. PIAs are especially relevant when it comes to global compliance, as they reach outside of the legal obligations of a given regime, Ustaran writes. Editor's Note: Want tools and templates for conducting PIAs? See Close-Up: PIAs.
Full Story

ONLINE PRIVACY

When Everything Is Connected, How Are Consumers Protected? (September 9, 2013)

In opinion pieces for The New York Times, representatives of academia, advocacy, government and industry discuss how to minimize risks when it comes to the Internet of Things. The Federal Trade Commission (FTC) will hold a public workshop on the topic in November. FTC Commissioner Julie Brill says that as the benefits of Big Data reveal themselves, it’s essential to let them develop “within an ecosystem that garners consumer trust by safeguarding privacy.” Existing principles and legal standards apply to smart devices, Brill writes, but how they should apply is the question. Meanwhile, in examining criticism of Big Data, Ad Age looks at data aggregator Acxiom’s recent decision to become more transparent to consumers. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—U.S.

ACLU Report Voices Qualms With License-Plate Scanning (September 9, 2013)

Approximately 75 percent of U.S. police departments are using or plan to use license-plate scanning technology to help solve crimes, Business Insider reports. The American Civil Liberties Union (ACLU) says the technology has the potential to collect data on innocent Americans and can be used in ways that violate privacy. "In our society, it's a core principle that the government doesn't watch people's innocent activities just in case they may be connected with a crime," said Allie Bohm of the ACLU, adding that often “police are retaining this data indefinitely with few privacy protections … It can reveal people's political views, religious activities and a lot of other personal information."
Full Story

ONLINE PRIVACY—U.S.

Experts Want Web Security Rewritten (September 9, 2013)

Internet security experts are calling for a campaign to rewrite web security following news that the U.S. National Security Agency is capable of breaking millions of sites’ encryption codes, Reuters reports. But that’s a task that would be extremely difficult, the experts admit. “A lot of our foundational technologies for securing the Net have come through the government,” said researcher Dan Kaminsky, adding, "As much as I want to say this is a technology problem we can address, if the nation states decide security isn't something we're allowed to have, then we're in trouble.” Meanwhile, Chris Matyszczyk writes for CNET that trusting corporations over the government when it comes to data privacy is flawed logic.
Full Story

RFID—U.S.

New Jersey School Employing RFID for Students and Staff (September 9, 2013)

RFID Journal reports on the Belleville Public School District’s use of RFID to track students and faculty in the school and on buses as part of a security effort aimed at preventing a tragedy such as that in Newtown, CT, last year. According to the report, the badges will come equipped with buttons to alert authorities to an emergency and will typically be set to “beacon” their ID numbers every 28 seconds to be captured by one of the 190 RFID readers in the school or installed on each of its 21 buses. The system may also be used to eliminate attendance-taking in class or “identify if the same individuals were repeatedly visiting the bathrooms simultaneously, possibly suggesting a drug-use or fighting issue.” Schools in Texas and New York are considering similar systems.
Full Story

SURVEILLANCE—INDIA

Investigation: Gov’t Monitoring 160M Internet Users (September 9, 2013)

The Hindu reports on its investigation into the upcoming launch of India’s Central Monitoring System (CMS), which found “the Internet activities of India’s roughly 160 million users are already being subjected to wide-ranging surveillance and monitoring, much of which is in violation of the government’s own rules and notifications for ensuring ‘privacy of communications.’” The CMS plan has prompted privacy concerns in recent months, but The Hindu’s investigation found the government already has monitoring systems “deployed by the Centre for Development of Telematics for monitoring Internet traffic, e-mails, web-browsing, Skype and any other Internet activity of Indian users.”
Full Story

SURVEILLANCE

NSA Undermines High Level of Internet Encryption (September 6, 2013)

The latest leak from former government contractor Edward Snowden reveals the U.S. National Security Agency has “circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, web searches, Internet chats and phone calls of Americans and others around the world,” according to a multi-pronged report by The New York Times, ProPublica and The Guardian. Since 2000, the agency has invested billions of dollars to influence international encryption standards and force technology companies to provide backdoor access to encrypted communications. The ACLU’s Christopher Soghoian said the programs are “making the Internet less secure and exposing us to criminal hacking, foreign espionage and unlawful surveillance,” adding that it “will further erode not only the United States’ reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.” Editor’s Note: Former NSA General Counsel Stewart Baker will keynote later this month at the IAPP Privacy Academy in Seattle, WA. Additionally, the IAPP web conference The Snowden Fallout will broadcast Thursday, September 12.

SOCIAL NETWORKING

Facebook Delays Planned Policy Changes (September 6, 2013)

Following heat from six major consumer privacy groups, Facebook says it will delay planned changes to its privacy policies, Los Angeles Times reports. The coalition asked the U.S. Federal Trade Commission to block the changes, arguing they would make it easier for Facebook to use user data to endorse advertisements without their consent. "We are taking the time to ensure that user comments are reviewed and taken into consideration to determine whether further updates are necessary, and we expect to finalize the process in the coming week," Facebook said in a statement.
Full Story

ONLINE PRIVACY—U.S.

Survey: 86 Percent of ’Net Users Mask Footprint; Scared of Peers More than Gov’t (September 6, 2013)

According to a recent survey, 86 percent of Internet users have taken at least one step to remove or mask their digital footprints online, and 55 percent have taken steps to avoid observation by certain people—including organizations or the government. The survey, conducted in July by the Pew Research Center’s Internet & American Life Project, examined 792 adult Internet users’ responses. Given recent revelations about U.S. government access to data, Director Lee Rainie said he was surprised to find that respondents were more concerned with hiding data from people they knew than the government or law enforcement. Rainie analyzes the survey’s results in this exclusive for The Privacy Advisor.
Full Story

PRIVACY LAW—U.S.

The Internet Has Grown Up, Why Hasn’t the Law? (September 6, 2013)

“The greatest threat to an American's reputation and online privacy is Section 230 of the Communications Decency Act,” writes Andrew Bolson, CIPP/US. It impacts the ability of individuals to prevent and stop cyber bullying, cyber harassment and cyber defamation. While the problems of Section 230 have achieved attention, there have been few solutions presented to challenge the status quo. In this exclusive for The Privacy Advisor, Bolson examines why the law hasn’t grown up alongside the Internet.
Full Story

PRIVACY COMMUNITY

Accountability Is About Values (September 6, 2013)

“Over the past year, I reflected on why I have been doing privacy for nearly a quarter of a century,” writes Martin Abrams. “And after reflection, I decided it is time for me to focus on the role of values in privacy.” In this Privacy Perspectives blog post, Abrams discusses his new role as leader of the Information Accountability Foundation and how organizations can institutionalize accountability “in businesses’ practices, regulatory oversight and the next generation of privacy law.” Editor's Note: For more information on accountability see Close-Up: Accountability in the IAPP Resource Center.
Full Story

ONLINE PRIVACY—U.S.

Google Wants “Precedent-Setting” Case Dismissed (September 6, 2013)

Google has asked for a case against it, concerning its alleged electronic scanning of Gmail users’ e-mails for the purpose of sending targeted ads, to be dismissed, Associated Press reports. In a San Jose, CA, court on Thursday, Google said “all users of e-mail must necessarily expect that their e-mails will be subject to automated processing.” The suit was filed on behalf of 10 people and is expected to be certified as a class-action. It’s also predicted to be a “precedent-setting case for other e-mail providers,” the report states.
Full Story

GENETIC PRIVACY—U.S.

What Happens if Newborns’ Entire Genomes are Screened? (September 6, 2013)

NBC News reports on U.S. government funding for studies on what happens if you screen newborns' entire genomes. The aim of the study is to find out if the data results in better healthcare or simply data overload. “We would like to see if genome sequencing can shed light on disorders that we don’t screen for currently,” said National Institute of Child Health and Human Development Director Dr. Alan Guttmacher, adding there are questions involved. “How do we protect the baby’s privacy? Where will the baby’s genome data be stored, and who will have access to it?”
Full Story

CONSUMER PRIVACY—U.S.

FTC Reaches First “Internet of Things” Settlement (September 5, 2013)

TRENDnet, a maker of Internet-connected home video cameras, has agreed to settle with the Federal Trade Commission (FTC) over charges “that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet,” an FTC press release states, adding, “This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices—commonly referred to as the ‘Internet of Things’ (IoT).” The FTC alleges the business failed to use “reasonable security to design and test its software, including a setting for the cameras’ password requirement.” Under terms in the settlement, TRENDnet must not misrepresent the security of its products and must create a comprehensive information security program and undergo a biannual third-party audit for the next 20 years. The FTC will host a roundtable in November exploring the privacy issues surrounding the IoT.

MOBILE PRIVACY—U.S.

Consumers: Forget Screen Size, Cameras; Sell Us Privacy (September 5, 2013)

Consumers are now more concerned about privacy in the use of their mobile phones and apps than they are about screen size, brand, weight or camera resolution. That’s according to TRUSTe’s 2013 Consumer Data Privacy Study, which polled more than 700 U.S. smartphone users. Only a phone’s battery life topped privacy when users prioritized their concerns. In this exclusive for The Privacy Advisor, TRUSTe’s Dave Deasy discusses the survey’s findings and the potential implications for businesses.
Full Story

DATA LOSS

Treating Breaches as Customer Issues (September 5, 2013)

In a world rife with data breaches affecting organizations large and small, businesses should treat these events as customer issues rather than compliance issues, writes Experian Data Breach Resolution Group VP Michael Bruemmer, CIPP/US. Bruemmer points out that organizations often smoothly handle the technical and regulatory sides of a breach response, but he adds, “as I’ve seen time and time again, what you might be falling behind on is the consumer engagement side of breach response, and that’s when your customers start making calls.” In this Privacy Perspectives installment, Bruemmer offers a number of ways businesses can go beyond a “compliance-only response.”
Full Story

SOCIAL NETWORKING—U.S.

Coalition Asks FTC To Block Facebook Policy Changes (September 5, 2013)

A coalition of six major consumer privacy groups has asked the Federal Trade Commission (FTC) to block coming changes to Facebook’s privacy policies, The New York Times reports. The coalition—which includes EPIC, the Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG and the Privacy Rights Clearinghouse—says the changes would make it easier for the site to use users’ data. The coalition wrote a letter to the FTC Wednesday stating the changes violate a 2011 settlement and order with the FTC. (Registration may be required to access this story.)
Full Story

PRIVACY—U.S.

PCLOB Finds a Director, Looks Toward Action (September 5, 2013)

The long-defunct, then fledgling and now finally functioning Privacy and Civil Liberties Oversight Board will take yet another step forward September 9, when Sharon Bradford Franklin comes on board to serve as its executive director. In this exclusive for The Privacy Advisor, Franklin discusses the forthcoming challenges, including implementing systems and beginning to review programs “whose very existence is classified—that the public doesn’t even know about.”
Full Story

SURVEILLANCE

NSA Review Board To Meet with Advocates, Tech (September 5, 2013)

The surveillance review board recently named by the White House is slated to meet with privacy advocates and representatives from technology companies in two separate meetings Monday, The Hill reports. A White House spokeswoman said it is not a “White House meeting” and a list of who will be attending has yet to be disclosed. Additionally, President Barack Obama addressed European Union concerns about the National Security Agency (NSA) surveillance program disclosures. “I can give assurances to the publics in Europe and around the world that we’re not going around snooping at people’s e-mails or listening to their phone calls.” Meanwhile, Brazilian telecom regulator Anatel is reviewing contracts between national operators and foreign businesses to investigate possible privacy breaches in the wake of the NSA disclosures.
Full Story

HEALTHCARE PRIVACY—U.S.

Surgery Photo Prompts Privacy Concerns (September 5, 2013)

A former patient has filed a civil lawsuit against a Los Angeles-based medical center after her doctor and his assistant decorated her face and took a photo while she was unconscious during a surgery, Los Angeles Times reports. The state also investigated the case. The incident, as well as another involving a salesman taking a photo of a naked patient without the patient’s knowledge, has sparked concerns about mobile devices in healthcare facilities. “The idea that people are using their cellphone or even have one in the operating room is crazy,” said Deborah Peel, founder of Patient Privacy Rights. “It’s a massive security risk and incredibly insensitive to patients.” Editor’s Note: Valita Fredland, chief privacy officer of Indiana University Health, has written about healthcare providers and social media use in a recent Privacy Perspectives blog post.
Full Story

DATA PROTECTION

Opinion: Loyalty Cards Don’t Serve the Consumer (September 5, 2013)

In an article for Slate, Brian Palmer dares consumers to take six months off from using loyalty cards. Palmer cites British grocery chain Tesco’s program, in which the grocer monitored customers’ buying habits closely and sent coupons to those whose buying patterns slowed. “Would you prefer to shop at a store that increases profits by figuring out what you already do, then tricking you into doing it a little more often? Or a store that thinks creatively, brings you new products and showcases its wares in a novel way?” Palmer asks.
Full Story

SURVEILLANCE—U.S.

University To Install 2,000 Surveillance Cameras; ACLU Doesn’t Like It (September 5, 2013)

The University of Kentucky is planning to install 2,000 surveillance cameras on campus, The Huffington Post reports. The plan has the American Civil Liberties Union (ACLU) concerned about such monitoring. “You’re capturing a lot of information about people who are completely innocent,” said ACLU of Kentucky’s Amber Duke. “That’s a lot of information that could be misused.”
Full Story

ONLINE PRIVACY—FRANCE & GERMANY

Mosley Wants Censorship Google Isn’t Willing To Give (September 5, 2013)

Former Formula One boss Max Mosley wants Google to set up a personal filter to stop personal images of him from appearing on the search engine, Financial Times reports. The images of Mosley were ruled to be a breach of his privacy rights by a UK court in 2008. Google is willing to remove links to sites where the images are used, but says setting up a permanent filter for the pictures would mean an “alarming new model of automated censorship,” the report states. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

California To Require Do-Not-Track Disclosures (September 4, 2013)

The California Senate and Assembly passed an amendment to the California Online Privacy Protection Act, which the governor is expected to sign, that will require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals, AdWeek reports. California Assemblyman Al Muratsuchi (D-66th District) introduced the bill, which was also sponsored by Attorney General Kamala Harris—who’s been pushing for privacy protections and consumer privacy enforcement actions. The bill does not prohibit tracking but “does require websites to choose sides to either honor or ignore Do-Not-Track browser signals,” the report states.

DATA PROTECTION—U.S.

Ten Steps to a Quality Privacy Program, Part Two: Risk Assessments (September 4, 2013)

In part two of The Privacy Advisor’s series on "Ten Steps to a Quality Privacy Program," Deirde Rodriguez explores risk assessments. We've all heard them called out as best practice, but how do you know where and how to start? This article looks at how to make your risk assessment live and breathe.
Full Story

BIG DATA

Information Pollution and the Internet of Things (September 4, 2013)

As we get closer to a super-connected world of devices and sensors—estimates posit that by 2020 there will be between 30 to 50 billion connected devices—privacy professionals will be faced with the massive issue of data access. In this Privacy Perspectives post, Field Fisher Waterhouse Partner Phil Lee, CIPP/E, CIPM, looks into this underlying problem, writing, “when so much information is collected—and across so many devices—how can we provide individuals with meaningful access to information in a way that is not totally overwhelming?”
Full Story

PRIVACY ENGINEERING

A Look at the Future of Privacy Notices (If They Have a Future) (September 4, 2013)

How bad is the situation for privacy notices? The National Science Foundation just used part of its largest grant program, a Frontier award of well over $1 million, to fund a team of researchers looking to fix them. As NSF spokesperson Lisa-Joy Zgorski put it, “We try to look at society’s biggest challenges and the things that really matter.” In this exclusive for The Privacy Advisor, we talk with Norman Sadeh of Carnegie Mellon University, the team lead for the project in question, “Towards effective Web privacy notice and choice: a multi-disciplinary perspective,” about how he hopes to “take these policies in their ugliness and extract something meaningful out of them.”
Full Story

PRIVACY RESOURCES

What Do You Need To Build a Privacy Program? (September 4, 2013)

Privacy professionals looking to build a privacy program may need to call on “proactive strategies, persuasion, political savvy, adaptability and a passion to get an exciting new organizational function up and running”—never mind knowledge of relevant laws and how to comply with them—to get the job done. That’s according to the IAPP’s guide book, Building a Privacy Program: A Practitioner's Guide, one offering in this IAPP Resource Center Close-Up. You’ll also find freely accessible guides from the Massachusetts Office of Consumer Affairs and Business Regulation, an outline of IAPP award-winner Vodafone’s privacy program and articles to help you get buy-in from your organization.
Close-Up: How To Build a Privacy Program

SOCIAL NETWORKING

Pro-Privacy Attorney Leaving Twitter (September 4, 2013)

Twitter attorney Alex Macgillivray has announced his plans to leave the company, The Guardian reports. Macgillivray is credited with being aggressively pro-free speech and is described as being Twitter’s “conscience-in-residence,” turning the company into “one of the fiercest defenders of user privacy in cyberspace,” the report states. Macgillivray’s departure may have industry wondering whether Twitter will “now have a less robust defence against government requests for user data and compromise its position on free speech and privacy online,” the report states.
Full Story

PRIVACY SCHOLARSHIP

Academics Explore the Intersection of Privacy and Big Data (September 4, 2013)

In anticipation of next week’s Future of Privacy Forum and Stanford Center for Internet and Society workshop on meeting the challenges of Big Data and privacy, Stanford Law Review has released its 2013 Symposium Issue with contributions from academics and other privacy experts. Academic works cover topics such as Big Data rewards, classification and fairness, paradoxes of Big Data, “preemptive analytics” and public vs. nonpublic data. Meanwhile, a new post by Ari Waldman in Concurring Opinions explores the “sociology of privacy.” Editor's Note: Look for IAPP coverage of the event next week.
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: HHS May Need More Innovation-Friendly Approach (September 4, 2013)

In this new age of information technology, protecting patient privacy in health exchanges can be a challenge, writes C. Jason Wang for The Journal of the American Medical Association. This is especially true under the Department of Health and Human Services’ (HHS) Omnibus Final Rule, which expands existing regulations under HIPAA and increases penalties for violations involving protected health information. While “the technical challenges can be overcome, the most important hurdles may come from costly, time-intensive efforts needed to comply with regulations on data protection,” Wang writes, adding that in the end, HHS may need to modify its regulations “to keep up with the advent of mobile technologies” and take an “innovation-friendly” approach to privacy. Editor’s Note: For more on grappling with the new components of HIPAA rules, see yesterday’s Privacy Perspectives blog post by Wiley Rein Partner Kirk Nahra, CIPP/US.
Full Story

MOBILE PRIVACY

Did NTIA’s Multi-Stakeholder Process Work? Depends On Whom You Ask. (September 3, 2013)
While many members of the National Telecommunications and Information Administration’s (NTIA) multi-stakeholder group on mobile app transparency will tell you they laud the NTIA’s efforts to bring together opposing forces to compromise on a self-regulatory code of conduct for mobile apps, not everyone is hot on the newly released code as it stands, and one consumer group says the NTIA isn’t the body that should lead the effort. Period. In this exclusive for The Privacy Advisor, the NTIA’s John Verdi and the Dept. of Commerce’s Cam Kerry discuss the outcome, and stakeholders weigh in on what went well and what could have gone better.

DATA LOSS—U.S.

FTC Files Complaint Against LabMD; Companies Suffer Breach Fallouts (September 3, 2013)

The Federal Trade Commission (FTC) has filed a complaint against medical testing laboratory LabMD, Inc., alleging the company failed to reasonably protect consumers’ personal data, including medical information. The FTC alleges that in two incidents LabMD collectively exposed 10,000 consumers’ personal information. Meanwhile, the insurance company for Schnuck Markets has filed a lawsuit against the company seeking release from liability after a data breach earlier this year, and The University of Texas has informed patients of a data breach after a laptop containing their personal data was stolen. In Florida, the State Department of Health is the subject of criticism over new proposals regarding an online prescription database. And the U.S. Department of Energy has disclosed new information on a data breach affecting more than 14,000 employees.
Full Story

CONSUMER PRIVACY—U.S.

FTC’s Ramirez Talks Big Data, Legislation (September 3, 2013)

In a Q&A with Politico, FTC Chairwoman Edith Ramirez discussed the FTC’s efforts to rein in Big Data players and ensure they play by the rules when it comes to privacy. The commission is in the process of conducting its study on Big Data practices and anticipates releasing a report by year’s end. “One of the concerns is that we don’t know enough about what’s happening—what information is being collected, how it’s being used, what sources are being used,” Ramirez said. Asked whether privacy legislation is needed, Ramirez said she’d “like to see Congress take action” and thinks “ultimately it will.”
Full Story

PRIVACY LAW

South Africa Gets a Law; Breach Notification Goes Into Effect in the EU, and More (September 3, 2013)

Last week saw a new law in South Africa, new guidelines from the Australian privacy commissioner, a new breach notification requirement in effect in the EU and U.S. states tackling big issues like e-mail and location privacy in the absence of forward motion on a federal level. In this week’s Privacy Tracker legislative roundup, you’ll get more in-depth information on all of the above and more—including a series of cases in Minnesota questioning the liability of government agencies when an employee violates the Driver’s Privacy Protection Act. (IAPP member login required.)
Full Story

HEALTHCARE PRIVACY—U.S.

Looking Beyond the New HIPAA Rules (September 3, 2013)

As HIPAA-covered entities and business associates scramble to revamp compliant HIPAA privacy and security policies and grapple with the new HITECH components of the HIPAA rules, the job may not be over, according to Wiley Rein Partner Kirk J. Nahra, CIPP/US. In this Privacy Perspectives post, Nahra observes “there is a wide range of other privacy and security practices, rules, laws and regulations that must be met—and the laundry list is evolving almost constantly,” adding, “It’s taken so long for the HITECH rules to become final that we’ve seen a whole new set of issues arise across the healthcare industry, resulting in a set of new challenges that must be addressed at the same time—and continuing beyond September’s HIPAA compliance date—for the healthcare industry and their service providers.”
Full Story

HEALTHCARE PRIVACY—U.S.

One-Hour Breach Reporting Provision Scrapped (September 3, 2013)

A proposal that would have required state health insurance exchanges to report data breaches to federal regulators within an hour of their discovery has been dropped from the final regulation, GovInfoSecurity reports. Instead, the Department of Health and Human Services (HHS) will rely on the “strict” breach reporting provisions included in its final rule, which is to be published in the Federal Register and slated to take effect by October 1.
Full Story

SURVEILLANCE—U.S.

DEA Works With Telecom To Use Data Trove (September 3, 2013)

The New York Times reports on the Hemisphere Project, a partnership between federal and local drug officials and AT&T. For at least six years, according to slides provided to the Times, law enforcement officials working on counter-narcotics operations with administrative subpoenas have had access to “an enormous AT&T database” containing decades of Americans’ phone calls. The government allegedly pays the telecommunications provider to place employees in drug-fighting units. The employees work with Drug Enforcement Administration officials and local detectives to provide phone data, often including location data, going back to 1987. The data—up to 4 billion phone records a day—is stored by AT&T and not the government. “Is this a massive change in the way the government operates?” queried a Columbia law professor. “No. Actually you could say that it’s a desperate effort by the government to catch up.” Meanwhile, in an op-ed, Ginger McCall, founder of Advocates for Accountable Democracy, writes about the future of technological surveillance, noting, “we are doing far too little to prepare ourselves.” (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—UK & U.S.

Aggregator To Show Users Their Data (September 3, 2013)

Data aggregator Acxiom is planning to unveil a free website where U.S. consumers can view the data the company has collected on them, The New York Times reports. Users who visit AbouttheData.com will view data on themselves including homeownership status, vehicle details, recent purchase categories and household interests. The site will allow users to click on icons to view the source the aggregated data came from originally. Acxiom’s CEO says the company aims to alleviate consumer fears on data aggregation by being more transparent. Meanwhile, a new UK platform allows users to sell direct access to their data to bidding companies. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

California Suspends RFID Legislation (September 3, 2013)

In the wake of concerns from privacy groups, California legislators have suspended SB 397, which would have allowed RFID chips to be embedded into driver’s licenses and state identification cards, Wired reports. California’s Assembly Appropriations Committee put the legislation on hold “despite it having been approved by the California Senate, where it likely will be reintroduced in the coming months,” the report states, noting, “Had the measure passed, it would have transformed the Sunshine State’s standard form of ID into one of the most sophisticated identification documents in the country, mirroring the four other states that have embraced the spy-friendly technology.”
Full Story

ONLINE PRIVACY

Project Aims To Educate About Digital Footprints (September 3, 2013)

GigaOm reports on a National Science Foundation-funded project called Teaching Privacy and a related online tool that lets users track the location of Twitter and Instagram users. Both the project and the “Ready or Not” tool aim to educate individuals—particularly high school students—about online privacy and how our personal information forms a digital footprint. Expanding on the Ready or Not geo-tracking tool, Gerald Friedland, an International Computer Science Institute researcher working on the Teaching Privacy project, said, “Most people…do not know that if you tweet something this location data is actually publicly available.” The researchers are also working on a study showing that an anonymous account holder of a service such as Yelp can have reviews cross-referenced with location data and timestamps on other services to reveal the user’s identity.
Full Story
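The cross-referencing the researchers describe, an anonymous reviewer's review times and business locations matched against the public geotagged posts of candidate accounts, is easy to reproduce. The following is an added example written for this digest; it is not code from the Teaching Privacy project or the Ready or Not tool. All coordinates, timestamps, account names and the 500 m / 90 minute matching thresholds are constructed assumptions chosen to show the linkage, not data from any real service.

```python
"""Spatio-temporal linkage: which public account co-occurs with an anonymous reviewer?

Added illustration, not the Teaching Privacy project's code. Sample data below is
constructed; thresholds (max_km, max_minutes) are assumptions an analyst would tune.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Event:
    """One observation: where and when something was posted (a review or a geotagged post)."""
    lat: float
    lon: float
    when: datetime


def haversine_km(a: Event, b: Event) -> float:
    """Great-circle distance between two events in kilometres (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def co_located(review: Event, post: Event, max_km: float, max_minutes: float) -> bool:
    """True when a public post falls within max_km and max_minutes of an anonymous review."""
    minutes_apart = abs((review.when - post.when).total_seconds()) / 60.0
    return minutes_apart <= max_minutes and haversine_km(review, post) <= max_km


def link_score(reviews, posts, max_km: float = 0.5, max_minutes: float = 90) -> int:
    """Number of anonymous reviews that have at least one matching post from one account."""
    return sum(1 for r in reviews if any(co_located(r, p, max_km, max_minutes) for p in posts))


def rank_candidates(reviews, accounts, max_km: float = 0.5, max_minutes: float = 90):
    """Rank candidate public accounts by how many of the reviews they can explain.

    Returns [(account_name, hits), ...] sorted by hits descending, then name.
    """
    scores = {name: link_score(reviews, posts, max_km, max_minutes) for name, posts in accounts.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# --- Constructed sample data (not real users or real posts) --------------------
# Four reviews by an "anonymous" reviewer; each carries the business location and
# the review timestamp, which the review site publishes.
REVIEWS = [
    Event(37.7749, -122.4194, datetime(2013, 8, 20, 12, 0)),
    Event(37.8080, -122.4177, datetime(2013, 8, 22, 18, 30)),
    Event(37.7694, -122.4862, datetime(2013, 8, 24, 10, 15)),
    Event(37.7599, -122.4148, datetime(2013, 8, 25, 20, 45)),
]

# Geotagged posts of three public accounts. "alice" posted near three of the four
# businesses within the hour; "bob" was at the first cafe once by coincidence;
# "carol" posts from another city entirely.
ACCOUNTS = {
    "alice": [
        Event(37.7752, -122.4190, datetime(2013, 8, 20, 12, 25)),
        Event(37.8078, -122.4180, datetime(2013, 8, 22, 17, 55)),
        Event(37.7697, -122.4858, datetime(2013, 8, 24, 11, 0)),
        Event(37.7900, -122.4000, datetime(2013, 8, 25, 9, 0)),
    ],
    "bob": [
        Event(37.7749, -122.4194, datetime(2013, 8, 20, 12, 10)),
        Event(37.7800, -122.4100, datetime(2013, 8, 23, 13, 0)),
    ],
    "carol": [
        Event(40.7128, -74.0060, datetime(2013, 8, 20, 12, 5)),
        Event(40.7306, -73.9352, datetime(2013, 8, 24, 10, 20)),
    ],
}


if __name__ == "__main__":
    for name, hits in rank_candidates(REVIEWS, ACCOUNTS):
        print(f"{name}: {hits}/{len(REVIEWS)} reviews explained")
```

A single coincidental match (bob) is noise; an account that explains most of the reviews (alice) is the likely author. The window parameters are the whole game: tightening `max_minutes` to 5 drops alice to zero hits here, which is also why coarsening the precision of published timestamps and locations, or not geotagging at all, is the practical defence the Ready or Not tool is trying to teach.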