Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

BIG DATA—U.S.

How To Solve Obama’s Big Data Challenge (January 31, 2014)
Speaking to a group of students earlier this week, White House Deputy Chief Technology Officer Nicole Wong discussed the challenges of addressing privacy when utilizing Big Data and highlighted President Barack Obama’s recently announced Big Data study to be headed by John Podesta. By making these recent remarks and initiating this new study, “President Obama grabbed the Big Data bull by the horns,” write Future of Privacy Forum Co-Founders Jules Polonetsky, CIPP/US, and Christopher Wolf and IAPP VP of Research Omer Tene. In this post for Privacy Perspectives, these three privacy experts lay out the potential privacy concerns while addressing “the profound impact of new technologies on Big Data business opportunities,” adding, “Big Data was all the rage in privacy circles in 2013, and now it is achieving appropriate, broad policy attention.”

DATA PROTECTION—U.S.

LabMD: FTC Investigation Forced Closure (January 31, 2014)

Atlanta-based LabMD shut down its operations this week due to the ongoing Federal Trade Commission (FTC) investigation over a data breach there, Computerworld reports. LabMD CEO Michael Daugherty says the FTC’s investigation is an “abuse of power” and has accused the FTC of overstepping its authority in its pursuit of LabMD. He added that the small company is “exhausted” from the last four years, during which the FTC has subpoenaed dozens of LabMD employees, required executives to travel to give depositions and requested information from the company.

PRIVACY COMMUNITY

A Record Night of Privacy After Hours Gatherings (January 31, 2014)

Privacy pros know that when they gather on IAPP Privacy After Hours nights they are part of something big. This past Tuesday night, however, was bigger than ever. More than 500 people who work with data—from all levels of experience, every sector and industry—gathered around the world in more than 30 locations. A big thank you to our volunteer hosts for setting up gatherings being described by participants as “extremely successful” and “practically a party … people didn’t want to leave.” For The Privacy Advisor, we’ve gathered up some scenes from around the globe.

PRIVACY LAW—U.S.

CA Senate Approves Bill Defining Collection and Use; AG Files Suit Over Kaiser Breach (January 31, 2014)

California’s Senate approved a measure Thursday aimed at protecting consumers’ information from being misused, Los Angeles Times reports. The bill, introduced by Sen. Hannah-Beth Jackson (D-Santa Barbara), would limit online merchants’ collection of data to only that which is necessary and would prohibit the merchants from selling the data or using it for marketing purposes. Meanwhile, a recent breach at Snapchat narrowly avoided repercussions under California’s updated data breach law, which took effect January 1, and the state’s attorney general recently filed a suit against Kaiser Foundation Health Plan for a 2011 breach.

PRIVACY RESOURCES

New Whitepapers on Cloud Computing (January 31, 2014)

The IAPP has recently added to the Resource Center a series of four articles by Kuan Hon, Christopher Millard, Ian Walden and Julie Hornle of Queen Mary University of London. The articles cover topics including what personal data is regulated in cloud computing, who is responsible for it, jurisdiction concerns and exporting data outside the European Economic Area. Editor’s Note: Christopher Millard will take part in the preconference session The Privacy Pro's Field Guide to Contracting and Compliance in the Cloud at this year’s Global Privacy Summit. Register for the session online and receive a free copy of Millard’s book, Cloud Computing Law.

BEHAVIORAL TARGETING

Researcher Identifies 212 Data Brokers; Fewer Than Half Allow Opt-Outs (January 31, 2014)

Journalist and author Julia Angwin recently sought to find the information commercial data brokers store about her, she reports on her blog. During her research, she discovered some of the data was incorrect—one broker asserting she was a single mother with no education—and decided to opt out. But fewer than half of the 212 data brokers Angwin identified offered opt-outs—there are no laws requiring they do so. In this post, Angwin provides two downloadable spreadsheets for users to both identify data brokers and then decipher which of them allow opt-outs. Editor's Note: Julia Angwin will give a keynote address at the IAPP Global Privacy Summit, March 5-7, in Washington, DC.

GEO PRIVACY—U.S.

Personalized Ads Super Bowl-Style; SocialRadar Released (January 31, 2014)

As the NFL makes last-minute preparations for this Sunday’s Super Bowl, The New York Times reports on plans to feature personalized ads based on physical location, both in Times Square and at MetLife Stadium. At both locations, the NFL has placed transmitters designed to send ad-based signals to smartphones. “When it rolls out, you will see all this utility for it,” said the University of Washington’s Ryan Calo, “And at some point, the economic incentives will come into play, and it won’t be pretty.” Meanwhile, a new iPhone app called SocialRadar has been released. The app aggregates data from Facebook, Foursquare, Instagram, Twitter, LinkedIn and Google+ and finds users’ social media contacts based on location and shares locations, profile data and recent posts. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

World Privacy Forum Releases New HIPAA Report (January 31, 2014)

The World Privacy Forum (WPF) has released a new report on a recently added option within the Health Insurance Portability and Accountability Act (HIPAA) on the right to restrict disclosure. Co-written by WPF Founder and Executive Director Pam Dixon and privacy and information policy consultant Bob Gellman, Paying out of Pocket To Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right To Restrict Disclosure looks into this new right as it “will take effort and planning for patients to utilize effectively,” the WPF press release states.

DATA PROTECTION—SOUTH KOREA

Commissioner Fines Google Over Street View (January 31, 2014)

South Korea’s communications regulator is fining Google over its Street View operations there. It’s the regulator’s first fine of a global company for privacy violations. The $196,000 fine results from the collection of residents’ personal data while the company took pictures for its Street View service, The Korea Herald reports. The move follows similar actions in Canada and France, among other jurisdictions. “This commission will punish those who collect information of the Korean public without exception,” said Korea Communications Commission Chairman Lee Kyung-jae.

MOBILE PRIVACY—EU & U.S.

The All-New IAPP Mobile App Privacy Tool (January 30, 2014)
With nearly unlimited niches to fill and a global audience within reach, the mobile app universe can be richly rewarding—but it can also present privacy pitfalls for those who leap before they look. Regulators globally have begun to turn a watchful eye toward the privacy and security practices of mobile apps. You may now find it difficult to navigate the numerous guidance documents in order to understand what your app or mobile platform can and can’t do with users’ data. The IAPP’s Westin Research Center has launched a new tool to help with compliance requirements imposed by regulators and trade associations in both the U.S. and Europe.

PRIVACY—U.S.

What Will the New CPO at NSA Do, Anyway? (January 30, 2014)

Rebecca Richards, CIPP/US, CIPP/G, moves from a privacy office at the Department of Homeland Security where her job is literally written into law to a brand-new office at the NSA where she will be building a privacy office from scratch. What will her role be? Will NSA leadership respect her? Does her background suggest she’ll find success? In this exclusive for The Privacy Advisor, hear thoughts on these questions and more from former DHS CPOs Nuala O’Connor, CIPP/US, CIPP/G, and Mary Ellen Callahan, CIPP/US, and former NSA General Counsel Stewart Baker.

PRIVACY LAW—U.S.

Criminal Liability in Breach Legislation Could Be a Recipe for Disaster (January 30, 2014)

With recent high-level data breaches, and the introduction by Sen. Patrick Leahy (D-VT) of the Personal Data Privacy and Security Act of 2014, some are hopeful a federal breach notification statute is on the horizon. There is one issue, however, raised by Leahy’s bill that “deserves considerable debate,” writes Andrew Proia, of Indiana University’s Center for Applied Cybersecurity Research and Maurer School of Law. “In addition to creating the federal breach notification law, Section 102 of Leahy’s bill would open the door to criminal liability for anyone who ‘intentionally and willfully’ conceals the fact of a security breach,” he writes for Privacy Perspectives, adding, “it would be wise for the information privacy and security community to think critically about whether the bill’s criminal statute would be a prudent addition.”

SURVEILLANCE—U.S.

Officials Want Rules on Data Breach Disclosures (January 30, 2014)

U.S. law enforcement officials have called on Congress to draft stricter requirements for how retailers and other private businesses should report large breaches of personal and financial data, Reuters reports. FBI Director James Comey said political uproar over surveillance and the Edward Snowden leaks has complicated discussions about how to fight consumer data breaches, the report states. "There is the threat of fraud and theft because we've connected our lives to the Internet," Comey said. "We need to make sure that the private sector knows the rules of the road and how we share that information with the government." Meanwhile, Sen. Jay Rockefeller (D-WV) has qualms with letting a third party store NSA telephone metadata.

PRIVACY LAW—U.S.

Constitutionality of NSA Surveillance Challenged in Court (January 30, 2014)

A suspect facing terrorism charges has become the first criminal defendant to challenge the constitutionality of the National Security Agency’s bulk surveillance program, The Washington Post reports. A motion was filed in a federal court to suppress any evidence against the defendant gathered from the warrantless government surveillance under the FISA Amendments Act. The defendant “believes that the government’s surveillance of him was unlawful for the simple fact that it was carried out … under a statute that fails to comply with the Fourth Amendment’s most basic requirements,” according to the motion. In a separate case, for the first time in FISA’s 36-year history, a federal judge has allowed a defense lawyer to review classified evidence gathered under the law. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Google Denied Chance To Immediately Appeal Wiretap Ruling (January 30, 2014)

U.S. District Court Judge Lucy Koh has denied Google’s request to immediately appeal her ruling that the company’s scanning of Gmail messages potentially violates the Electronic Communications Privacy Act, MediaPost News reports. That means the ruling will stand for now. Koh’s ruling could have implications for Internet service providers’ common practices—even seemingly innocuous ones like scanning for viruses. “We desperately need clarity on the legal question,” said one law professor, adding it could be months, years or longer before that arrives.

PRIVACY BY DESIGN

Whitepaper Highlights Emerging Privacy Engineer Discipline (January 30, 2014)

A new whitepaper surveying the emerging discipline of privacy engineering has been released. Co-written by Ontario Information and Privacy Commissioner Ann Cavoukian, Stuart Shapiro of the MITRE Corporation and Enterprivacy Consulting Group’s R. Jason Cronk, CIPP/US, Privacy Engineering: Proactively Embedding Privacy, by Design “seeks to promote a broader understanding and deeper practice of privacy engineering.” Editor’s Note: In a Privacy Perspectives installment, Cronk wrote, “Is 2013 the Year of the Privacy Engineer?”

CHILDREN’S PRIVACY—U.S.

Gov’t To Fund Devices To Track Children With Autism (January 30, 2014)

Sen. Charles Schumer (D-NY) said Wednesday the federal government will fund voluntary-use GPS tracking devices for children with autism or other disorders that put them at risk when away from their caregivers, the Associated Press reports. The federal government, led by the Justice Department, has already funded a similar program for individuals with Alzheimer’s disease. The new program stems from a recent case where a 14-year-old with autism died after disappearing from his school. The case is still under investigation. Schumer said the program would be voluntary and work in conjunction with local law enforcement. The devices cost approximately $85, plus monthly fees.

PRIVACY COMMUNITY—U.S.

NSA Announces First-Ever Chief Privacy Officer (January 29, 2014)
The Washington Post reports on the National Security Agency’s announcement that it has named IAPP member Rebecca Richards, CIPP/US, CIPP/G, its first-ever privacy officer. Former Department of Homeland Security (DHS) official Paul Rosenzweig told the Post that Richards, leaving DHS for the new job, has her work cut out for her and civil libertarians are skeptical. However, former DHS CPO Mary Ellen Callahan, CIPP/US, told Daily Dashboard, “She is one of the best privacy officials I have worked with in over a decade and a half of privacy counseling. She works meticulously with the program managers and creators of new programs, and demonstrates an ardent level of diligence and devotion to privacy.” Meanwhile, a report for Federal News Radio says agencies are now treating privacy the way they treated cybersecurity five years ago, as a “classic risk-management issue.” But privacy is “hard to define because it means different things to everyone,” making the role of CPO somewhat less defined than a CSO. Editor’s Note: Look for a story on Richards’ appointment in The Privacy Advisor tomorrow. (Registration may be required to access this story.)

PERSONAL PRIVACY

Which Information Do Consumers Most Closely Guard? (January 29, 2014)

Though consumers don’t always know how companies collect their data, which often causes a “trust gap,” evidence exists that consumers are still willing to exchange some of their personal information for products and services. Create with Context (CwC) recently surveyed 800 consumers to find out what information they would be willing to give up “in exchange for 50 percent off three different items: a gallon of milk, a large-screen television and a new car.” This Privacy Perspectives post reveals what CwC’s Ilana Westerman and Gabriela Aschenberger found, including how “97 percent of respondents said they’d be willing to give up at least one piece of data about themselves in exchange for a discount,” while noting that consumers don’t guard “all their information with equal vigilance.” 

PRIVACY LAW—BRAZIL

2014 Brings the World Cup and Perhaps New Privacy Laws (January 29, 2014)

This Privacy Tracker post from the Hogan Lovells privacy team explores the impact two proposed privacy laws would have on organizations that provide digital products and services to Brazilian consumers. The Marco Civil da Internet would establish data protection requirements and preserve net neutrality, and the Data Protection Bill would establish an EU-style framework for the processing of personal data. These laws have been in limbo for the past few years, but will the fallout from U.S. government surveillance practices be the inspiration Brazilian lawmakers need to pass provisions, including some that would restrict cross-border data transfers?

PRIVACY

Given the Heightened Fervor, What’s To Come in 2014? (January 29, 2014)

In this exclusive for The Privacy Advisor, Brian Dean, CIPP/US, pulls out his “foggy crystal ball” and prognosticates the future of privacy and security, looking at controversial topics including Safe Harbor, the NSA, the erosion of consumer trust, facial recognition and data brokers. “For data privacy and security professionals, this year offers optimism, but with looming midterm elections and recent significant data breaches, only subtle privacy improvements are likely,” Dean writes.

CONSUMER PRIVACY—U.S.

FTC’s Rich and Microsoft, Intel CPOs Talk Privacy, Accountability (January 29, 2014)

Federal Trade Commission (FTC) Director of Consumer Protection Jessica Rich spoke Tuesday at the National Cyber Security Alliance promoting Data Privacy Day and highlighting plans for the FTC, Broadcasting & Cable reports. In addition to calling for more data security legislation, Rich announced the release of revised Net Cetera guidelines for parents teaching children safe web navigation. She also noted the FTC still plans to release a report on the data broker industry in the coming months and that industry needs to increase “real privacy protections” instead of “empty promises.” Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, said it’s important for companies, rather than consumers, to protect privacy, “assess the risk, weigh the value and make a decision.” Intel Global Privacy Officer David Hoffman, CIPP/US, also emphasized industry accountability, adding, “Distrust is the cancer that could kill the digital economy.” Editor's Note: Rich will speak with Hogan Lovells' Christopher Wolf and the IAPP's Omer Tene at the IAPP Global Privacy Summit, March 5-7, in Washington, DC.

ONLINE PRIVACY—U.S.

Are You Prepared To Update Your Privacy Policy? (January 29, 2014)

New state and federal legislation as well as industry and technological innovation are prompting online businesses to update their privacy policies. Companies collecting consumer data in California need to know about the state’s Do-Not-Track mandate, and for businesses moving to mobile applications, creating a solid privacy policy will be essential. On February 27, legal and public policy experts will share advice for updating online privacy policies. Panelists including California Department of Justice Director of Privacy Education and Policy Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, Latham & Watkins Partner Jennifer Archie, CIPP/US, and Dorsey & Whitney Partner Melissa Krasnow, CIPP/US, will share practical teaching and drafting tips on everything from California’s new legislation to mobile disclosures to updated rules for children and teens to cross-border collection and more.

BEHAVIORAL TARGETING—U.S.

Whitepaper Imagines Cookie-Free World; Ad Choices Icon Unsuccessful? (January 29, 2014)

The Wall Street Journal reports on a whitepaper released Tuesday examining how online ads might function in a cookie-less world. The Interactive Advertising Bureau published “Privacy and Tracking in a Post-Cookie World,” which it calls a “first step” toward “eliminating one of the biggest limitations impacting mobile advertising today.” Meanwhile, a TRUSTe report indicates web users are increasingly concerned about online privacy, and new research suggests the Digital Advertising Alliance’s AdChoices icon, used in targeted display advertising as part of its public education campaign, hasn’t been as effective to date as the coalition may have hoped. (Registration may be required to access this story.)

DATA PROTECTION—U.S.

DMA Releases Guidelines on Breaches; Retail Association Launches Initiative (January 29, 2014)

The Digital Marketing Association says it will be releasing new guidelines for best practices on data breach protection, Broadcasting & Cable reports. The guidelines will include advice on data minimization, transparency on data use and cleaning and purging instructions. Meanwhile, a liability insurer at KPMG says the firms that need cyber insurance the most aren’t investing in it. Following the Target breach, the Retail Industry Leaders Association has launched an initiative to provide additional safeguards for consumer transactions, and the co-founder of a new service says it has struck the right balance between employee privacy and corporate security.

SURVEILLANCE—U.S.

Lavabit Founder Fights Contempt-of-Court Charges (January 29, 2014)

CIO reports on the fight by Ladar Levison, founder of the now-defunct e-mail encryption service Lavabit, against contempt-of-court orders. The case involves Levison’s refusal to hand over data on a particular user, rumored to be Edward Snowden, when the government came knocking for it; specifically, they wanted Levison’s SSL keys, which decrypt encrypted data. Three judges for the Fourth U.S. Circuit Court of Appeals in Virginia are hearing the case, one of whom criticized the FBI agents involved in the case for not working with Lavabit to overcome the technical obstacles that delayed Levison’s eventual compliance. The government does not plan to prosecute Levison for obstruction of justice for shutting down Lavabit, the report states. Editor’s Note: The Privacy Advisor spoke with Levison recently on the day the FBI Came Knocking.

The Big News from IAPP Data Protection Congress (January 28, 2014)
The IAPP’s recent Data Protection Congress in Brussels proved to be full of robust discussions and even disagreements on the future of everything from Safe Harbor to notice-and-consent to NSA spying. In this roundup, we summarize the most stimulating conversations and presentations, including a showdown between former U.S. National Security Agency (NSA) General Counsel Stewart Baker, anonymous Internet platform Tor’s Jacob Appelbaum, Vodafone CPO Stephen Deadman and Ralf Bendrath, policy advisor to German MEP and Data Protection Regulation Rapporteur Jan Philipp Albrecht.

PRIVACY

IAPP Releases Two New Whitepapers for #DPD2014 (January 28, 2014)
Looking for tools to help you spread the message of privacy professionalism through your organization or community? The IAPP has released for Data Privacy Day two new whitepapers. “Privacy Policies: How To Communicate Effectively With Consumers” is a collaboration between the IAPP, Kinsella Media and Rust Consulting and features new research on how consumers interact with privacy notices posted online. “Privacy 101 for SMEs: The Best Defense Is a Good Offense” was written by IAPP VP of Research and Education Omer Tene and Network Advertising Initiative President and CEO Marc Groman, CIPP/US, and provides practical advice for setting up a privacy program at, for example, a small tech start-up. Both papers are free for download and can be distributed as you see fit. Help spread the word of professional privacy practices. Editor’s Note: Celebrate Data Privacy Day at one of a record 36 scheduled Privacy After Hours events tonight.

SURVEILLANCE—U.S.

Justice Dept. To Allow More Transparency; More Surveillance Programs Revealed (January 28, 2014)

Ahead of President Barack Obama’s annual State of the Union speech on what many in the privacy community know as Data Privacy Day, the Justice Department agreed on Monday to let technology companies disclose more data to the public on national security requests. The agreement will allow companies—including Facebook, Apple, Microsoft, Google and Yahoo—to publish additional aggregate information, including, for the first time, Foreign Intelligence Surveillance Court requests. This roundup for The Privacy Advisor looks into the agreement and what’s expected from Obama’s State of the Union address tonight, as well as new documents leaked by Edward Snowden on the U.S. NSA and UK’s GCHQ surveillance programs.

TRANSPARENCY—U.S.

Will Transparency Calm Concerns Over Government Access? (January 28, 2014)

In light of Monday’s agreement by the U.S. Department of Justice to allow Internet companies to disclose more aggregated data on law enforcement requests for access to user information, Hogan Lovells’ Christopher Wolf delves into whether increased transparency will quell concerns over government access. In this post for Privacy Perspectives, Wolf writes, “The transparency reports, which soon will have greater granularity, should help the world understand that the U.S. is hardly alone in its national security practices and that reform needs to be viewed as a global concern.” Editor’s Note: Wolf will moderate a panel at the IAPP Global Privacy Summit on “Governmental Access to Private-Sector Data: The Realities and Impacts in the U.S. and EU” featuring former NSA General Counsel Stewart Baker, Civil Liberties Protection Officer Alexander Joel, CIPP/US, CIPP/G, and the ACLU’s Chris Calabrese.

PRIVACY

Opinion: Privacy Is Not Dead; Innovate for the Future (January 28, 2014)

“It’s time to get over zero-sum thinking about Internet privacy,” writes Respect Network CEO Drummond Reed, adding, “Privacy is not dead or dying because of the advances in new technologies.” Reed’s comments are in response to a recent Privacy Perspectives post by IU CLEAR Director Stanley Crosley, CIPP/US, CIPM, called “Old School Privacy is Dead, But Don’t Go Privacy Crazy.” Reed opines in his response on Perspectives that “it’s not an either/or proposition, and the thought of abandoning the notion of user control simply invites control by others.” Instead of “suggesting that privacy must adapt to technology,” Reed notes, privacy should be “embedded into technology systematically so as to remove the burden from the individual to protect their privacy.”

DATA PROTECTION—EU

EU Officials Seek Deal by Year’s End; Hustinx To Stay on the Job (January 28, 2014)

Bloomberg reports on EU plans for negotiations on the data protection regulation to resume, with EU officials agreeing on a roadmap that would see the law adopted before the end of this year. “We cannot afford any more delay,” said German MEP Jan Philipp Albrecht. Meanwhile, EU Justice Commissioner Viviane Reding recently discussed with the BBC how the U.S. National Security Agency’s spying revelations were a “wake-up call.” And outgoing European Data Protection Supervisor Peter Hustinx has agreed to stay on the job until October after the European Commission rejected the candidates seeking to replace Hustinx.

PRIVACY COMMUNITY

Want to Speak at the All-New Academy? (January 28, 2014)

The IAPP and the Cloud Security Alliance have opened up the call for presentations for the 2014 Privacy Academy, a joining of the IAPP Privacy Academy and the Cloud Security Alliance Congress. The event happens September 17-19, and the programmers of the event are looking for innovative presentations in areas like the Internet of Things and connected devices, Big Data, risk management, privacy and cloud computing, employee privacy issues like BYOD and many more. This is the place where information security and privacy meet up to find technological solutions to the leading privacy issues of our day. The call for proposals ends February 21.

SOCIAL NETWORKING—U.S.

Suit Accuses Facebook of Scanning Users’ Private Messages (January 28, 2014)

Facebook is facing a second potential class-action lawsuit accusing it of scanning users’ personal messages to each other, Media Post reports. In the complaint filed last week in the Northern District of California, David Shadpour says, “Facebook’s desire to harness the myriad data points of its users has led to overreach and intrusion on the part of the company as it mines its account holders’ private communications for monetary gain.” Shadpour says the practice violates California laws. The suit is similar to one filed late last year.

HEALTHCARE PRIVACY—U.S.

Is Policy Needed for “Personal Representative” PHI Disclosures? (January 28, 2014)

Federal health IT advisors are struggling with whether new policies are needed to address an ongoing and increasingly common HIPAA issue likely to grow as baby boomers age, Government Health IT reports. The issue at hand is caregiver, family member and “personal representative” access to patients’ personal information, the report states; HIPAA’s privacy rule requires covered entities to provide someone authorized under state law to act on a patient’s behalf with access to their personal health data. The Health IT Policy Committee’s Privacy & Security Tiger Team Co-Chair Deven McGraw discussed whether policy should be developed on the matter or if “best practices” recommendations would suffice.

PRIVACY—U.S.

MRA Names Top 10 Gov’t Officials in Privacy (January 28, 2014)

In recognition of Data Privacy Day, the Marketing Research Association has published a list of the “Top 10 Government Players in Consumer Data Privacy in 2014.” The list is topped by President Barack Obama for his multi-stakeholder approach to the White House’s Consumer Privacy Bill of Rights and his efforts to “demonize” private-sector data collection. The list also includes Federal Trade Commission (FTC) Chairwoman Edith Ramirez, Sen. Jay Rockefeller (D-WV), FTC Commissioners Julie Brill and Maureen Ohlhausen, and Sen. Al Franken (D-MN), among others.

DATA PROTECTION—EU & U.S.

Will FTC’s Recent Safe Harbor Settlements Quench Europe’s Thirst for Enforcement? (January 27, 2014)
The Federal Trade Commission (FTC) last week announced it had settled with 12 U.S. companies over charges they let their Safe Harbor certifications lapse but still indicated they were certified. Was the move a response to recent criticism from the EU? The FTC said it was business as usual. But does it at least indicate more enforcement to follow? Will the EU be placated? FTC Commissioner Julie Brill said she does not “believe these settlements were reached because of pressure from the European Commission or anyone else.” But some say the settlements were expected and the “ball was in the FTC's court after the developments in Europe.” The researcher who filed the complaints said he supports all but one of the settlements. This exclusive for The Privacy Advisor zooms in.

PERSONAL PRIVACY—UKRAINE & U.S.

Was It a Week of “Tangible” Privacy Harms? (January 27, 2014)

Two recent news events may show evidence of “tangible” privacy harms. One involved a U.S. family that received marketing mail from OfficeMax in an envelope reading, “Daughter Killed In A Car Crash Or Current Business,” prompting this Privacy Perspectives post to ask, “Can we safely say this was a tangible privacy harm?” The second event involved the riots in Kiev, Ukraine, and a government text message warning citizens within that location, “Dear subscriber, you are registered as a participant in a mass riot.” With new laws mandating potential 15-year sentences for participating in such riots, Perspectives asks “what if you were just a random person going about your day on the side of the street and received that text message? Does the dark pit of fear that developed in your stomach count as harm?”

PRIVACY LAW

Privacy on the Docket from Davos to DC (January 27, 2014)

While industry leaders at the World Economic Forum in Davos, Switzerland, called for new rules surrounding data protection, the U.S. Supreme Court announced it will hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. And, the U.S. Federal Trade Commission announced settlements with 12 companies over false claims of alignment with Safe Harbor rules. In this Privacy Tracker roundup, learn about these issues as well as bills being considered by U.S. state legislatures, how Obama’s NSA plans may affect EU law and more. (IAPP member login required.)

SURVEILLANCE—U.S.

Cryptographers, Others Sound Off on NSA Programs (January 27, 2014)

The Verge reports on pressure on the U.S. government to reform the NSA’s surveillance programs, most recently from more than 50 cryptography experts in an open letter published Friday. “The value of society-wide surveillance in preventing terrorism is unclear, but the threat that such surveillance poses to privacy, democracy and the U.S. technology sector is readily apparent,” the letter reads. Meanwhile, the Republican Party passed a resolution at its annual meeting on Friday condemning the NSA’s massive collection of data. Stanford Center for Internet and Society’s Jennifer Granick writes on the Privacy and Civil Liberties Oversight Board’s report that NSA data collection is illegal.

ONLINE PRIVACY—EU & U.S.

On the Eve of Data Privacy Day, Study Highlights Differing Perspectives (January 27, 2014)

On the eve of Data Privacy Day, the debate over online privacy is more complicated than ever, ZDNet reports. “Pre-Snowden, most discussions of privacy focused on data collection by giant advertising and analytics companies. That was the impetus for the Do Not Track initiative,” the report states, adding, “Post-Snowden, discussions of online privacy have taken on a darker tone, one that regularly verges on scenarios that would have been considered paranoid only a year ago.” With tomorrow’s observation of the first Data Privacy Day in this new era, the report examines a recent Microsoft survey “of technically sophisticated customers” in the U.S. and EU that found, “not surprisingly, there are some big differences in attitudes between consumers in the U.S. and those in the more privacy-sensitive European Community.”

CYBERSECURITY—U.S.

Possible Breach Hits Michaels Stores; Has PCI Been Undermined? (January 27, 2014)

KrebsOnSecurity reports on a potential data breach affecting Michaels Stores. The U.S. Secret Service has confirmed it is investigating the incident. A company statement cites “possible fraudulent activity on some U.S. payment cards … suggesting that the company may have experienced a data security attack.” With recent breaches hitting Target and Neiman Marcus, a column in Computerworld asks whether the Payment Card Industry Data Security Standard (PCI DSS) is ineffective. A recent letter from Neiman Marcus CIO Michael Kingston to Sen. Richard Blumenthal (D-CT) suggests that, although the company complied with PCI DSS, that compliance brought limited security against a massive intrusion. In a Q&A with Kroll’s Timothy Ryan, USA Today explores how retailers rationalize not disclosing breaches or delaying breach notification to consumers.

SURVEILLANCE—U.S.

San Jose Considers Tapping Private Surveillance Cameras (January 27, 2014)

Under a new proposal to be heard by San Jose’s City Council next week, police would be able to tap into residents’ private video cameras, Emergency Management reports. The proposal would allow property owners to voluntarily register their security cameras for a new database managed by the San Jose Police Department in order to help solve crimes. A spokesperson from the police department said it is reviewing the program’s merits and any privacy concerns.

DATA PROTECTION

E-Receipts Helping Retailers Do More than Save Paper (January 27, 2014)

Paper receipts are headed toward extinction, Today reports, as e-receipts increasingly become commonplace. But e-receipts may serve more of a purpose for merchants than is obvious. “Merchants see digital receipts as a way to ‘engage’ with their customers. Translation: They see this as a new marketing channel—an efficient way to sell you more stuff,” the report states. While collecting customer data can be difficult, e-mailing receipts is “a fairly effective and simple way to get accurate contact points for your customer base,” says one CEO. A recent Epsilon International report found that 83 percent of retailers offering e-receipts did so to obtain a customer’s e-mail address.

BIG DATA—U.S.

White House Launches Future of Privacy Review (January 24, 2014)
John Podesta, a counselor to the president, announced in The White House Blog he will lead a review on how “Big Data will affect the way we live and work; the relationship between government and citizens, and how public and privacy sectors can spur innovation and maximize the opportunities and free flow of this information while minimizing the risks to privacy.” Podesta will be joined by the secretaries of commerce and energy as well as science and economic advisors and “other senior government officials” to “help identify technological changes to watch; whether those technological changes are addressed by the U.S.’s current policy framework, and highlight where further government action” may be needed. Meanwhile, Future of Privacy Forum Director Jules Polonetsky, CIPP/US, and George Mason University’s Adam Thierer appeared on PBS Newshour to discuss the future of privacy in a Big Data world.

PRIVACY TOOLS

A New Handy Guide to Global DPAs (January 24, 2014)

The legal world is still fond of reference books. How many of you have giant binders on your shelves into which you insert this year’s latest update on some area of law or other? For a quickly changing legal environment like privacy, though, your binder fills up fast. Pretty soon, you need another binder. Luckily, we have the Internet. DLA Piper has attacked the problem of surveying the world’s data protection laws and regulations with a handy online and interactive guidebook for which they’ve released version 3.0 just in time for Data Privacy Day. Find out where it lives and how it was developed in this exclusive for The Privacy Advisor.

PRIVACY BUSINESS

IAPP Launches Industry of Privacy Survey (January 24, 2014)

As part of our organization’s efforts to better understand the industry of privacy and the collective budgetary power of privacy professionals, the IAPP has launched an ambitious program to study the economic impact of the privacy industry and distribute the results to the world at large. And we need your help. Please take our first survey and be part of this effort to benchmark spending and help privacy professionals around the globe better shape their privacy programs.

SURVEILLANCE—U.S.

PCLOB: NSA Phone Program Is Illegal (January 24, 2014)

The Privacy and Civil Liberties Oversight Board (PCLOB) released its report on the National Security Agency (NSA) program that collects en masse phone metadata, noting it provides minimal benefits to thwarting terrorism, is illegal and should come to a halt, Reuters reports. The PCLOB report goes further in criticizing the programs than did President Barack Obama and his ad hoc review panel. “The Section 215 bulk telephone records program lacks a viable legal foundation under Section 215,” the PCLOB report states, adding it “raises serious threats to privacy and civil liberties as a policy matter and has shown only limited value.” Two of the board’s members—Rachel Brand and Elisebeth Collins Cook—voted against the recommendation to end the bulk collection. The PCLOB is also working on a separate report on the NSA’s Internet surveillance. The Guardian has compiled quotes from groups and lawmakers calling for the end of bulk phone records collection.

DATA LOSS—U.S.

Industry Is Begging for Federal Rules? Yes, As Breaches Prove Hard To Clean Up (January 24, 2014)

Sony PlayStation users who filed a class-action lawsuit following the 2011 data breach have “limited berth to sue,” Courthouse News Service reports. The class-action claimed Sony failed to notify the users of the breach in a timely manner and didn’t remedy its known system vulnerabilities. But a judge found the class didn’t have standing to bring its claims. Meanwhile, three Democrats from the House of Representatives have sent Target’s CEO a letter seeking documents on its recent data breach. And the Neiman Marcus data breach appears to be worse than originally thought: Hackers were in for months, it seems. A National Journal piece says big-box stores are “begging” Congress to require them to notify customers when a data breach occurs; such a rule would streamline compliance across the nation rather than the current requirements of complying with individual state rules.

DATA PROTECTION—EU

Regulation Won’t Be Adopted Before May Elections (January 24, 2014)

With several member states aiming to water it down, the revised data protection law will not be adopted before European Parliament elections in May, EUObserver reports. On Wednesday, EU Justice Commissioner Viviane Reding and the lead negotiators on the package agreed to set the deadline for before the end of the year. German Green MEP Jan Philipp Albrecht said the timetable established seeks a mandate for negotiations in June, adding, “If it will be possible to stick to this timetable, this would be good news and important.” The member states aiming to soften the regulation—UK, Denmark, Hungary and Slovenia—would prefer to see it turned into a directive instead.

BIOMETRICS

Facial Recognition Databases Demand “Responsible” Actions; App Explores Augmented Reality (January 24, 2014)

In a column for The Atlantic, Profs. Woodrow Hartzog and Evan Selinger highlight the importance of separating facial recognition apps and large databases in order to protect privacy and relative anonymity in public. “No matter how powerful a facial recognition app is designed to be, it can’t get the job done without being connected to a database that links names to faces,” they write, adding, “the key is to ensure legal and social pressure demands the same responsible behavior from database owners as it does from designers, hosts and users of facial recognition technologies.” Meanwhile, CNET News reports on an augmented reality app planned for Google Glass. The Brain app would lay data from the virtual world—such as a Facebook profile—over what’s being observed in the real world. The company’s chief executive said, “We are trying to develop the platform … to try to anticipate and understand what you need and what you want and then present it when you need it.”

PRIVACY—NEW ZEALAND

The Interesting View From the NZ Privacy Office (January 24, 2014)

“One of the dubious delights of being a privacy regulator,” writes Assistant Privacy Commissioner of New Zealand Katrine Evans, “is the unexpected things that crop up during every working week.” In this latest Privacy Perspectives post, she provides a thumbnail sketch of the major issues she sees coming across her desk in 2014, from wearables to a reform of the Privacy Act to biometrics—even the departure of Privacy Commissioner Marie Shroff, who leaves her post after 10 years on the job.

HEALTHCARE PRIVACY—UK

Intersection of Big Data, Healthcare Promises Benefits But Raises Concerns (January 23, 2014)

The Guardian reports on how the “ability to create and capture data is exploding and offers huge potential for the NHS to save both lives and scarce resources” as well as “the potential to personalise healthcare for every NHS patient.” In a separate report, the newspaper looks at privacy concerns around a plan to sell NHS patient information—“scrubbed of some personal identifiers”—to drug and insurance firms. Health and Social Care Information Centre’s Mark Davies has indicated “the process for anonymising personal medical information, aggregating the data and selling it to third parties such as medical researchers and insurance companies does not have to guarantee individuals' privacy to comply with UK data protection rules,” the report states.

PRIVACY LAW—U.S.

Is a Constitutional Amendment the Answer to Restricting Data Collection? (January 23, 2014)
Last Sunday, privacy scholar and National Constitution Center President and Chief Executive Jeffrey Rosen opined that a constitutional amendment may be needed to “prohibit unreasonable searches and seizures of our persons and electronic effects, whether by the government or by private corporations like Google and AT&T.” But Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center, disagrees. In this Privacy Perspectives post, Thierer explains why there “are several problems with Rosen’s proposal—legal, economic and practical” and writes “that better alternatives exist to deal with the privacy concerns he identifies.”

HEALTHCARE SECURITY—U.S.

Rodriguez Is Leaving OCR: A Look at His Legacy and the Hole He Leaves Behind (January 23, 2014)

News that President Barack Obama has nominated Department of Health and Human Services Office for Civil Rights (OCR) Director Leon Rodriguez to direct U.S. Citizenship and Immigration Services has spiked the heart rates of some in the healthcare industry. The Privacy Advisor reports on this shift, which would leave the OCR director post vacant for the foreseeable future—and at an historic juncture. While HIPAA passed in 1996, its rules were enforced more like suggestions than federal mandates during the early years. But when Rodriguez took his post as OCR director in 2011, armed with powers granted under HITECH, the tone shifted, healthcare insiders seem to agree. As his departure looms, who will take his place and how will HIPAA enforcement change?

DATA PROTECTION

Microsoft Hints Overseas Users Can Store Data Outside U.S. (January 23, 2014)

Microsoft General Counsel Brad Smith has suggested that overseas users will be able to store their data outside of the U.S., in what Reuters reports as “the most radical move yet by a U.S. technology company to combat concerns that U.S. intelligence agencies routinely monitor foreigners.” According to Financial Times, Smith said users “should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.” As one example, Smith said, Europeans could choose to store their data in Microsoft’s data center in Ireland.

PRIVACY LAW—U.S.

Viacom Hit with Privacy Lawsuit; Group Files Complaint with FTC (January 23, 2014)

Google and Viacom are asking a federal judge to dismiss a potential class-action lawsuit that argues the companies are violating privacy laws at Nick.com, NickJr.com and NeoPets, MediaPost News reports. The lawsuit alleges the companies place cookies on websites visited by children under the age of 13. The plaintiffs allege the companies have violated federal wiretap law, the Video Privacy Protection Act and several New Jersey and California state laws. In a separate case, Consumer Watchdog has filed a complaint with the Federal Trade Commission alleging a planned contact list merger between Google+ and Gmail violates a privacy settlement reached between the federal regulator and Google.

CONSUMER PRIVACY—U.S.

Vladeck Discusses FTC Enforcement Past and Present (January 23, 2014)

In a Q&A with The Wall Street Journal, Georgetown Law Prof. David Vladeck discusses his experiences as director of the FTC’s Bureau of Consumer Protection from 2009 until 2013. On enforcement action brought against Facebook and Google during his tenure, Vladeck says regulators want to punish bad conduct but don’t want to stifle companies’ innovation, and that the orders the FTC issued don’t tell the companies “how to run their business” but require them to embed privacy within their approaches—advice he’d give any large company. As for who should be on watch for forthcoming FTC attention, Vladeck says the data broker business needs added transparency, and “children’s privacy is going to stay on the forefront.” (Registration may be required to access this story.)

SURVEILLANCE—U.S.

PCLOB: Data Surveillance Violates Law, and NSA is Wrong Agency for the Job (January 23, 2014)

A new report from the Privacy and Civil Liberties Oversight Board (PCLOB) says “the bulk collection of billions of American phone records violates the letter and the spirit of the law,” NPR reports. Excerpts from the report, which is scheduled to be read at an open board meeting today, say the mass collection has “no connection to a specific FBI investigation when it’s being gathered” and the amount of it being “vacuumed up” can’t be considered “relevant.” It also says that under the law, the FBI—not the NSA—should be doing the collecting. Two PCLOB members, however, wrote dissents on that opinion. “The board will vote Thursday on whether to call for an outright end to the phone metadata program and call for more transparency from the government and the secret court,” the report states.

BIG DATA—U.S.

OfficeMax Blames Data Broker for “Daughter Killed” Mailing (January 23, 2014)

In one of the latest developments in the headline-making story of a targeted mailing sent to a Chicago man with the disturbing words “Daughter Killed in Car Crash or Current Business” as part of the address, Forbes reports OfficeMax has said it “unintentionally bought (that information) from a third-party data broker.” OfficeMax requested a mailing list from the broker “for Businesses, Small Offices and Home Offices … NO personal information qualifiers were part of our request; we were not seeking personal information and did not ask for it,” a company spokesperson wrote. “As an additional measure to prevent future mailing errors, we have upgraded the filters designed to flag inappropriate information.”

DATA COLLECTION—U.S.

Farmers Warned About Sharing Data with Monsanto, Others (January 23, 2014)

NPR reports on services Midwest farmers can sign up for allowing “big agribusiness” to collect data “minute by minute, as they plant and harvest their crops … promising to mine that data for tips that will put more money in farmers' pockets.” However, the American Farm Bureau Federation is warning farmers to be cautious, the report states, suggesting such services “could threaten farmers' privacy and give the big companies too much power.” One participant in an experimental data-sharing system from Monsanto said, "My theory is, if they have my information, and they're out there working with me, I'm hoping that they're going to bring me a better product."

CONSUMER PRIVACY—EU & U.S.

FTC Settles Safe Harbor Charges Against 12 Companies (January 22, 2014)
The Federal Trade Commission (FTC) has settled with 12 U.S. companies over charges the companies falsely claimed they were abiding by Safe Harbor rules. The companies involved spanned various industries, including mobile apps, DNA testing and professional sports. The complaints filed by the FTC state the companies allowed their EU-U.S. Safe Harbor certifications to lapse, despite claims in their privacy policies or Safe Harbor certification marks indicating otherwise. Three of the companies were also charged with falsely claiming to abide by the U.S.-Swiss Safe Harbor framework. The settlements, which follow criticism from the European Commission that the Safe Harbor framework has not been effectively enforced, are now open for public comment. FTC Chairwoman Edith Ramirez said Safe Harbor enforcement is a priority and the cases “send a signal to companies” that they can’t falsely claim certification. In a blog post on the FTC’s site, Lesley Fair, senior attorney with the Federal Trade Commission's Bureau of Consumer Protection, says this is fair warning that, “If you feature the Safe Harbor mark on your site or refer to your participation, remember that you must ‘re-up’ every year.”

PRIVACY LAW—EU & U.S.

How Obama’s NSA Plans May Affect EU Law (January 22, 2014)

President Barack Obama’s plans for surveillance reform, as revealed in his speech last week, “have had a lukewarm reception by European politicians,” writes Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E. “Such reforms are a work in progress that will extend over months and years, but Obama’s stance is bound to have a very direct effect on existing and forthcoming EU data protection requirements,” he adds. In this installment of Privacy Perspectives, Ustaran lays out his predictions “about the practical impact of the proposed plans in Europe.”

PRIVACY LAW

At World Economic Forum, Industry Leaders Call for New Privacy Rules (January 22, 2014)

In a blog post, Microsoft General Counsel Brad Smith has called for “an international legal framework—an international convention—to create surveillance and data access rules across borders” and has said the current legal structures are out-of-date, prompting “some governments, as we’ve learned over the past year … to take unilateral actions outside the system,” CNET News reports. Smith is expected to take part in a World Economic Forum (WEF) panel discussion about the public perceptions of surveillance, data security and privacy in light of the NSA disclosures. BT Group Chief Executive Gavin Patterson, also speaking at the WEF, said customers cannot be guaranteed 100-percent privacy online and called for updates to “murky” data collection laws, The Guardian reports. Meanwhile, DW reports on Human Rights Watch's call this week for "a clear regulatory framework to keep intelligence services in check."

SURVEILLANCE

Verizon Releases First Transparency Report (January 22, 2014)

In a press release on its website, Verizon has released its first transparency report for law enforcement requests in the U.S. and “other countries in which we do business.” According to the release, “Although Verizon has released a great deal of information over the past few years regarding the number of law enforcement demands we’ve received, Verizon’s online Transparency Report now makes an expanded data set more easily accessible.” The company said it will update the report semi-annually. Verizon also said it saw an increase in the number of law enforcement demands in 2013, as compared to 2012.

ONLINE PRIVACY

Study Uncovers Tor Sabotage; Privacy Tools Used by 28 Percent Globally (January 22, 2014)

A group of computer scientists has found at least two dozen computers actively trying to sabotage the Tor privacy network, according to Ars Technica. The newly released paper, Spoiled Onions: Exposing Malicious Tor Exit Relays, is one of the first studies to document exit nodes purposely attempting to tamper with encrypted messages between the exit node and the open Internet. Developer Tal Ater has recently demonstrated that a microphone permission policy in Google Chrome can allow any site enabled for voice recognition to transcribe everything in range of the device without the user knowing. Separate research has revealed that privacy tools are used by 28 percent of the online world, or an estimated 415 million users. The GlobalWebIndex (GWI) study also found that 56 percent of those surveyed said they believe the Internet is eroding their personal privacy. The GWI study notes 11 percent of all users say they use the Tor network.

INTERNET OF THINGS—U.S.

AAA Unveils Consumer Rights for Car Data (January 22, 2014)

The American Automobile Association (AAA) has drafted a consumer bill of rights and is urging industry to adopt it, USA Today reports. AAA calls for transparency, choice and security and states car owners should have the right to understand what data is being collected about them, control with whom their data is shared and expect that companies will exercise best security practice. "Many connected car features are made possible through the collection of large amounts of potentially sensitive data from drivers," said AAA CEO Bob Darbelnet, adding, "Companies collecting, using and sharing data from cars should do everything possible to protect consumer rights as they offer these exciting technologies."

GEOLOCATION—UKRAINE

Gov’t Locates Riot Participants, Sends Text Warnings (January 22, 2014)

The Guardian reports on the Ukrainian government’s efforts to quiet violent protests, including a text message sent to mobile phone users in the vicinity of the clashes reading, “Dear subscriber, you are registered as a participant in a mass riot.” The interior ministry has denied involvement in sending the texts, as have two telephone providers. Another provider said, “We strictly observe the confidentiality of our users, their telephone numbers and locations.” The interior ministry did say it is using video footage to arrest the most active participants in the riot. The protests were sparked by new laws on public gatherings.

MOBILE PRIVACY—U.S.

Ad Agencies More Worried About Scale Than Privacy (January 22, 2014)

At a recent meeting of digital ad agencies, representatives indicated a lack of concern about the future safety of customer data, despite recent hacks at Target, Neiman Marcus and Snapchat, Forbes reports. The agencies said clients are excited about hyper-location data tools. Asked what the biggest hurdles may be to marketing on mobile and whether privacy and security were top-of-list, agencies instead cited a need for bigger audiences and getting technology startups to explain how their tracking products work. The director of mobile strategy at Horizon Media said while clients are excited about new data, they rely on the ad agencies to be sure privacy issues are addressed.

DATA PROTECTION—EU & U.S.

Opinion: Stop Confusing Safe Harbor with State Surveillance (January 22, 2014)

In an opinion piece for ComputerWeekly, Morrison & Foerster’s Cynthia Rich writes that suspending the EU-U.S. Safe Harbor program under the assumption it facilitates NSA surveillance is misguided. None of the data transfer mechanisms in the EU offers protection against government surveillance, Rich says, and “shutting out U.S. companies may appeal to market protectionists, but in the end, will only disadvantage European consumers.” Further, Federal Trade Commission enforcement of Safe Harbor has been more rigorous than the European Commission claims, she writes. Meanwhile, San Jose Mercury News columnist Mike Cassidy opines that the recent Target hack indicates that “the privacy war is over—and we lost.”

DATA PROTECTION

Top Tips for a Data Incident Plan (January 21, 2014)
With recent data breach incidents practically saturating headlines, and with increasing evidence that preventing breaches altogether is next to impossible, Online Trust Alliance Director of Public Policy and Outreach Heather Federman, CIPP/US, writes about the importance of developing a data incident plan (DIP). “The DIP is a playbook that describes the breach fundamentals an organization can deploy on a moment’s notice,” she writes, adding, “A good DIP helps you quickly determine the nature of an incident, immediately contain it, ensure evidence is not accidentally ruined and easily notify regulators.” In this Privacy Perspectives post, Federman, “in honor of the upcoming Data Privacy Day” next Tuesday, January 28, presents the top 14 tips for creating a DIP.

PRIVACY LAW—EU

Reding Calls for Billion-Dollar Fines (January 21, 2014)

European Commission Vice President Viviane Reding is calling for larger fines against companies that breach the EU’s privacy laws, BBC News reports. Reding “dismissed recent fines for Google as ‘pocket money’ and said the firm would have had to pay $1 billion under her plans for privacy failings,” the report states, noting she believes increased punishments are needed to encourage firms to take personal data use more seriously. Out-Law.com, meanwhile, reports the EU’s Court of Justice “is set to rule in a case involving Google and the judgment could offer some clarity about which local data protection rules will apply to multinational Internet service providers that process personal data abroad but have a business presence in a local jurisdiction.”

PRIVACY

Opinion: Old-School Privacy Is Dead, Embrace the New School (January 21, 2014)

“There is nothing left to debate. Our old-school privacy, as we’ve known it for decades, is dead and buried,” writes Indiana University Center for Law, Ethics and Applied Research Director Stanley Crosley, CIPM, CIPP/US. “But there’s good news,” he adds in this installment of Privacy Perspectives. “If your notion of privacy is defined by your personal control over all of the data about you, well, you’re privacy crazy, and I have tragic news: That privacy is lost.” Crosley notes that regulations “that default to all ‘use’ of data as being impermissible unless authorized by the individual are trying to protect a version of privacy that no one really wants”—the equivalent of going back to using “VCRs and flip phones.” Rather, Crosley explains, “our parents’ brand of privacy is being replaced by a better, more sustainable and meaningful privacy.”

BIG DATA

Evaluating Tools for the Marketing Industry (January 21, 2014)

The market research industry has been collecting information on consumer behavior and attempting to analyze it for predictive purposes for over a century, long before the term “Big Data” was coined. Today this industry is at the forefront of the movement to collect, analyze and exploit vast amounts of information about what people buy, from whom and where using powerful technological tools previously unimagined. Join Gary Kibel, CIPP/US, of Davis & Gilbert LLP; George Pappachen, CPO at The Kantar Group, and David Stark, CIPP/US, VP at GFK, on February 6 for a virtual conversation to explore the interplay between new data sources and uses, the tension between self-imposed industry standards and regulatory guidance and the potential consequences emerging from Congressional inquiries and consumer expectations.

SURVEILLANCE—U.S.

Obama NSA Speech Has Low Impact on Public; Tech Reacts (January 21, 2014)

According to a new national survey by the Pew Research Center and USA Today, President Barack Obama’s NSA reform speech last week had little impact on an already skeptical public. Half of the 1,504 adults surveyed between January 15 and 19 had not heard of Obama’s speech and nearly three-quarters of those who heard the speech believed it would have little impact on people’s privacy. Meanwhile, PBS Newshour reports on reaction from the tech industry. “What the president was doing in his speech didn’t go far enough,” said Christian Dawson of the Internet Infrastructure Coalition, adding, “if we don’t go out with bold language to convince the world that we do believe in privacy standards, we are going to see an EU Internet and a U.S. Internet and a China Internet…” Center for Democracy & Technology President Nuala O’Connor, CIPP/US, CIPP/G, said Obama should have been more “clear about the specifics of how he plans to end bulk data collection as we know it.”

PRIVACY BUSINESS—GERMANY

Privacy Proving To Be Tech Industry Driver (January 21, 2014)

With “some of the world’s toughest privacy laws,” “an unusually large number of hackers and security experts” and “a deep appreciation for privacy among the German people,” Germany is seeing entrepreneurs in the wake of the Snowden revelations looking to privacy-focused business models, reports Forbes. Germany is now home to start-ups ZenGuard, an encryption service; Blippex, a search engine “built with user privacy in mind,” and Arriver, “a social navigation tool developed on the principle of neutrality.” State-level business support is available to these start-ups through innovation funding programs, and Arriver CEO Felix Langhof says, “The privacy relevance is only just beginning to dawn on all of us.”

BIG DATA—U.S.

Office Supply Mailing Increases Broker Scrutiny; Will We See Anticipatory Shipping? (January 21, 2014)

Marketing Daily reports on news that OfficeMax mistakenly sent a family mail with “Daughter Killed In Car Crash, or Current Business” in the address. University of Washington Assistant Prof. Ryan Calo said this “exemplifies very efficiently all the troubling things about data-driven marketing … It’s inscrutable. Why does an office supply store have information about someone’s dead kid? And in such granularity—not just that the child is dead but even her gender and precisely how she died? It just goes to show how promiscuous this ecosystem is.” In an unrelated story, TechCrunch reports on a patent filed by Amazon designed to minimize package delivery times by predicting what users will buy and shipping such items toward a user’s given location.

DATA LOSS—SOUTH KOREA & U.S.

Consultant Alleged as KCB Breach Source; Were Teenagers Behind Target Hack? (January 21, 2014)

A temporary consultant for Korea Credit Bureau (KCB), a credit rating firm, “is alleged to have sold the personal details of up to 20 million South Koreans to marketing firms in a classic example of the insider threat,” ComputerWeekly reports. The consultant stole customer names, Social Security numbers and credit card details from KCB servers, a Korean Financial Supervisory Service statement alleges. Meanwhile, Bloomberg Businessweek reports on the story behind the headlines suggesting two Russian teenagers were “creators of the malware used in a massive cyber-heist of customer data from Target,” reaching the conclusion they may not be the ones behind the breach.

CONSUMER PRIVACY

Nest CEO Seeks To Assuage Privacy Concerns (January 21, 2014)

ArsTechnica reports on Nest CEO Tony Fadell’s conversation at the DLD Conference in Munich with CNNMoney correspondent Laurie Segall, wherein he sought to clarify Nest’s privacy position now that Google has acquired his company. “The data we collect is all about our products and improving them,” he said, and he promised transparency with any future data-use policies and an opt-in philosophy. However, when Segall asked whether there were plans to serve her sweater ads in the future since she’s always turning up the heat, the report says Fadell gave a coy answer of, “Not that I know of … If we ever change it, I’ll let you know.”

PRIVACY LAW

Making a Privacy Law for the 21st Century (January 20, 2014)
With the EU’s proposed General Data Protection Regulation (GDPR) hanging in the balance, some think it a good time to go back to the drawing board. “Better, I think, to start again and design a good law than to adopt legislation for the sake of it—no matter how ill-suited it is to modern-day data processing standards,” writes Field Fisher Waterhouse Partner Phil Lee, CIPM, CIPP/E. In this post for Privacy Perspectives, Lee reflects on what a “21st-century data protection law ought to achieve, keeping in mind the ultimate aims of protecting citizens’ rights, promoting technological innovation and fostering economic growth.”

PRIVACY LAW

Trend Towards Legislating for Increased Privacy Continues in U.S. (January 20, 2014)

Looking at the federal and state bills being introduced in the U.S., this Privacy Tracker weekly roundup reports on lawmakers’ efforts to get privacy-protecting laws on the books; however, FTC Commissioner Maureen Ohlhausen has called for legislators to look to existing laws, saying, “We simply do not need new talk, new laws or new regulations.” Also take a look at new compliance hurdles for organizations in Canada and Australia as new laws are set to roll out in those countries. Finally, in the EU, the LIBE has published amendments it would like to see in the Network and Information Security (NIS) Directive. (IAPP member login required.)

SURVEILLANCE—U.S.

Reactions to Obama’s Plans for NSA Reform (January 20, 2014)

Reaction to President Barack Obama’s speech announcing plans for National Security Agency (NSA) reforms on Friday swirled over the weekend. The New York Times reports on the next stage of the reform process, noting that much reform would have to come from Congress—an institution already divided—meaning “the future shape of the surveillance apparatus … remains far from certain.” The Times also broke down the proposed changes in relation to the NSA review panel recommendations. Obama’s speech also did little to reassure private industry. “The most interesting part of this speech was not how the president weighed individual privacy against the NSA,” said Indiana University Prof. Fred Cate, “but that he said little about what to do about the agency’s practice of vacuuming up everything it can get its hands on.” On Sunday, NBC’s “Meet the Press” devoted a segment to the future of the NSA programs. And, according to a new study, the NSA revelations could cost the U.S. cloud computing industry between $22 billion and $35 billion. (Registration may be required to access this story.) Editor’s Note: Look for a Privacy Perspectives post later this week on what Obama’s plans mean for Europeans.

PRIVACY—U.S.

Calo: “Daughter In A Car Crash” Letter May Be Privacy’s “Whale Song” (January 20, 2014)

A letter from OfficeMax to the father of a teenage girl killed in an automobile crash may prove to be privacy’s “whale song”—the equivalent of those “ethereal noises” that gave the anti-whaling movement the inspiration it needed, University of Washington School of Law Prof. Ryan Calo writes for Forbes. “The privacy community has been waiting for its proverbial whale song since the database debates from that same time period,” Calo writes. The letter read “Daughter Killed In Car Crash Or Current Business” under the recipient’s name and above his address. “Let that sink in for a second,” Calo writes. “A father lost his daughter, and OfficeMax or its provider used this fact to select how to market to him … reducing the Seay family to some category peddled by data brokers. On paper, for the world to see.”

CYBERSECURITY—U.S.

Privacy Appendix Dropped from NIST Framework (January 20, 2014)

Nearly a month prior to the final release of its Cybersecurity Framework, the National Institute of Standards and Technology (NIST) has announced it will not include with it a separate appendix for privacy controls, FierceGovernmentIT reports. According to the update from NIST, a separate methodology for privacy and civil liberties “did not generate sufficient support.” Sources said the appendix was added late in the process and caused trepidation and uncertainty. There were also concerns regarding corporate liability, particularly in the face of a data breach. NIST will instead incorporate a methodology developed by Hogan Lovells Partner Harriet Pearson, CIPP/US. In comments submitted to NIST, Pearson wrote, “To incentivize use of the Cybersecurity Framework, the privacy methodology must be clear and straightforward for the private sector to use.” Editor’s Note: Pearson will discuss the NIST Cybersecurity Framework with Karen Zacharia, CIPP/US, CPO at Verizon, and a White House representative at the IAPP Global Privacy Summit, March 5-7.

BIG DATA

Privacy, Security Leading Issues for Big Data, IoT (January 20, 2014)

A 2014 predictions report from Stratecast finds “privacy will ‘almost certainly’ be the leading Big Data issue this year,” InformationWeek reports, questioning how that could impact such retail “Big Data” uses as “in-store analytics systems that use WiFi-enabled devices—typically smartphones—to gather information on customers' shopping and purchasing habits.” Meanwhile, Financial Post reports on similar concerns for the Internet of Things, where questions about security and privacy continue to grow with the use of “smart home” devices. "It's getting more complicated," Gartner’s Angela McIntyre said, citing the broadening types of data being collected. "Companies are realizing they need to update their privacy policies and terms of service (with) easy-to-read disclosure of privacy up front."

PRIVACY LAW—U.S.

Plaintiffs Ask Appeals Court To Revive Facebook, Zynga Complaints (January 20, 2014)

Plaintiffs are asking the Court of Appeals, San Francisco, to revive complaints filed in 2010 and dismissed a year later, seeking that Facebook and Zynga “be ordered to face claims that users’ identities and activities on the social networking platforms were disclosed to third parties without their consent,” Bloomberg Businessweek reports. Judge Richard Tallman said Congress could not have envisioned “the alleged violations of the Stored Communications Act in its ‘wildest dreams’ when it wrote the law,” the report states. He indicated he was “skeptical anyone was misled by the privacy policies that are being challenged” but acknowledged “there has to be substantial value to the information” or companies would not gather it, the report states.

PRIVACY LAW—U.S.

SCOTUS To Hear Cellphone Privacy Cases (January 20, 2014)

Politico reports that the Supreme Court has agreed to hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. The two cases—Wurie v. U.S. and Riley v. California—were granted cert by the court last Friday. In Riley, police searched a suspect’s text messages, photos and videos, finding evidence of gang-related activity and images implicating him in a separate crime. In Wurie, law enforcement went through the call logs of the suspect. The Electronic Frontier Foundation’s Hanni Fakhoury said, “These cases give the court the chance to determine to what extent the Fourth Amendment applies to newer technologies and whether the breadth and scope of information stored on a smartphone matters under the Constitution. We think it does and hope the Court agrees with us.” Editor’s Note: Privacy Perspectives recently opined on an Associated Press report on the wariness expressed by Supreme Court justices about ruling on technology-related cases.

PRIVACY COMMUNITY

Cavoukian: “So Glad You Didn’t Say That” (January 17, 2014)
In the latest response in an ongoing Privacy Perspectives dialogue, Ontario Information and Privacy Commissioner Ann Cavoukian responds to this week’s post by Oxford Prof. Viktor Mayer-Schönberger. “My first thought … was, ‘I’m so glad he didn’t mean that!’ In sum, Mayer-Schönberger assures me that our views are aligned as follows: The belief that individuals have an interest in privacy protection; privacy should be anchored in the OECD Fair Information Practice Principles; the public should have control over their personal information, and privacy does not impede innovation,” she writes. Cavoukian later writes, “it is nonetheless important to voice other perspectives, such as Privacy by Design, that are not currently reflected in his view of how the OECD principles should be revised,” noting she will hold a live webinar on January 24 on the topic “Big Data Calls for Big Privacy—Not Only Big Promises” with Commissioner Alexander Dix, Professor Khaled El Emam and CDT President Nuala O’Connor, CIPP/US. Mayer-Schönberger participates in a separate webinar, “Privacy Models: The Next Evolution,” alongside Fred Cate, O’Connor, David Hoffman and Peter Cullen, on January 21.

PRIVACY PROFESSION—U.S.

Privacy 101 for Small- and Medium-Sized Business (January 17, 2014)

Though today’s headlines are filled with privacy-related coverage involving large businesses such as Target, small- and medium-sized businesses (SMEs) can just as easily fall prey to a breach or the unwanted gaze of a regulator. “Privacy and security must be strategic considerations for every business, including garage entrepreneurs developing cool apps or analytics companies with half a dozen employees,” write NAI President and CEO Marc Groman, CIPP/US, and IAPP VP of Research and Education Omer Tene. This Privacy Perspectives post delves into what SMEs should consider and provides “some down-and-dirty tips to help you safeguard your data, build trust and avoid boosting newspaper sales with sensationalist business titles.”

SURVEILLANCE—U.S.

Obama Announces NSA Revisions (January 17, 2014)

President Barack Obama announced today changes to the National Security Agency’s (NSA) phone data collection program. Speaking from the White House this morning to announce the release of the Presidential Policy Directive: Signals Intelligence Activities, Obama said it is not enough for governments to simply say “trust us” that your data won’t be breached. “It depends on the law to constrain those in power,” he said, noting the basic values of most Americans on surveillance and privacy are more closely aligned than media reports of recent months would indicate. “The challenge is getting the details right,” he said. “And that is not simple.” He spoke of “concrete and substantial reforms.” The Washington Post highlights those changes, which include restrictions on spying on U.S. allies; the creation of a new panel to serve as advocates to provide an independent voice before the Foreign Intelligence Surveillance Court; and, as Obama put it, an “end to the bulk metadata program as it currently exists.”

PRIVACY LAW—EU

Is the EU’s “Anti-FISA” Clause Practical? (January 17, 2014)

The Snowden revelations have helped reintroduce into the EU’s proposed General Data Protection Regulation a provision that would limit and control personal data transfers to third countries. Often referred to as the “anti-FISA” clause, the provision gives rise to a number of concerns regarding practicality and legality, writes Danish Ministry of Finance Senior Policy Advisor Christian Wiese Svanberg in this installment of Privacy Perspectives. Svanberg notes, “the issues raised by the proposal are numerous,” adding, “does the word ‘judgment’ also cover court orders, subpoenas, letters of request … And what constitutes an ‘international agreement’ for the purposes of the provision?”

PRIVACY ENFORCEMENT—U.S.

TeleCheck To Pay $3.5M for FCRA Violations (January 17, 2014)

The Federal Trade Commission (FTC) announced yesterday that TeleCheck Services, a check authorization service company, along with its associated debt-collection entity, TRS Recovery Services, has agreed to pay $3.5 million as part of a settlement. The FTC charged the firm with violating the Fair Credit Reporting Act (FCRA) by not following proper dispute procedures and sometimes not investigating disputes at all when consumers had their checks denied by retailers based on TeleCheck’s information. Further, the FTC claimed TRS did not abide by the “Furnisher Rule,” which mandates that those providing credit information ensure that information’s accuracy and integrity. The settlement amount is the second-largest for an FCRA violation.

CYBERSECURITY—U.S.

Target To Testify Before Congress (January 17, 2014)

Reuters reports that Target has agreed to testify before the U.S. Congress next month on the data breach compromising more than 100 million customers. According to Rep. Lee Terry (R-NE), the subcommittee on commerce, manufacturing and trade of the House Committee on Energy and Commerce will also expect testimony from law enforcement officials, along with at least one representative from Target. “By examining these recent breaches and the consequences on consumers, we hope to gain a better understanding of the nature of these crimes and what steps can be taken to further protect information and limit cyber threats,” Terry said. Reuters and USA Today also each report on the current state of breach notification law in the U.S., and The Washington Post reports that the Target incident may be part of a much wider attack.

PRIVACY LAW—U.S.

Google Privacy Lawsuit Revised, Says Execs Made “Conscious Decision” (January 17, 2014)

Bloomberg reports on a revised privacy lawsuit against Google. The suit alleges the company commingled data across its services and products in a Google project called Emerald Sea. U.S. Magistrate Judge Paul Grewal ruled in December that the plaintiffs failed to demonstrate harm caused by Google’s actions, and for the case to proceed, the plaintiffs must show how the commingling of data deprived them of the “economic value” of their data, the report states. Thursday’s revised complaint alleges Google executives in 2010 “made a conscious decision to withhold from the public information pertaining to the Emerald Sea plan, including Google’s intention to violate all existing privacy policies that placed any limitations on Google’s ability to combine information across platforms by doing precisely that once Emerald Sea became a reality.”

CONSUMER PRIVACY

Privacy and the Power of Paperless Receipts (January 17, 2014)

Upstart Business Journal reports on an address by Jack Dorsey, co-founder of Twitter and Square, to the National Retail Federation this week. His message? Internet firms have two concurrent tasks when it comes to their data: Keep ahead of the hackers and give consumers tools for ensuring privacy. “Privacy and security is not an endpoint,” he said. “All you can be is 10 steps ahead of everyone else, constantly refreshing.” If you don’t, consumers will “feel lost and angry and turn away from the Internet.” This is something that concerns Square, he said, as the company sees receipts as “more of a communication channel and as a publishing medium.”

PRIVACY BUSINESS

IAPP and CSA Announce New Strategic Alliance (January 16, 2014)
The IAPP announced today that it has created a new strategic alliance with the Cloud Security Alliance, a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. The alliance’s most tangible result will be the joining of the IAPP Privacy Academy and CSA Congress into a single event to be held September 17 to 19 at the San Jose Convention Center in San Jose, CA. “Cloud security and privacy matters continue to twist and turn, especially given events of late, with the industry in constant pursuit for the best knowledge and practices to stay ahead of what’s next in securing all forms of computing,” said CSA CEO Jim Reavis. “Through this union, this event is now the center of gravity for information governance and management professionals to navigate the continually evolving challenges of the digital economy,” said IAPP President and CEO Trevor Hughes, CIPP.

DATA PROTECTION—EU

The Baffling Case of the Headless EDPS (January 16, 2014)

On Thursday, in the last speech of his mandate as European Data Protection Supervisor (EDPS), Peter Hustinx urged Germany to take the lead in reform of the EU data protection framework. And now, after 10 years of service, Hustinx is retiring from “what is in essence the EU’s top data protection authority.” But the future leadership of the office is in question. Earlier this month, news came out that a “selection board” found that none of the successor candidates were “sufficiently qualified” for the position, thereby delaying the selection, possibly by months. “After working in Brussels for the last 15 years,” writes Wilson, Sonsini, Goodrich & Rosati Senior of Counsel Christopher Kuner, “I have become accustomed to the byzantine machinations of European politics.” But, in this installment of Privacy Perspectives, Kuner notes the “spectacle that is currently unfolding … paints a particularly dismal picture of how data protection in the EU can become a political football.”

PRIVACY LAW—CANADA

CASL: What You Need To Know and When (January 16, 2014)

Shaun Brown of nNovation offers a detailed breakdown of the newly published regulations under Canada’s Anti-Spam Legislation (CASL) in this Privacy Tracker blog post. Implementation of CASL will come in three waves, the first of which, rules that apply to computer programs, is already in force. While many of the regulations mirror those pre-published in the draft released at this time last year, there are some changes, including new exceptions for closed platforms, limited-access accounts where organizations communicate directly with recipients, messages targeted at foreign persons and fundraising by charities and political parties. (IAPP member login required.)

BEHAVIORAL TARGETING—CANADA

OPC: Google Ads Violated Privacy Law (January 16, 2014)

After an investigation, the Office of the Privacy Commissioner (OPC) has said Google violated a Canadian citizen’s privacy rights when he was targeted with health-related advertisements. After a man searched the Internet for information on sleep apnea, he began receiving advertisements for devices related to the health disorder. In response to the OPC’s order, Google has said it will take steps to stop the privacy-intrusive advertisements. “We are pleased Google is acting to address this problem,” said Interim Privacy Commissioner Chantal Bernier in a press release, adding, “It is inappropriate for this type of information to be used in online behavioral advertising.” Bernier, whose office received support from the U.S. Federal Trade Commission, also said, “We will be contacting various advertising stakeholders in the near future to share these investigation results and remind them of their privacy obligations.”

SURVEILLANCE—U.S.

Feinstein on Drones: “Proceed with Caution” (January 16, 2014)

Politico reports on an experience Sen. Dianne Feinstein (D-CA) once had, finding “a drone peeking into the window of her home—the kind of cautionary tale she wants lawmakers to consider as they look at allowing commercial drone use.” Speaking as a special witness at Wednesday’s Senate Commerce Committee hearing on drones, Feinstein urged that her fellow legislators “proceed with caution.” Feinstein indicated privacy concerns are “significant” and, according to the report, called for “close scrutiny and recommended a search warrant requirement” for government-operated drones and “strong, binding enforceable privacy policies that govern drone operations … before the technology is upon us.”

CYBERSECURITY—U.S.

Kentucky May Become 47th Breach Notification State; Target Has $100M of Cyberinsurance (January 16, 2014)

Breach notification bills are beginning to pile up in the U.S. Senate, GovInfoSecurity reports, and lawmakers in Kentucky have introduced data breach notification legislation that, if passed, would make Kentucky the 47th state to enact such legislation. One expert says there currently isn’t support for a bill covering the private sector, but there is for the public sector. In separate reports, Krebs on Security looks into the Target hack and the malware used to penetrate the retailer’s point-of-sale systems, and Business Insurance reports Target has $100 million of cyberinsurance and $65 million of directors and officers liability coverage. Meanwhile, secure messaging apps maker Wickr has announced it will offer a $100,000 bounty to hackers who can find any vulnerability “that substantially affects the confidentiality or integrity of user data.”

PRIVACY COMMUNITY

“I Never Said That” - A Response to Cavoukian et al. (January 15, 2014)
In response to a Privacy Perspectives post and announcement of a whitepaper from last week, author and Oxford University Internet Governance Prof. Viktor Mayer-Schönberger writes that “assumptions” made by Ontario Information and Privacy Commissioner Ann Cavoukian et al. “are not borne out in fact.” Mayer-Schönberger adds, “I very much appreciate a robust debate about the future of how we best protect information privacy … But without knowing exactly what I said, the whitepaper may respond to a straw man’s argument and thus offer much reduced value.” In this new Privacy Perspectives installment, Mayer-Schönberger aims to offer readers “the opportunity to appreciate what I actually said…”

PRIVACY RESOURCES

Looking To Hire or To Hone Your Interview Prowess? (January 15, 2014)

New to the IAPP’s online Resource Center is a list of interview questions submitted by several dozen subscribers to the IAPP Privacy List. With the help of Jay Cline, CIPP/US, of Minnesota Privacy Consultants, the IAPP compiled this collection of list subscribers’ favorite questions to find the privacy job candidates with the highest potential. Topics covered include incident management, running a privacy program, legal concepts and EU privacy.

PRIVACY BUSINESS

Privacy-Enhancing Phone, Dating App Unveiled (January 15, 2014)

The creators of Silent Circle have announced they will unveil a privacy-enhancing smartphone called Blackphone, GigaOM reports. The device, which will be available for preordering on February 24, uses a secure version of Android called PrivatOS and will have the capability to transmit secure phone calls, texts, file exchanges and storage, and video chat, and anonymizes use via a virtual private network. Creator Phil Zimmermann said the phone “provides users with everything they need to ensure privacy and control of their communications, along with all the other high-end smartphone features they have come to expect.” Meanwhile, the makers of SinglesAroundMe have announced a patent-pending technology that allows users to change their locations to preserve their privacy. The “Position-Shift” algorithm gives users control over their location and who knows it. Fujitsu Laboratories has announced an encryption search that keeps data encrypted to maintain privacy, and Twitter has announced it is enforcing SSL encryption for apps connected to its API. Editor’s Note: Privacy Perspectives recently posted “Data-Driven Dating: How Data Are Shaping Our Most Intimate Personal Relationships.”

SURVEILLANCE—U.S.

Obama To Endorse Some NSA Changes; Telcos Off the Hook (January 15, 2014)

The Associated Press reports on what President Barack Obama is expected to say regarding possible changes to National Security Agency (NSA) surveillance reform. Though he is “expected to endorse changes to the way government collects millions of Americans’ phone records,” he will likely leave specific changes and decisions to an already divided Congress, the report states. In his speech this Friday, Obama is also expected to announce further privacy protections for non-U.S. citizens, and according to The New York Times, he will propose an advocate within the Foreign Intelligence Surveillance Court (FISC) but will not back a plan to have telecommunications firms retain metadata. PC World reports that FISC judges are not supporting calls for a privacy advocate within the court, and Politico reports that the Center for Security Policy has issued a report rejecting most of the recommendations set forth by an intelligence review group. Meanwhile, all five members of Obama’s intelligence review group testified before the Senate Judiciary Committee yesterday.

DATA BREACH—U.S.

Lawmakers Want Update from Target; States Investigating Neiman Marcus Incident (January 15, 2014)

Lawmakers are seeking answers from Target’s chief executive on the company’s response to its recent breach. Sens. John Rockefeller (D-WV) and Claire McCaskill (D-MO) have asked that the company’s information security officials brief committee staff on its latest internal findings. A Target spokeswoman said, “We have received the chairmen’s letter and are continuing to work with them and other elected officials to keep them informed and updated as our investigation continues.” The heads of the Senate Banking and Judiciary committees are also responding to the breach. Meanwhile, three states have begun investigating a breach at Neiman Marcus. Editor’s Note: For a related examination of this issue, see Jason Weinstein’s recent post in Privacy Perspectives, "Is the Congressional Response to the Target Breach Off-Target?"

GEO PRIVACY—U.S.

Ford CEO Calls for Driver Privacy Provisions (January 15, 2014)

Ford Motor Company CEO Alan Mulally says drivers’ privacy must be protected by law as vehicles increasingly use data for location tracking, Bloomberg reports. The company is “supportive and participating” in talks with regulators considering such legislation, the report states. “It’s just really important that we have boundaries and guidelines to operate,” Mulally said. Sen. Al Franken (D-MN) recently questioned Mulally on what kind of data the company collects via vehicles’ GPS systems and how driver consent is obtained. Franken’s questioning comes after a company executive said last week the company can infer a person’s driving habits via the navigation systems in Ford vehicles, as referenced in this recent Privacy Perspectives post.

PRIVACY PROFESSION

How Privacy Engineers and Lawyers Can Get Along (January 14, 2014)
The burgeoning technological landscape is increasing the need for lawyers to work with engineers on privacy protection initiatives. In this post for Privacy Perspectives, two Georgia Tech professors—one a law professor, the other a software engineering professor—consider four points showing “how to bring together and leverage the skill sets of engineers, lawyers and others to create effective privacy policy with correspondingly compliant implementations.” Profs. Peter Swire, CIPP/US, and Annie Antón look into how lawyers and engineers make the simple complicated, why using the term “reasonable” works in privacy rules but not software specifications and, perhaps most importantly, “how to achieve consensus when both lawyers and engineers are in the same room.”

MOBILE PRIVACY

Turnstyle: Making a Business on Phones’ Continuous Broadcasting (January 14, 2014)

The Wall Street Journal profiles Turnstyle Solutions, a start-up in Toronto using small sensors placed throughout downtown to track the movements of individual consumers. The firm then sells that data, showing businesses which other places their customers frequent, in the name of customizing offerings. One restaurant emblazoned its logo on tank tops when it became clear that customers also frequented a local gym. Turnstyle’s success, the report says, along with that of other startups like Euclid Analytics, “speaks to the growing value of location data … but Turnstyle is among the few that have begun using the technology more broadly to follow people where they live, work and shop.” (Registration may be required to access this article.)

INTERNET OF THINGS

Google Acquires Nest for $3.2 Billion (January 14, 2014)

Google has announced it will acquire Nest Labs—maker of smart home thermostats and smoke alarms—for $3.2 billion, according to a Google Investor Relations blog post. Nest CEO Tony Fadell said, “We’re thrilled to join Google. With their support, Nest will be even better placed to build simple, thoughtful devices that make life easier at home and that have a positive impact on the world.” According to The New York Times, Nest’s products use software, hardware, sensors and algorithms to learn the behavior of home dwellers in order to program a home's system and allow users to remotely access and control it. Fadell said Google has agreed that Nest’s privacy policy will remain unchanged. “That was a major concern or question we had,” he said, “and they have done an amazing job convincing us that our privacy policies are going to be well-respected in their organization.”

PRIVACY LAW—U.S.

Court Denies Suit Alleging Data Broker’s Liability (January 14, 2014)

The U.S. Supreme Court has denied a New York man’s request to hold a data broker liable for illegally selling data taken from Department of Motor Vehicles records, Law360 reports. The records were sold to a stranger who allegedly tracked down Erik Gordon and harassed him. The court “refused to grant certiorari” to Gordon’s challenge to a Second Circuit ruling, which rejected his efforts to sue Softech International for the alleged privacy breach. (Registration may be required to access this story.)

PRIVACY COMMUNITY—U.S.

Google’s Public Policy Vet Moves To LinkedIn (January 14, 2014)

LinkedIn has hired Google veteran Pablo Chavez as its vice president of public policy, Silicon Valley Business Journal reports. Chavez has worked at Google since 2006 and was responsible for engineering the company’s political strategy, the report states. Chavez’s LinkedIn profile notes his political advocacy efforts for Google on issues including privacy, security and online free expression.

SURVEILLANCE—U.S.

Telcos Not Warming Up to Obama’s Retention Plan (January 14, 2014)

The Associated Press reports that telephone companies are “quietly hesitating” at a potential plan to have them alter how they collect and retain Americans’ phone records to help the National Security Agency’s (NSA) surveillance programs. President Barack Obama is expected to announce his proposed changes on Friday. According to the report, phone company executives and their lawyers have said they prefer the NSA to keep control over the records. A representative from CTIA-The Wireless Association said, “Our members would oppose the imposition of data retention obligations that would require them to maintain customer data for longer than necessary.” One key concern for the phone companies is liability. Former NSA official Stewart Baker said Congress “grudgingly” gave legal protection to phone companies after the 2001 terrorist attacks. “The phone companies were seared by their experience in Congress and can’t be enthusiastic about a return engagement,” he added.

TRAVELERS’ PRIVACY—U.S.

Court Upholds “Reasonable Suspicion” Requirement for Device Searches (January 14, 2014)

The U.S. Supreme Court has upheld a U.S. Circuit Court of Appeals ruling from last year that said officials at U.S. borders must have “reasonable suspicion” of criminal activity in order to run forensic analysis software on travelers’ mobile devices, Wired reports. While agents are allowed to search devices on a whim—just as they would a vehicle—the court upheld the appeals court ruling that using software to “decrypt password-protected files or to locate deleted files” cannot be done without facts pointing to illegal activity, the report states.

DATA LOSS

Snapchat Assures Users Spam Is Unrelated to Breach (January 14, 2014)

Following recent reports from some Snapchat users that they’ve received an excessive amount of spam, the company has apologized but assured users the messages are unrelated to a recent breach that exposed millions of usernames and phone numbers, Los Angeles Times reports. “While we expect to minimize spam, it is the consequence of a quickly growing service,” Snapchat said in a blog post.

DATA LOSS—U.S.

Target, Neiman Marcus May Just Be Tip of the Breach Iceberg (January 13, 2014)
Reuters reports the breaches affecting Target and Neiman Marcus may have also hit other retailers who have not yet publicly disclosed the incidents. According to the report, at least three other “well-known” retailers were hit by cyber thieves using similar techniques found in the Target case. Law enforcement sources suspect the culprits may be based out of Eastern Europe. Reuters also reports state attorneys general from around the nation are investigating the Target incident, and Sen. Ed Markey (D-MA) says the problem needs to be addressed. A Los Angeles Times op-ed suggests companies leave consumer data vulnerable because stronger data protection costs money. Since January 1, breaches have hit a hospital system in southern Georgia, some customers of T-Mobile, China’s largest e-payment service provider and North Carolina’s Department of Health and Human Services. Editor's Note: The IAPP Web Conference Bricks and Mortar Is Back—Emerging Privacy Issues for U.S. Retailers, now available on demand, addresses privacy concerns including those around in-store data collection.

PRIVACY—U.S.

SCOTUS Is Scared of Tech, But Privacy Pros Can Help (January 13, 2014)

Last week’s Consumer Electronics Show in Las Vegas, NV, showcased a slew of emerging technology, some of which raised privacy concerns across the media spectrum. In contrast, the Associated Press reported last week on the Supreme Court’s wariness when it comes to making decisions on cases involving technology. As Justice Elena Kagan said last summer, “The justices are not necessarily the most technologically sophisticated people.” For tech startups, the landscape is fertile for innovation but fraught with cybersecurity issues and potential harms to personal privacy. This post for Privacy Perspectives looks into the parallel issues and notes that privacy professionals and privacy engineers can be in a position to fill the gap created by rapidly developing technology.

PRIVACY LAW—U.S.

Which States Have Privacy on the Docket for 2014? Almost All of Them (January 13, 2014)

While states don’t have the authority to shut down National Security Agency surveillance, many state lawmakers are doing their best to enact legislation that will put limits on state and local law enforcement’s abilities. From cellphone location data to drones, online browsing to license-plate scanning, coast to coast and left to right, state lawmakers are proposing anti-surveillance laws. This Privacy Tracker roundup offers a glimpse of what’s coming down the pike. (IAPP member login required.)

SURVEILLANCE—EU & U.S.

Obama To Announce NSA Recommendations This Week (January 13, 2014)

President Barack Obama will announce the results of his review of the National Security Agency (NSA) surveillance programs on Friday, January 17, the Associated Press reports. Privacy and Civil Liberties Oversight Board (PCLOB) Chairman David Medine, who met with the president last Wednesday, said, “We wanted to be able to provide input into the decision-making process.” The PCLOB is expected to release its own findings on January 23. The Hill reports on how Obama’s decisions around NSA reform have put his legacy on the line. Meanwhile, the European Parliament’s decision to have Edward Snowden testify on NSA surveillance programs has divided MEPs due to fears it could damage EU-U.S. relations. Politico reports that, based on last week’s Consumer Electronics Show, fears of NSA spying have not affected consumers’ excitement for emerging technology. However, according to a new survey, a quarter of Canadian and UK businesses are looking away from U.S.-based cloud storage companies due to NSA spying.

PRIVACY BUSINESS—U.S.

Twitter Scores Points for Privacy; Messaging Apps Compete (January 13, 2014)

An Electronic Frontier Foundation (EFF) report on how companies respond to government data requests has given Twitter its highest rating for protecting privacy, Business Insider reports. The EFF examined companies on criteria including transparency, whether they require warrants and if they fight for users’ privacy in courts. Twitter and Internet access company Sonic.net alone “earned a ‘star’ for all six categories,” the report states. Meanwhile, in the wake of a recent breach, Snapchat has reportedly “at times, given law enforcement unopened snaps.” New iOS application Confide is responding with its own message service, and one investigative report finds that “Confide's encrypted storage of message contents are indeed a step above Snapchat's plain text storage … But totally self-destructing, these messages are not.” Separately, The Exchange reports on concerns over a new tracking feature on Apple’s iPhone.

HEALTHCARE PRIVACY—U.S.

Social Media Posts Risk Patient, Public Mistrust (January 13, 2014)

Slate reports on increasingly common violations of patients’ privacy when medical practitioners take photos of patients on their personal devices and share them on social media. Approximately 30 percent of state medical boards have reported receiving complaints of “online violations of patient confidentiality,” according to a recent survey published in the Journal of the American Medical Association. The violations have the potential to “undermine a proper physician-patient relationship and the public trust,” says the Federation of State Medical Boards.

PRIVACY LAW—U.S.

Lawmakers To Introduce Bill on Driver Privacy (January 13, 2014)

The New York Times reports on privacy concerns based on increasingly sophisticated technology systems in cars. While automakers say they are responding to consumer demand, privacy advocates disagree. Sens. John Hoeven (R-ND) and Amy Klobuchar (D-MN) will soon introduce a bill that would put car owners in control of the data collected on the vehicle event data recorders commonly known as black boxes. “We’ve got real privacy concerns on the part of the public,” Hoeven said. “People are very concerned about their personal privacy, especially as technology continues to advance.” (Registration may be required to access this story.)

GEOLOCATION—U.S.

Tracking Device Lets Mom and Dad Track Junior (January 13, 2014)

The New York Times reports on a new tracking device that allows parents to track their children’s movements. FiLIP is a phone for children allowing parents to install a free app on their mobile devices to link to FiLIP to follow its location. It allows parents to set a “safe zone,” which sounds an alarm if a child wearing a FiLIP device travels beyond it. (Registration may be required to access this story.)

DATA PROTECTION—U.S.

Opinion: Dislike Data Breaches? Stop Handing Over Data (January 13, 2014)

In an opinion piece for The New York Times, Nicole Perlroth discusses the ways in which we, as consumers, are a big part of the problem when it comes to massive data breaches and hacks. “We regularly hand over data simply because we’re politely asked. We don’t read privacy policies or ask companies whether our e-mail addresses and passwords will be ‘salted’ or ‘hashed’ … And we don’t stop doing business with companies that don’t take data protection seriously,” she writes. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Is Congressional Response to Target Breach Off-Target? (January 10, 2014)
Following the high-profile hack of Target just before Christmas—an incident affecting as many as 70 million customers—“there has been understandable anxiety on the part of consumers and concern by lawmakers about how to respond to large-scale breaches of this type,” writes Steptoe & Johnson Partner Jason Weinstein. Several lawmakers are calling for hearings on Capitol Hill and some have reintroduced data privacy legislation. In this post for Privacy Perspectives, Weinstein notes that the “congressional focus on consumer protection is certainly laudable,” but adds, “if the congressional response focuses entirely on breach notification and on strengthening the hand of the FTC, then Congress will be, well, off-target.”

ONLINE PRIVACY—U.S.

Consumers Trusting Fewer and Fewer With Their Data (January 10, 2014)

“People are becoming more aware of the data being collected about them online. And that's eroding the trust they have with collecting companies,” Ad Age reports. The statement is based on research by McCann Truth Central shared at this week’s Consumer Electronics Show (CES). The McCann Truth Central survey examines which companies consumers see as “the greatest threat to the future of privacy” while also highlighting which they trust with their data. The Ad Age report also highlights comments by Federal Trade Commissioner Julie Brill at CES that “we need legislation around privacy … We actually need specific data-broker legislation.” Meanwhile, amidst privacy concerns, anonymous search engine DuckDuckGo has announced 2013 saw more than one billion searches made—its biggest year to date.

SURVEILLANCE—U.S.

Lawmakers Unsure of Obama’s NSA Reform (January 10, 2014)

President Barack Obama met with a group of “hand-picked” lawmakers on Thursday to discuss potential reform to the National Security Agency (NSA) surveillance programs. The meeting included proponents of existing programs—such as Sen. Dianne Feinstein (D-CA)—and vocal critics, including Rep. Jim Sensenbrenner (R-WI), and according to the National Journal, several of the lawmakers left the meeting unconvinced the president was going to reform the programs enough. House Judiciary Chairman Bob Goodlatte (R-VA) said, “it’s increasingly clear that we need to take legislative action to reform” the agency’s intelligence gathering. Sen. Ron Wyden (D-OR) said, “The debate is clearly fluid” and that the president “is wrestling with these issues.” The Wall Street Journal reports Obama will extend privacy protections to noncitizens and will restructure the phone data program. Phone carriers could foot a bill of up to $60 million per year if they’re required to retain data for intelligence agencies. The NSA fallout is also prompting several states into action.

HEALTHCARE PRIVACY—U.S.

One-Hour Breach Mandate Is Wasteful, Says GAO Report (January 10, 2014)

FierceGovernmentIT analyzes a GAO report released last month that calls into question the effectiveness of new U.S. Office of Management and Budget (OMB) rules that require federal agencies to report PII-related data breaches to the Department of Homeland Security within an hour of their discovery. Further, “OMB staff said that they were unaware of the rationale for the one-hour timeframe, other than a general concern that agencies report PII incidents promptly,” the report reads, while saying that agencies are likely to have little to report with so little time to investigate what happened and why. Meanwhile, FierceHealthIT says there are privacy hurdles to overcome with teenagers and new online patient portals. How much information should parents be allowed to see, and how can that be controlled?

SOCIAL NETWORKING—U.S.

Privacy Advocates Concerned About New Google Feature (January 10, 2014)

In its Official Gmail Blog, Google updates users on a new feature for those using Gmail and Google+ in which “Gmail will suggest your Google+ connections as recipients when you are composing a new e-mail.” The blog notes “your e-mail address is only shared with the people you want … You control whether people can reach you this way with a new setting in Gmail.” However, Los Angeles Times reports, privacy advocates believe the feature should have been opt-in. The Electronic Privacy Information Center’s Marc Rotenberg alleges the new feature is “eerily similar” to Google Buzz, which resulted in a settlement with the Federal Trade Commission.

SURVEILLANCE—U.S.

Tracking Equipment Keeps Getting Cheaper, Study Finds (January 10, 2014)

New research published in The Yale Law Journal by independent researcher Ashkan Soltani and New America Foundation’s Open Technology Institute Policy Director Kevin Bankston has found that the cost of tracking the location of an individual is growing dramatically cheaper. Based on work submitted to the Privacy Law Scholars Conference in 2013, Soltani writes on his personal blog, “tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him.” Soltani also notes, “If technical and financial barriers previously provided some protection from large-scale surveillance by the government, these implicit protections have been essentially eliminated by the low costs of new surveillance technology,” adding, “Once the cost approaches zero, we will be left with only outdated laws as the limiting function.”

EMPLOYEE PRIVACY—U.S.

Balancing Wellness Programs and Proper Data Sharing (January 10, 2014)

HR pro Michelle Hicks writes for the Idaho Business Journal on the proper way to balance implementation of wellness programs at your firm while being mindful of employee privacy. While these programs offer many benefits both for the employees themselves and for the corporate bottom line, they also “ask employees to share information that is so personal that they may not even tell their spouse,” Hicks writes, “like their weight and their body mass index.” She then walks you through the important questions to be asking, information to be sharing and practices to put in place so that both employer and employee are protected.

HEALTHCARE PRIVACY—U.S.

How Kevin Haynes, CPO at Nemours, Gets Things Done (January 10, 2014)

HealthITSecurity profiles Kevin Haynes, CPO at Nemours, a children’s health company with two hospitals and 30 other locations spread throughout New Jersey, Florida, Pennsylvania and Delaware. The article focuses on Haynes’ primary roles, including the implementation of the company’s privacy practices and representation of all of the firm’s stakeholders, from patients and their families to the employees who work there. Haynes said he’s focusing on taking the burden off of the providers, so they can focus on delivering quality care, and tries to empower the patients and their families. “Haynes’ approach to privacy training is a reminder that training should involve proactive outreach and user awareness,” the article says, “rather than only signage and ‘Beware of HIPAA’ warnings.”

INTERNET OF THINGS—U.S.

U.S. Commerce Secretary: New Rules Needed for Potential $19T Market? (January 9, 2014)
As the Consumer Electronics Show continues in Las Vegas, NV, this week, privacy remains a hot topic. Particularly, the Internet of Things is getting close attention, as wearables and micro computers are among the most common new products. Cisco Systems CEO John Chambers made headlines with his keynote on Tuesday, predicting the Internet of Things market could be as large as $19 trillion by 2020. This and other news led U.S. Commerce Secretary Penny Pritzker to tell IDG News Service, “I think we need to … have a real look at the issue of privacy and where you draw the lines and what are the rules … I don’t think there is consistency or clarity right now … in terms of what companies are collecting and what they can do with that data.”

SURVEILLANCE—EU & U.S.

Shutting Down EU Is Not the Way To Defend Privacy (January 9, 2014)

In reaction to yesterday’s release of the European Parliament’s LIBE Committee draft report on U.S. National Security Agency (NSA) mass surveillance, Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, writes, “Shutting down pretty much all transatlantic data flows in order to prevent unreasonable access to data by the U.S. intelligence services would not only be disproportionate, but it would be hugely damaging to the information society we all rely on.” In this post for Privacy Perspectives, Ustaran looks at several specific provisions of the draft report, noting that though it’s extreme, there is no need to panic. Meanwhile, TechCrunch reports that the LIBE Committee has invited former NSA contractor Edward Snowden to testify on U.S. surveillance.

PRIVACY LAW—U.S.

Sens. Push For More Data Privacy; FTC Commish Wants “Regulatory Humility” (January 9, 2014)

The Hill reports on senators’ calls to take action on data privacy legislation in the wake of the Target breach, while on the same day, Federal Trade Commissioner Maureen Ohlhausen called for “regulatory humility” in light of the emerging Internet of Things market. Sen. Deb Fischer (R-NE) said, “Our nation’s entire data security system is in desperate need of revamping … That’s going to require congressional action.” Sen. Patrick Leahy (D-VT) also reintroduced his Personal Data Privacy and Security Act. Amidst such calls for legislative action, Ohlhausen said in prepared remarks at the Consumer Electronics Show that if new technologies do give rise to harms, “we should carefully consider whether existing laws and regulations are sufficient to address them before assuming that new rules are required.” Meanwhile, in light of a recent GAO report, Sens. Tom Coburn (R-OK) and Susan Collins (R-ME) are calling on agencies to adhere more strictly to federal guidelines and for the Office of Management and Budget to update its policies and increase oversight of breach procedures. Editor’s Note: Ohlhausen will be a speaker at this year’s IAPP Global Privacy Summit in Washington, DC, March 5-7.

PRIVACY LAW—FRANCE & U.S.

CNIL Issues Its Largest-Ever Fine to Google (January 9, 2014)

French privacy regulator the CNIL has fined Google $204,000 for breaking the law with its unified privacy policy—its biggest fine to date, GigaOM reports. The CNIL said the company implemented its shift to one privacy policy across all its services without properly informing users of the ways in which their data would be combined and for what purposes. That’s similar to The Netherlands’ data protection authority’s assertion in November, while Spain’s data protection authority fined the company $1.2 million last month. The fines are the latest in European displays of dissatisfaction with online tracking, which may impact EU-U.S. business relations, The Wall Street Journal reports.

SURVEILLANCE—U.S.

Obama May Preempt PCLOB Recommendations (January 9, 2014)

Bloomberg reports that President Barack Obama will announce changes to U.S. surveillance programs ahead of a report from the Privacy and Civil Liberties Oversight Board (PCLOB). Obama met with the PCLOB on Wednesday to discuss reform to the NSA’s collection of phone metadata as well as operations within the Foreign Intelligence Surveillance Court. The PCLOB said it plans to publish a report in late January or early February on the legality of the metadata collection and produce recommendations on “the right balance between national security and privacy and civil liberties.” The president said he will announce his surveillance reform plans prior to his State of the Union address on January 28.

HEALTHCARE PRIVACY—U.S.

Survey: Privacy Officers Need More Staff, Anticipate Greater Enforcement (January 9, 2014)

A recent survey indicates healthcare privacy, information security and compliance officers most desire increased budget, compliance software, more staff, training and audit help, HealthITSecurity reports. In the ID Experts survey, respondents said an increased budget would help with investing in audit software and increasing training and proper staffing in an effort to meet regulations, among other needs. Asked to make predictions for 2014, respondents expected increased enforcement on privacy and security by the government and intensified auditing.

PRIVACY—EU

Hustinx Departs, Successor Remains Unknown (January 9, 2014)

The European Data Protection Supervisor’s (EDPS) five-year term ends January 16, and it seems the post could remain vacant for the foreseeable future after current EDPS Peter Hustinx departs, PCWorld reports. The EDPS is appointed by the European Parliament and Council, but the list of candidates created by the European Commission after a public call for candidates was deemed insufficient. Commission Spokesman Antony Gravili said the “selection panel concluded that none of the candidates had the qualities that are needed for the job.” The commission is seeking candidates with experience in data protection in a large or public organization as well as with experience implementing data protection rules, the report states. Hustinx expressed alarm in a letter to the Commission that his successor has yet to be determined. Editor’s Note: For more on outgoing EDPS Peter Hustinx and the search for his replacement, see The Privacy Advisor exclusive, “Ten Years and Two Terms Later, A Look at Peter Hustinx’s Legacy.”

DATA LOSS

Need Help With Data Breach Regulations? (January 9, 2014)

Breach notification laws can pose significant compliance challenges. What should be put into place at your organization to create a culture of compliance, to ensure customer satisfaction and to build an environment of best practices for managing federal and state breach obligations? Join CNO Financial Group’s Stephanie Pasky and ID Experts’ Mahmood Sher-Jan on January 23 for a free web conference to talk about CNO’s incident management framework, including internal and third-party breach control, as well as suggestions on what regulated entities can do to protect their members and reputations while complying with federal and state breach notification laws.

PRIVACY COMMUNITY—U.S.

Pamela Jones Harbour Moves to BakerHostetler (January 9, 2014)

Former Federal Trade Commissioner Pamela Jones Harbour has moved to BakerHostetler where she will help lead its privacy and data protection team, The Hill reports. Harbour, who served as a commissioner for six years, will work as a partner assisting clients with data breach notifications and assessments as well as advising on data transfers. “This is an exciting time to join the firm’s antitrust and privacy teams,” Harbour said in a statement.

DATA PROTECTION—EU & U.S.

Reding Urges Action on GDPR; LIBE NSA Report Leaked (January 8, 2014)
EU Justice Commissioner Viviane Reding has said the proposed EU General Data Protection Regulation (GDPR) must “move full speed ahead,” Bloomberg reports. The clock is ticking on the GDPR with European Parliament elections coming this May. “We have lost too much time already,” Reding said in a prepared statement for a speech in Brussels. Not everyone agrees, however, that the GDPR will move forward. In discussing the two main privacy surprises of 2013, Google Global Privacy Counsel Peter Fleischer wrote on his personal blog, “the old draft is dead…” Meanwhile, after months of inquiry, the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) committee draft report on U.S. National Security Agency surveillance has been leaked. This report for The Privacy Advisor looks at these developing stories and includes commentary from Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E.

NOTICE & CONSENT

Counterpoint: Consent, User Control Are Not Things of the Past (January 8, 2014)

In response to arguments presented by privacy scholar and author Viktor Mayer-Schönberger on notice, choice and the regulation of use, Ontario Information and Privacy Commissioner Ann Cavoukian, Berlin State Parliament (Germany) Commissioner Alexander Dix and Prof. Khaled El Emam collectively contend that consent and personal control are not things of the past. In this Privacy Perspectives post, they write, “In fact, in the wake of Edward Snowden’s revelations, we are witnessing the opposite: A resurgence of interest in strengthening personal privacy.”

ONLINE PRIVACY—U.S.

Suits Claim Consent Isn’t Carte Blanche (January 8, 2014)

Bloomberg reports on lawsuits against Google, LinkedIn and Yahoo based on questions surrounding the use of consent, where consumers claim the companies “unfairly appropriated their personal information for profit.” U.S. District Judge Lucy Koh—who last year told Google it wasn’t being clear enough in its disclosures on data use—will hear the cases. The suits claim that “click-to-agree” screens, opt-out buttons and privacy policies don’t give enough information about how user data will be used.

BEHAVIORAL TARGETING—U.S.

YP Acquires Sense Networks (January 8, 2014)

Search and advertising company YP has confirmed its acquisition of Sense Networks, TechCrunch reports. YP’s David Lebow confirmed that “acquiring Sense’s technology, with its ability to create custom consumer profiles for use in mobile ad targeting, will give YP a real competitive advantage,” the report states. Lebow has suggested the deal is part of YP’s shift from more traditional publishing models to “placing a premium on technology.”

PRIVACY LAW—U.S.

Changes in Employee Privacy Laws, and What’s To Come (January 8, 2014)

In the past year, legislative trends in workplace privacy have steadily been moving in “a direction that favors employee privacy,” writes Philip Gordon of Littler Mendelson in this Privacy Tracker blog post, and indications are that this shift will continue. Gordon sums up laws that went into effect as of January 1, including “ban-the-box” laws, employee social media laws and laws that limit the use of credit information for employment purposes and offers recommendations for employers on how to navigate these laws and the challenges of BYOD. (IAPP member login required.)

PRIVACY—U.S.

Will 2014 Bring Us Closer to Privacy’s Death Knell? (January 8, 2014)

In a feature for Computerworld, Jay Cline, CIPP/US, weighs in on the question of whether privacy is in its death throes. Citing headline-makers who’ve made that claim, Cline questions, “Are they right? Is privacy passé?” Recapping the year that was 2013—from “all of the new digital innovations hitting the streets” to the seemingly limitless possibilities of Big Data to “the vast capabilities of the National Security Agency, which seemed to leave nothing digital out (of) its hearing range” and looking to 2014, Cline creates a “privacy death index” and suggests the road to privacy’s demise “is littered with legal and constitutional obstacles. Traveling this path would require a governmental encroachment into the personal space not seen even in revolutionary colonial times.” Editor's Note: Jedidiah Bracy, CIPP/US, CIPP/E, recently explored this topic on the Privacy Perspectives blog. Hint: Privacy wasn't in its dying days in 1970 either.

SURVEILLANCE

Yahoo Implements Default Encryption; Speakers Canceling Due To NSA Claims (January 8, 2014)

Yahoo has begun automatically encrypting Yahoo Mail users’ connections. Automatic HTTPS is now the default. The move is in response to concerns about government surveillance. Google recently made a similar change, and Microsoft and Facebook have announced stronger encryption keys will be coming in the future. Meanwhile, following allegations that a major security firm accepted $10 million from the National Security Agency to implement an “intentional cryptographic flaw” in one of its encryption tools, several high-profile security experts have begun canceling their appearance at the firm’s annual conference, CNET reports.

BIOMETRICS—U.S.

At CES, Company Announces New Open Standards (January 8, 2014)

Hoyos Labs announced yesterday at the Consumer Electronics Show the formalization of its Biometric Open Standards Protocols. The document sets up rules for secure communications between devices and the server “managing the acquisition and manipulation of biometric data captured by those devices,” according to a press release in Dark Reading. CEO Hector Hoyos said the company “created a rule-based system by building upon the U.S. Department of Defense's core infrastructures” that “is available to any company that wants to implement it” upon request. The document addresses identity assertion, role gathering, access controls, auditing and assurance.

CONSUMER PRIVACY

Unsurprisingly, CES Buzzes With Privacy News (January 7, 2014)
With more than 150,000 attendees descending on Las Vegas, the Consumer Electronics Show, which kicked off yesterday, is the largest event of its kind in the world and is often the venue where electronics manufacturers make their big product unveilings. This year, privacy has more prominence at the event than ever before. The Privacy Advisor wraps up the big privacy news, from the latest in wearables to biometrics to smart cars and TVs. Further, the news makes two upcoming web conferences seem relevant. Rebecca Herold, CIPM, CIPP/US, CIPP/IT, hosts an event with ISACA on Thursday at noon, “Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things.” And at 1 p.m. on Thursday, the IAPP hosts a web conference on “Working with Third-Party Vendors: Moving Toward a Standardized Solution,” featuring Jules Polonetsky, CIPP/US; Ellen Giblin, CIPP/US, CIPP/C, CIPP/G; and Al Silipigni, CIPP/US.

DATA PROTECTION

10 Tips for Data Privacy in 2014 (January 7, 2014)

Several recent data breaches continue to show how “the disclosure of sensitive data can have dramatic financial impacts on an organization and erode consumer trust.” In this Privacy Perspectives post, AvePoint Vice President of Risk Management and Compliance Dana Simberkoff, CIPP/US, writes, “The good news here is that this should be highly preventable.” With Data Privacy Day around the corner, Simberkoff shares 10 tips for improving an organization’s privacy and data protection programs—from identifying the “Crown Jewels” to building bridges, not walls, to creating a pervasive culture of compliance and more.

PRIVACY BUSINESS—U.S.

Schneier Moves to Co3; Evidon Hires First COO (January 7, 2014)

Co3 Systems has hired security and privacy expert Bruce Schneier as its chief technology officer, while Evidon has hired its first chief operating officer. Schneier currently serves as a fellow at Harvard’s Berkman Center for Internet and Society, board member of the Electronic Frontier Foundation and advisory board member of the Electronic Privacy Information Center. AdAge reports Emily Riley comes to Evidon from her prior role as a digital ad industry analyst for Jupiter Research and Forrester Research and, most recently, as a VP at behavioral targeting firm Audience Science. Riley says Evidon aims to help people understand the trade-off between free digital content and tracking technologies.

ONLINE PRIVACY

Are Data-Use Policies Useless? (January 7, 2014)

In an op-ed for Ars Technica, Casey Johnston questions whether the recent hack of Snapchat and the company’s allegedly questionable data security practices show how data-use policies fail. Privacy policies and terms of use “make plenty of promises about all of the third-party evils they will protect our data from,” Johnston writes, “But those policies contain few limits on what the companies themselves can do with our info or how they will secure it.” Meanwhile, The Hill reports that Snapchat has hired lobbyists in Washington, DC, to work on “educating policymakers regarding the application’s operation and practice.” According to The Guardian, the integration of Google+ into its Android operating system “has made it too easy for users to leak personal information.” And in a column for Computerworld, Evan Schuman looks into what app developers should include in their mobile privacy policies.

DATA PROTECTION—U.S.

State Capital Dictates Rules to Silicon Valley; Franken Repeats Call for Bill (January 7, 2014)

Forbes reports on regulatory efforts in Sacramento, CA, and the impact they are having on nearby Silicon Valley—“the world’s technology capital.” At a recent informal hearing at Santa Clara University, experts and politicians discussed Sacramento’s role in regulating the Internet in California, the disconnect between state and federal privacy laws, and transparency, among other topics. Meanwhile, Sen. Al Franken (D-MN) recently repeated his call for a location privacy law, citing a recent Government Accountability Office report indicating a need for clearer privacy practices when it comes to in-car navigation systems, The Hill reports.

HEALTHCARE PRIVACY—U.S.

IMS Health Goes Public; When Docs Google Patients (January 7, 2014)

Forbes reports on plans by IMS Health to go public. According to the report, the company has assembled “85 percent of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.” IMS Health then sells the data and reports to the top 100 global pharmaceutical and biotechnology companies, advertisers, consulting firms and other government and financial organizations. In a recent filing with the Securities and Exchange Commission, IMS Health said it processes data from 45 billion health records per year. Meanwhile, an All Voices article looks into the fine line between marketing and health privacy, and according to The California Report, health kiosks pose several privacy risks. In a column for The New York Times, one doctor opines on the pros and cons of “Googling” his patients. “I am tempted to prescribe that physicians should never look online for information about their patients, though I think the practice will become only more common,” he writes.

SURVEILLANCE—U.S.

Intelligence Reforms Expected To Include Public Advocate in FISC (January 7, 2014)

A package of intelligence reforms from President Barack Obama, which is expected to be released in advance of the State of the Union address later this month, “will probably put a public advocate for the first time in the secret court that approves surveillance practices and remove a controversial telephone records database from direct government control,” Los Angeles Times reports. However, the report states, Obama’s advisors are skeptical about a proposal that would require a federal judge to approve national security letters, with one official noting, “There is concern that this proposal makes it more cumbersome to investigate a terrorist than it does a criminal.” The report comes on the heels of December’s announcement of 46 recommended reforms from the NSA review panel.

PRIVACY—U.S.

Advocates See Their Day in the Sun (January 7, 2014)

Law Technology News reports on what may be the privacy advocate’s golden age. “There’s never been a better time for privacy advocates than today,” said one privacy consultant. “And I suspect I’ll be saying the same thing in five years.” While privacy advocates have been around for decades, they are attracting more attention than ever before. That’s thanks in part to former NSA-contractor Edward Snowden’s revelations last summer. However, funding is often a problem, and various groups—while at times working together to fortify their influence—find themselves scrambling for a limited amount of funding from donations or cy pres awards. (Registration may be required to access this story.) Editor’s Note: For more on this topic, see The Privacy Advisor exclusive, Changing Tactics: The Rise of The Privacy Advocates.

PRIVACY LAW—SINGAPORE

Companies Can Send Certain Messages Without Checking DNC Registry (January 7, 2014)

The Personal Data Protection Commission (PDPC) of Singapore has determined companies are allowed to “send marketing messages to customers that have registered to be listed on a new Do-Not-Call (DNC) Registry under certain circumstances,” Out-Law.com reports. While businesses are required to consult the DNC Registry before sending messages—and face fines in certain circumstances—“a new exemption allows businesses to send either text or fax messages to promote ‘related products and services’ to individuals they have an ‘ongoing relationship’ with,” the report states, noting in such instances, companies are not required to consult the registry first. “As the exemption order does not apply to voice calls, organizations are still required to check against the DNC Registry before making telemarketing calls,” the PDPC said. (Editor’s Note: The IAPP Asia Privacy Forum comes to Singapore in April.)

PRIVACY—U.S.

The Politics of Privacy in 2014 (January 6, 2014)
Though it’s not a presidential election year, 2014 looks to have some important campaigns. House Republicans will try to bolster their majority, while Democrats hope to maintain their hold on the Senate. Many campaigns will run on typical issues—taxes, gun control, immigration—but a new issue is making its way into campaign platforms and partisan politics: privacy. This installment of Privacy Perspectives looks at one such senatorial campaign in Maine and the latest political strategy by House Republicans that takes aim at the Affordable Care Act by introducing legislation that would crack down on potential security breaches of personal information and require “prompt” notification.

PRIVACY LAW—U.S.

Need To Comply with CalOPPA Amendments on DNT? Here’s How (January 6, 2014)

The current privacy regulatory environment can be characterized as a "perfect storm" of more data, more regulation and more enforcement. A microcosm of the confluence of these trends is illustrated in the recent Do-Not-Track amendments to the California Online Privacy Protection Act. The law requires the operator of a website or online service to display a privacy policy that meets certain content requirements. In this exclusive for The Privacy Advisor, Brian Hengesbaugh, CIPP/US, and Amy de La Lama discuss five key questions on how to approach the new rules.

FINANCIAL PRIVACY—U.S.

Startup Looks To Thwart Credit Card Hacking (January 6, 2014)

A Texas-based start-up is planning to introduce new technology aimed at thwarting credit card hacking attacks like the 2013 holiday shopping season’s high-profile Target breach, Forbes reports. Epic One is developing technology that protects credit cards with biometric readers that scan the cardholder’s fingerprint to avoid such hacks. The start-up will introduce its pilot cards later this year. “The root cause of fraud is the exposure of this information,” said Epic One CEO William Gomez Jr., adding, “The Epic One card does not hold any details of any credit cards. Neither does the Epic One application that runs on your smartphone. None of these devices hold any of your credit card information.”

PRIVACY LAW

States See Anti-Surveillance Proposals; Caymans To See New Draft (January 6, 2014)

This week’s Privacy Tracker legislative roundup includes legislation introduced in both Missouri and Kansas aiming to protect electronic communications and data from government intrusion. This comes after an Arizona state senator announced she will propose legislation to effectively ban the National Security Agency from that state. This roundup also includes news of Pennsylvania considering an expansion of its DNA collection to those arrested for felonies and misdemeanors that require registration as sex offenders and the release of a new draft of the Data Protection Bill in the Cayman Islands. (IAPP member login required.)

CONSUMER PRIVACY—U.S.

FTC Director of Consumer Protection Talks Priorities (January 6, 2014)

In a feature for AdWeek, the Federal Trade Commission’s (FTC) Jessica Rich discusses her new role as director of the FTC’s Consumer Protection Bureau. Rich says “native advertising” will be big with the FTC in the near future. “I want to make a broader push into mobile, mobile security, mobile payments, making sure we are able to bring mobile investigations, just as we are able to bring brick-and-mortar investigations.” She adds that the time for privacy legislation has come. Meanwhile, recent data breaches at Target and Snapchat have incited calls from Washington, DC, for legislative action and raised questions about the FTC’s efficacy on data protection.

PRIVACY LAW—U.S.

Court of Appeals Denies Google’s Wiretap Act Argument (January 6, 2014)

The U.S. Court of Appeals for the Ninth Circuit has ruled against an appeal by Google, holding that payload data transmitted over a WiFi network is not considered “radio communications” as defined under the federal Wiretap Act, Business Standard reports. In the case, Google defended its collection of data transmitted over open WiFi networks during its Street View mapping project, saying the data it collected was unencrypted and available to the general public.

INTERNET OF THINGS—U.S.

When the Quantified Self Is In the Office (January 6, 2014)

As the quantified-self movement continues to grow more popular, Fast Company reports on how it fits into the workplace. Stanford Graduate School of Business Associate Prof. Harikesh Nair said, “It’s definitely an incredible revolution that is going to happen in workplace measurement,” adding it can be a positive development for businesses, giving employers clearer insight on how their employees interact with one another and what makes them successful, the report states. One company is using wearable devices to track its sales staff to improve responsiveness and productivity—which has shown a five- to 10-percent rise in productivity.

SURVEILLANCE—U.S.

FISC Approves Gov’t Metadata Collection (January 6, 2014)

National Intelligence Director James Clapper on Friday released a memo stating that the government has filed an application with and received approval from the Foreign Intelligence Surveillance Court to collect telephony metadata in bulk, NBC News reports. “It is the administration’s view … that the telephony metadata collection is lawful,” the memo states. Meanwhile, The New York Times reports on a federal appeals court ruling that allows the Justice Department to continue to withhold a memo that allegedly “opened a loophole in laws protecting the privacy of consumer data.” The Times also reports on Jill Kelley, who is seeking damages and an apology from the government for revealing her name in the David Petraeus scandal. Washington University in St. Louis Prof. Neil Richards said, “This case shows that privacy is really important and that the legal rules we have are not tailored for modern technology.”

BIG DATA

How Algorithms Can Probe and Influence Consumer Behavior (January 6, 2014)

The New York Times reports on Pandora’s Internet radio service and how the company has begun mining user preferences to better determine the types of ads that will be most engaging. Pandora’s chief scientist said, “It’s becoming quite apparent to us that the world of playing the perfect music to people and the world of playing perfect advertising to them are strikingly similar.” According to the report, some businesses are attempting to differentiate themselves by creating algorithms that not only understand their consumers’ behavior but also try to influence their behavior. One computer science professor said, “I would guess, looking at music choices, you could probably predict with high accuracy a person’s worldview,” including “people’s stance on issues like gun control or the environment” or, in some cases, political party affiliation. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

Gov’t Seeks Access to Gun Buyers’ Mental Health Data (January 6, 2014)

The White House has announced two new executive actions “that would expand the government’s access to mental health information during background checks on gun buyers,” The Daily Caller reports, noting these “clarify what constitutes a mental health problem that might prohibit gun ownership and allow states more wiggle room in disclosing such personal medical information.” One executive action modifies the HIPAA Privacy Rule and allows mental health data “relevant to gun ownership” to be included in the National Instant Criminal Background Check System (NICS), while the other “clarifies what exactly in someone’s mental health history would prohibit them from owning or purchasing a gun.”

PRIVACY COMPLIANCE—U.S.

Trends for 2014? Try Increased Enforcement (January 3, 2014)
AdAge offers its top three privacy changes to plan for in 2014. California’s Do-Not-Track (DNT) law has gone into effect, mandating websites indicate in their privacy policies how they respond to DNT signals. Interactive Advertising Bureau Senior VP and General Counsel Mike Zaneis said, “There’s always smoke in a handful of state legislatures, but there’s only fire in California.” In light of NSA surveillance of Europe, the EU is expected to come down strong on its Safe Harbor agreement with the U.S. ZwillGen Privacy Counsel Mason Weisz said, “The Europeans are upset, and I think there will be some attempt to placate them in the U.S.” Finally, industry and federal enforcement is expected. The Better Business Bureau has promised to increase enforcement in the behavioral advertising ecosystem, while the Federal Trade Commission is expected to bolster enforcement of the recently updated Children’s Online Privacy Protection Act. With pressure from industry and federal regulators, Weisz said it will “encourage companies to make more representations … and more representations means more risk.”

HEALTHCARE PRIVACY—U.S.

At Pivotal Juncture, OCR To Get New Director (January 3, 2014)

Personnel changes at the Office for Civil Rights (OCR) would have a “major impact on healthcare IT security in 2014,” HealthITSecurity reports. President Barack Obama reportedly intends to nominate OCR Director Leon Rodriguez to fulfill a role in immigration services, leaving questions as to who would replace Rodriguez, especially during such a critical time as the OCR prepares for its 2014 HIPAA audits. In other healthcare-related headlines, a breach lasting four years was discovered at a Virginia health system during a random company audit in November, and patients affected by the data breach at Kaiser Foundation Hospital Orange County have filed a class-action lawsuit in California.

PRIVACY LAW—U.S.

Facebook Users File Suit Over Data-Mining (January 3, 2014)

Two Facebook users are suing the social network for allegedly intercepting the “content of the users’ communications” to “mine user data and profit from those data by sharing them with third parties—namely, advertisers, marketers and other data aggregators,” Ars Technica reports. In their December 30 class-action, the plaintiffs allege “Facebook’s use of the word ‘private’ in relation to its messaging system is misleading, given the way the company treats the info contained within those messages,” the report states. Facebook has denied the allegations, calling them “without merit.” The class-action is seeking $100 for each day of violation or $10,000 per class member and “statutory damages of either $5,000 per class member or three times the amount of actual damages, whichever is greater,” the report states.

PRIVACY

A Standard Way To Work With Third-Party Vendors? (January 3, 2014)

Sure, you know you’ve got proper procedures in place for working with PII, but do your vendors? This may be the single biggest stressor for privacy professionals today. Luckily, privacy regulations, industry best practices and audit standards are moving companies and government bodies toward a standardized process for confirming compliance and risk management treatment of the vendor, third-party service provider chain. In a January 9 web conference from the IAPP and featuring Ashcroft’s Ellen Giblin, CIPP/US, CIPP/C, CIPP/G, the Future of Privacy Forum’s Jules Polonetsky, CIPP/US, and HSBC CPO Al Silipigni, CIPP/US, you can learn how to get over the biggest stumbling blocks in RFPs, contract negotiations and fulfillment processes.

DATA PROTECTION

Security Firm Buys Mandiant for $1 Billion (January 3, 2014)

FireEye, a major security firm, announced on Thursday that it is bolstering its security offerings with the purchase of Mandiant for $1 billion, IDG News Service reports. Mandiant, which does $100 million in sales per year, made headlines last January after it helped The New York Times discover alleged Chinese hackers lying dormant within the publisher’s network. Though the companies reside in the same industry, each specializes in different offerings. FireEye specializes in network monitoring and intrusion detection, while Mandiant provides an incident response platform, helps clients determine what data has been compromised and closes vulnerabilities, The Washington Post reports. FireEye Chairman and CEO David DeWalt said the combination of firms will allow it to move more quickly from detection to response.

SURVEILLANCE—U.S.

Quantum Computer Could Crack Most Encryption (January 3, 2014)

The Washington Post reports on alleged plans by the U.S. National Security Agency (NSA) to build “a cryptologically useful computer” that could break virtually all encryption on the Internet, including banking, medical, business and government records. Documents provided by former contractor Edward Snowden reveal the plans are part of a $79.7 million research program going by the name “Penetrating Hard Targets.” Unlike classical computers, which run on binary bits—ones or zeroes—quantum computers seek to use bits that are simultaneously ones and zeroes, making them exponentially quicker and more efficient. Some experts, however, are skeptical that such a full-scale system would be ready in the near term. (Registration may be required to access this story.)

BIOMETRICS—UK

More Than One Million Students Fingerprinted (January 3, 2014)

Big Brother Watch, a UK-based privacy advocacy group, estimates that 1.28 million students have been fingerprinted at their secondary schools, nearly one-third without parental consent, The Independent reports. Based on a Freedom of Information request, data shows that four out of 10 schools employ biometric technology to identify students. Big Brother Watch has said the development is concerning because students will grow up thinking “it is normal to be tracked like this all the time.” Big Brother Watch Director Nick Pickles said, “Going to school should not mean kids are taught that they have no privacy, especially at a time when we are sharing more data about ourselves than ever before.”

SURVEILLANCE—U.S.

“Granny Cams” Raise Privacy Concerns (January 3, 2014)

AARP Blog examines the use of surveillance cameras or “granny cams” in nursing homes, a practice that is currently legal in Oklahoma, New Mexico and Texas, “to collect evidence of abuse and neglect.” While their use has positive implications for stopping abuse, the report cautions there are privacy implications not only for patients but for roommates, visitors and caregivers. In addition to the potential invasion of patients’ privacy during such personal activities as bathing, the report notes that those with dementia may be unable to consent to the surveillance.

PRIVACY ENFORCEMENT—U.S.

FTC’s Accretive Settlement Means 20 Years of Audits; Brill Recuses Herself from LabMD Case (January 2, 2014)
Medical billing and revenue management services firm Accretive Health has settled charges with the Federal Trade Commission (FTC) that its inadequate data security exposed sensitive consumer information. The FTC said the company, which had access to such sensitive data as birthdays, names, Social Security numbers and billing information, failed to provide “reasonable and appropriate” security measures to protect the data and failed to ensure employees destroyed data that was no longer needed. Accretive must now establish a comprehensive program to be audited every two years for the next 20 years. Meanwhile, FTC Commissioner Julie Brill has recused herself from the case against LabMD.

DATA LOSS

Target Breach Incites Action; Snapchat Is Latest High-Profile Breach Victim (January 2, 2014)

Following the breach at Target affecting approximately 40 million consumers, Sens. Robert Menendez (D-NJ), Mark Warner (D-VA) and Charles Schumer (D-NY) have called for a Senate Banking Committee hearing to examine whether stronger industry-wide standards are needed and if all necessary actions are being taken to safeguard consumer data against fraud and identity theft. Missouri’s attorney general and a New York assemblyman are also looking into the breach, and a number of consumers have filed lawsuits. Meanwhile, a number of breaches spanning the globe affected healthcare providers, bankers and casino frequenters, among others that include private-texting provider Snapchat, which lost 4.6 million usernames and phone numbers. This roundup for The Privacy Advisor catches you up on what you may have missed over the holidays.

PRIVACY LAW—U.S.

Judge: Hulu Privacy Lawsuit Will Continue (January 2, 2014)

A federal judge has ruled that a privacy lawsuit against video-streaming service Hulu must continue. U.S. Magistrate Judge Laurel Beeler rejected an argument submitted by the company that users must show actual injury to recover damages, even if they could be considered “aggrieved” persons under the Video Privacy Protection Act, Reuters reports. The now-rejected argument by Hulu stated the law “was not adopted to impose multi-billion dollar liability on the transmission of anonymous data where no one suffers any actual injury.” Beeler ruled that “the statute requires only injury in the form of wrongful disclosure…” The judge did not rule on the merits of the case. Courthouse News Service reports that a summary judgment hearing is scheduled for February 6.

PRIVACY LAW

2013 Review; Court Strikes Down Drug Screening Law (January 2, 2014)

In this week’s Privacy Tracker legislative roundup, see BakerHostetler’s year-in-review on international privacy laws and read about cases you may have missed while enjoying the holiday season. For example, a U.S. District Court has deemed a Florida drug-screening law unconstitutional; U.S. Magistrate Judge Laurel Beeler ruled in the Hulu privacy lawsuit that no proof of injury is needed for viewers to recover damages; and the U.S. Federal Trade Commission settled with Accretive Health over the company’s failure to protect consumer data. Also, read about the contradictory rulings on the NSA’s data collection practices. (IAPP member login required.)

SURVEILLANCE

What Will 2014 Hold for the NSA and Snowden? (January 2, 2014)

The tail end of 2013 brought with it continued news and reaction to the disclosures of the U.S. National Security Agency’s (NSA) surveillance programs by former contractor Edward Snowden. Perhaps most significantly, a U.S. federal judge on Friday, December 27, ruled the NSA’s bulk collection of metadata on phone calls was legal. The ruling came less than two weeks after another federal judge came to virtually the opposite conclusion. In this roundup for The Privacy Advisor, we gather together the major developments and opinion stemming from Snowden’s disclosures and what may lie ahead for the NSA in 2014.

DRONES—U.S.

Commercial UAV Use in U.S. Takes Next Step Forward (January 2, 2014)

While the use of unmanned aerial vehicles (UAVs) is regulated in various ways across the globe, the Federal Aviation Administration (FAA) still tightly controls their use in the U.S. Currently, only law enforcement operations and certain educational institutions, or those who’ve expressly received clearance, are allowed to use what have commonly come to be referred to as “drones.” However, CNN reports, the FAA approved six research sites in late December at which it will test the best ways in which to safely, and with consideration for privacy, bring UAVs into “the heavily used U.S. airspace.” In this roundup for The Privacy Advisor, we look at the latest news in the use of UAVs from the holiday season.

DATA TRANSFER

Expect APEC Privacy “Stocktake” in 2014 (January 2, 2014)

Australia Privacy Commissioner Timothy Pilgrim has said officials charged with developing a privacy policy for the Asia-Pacific Economic Cooperation (APEC) are planning a “stocktake” of the APEC Privacy Framework, Bloomberg BNA reports. Pilgrim also said APEC’s Data Privacy Subgroup will work with the EU to map the APEC’s Cross Border Privacy Rules system with the EU binding corporate rules system. “The idea there is to see if they can identify any gaps for the purposes of possible future interoperability between the systems,” Pilgrim said, adding, “The next step is to sit down and identify where are the similarities and where are the gaps if we want to try to move to interoperability.”

PRIVACY

Opinion: 2014 Is “Time To Rethink” Privacy (January 2, 2014)

Privacy—the word itself and the concept—got plenty of attention in the media’s end-of-year wrap-ups. Not surprisingly, it got a bit of attention in looks forward to 2014 as well. Evan Schuman suggests 2014 is “Time to Rethink Privacy,” noting, “Every industry—nay, every company—will come to very different decisions based on the concerns of their employees and customers.” In this roundup for The Privacy Advisor, Publications Director Sam Pfeifle looks at what those opining about privacy had to say in the final days of 2013 and their predictions for the New Year.

CONSUMER PRIVACY

Are Your Books Reading You? (January 2, 2014)

The New York Times reports on new services that track our habits—including an exercise game that monitors our fitness and e-books that “read” us. For example, the report states, start-ups “get reading data from subscribers who, for a flat monthly fee, buy access to an array of titles, which they can read on a variety of devices. The idea is to do for books what Netflix did for movies and Spotify for music.” As one author put it, “What writer would pass up the opportunity to peer into the reader’s mind?” Meanwhile, Gregory Schmidt writes a column on his use of Nintendo’s Wii Fit Meter. The device “clips on a belt or waistband and records your activity,” which can then be downloaded to the Wii U controller. (Registration may be required to access this story.)