Privacy News | Daily Dashboard


Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

PRIVACY TECH

OWASP Looking for Volunteers for Privacy Top 10 Project (February 28, 2014)

In the cybersecurity community, the OWASP Top 10 Project is something of a touchstone. An open-source list of “the most critical web application security flaws,” it represents a consensus of experts as to what threats organizations should be most concerned with as they go about developing their projects. The project, first developed in 2007 by the Open Web Application Security Project and refreshed in 2010 and 2013, has been translated into seven of the world’s major languages, so it is a truly global tool. Sound like something privacy pros could use? Well, Florian Stahl, CIPP/IT, thought so, too. So, this month, he has launched the OWASP Top 10 Privacy Risks Project, and he’s looking for help.

CYBERSECURITY—CHINA & U.S.

Why Privacy Pros Should Embrace NIST’s Framework (February 28, 2014)

Cybersecurity efforts are being bolstered around the globe. Chinese President Xi Jinping has announced he will preside over a cybersecurity and information security working group. And in the U.S., California is set to make it front-and-center after Attorney General Kamala Harris announced Thursday that cybersecurity will be a key focus for the California Department of Justice. This news comes less than a month after the National Institute of Standards and Technology (NIST) finalized its cybersecurity framework. The framework “marks a welcome change privacy professionals should embrace,” writes Rich Santalesa, CIPP/US, a data security expert and member of the Sm@rtedgeLaw Group. In this post for Privacy Perspectives, Santalesa looks into the final framework and why, ultimately, it may be good for privacy pros.

PRIVACY TECH—U.S.

For Infosec Professionals, Privacy Can Be a Differentiator (February 28, 2014)

For information security professionals, privacy might seem like a secondary thought. Done right, however, incorporating strategic thinking about privacy into daily job functions could be an infosec professional’s ticket to the C-suite. Or at least strong relationships with the people in it. After all, breaches and other gaffes are expensive and damaging, and information security professionals are the data keepers who can avoid such pitfalls. That was the message from IAPP CTO Jeff Northrop, CIPP/US, CIPP/IT, who told a crowd at the RSA breakout session “Privacy as a Growing Risk” that privacy should be used as an advantageous tool to strategically make a leap up the command chain. Angelique Carson, CIPP/US, runs down the whys and hows for The Privacy Advisor.

PRIVACY LAW—FRANCE

The CNIL Is Making Its Mark (February 28, 2014)

With an uptick in inspections, 43 formal compliance notices, its president named the new chair of the Article 29 Working Party and a record fine against Google for noncompliance with the French Data Protection Act, the French data protection authority, the CNIL, is asserting itself in the international data protection scene. In this Privacy Tracker post, Olivier Proust of Field Fisher Waterhouse offers concrete examples of the CNIL’s growth, resourcefulness and experience, noting “companies should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.” In a separate report, Proust looks at concerns regarding privacy and France’s new law on real-time geolocation. (IAPP member login required.)

DATA PROTECTION—U.S.

Opinion: Hold Merchants to Same Standards as Financial Orgs (February 28, 2014)

In a column for The Hill, the National Association of Federal Credit Unions’ Katie Marisic argues that merchants should be held to the same standards as financial institutions. Marisic offers three suggestions to help ease “the burden of data breaches” on consumers: national standards for data privacy, notification and disclosure standards, and limits on consumer liability. With recent breaches hitting retailers, “credit unions were the ones who monitored … their members’ accounts for possible fraudulent charges; who reimbursed consumers whose accounts were compromised, and who replaced thousands of debit and credit cards,” she wrote, adding, “It is time for the government to step in and hold merchants that accept electronic payment transactions to the same standards that they hold financial institutions.”

SURVEILLANCE—U.S.

Obama, NSA Take Heat for Crying “Privacy” (February 28, 2014)

Wired reports today on the Obama administration’s refusal to release the 28 proposals it has received from various corporations on managing the NSA’s database of phone metadata. In response to Wired’s questions, the Office of the Director of National Intelligence (ODNI) replied, “Upon review, ODNI has determined the material should be withheld in its entirety in accordance with FOIA exemptions … Exemption (b)(6) applies to information, which, if released, would constitute a clearly unwarranted invasion of personal privacy of individuals.” This led Venture Beat to comment, “So despite the questionable practice of collecting an individual’s private data without a warrant, the government has no problem keeping efforts to reform the NSA’s program under wraps because it would violate a corporation’s right to privacy.”

PRIVACY LAW—U.S.

Judges: Users Have Right to Text Message Privacy (February 28, 2014)

The Washington State Supreme Court has ruled citizens have the right to privacy in the text messages sent from their mobile devices, the Associated Press reports. In two 5-4 decisions, justices overturned drug convictions that hinged on law enforcement access to text messages without warrants. Justice Steven Gonzalez wrote in one of the cases, “Text messages can encompass the same intimate subjects as phone calls, sealed letters and other traditional forms of communication that have historically been strongly protected under Washington law.” The Electronic Frontier Foundation’s Hanni Fakhoury said, “People have a right to have those messages delivered without fear of government intrusion or interception, and if the government wants to intrude or intercept them, they have to get a warrant or wiretap to do so.”

BIG DATA—U.S.

Civil Rights Groups Challenge Data Collection (February 28, 2014)

The Washington Post reports that more than a dozen civil rights groups are backing a set of principles aimed at pushing back against data collection they argue is used to discriminate against minorities in law enforcement, hiring and commerce. Groups are backing principles to end “high-tech profiling,” introduce protections in automated decision-making systems, put pressure on the private sector to be more transparent about data and “protect people from inaccurate data,” the report states. “Big Data has supercharged the potential for discrimination by corporations and the government in ways that victims don’t even see,” said Leadership Conference on Civil and Human Rights’ Wade Henderson. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Man Sues FINRA for Violating His Privacy (February 28, 2014)

A former broker has sued the Financial Industry Regulatory Authority (FINRA) for violating his privacy by making a disciplinary document about him available on its website, Reuters reports. In 1997, Alan Santos-Buch settled charges for violating industry rules, believing the details would only be available publicly for two years. Now, a basic web search brings up his case, making it hard for him to get a job. His lawsuit, filed with the U.S. District Court for the Southern District of New York, asks the court to order FINRA to remove the disclosure and its reference to him. The continual publication of “personal disclosures,” he argues in a court affidavit, is a “willful, concerted and relentless assault on my reputation and well-being.”

PRIVACY RESOURCES

Introducing the Casebook of FTC Privacy Law (February 27, 2014)

It used to happen once every year or two, but the pace has accelerated noticeably over the past few years: The Federal Trade Commission (FTC) issues a Decision and Order summarizing the terms of a settlement in an enforcement action under Section 5 of the FTC Act. Many of the best and brightest have been there. In fact, a recent survey by Jay Cline, CIPP/US, confirms that, in enforcement of privacy law, the FTC is in a league of its own among privacy regulators worldwide. This is why the IAPP Westin Research Center has undertaken a project to produce its FTC Privacy Casebook and make it available for you to search and use. It’s a big project. However, ahead of the largest-ever—yet again—IAPP Global Privacy Summit in Washington, DC, next week, the IAPP Westin Research Center has published a useful preview of the FTC Privacy Casebook, with analysis and collected documents surrounding 10 top settlements. In this piece for The Privacy Advisor, IAPP VP of Research and Education Omer Tene explains the project and this initial product.

PRIVACY—U.S.

RSA Dispatch: Talking FIPPs and Geeks with Google, Microsoft and McAfee (February 27, 2014)

These are uncertain times. User trust is at an all-time low, the models upon which governing data-use principles were built are outdated and it’s time for a shift in how policy people and engineers work together in order to address these problems. Heck, even the RSA Conference App isn’t safe. Those were just some of the takeaways from a highly attended and wide-ranging RSA session Wednesday on “Hot Topics in Privacy,” moderated by IAPP CEO Trevor Hughes, CIPP, and featuring a panel of Google CPO Keith Enright, CIPP/US, CIPP/G, Microsoft CPO Brendon Lynch, CIPP/US, and McAfee CPO Michelle Dennedy, CIPP/US, CIPM. Angelique Carson, CIPP/US, reports on this heavyweight panel, from a conference that has also featured sessions on mobile privacy and the release of Verizon’s 2014 Data Breach Report, which says “the bad guys are winning,” according to CNN.

SURVEILLANCE—UK & U.S.

Agencies Spied on Millions Using Webcam Interception (February 27, 2014)

The Guardian reports on Optic Nerve, a program created by UK intelligence agency GCHQ in conjunction with the U.S. National Security Agency to intercept and store webcam images of millions of Internet users, many of whom were not suspected of wrongdoing. According to files leaked by Edward Snowden, the program collected images from Yahoo webcam chats in bulk and stored them in agency databases. In one six-month period, the GCHQ collected images from more than 1.8 million user accounts. Yahoo said it was unaware of the activity. “This report, if true, represents a whole new level of violation of users’ privacy that is completely unacceptable, and we strongly call on the world’s governments to reform surveillance law,” the company said.

PRIVACY EDUCATION

From Data Assets to Vendor Management (February 27, 2014)

The value of personalized data and databases is fairly well-known, but less well-known is the intangible asset value of databases from a privacy perspective. On Thursday, April 10, experts will lead a discussion for this IAPP web conference on how to make data more or less valuable and the potential effect of new regulation. Meanwhile, on March 20, privacy experts will delve into vendor management and assurance by examining U.S. Federal Trade Commission and state attorneys general enforcement actions. With both enforcement bodies looking more closely at how companies are implementing appropriate data privacy measures, ensuring a robust data governance scheme—including vendor management and assurance—will be key for organizations moving forward.

ONLINE PRIVACY

Making Online Privacy More User-Friendly (February 27, 2014)

With increased awareness about online privacy issues in both the public and private sectors, a host of online privacy tools now exist, but for the most part they are difficult to use. GigaOM reports on a group of experts attempting to make online privacy tools more user-friendly. Groups have been attempting to “redecentralize” the Internet, but, the report states, the open-source scene is often made up of users more concerned with function than with the user experience. Eleanor Saitta, of the Open Internet Tools Project, said, “There are still a lot of people in the (developer) community who are, ‘If I can use this tool, why can’t everyone?’ A lot of people aren’t willing to acknowledge that if ordinary users can’t use it, they won’t.”

MOBILE PRIVACY

Mozilla Rolling Out New Privacy Features (February 27, 2014)

In a partnership with Deutsche Telekom, Mozilla said it plans to release new privacy and security features for its Firefox operating system, ComputerWeekly reports. The focus of its Future of Mobile Privacy project is emerging markets. Mozilla has found the most prevalent concerns include lost/stolen mobile devices and the privacy of sharing personal information among friends and family. Mozilla Global Privacy and Public Policy Leader Alex Fowler said Mozilla will “be calling on the privacy and security community to start dreaming up what they think are exciting features and services, and we want to prototype and make those part of future releases as well.”

DATA LOSS—U.S.

Target: Breach Knocked Down Profits (February 27, 2014)

Target has said the data breach that hit its stores over the holiday season has contributed to a loss in profits—to the tune of 46 percent, Associated Press reports, while sales fell 5.3 percent. “Target says it earned $520 million, or 81 cents per share, for the three months that ended February 1. That compares with a profit of $961 million, or $1.47 per share, a year earlier,” the report states, noting revenue also dropped from $22.7 billion to $21.5 billion.

DATA RETENTION—U.S.

DoJ Asks FISC for Increase in Retention Limits (February 27, 2014)

The Department of Justice has asked the Foreign Intelligence Surveillance Court to extend the limit on how long it can retain telephone metadata beyond the current five years, citing civil suits regarding the data, IDG News Service reports. In a filing made public on Wednesday, the DoJ wrote, “A party may be exposed to a range of sanctions not only for violating a preservation order, but also for failing to produce relevant evidence when ordered to do so because it destroyed information that it had a duty to preserve.” The American Civil Liberties Union, Sen. Rand Paul (R-KY) and the First Unitarian Church of Los Angeles have filed civil suits challenging the phone metadata collection program.

BIG DATA

Surveys Offer Insights Into Consumer Perspectives (February 27, 2014)

Two recent studies offer insights into consumer perspectives on the use of their personal information (PI). A survey from content management and analytics firm SDL indicates “nearly two-thirds of consumers in the U.S. and around the world are worried about how marketers are using their personal information,” AdWeek reports. However, about 80 percent are willing to provide PI “to a trusted brand as long as brands are transparent about how they collect and use their information and as long as they get something in return.” A Fortinet study of Gen-Xers and Millennials, meanwhile, found differences in “philosophy about security and privacy” from one generation to the next.

PRIVACY LAW—U.S.

Proposal: Use Oil Spill Remedies on Data Breach Problem (February 26, 2014)

After the string of data breaches that affected Target, Neiman Marcus and other retailers, the security vulnerability of Big Data has come under scrutiny. The proliferation of data breaches also has banks, retailers, credit card companies, regulators and others all asking one question: How do we solve the data breach problem? At the Maine Law Review 2014 Privacy Symposium last week, Capital University Law Prof. Dennis Hirsch suggested we look to environmental law to find an answer. While Hirsch admits his paper’s recommendations are “intended (to be) provocative suggestions (rather) than full-fledged proposals … to spark creative thinking about solutions,” IAPP Westin Fellow Dennis Holmes evaluates two of his major suggestions for The Privacy Advisor.

PRIVACY TECH

Cryptographers at RSA: “Users Seem To Now Mind Giving Up Privacy” (February 26, 2014)

If there are buzzwords at this year’s RSA conference, they are without question “mistrust” and “NSA.” And if there’s anywhere the irrefutable impact of the “Summer of Snowden” reverberates, it’s through the corridors here at the Moscone Center in San Francisco, CA. During the Tuesday morning keynote, panelists Whitfield Diffie of SafeLogic, Brian LaMacchia of Microsoft Research, Paul Kocher of Cryptography Research, Inc., MIT’s Ron Rivest and Adi Shamir of Israel’s Weizmann Institute of Science expressed “shame” and “shock” at the NSA revelations but also offered up a vision of where cryptography is going and how it might affect the privacy industry. Angelique Carson, CIPP/US, gets you up to speed.

BIOMETRICS—U.S.

NTIA’s Facial Recognition Talks Trigger Debate (February 26, 2014)

Yesterday, in the second in a series of meetings to develop a voluntary code of conduct around the application of facial recognition technology, the scope of the code was debated. Led by the National Telecommunications and Information Administration’s (NTIA) John Verdi, the talks centered on whether or not there should be a dual-use structure for facial recognition’s commercial and government use; specifics on how the technology actually works and links with databases, and how much more time should be spent fact-finding on facial recognition. Jedidiah Bracy, CIPP/US, reports for The Privacy Advisor on where the contention, and possible consensus, lies.

BEHAVIORAL TARGETING—U.S.

Ruback: Mobile Location Code of Conduct Good Step, But Needs More for Privacy (February 26, 2014)

More and more retailers rely on “sophisticated technologies like Bluetooth, iBeacons and RFID to track customers on their mobile devices,” writes Evidon CPO Todd Ruback, CIPP/US, CIPP/E, CIPP/IT. So much so, that the Federal Trade Commission recently held a seminar on it. There are many benefits of the technology, but, Ruback notes, “As a privacy guy, I am naturally concerned.” In this post for Privacy Perspectives, Ruback discusses the industry’s Mobile Location Analytics Code of Conduct and what can be further done to give consumers more transparency and choice. “The industry took a good first step,” he writes, “but I wish it was more meaningful. I can’t help but feel it was a wasted opportunity to get it right.”

PRIVACY COMMUNITY

IAPP Global Privacy Summit Is Sold Out (February 26, 2014)

The IAPP Events Team announced today that the Global Privacy Summit, happening next week in Washington, DC, is officially sold out. Were you procrastinating? Sorry about that. However, we have a couple of pieces of good news: our Show Daily newsletter, to which you can subscribe, and a discount on our next big U.S. event.

SURVEILLANCE—U.S.

If Gov’t Won’t Protect Privacy, Innovation Will (February 26, 2014)

Mike Janke spent 14 years as a Navy SEAL. He’s been around the block, so to speak. And the U.S. government’s decision to circumvent the controls in place to protect innocent citizens’ communications en masse has him scared right now. Janke, now CEO of Silent Circle, was talking about the “Summer of Snowden” revelations during a Tuesday session at RSA 2014 entitled “Mission Impossible? Building and Defending Zero-Knowledge Privacy Services.” The Privacy Advisor reports on the discussion among Janke, Ethan Oberman of cloud-based synchronization and sharing service SpiderOak and Nicko van Someren, CTO of Good Technology, of the new premium on “zero-knowledge” technology models that allow users to maintain complete control over access to their data, and of new technological solutions for privacy.

HEALTHCARE PRIVACY—U.S.

HIPAA Changes Mean Tightening Vendor Relationships (February 26, 2014)

With the changes to the HIPAA Privacy and Security Rules, the responsibilities and relationships between covered entities and their vendors have moved to the forefront of information security management. In particular, renewed emphasis has been placed on vendor security management and the responsibility that covered entities bear for performing appropriate due diligence. In this exclusive for The Privacy Advisor, David Holtzman, CIPP/G, and Erin McMillan drill down on how to comply with the changes. Editor’s Note: Holtzman will speak at next week’s IAPP Global Privacy Summit.

DATA LOSS—U.S.

Info from 360M Accounts Available for Sale; Other Breaches Reported (February 26, 2014)

NBC News reports Hold Security LLC has announced uncovering “stolen credentials from some 360 million accounts that are available for sale on cyber black markets,” citing risk beyond stolen credit card data “because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.” Separately, Identity Finder has released research indicating “an estimated 630,000 social security numbers on nonprofit organizations’ tax returns … have been posted online,” and Indiana University has reported a breach involving the names, Social Security numbers and addresses of 146,000 current and former students. Meanwhile, the House Committee on Oversight and Government Reform is seeking documents related to the Target breach and has asked for all documents to be submitted by March 10.

STUDENT PRIVACY—U.S.

Is PI Used for Online Educational Services Protected? “It Depends” (February 26, 2014)

The Department of Education (DoE) has weighed in with an answer to the question of whether personal information (PI) collected in the $8 billion preK-to-12th-grade education software industry is “federally protected from being shared or sold by technology vendors,” The New York Times reports. The answer? “It depends.” New DoE guidance includes that “careful wording,” the report states, in detailing “requirements and recommended practices for school management of online education services that directly involve students or their parents.” Meanwhile, Forbes reports on The Student Privacy Zone Summit in Washington, DC, aimed at ensuring student information “is restricted to educational use only.” (Registration may be required to access this story.)

DATA PROTECTION—EU

Will Facebook-WhatsApp Deal Be Probed by EU DPAs? (February 26, 2014)

Bloomberg Businessweek reports on the Facebook-WhatsApp deal and whether it will trigger any privacy investigations from data protection authorities (DPAs) across the EU. Article 29 Working Party Chairman Jacob Kohnstamm said the acquisition may get the interest of DPAs. He said that DPAs “could, having heard about the merger, decide to do research into the product as well” and subsequently all “28 data protection regulators could open an investigation.” The main concern, he said, is the collection of data from users’ mobile address books when they download the application. Meanwhile, Finland-based Nokia is facing criticism after it was revealed that its Lumia line of Windows Phones transmitted personal data—including that of some senior members of Finland’s government—to Microsoft servers in the U.S.

HEALTHCARE PRIVACY—U.S.

ONC Announces Plans for Privacy Tools for Providers (February 26, 2014)

The Office of the National Coordinator for Health Information Technology (ONC) is working to provide more tools to help providers, including a downloadable security risk assessment tool, reports Healthcare IT News. Laura Rosas, senior policy advisor at the Office of the Chief Privacy Officer, said at the HIMSS14 conference on Tuesday that “small practices don’t really understand what a risk assessment is and what the process entails,” adding, “we know from Office for Civil Rights audits that these practices simply aren’t doing the assessment.” The ONC already offers tools in the way of a training game and notice of privacy practice templates. Editor’s Note: For more privacy tools, visit the IAPP’s online Resource Center.

ONLINE PRIVACY

RSA Dispatch: How Do Brands Establish Trust in This Time of Distrust? (February 25, 2014)

What Silicon Valley knows how to do best is collect user data without notifying the user it’s doing so, or for what purpose, and then sell it for profit. But it shouldn’t be that way, and it doesn’t have to be. That’s how Reputation.com’s Michael Fertik led off the IAPP’s first panel discussion at RSA Conference yesterday, offering a springboard for Jules Polonetsky, CIPP/US, Anne Toth and Stan Crosley, CIPP/US, CIPM, to talk about how brands can establish trust while they collect and use data in the post-Snowden era. Hint: IT and privacy professionals are going to have to work closely together. Angelique Carson, CIPP/US, fleshes out their solutions for The Privacy Advisor.

SOCIAL NETWORKING—U.S.

A Riveting Read From Danah Boyd (February 25, 2014)

It’s Complicated: The Social Lives of Networked Teens, a new book by danah boyd, is available today. In this review for The Privacy Advisor, K Royal, CIPP/US, CIPP/E, describes the work as “easy to read, applicable to the privacy field and full of interesting, well-considered research.” Royal provides an overview of the book’s eight chapters and considers the relevance of the subject matter for privacy professionals and the general public alike. “I can do nothing less than highly recommend this book” to those interested in privacy or issues affecting teens, Royal writes.

PRIVACY COMMUNITY

Frye, Stoddart, Stonier Join IAPP Board (February 25, 2014)

The IAPP announced this week the new composition of its Board of Directors, with three notable additions, plus its newly appointed Executive Committee. Joining the board are Bank of America CPO Christine Frye, CIPP/US, CIPM; Executive VP of Privacy and Information Guidance at MasterCard JoAnn Stonier, and former Privacy Commissioner of Canada Jennifer Stoddart. Further, Hewlett-Packard VP and CPO Scott Taylor, CIPP/US, has taken over for Past Chairman and Microsoft CPO Brendon Lynch, CIPP/US, as chairman of the board, and a new slate of officers has accepted positions. Please join us in thanking them for their service to the IAPP.

PRIVACY LAW—U.S.

Media Orgs Want Gmail Docs Released (February 25, 2014)

MediaPost reports on the request by a coalition of news organizations asking U.S. District Court Judge Lucy Koh to unseal court documents related to a Gmail lawsuit. “This case has the potential to not only affect the rights of the millions of class members but also to set precedent on vital issues of first impression for privacy law,” the coalition wrote in papers filed in U.S. District Court. The news organizations contend that neither Google nor consumers involved in the suit have demonstrated a need for the documents to be sealed, writing, “Instead, the parties have asked the court to reflexively seal thousands of pages of documents in a case that could impact the privacy rights of millions of Americans.”

BIOMETRICS—U.S.

NTIA Facial Recognition Talks Resume (February 25, 2014)

This afternoon, the Department of Commerce (DoC) will host its second in a series of talks on the implications of facial recognition technology, The Hill reports. The meeting will feature a presentation from Animetrics, whose CEO said the goal is to inform people so they “better understand (the technology) and maybe not be so afraid,” adding, “Let’s not jump the gun about making policies to control face recognition until we really understand the problem.” The DoC said the meeting will consider uses—such as mobile apps that identify individuals by their faces in public, devices that can be accessed by a faceprint and companies that mine faceprint databases for employment and marketing purposes—that should be covered by a National Telecommunications and Information Administration code.

PRIVACY BUSINESS

Oracle To Buy BlueKai for $400M (February 25, 2014)

AdAge reports that Oracle has agreed to acquire BlueKai for a reported $400 million, though terms were not publicly disclosed. Among BlueKai’s offerings is technology that allows for data transfer independent of cookies but with “the same transparency and notices that cookies have.” The report says Oracle plans to integrate BlueKai with other cloud marketing products Responsys and Eloqua to “give its customers the ability to more precisely personalize messages to consumers and B-to-B buyers—the people those products are used to reach.”

MOBILE PRIVACY

IoT Focus at MWC (February 25, 2014)

The Mobile World Congress (MWC) is home to all the hottest new mobile devices, Forbes reports, and at this year’s event, the Internet of Things (IoT) and data are key themes. “Consumers currently expect ‘mobile device’ to mean smartphone and the apps we use on it, but a plethora of other device types are changing that expectation,” TJ McCue writes. He suggests that the prevalence of IoT sessions at the MWC indicates “the mobile community is taking the potential and implications of data seriously. The amount of data from IoT devices and the number of mobile products that help us share and make sense of it will only increase.”

BIG DATA—U.S.

White House, MIT Co-Host Privacy Workshop; Advocates Tell Obama Self-Regulation Isn’t Working (February 25, 2014)

The White House Office of Science and Technology Policy and MIT will co-host “Big Data and Privacy: Advancing the State of the Art in Technology and Practice” on March 3. The daylong event will include keynotes from White House Counselor John Podesta and Secretary of Commerce Penny Pritzker, along with panels and roundtable discussions. Meanwhile, more than a dozen advocacy groups have written a letter to the White House asking it to craft legislation that would put teeth into the Consumer Privacy Bill of Rights. The groups argue industry self-regulation is not working and an opt-out framework as it exists “forces consumers to check their privacy settings every time a company changes its business model.”

DATA PROTECTION

On Breach Response, 50 Percent of Execs Are in the Dark (February 25, 2014)

According to The Economist Intelligence Unit’s Information Risk report, half of the executives surveyed have not been trained in what to do in response to a data breach. The report surveyed 341 senior business leaders from around the world, almost half of whom are C-suite-level executives. The unit then conducted a series of in-depth interviews with 17 senior executives on managing digital assets. Among the key findings, the report states that data risk awareness does not extend evenly across most organizations. The most knowledgeable departments tend to be IT and finance, due to the sensitive information they deal with. “This low level of awareness across the company is equally true vertically,” the report states.

PRIVACY LAW—AUSTRALIA

Australian Privacy Principles Finalized, Effective March 12 (February 25, 2014)

The final iteration of the Australian Privacy Principles (APPs) has been issued by the Office of the Australian Information Commissioner following public consultation, Computerworld Australia reports. Public and private organizations must adhere to the APPs when they go into effect on March 12 along with the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which gives Australian Privacy Commissioner Timothy Pilgrim a mandate to seek civil penalties of up to $340,000 for individuals and $1.7 million for businesses in cases of serious breach incidents. Pilgrim said, “Most of the requirements contained in the APPs are not new, and business and government should be ready to hit the ground running come March 12.”
Full Story

CYBERSECURITY

SSL Bug Found in Apple Operating Systems (February 24, 2014)
Security researchers and experts discovered a coding flaw late last week in the operating systems that run Apple’s mobile devices and computers that could allow hackers to circumvent encrypted connections, Reuters reports. A single line in the software omitted commands to authenticate an encrypted website’s certificate, meaning hackers could impersonate sites and capture all the electronic data being communicated by users. Cryptography expert Matthew Green said, “It’s as bad as you could imagine; that’s all I can say.” Apple has offered a software update for mobile devices and said it would release a patch for Mac computers “very soon.” The bug has allegedly been present for months, and some have questioned whether it was a spy’s attempt to create a “back door” into the devices.

PRIVACY LAW—EU & U.S.

Law Symposium Delves into Thorny Privacy Issues (February 24, 2014)

Who’s governing privacy? That was the main question asked at the Maine Law Review 2014 Privacy Symposium on Friday. Implementing public policy to create appropriate levels of regulation and data protection in the Digital Age is a thorny issue with no easy answers, but privacy and legal experts from the U.S. and Europe did their best to flesh out what’s possible and what’s needed in Portland, ME. In all, seven law review papers were presented at the symposium, covering topics as diverse as the privacy issues raised by license plate scanners, the effectiveness of the multistakeholder process and transnational surveillance. This exclusive for The Privacy Advisor gives you the lowdown on the event.
Full Story

PRIVACY LAW

State Court Says Warrant Needed for Cell Location Data; Brazil’s Impending Law Prompts Questions (February 24, 2014)

In this Privacy Tracker legislative roundup, read about privacy concerns related to Brazil’s proposed Internet privacy law and a bill Turkey’s president recently signed into law, and get some insight on complying with South Africa’s new law. In the U.S., states are moving along bills to prevent revenge porn in Illinois and protect readers’ privacy in New Jersey and student privacy in Wyoming and Kansas, among others. Also, the Massachusetts Supreme Court has determined police need a warrant in order to collect cellphone location data over a period of time. (IAPP member login required.)
Full Story

PRIVACY LAW—U.S.

AG Holder Calls for National Breach Law (February 24, 2014)

Attorney General Eric Holder has called on Congress to enact federal data breach protection legislation, CNN reports. “A strong, national standard for quickly alerting consumers whose information may be compromised ... would empower the American people to protect themselves if they are at risk of identity theft,” he said. “It would enable law enforcement to better investigate these crimes—and hold compromised entities accountable when they fail to keep sensitive information safe.” In response to claims this would overwhelm law enforcement, Holder said legislation should have exceptions for small breaches. Meanwhile, Bloomberg is reporting the hackers who compromised Neiman Marcus are almost definitely separate from those who attacked Target, and the number of cards affected is fewer than initially reported: a maximum of 350,000.
Full Story

CHILDREN’S PRIVACY—U.S.

Angwin: Start Early To Protect Kids Online (February 24, 2014)

In a feature for The Wall Street Journal, Julia Angwin writes that while persuading her children to care about their online privacy “wasn't easy,” if you search for them online, “barely a trace” will be found. Angwin, who will deliver a keynote address at the Global Privacy Summit next week, does not post information about her children, who are both under the age of 10, and has already “taught them to erase their own digital footprints.” She writes, “Why go to such extremes at such a young age? Because if I don't do anything to help my children learn to protect themselves, all their data will be swept up into giant databases, and their identity will be forever shaped by that information.” (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Countersurveillance Software Promoted at RSA (February 24, 2014)

Network World reports that among those attending this week’s RSA Conference in California will be Miss Teen USA Cassidy Wolf, promoting countersurveillance software maker SnoopWall. Wolf, who was extorted by an online hacker who had accessed her computer’s webcam to take pictures of her, wants to use her “Miss Teen USA platform to raise awareness about cybercrime and potentially help prevent others from being victimized too,” the report states. Privacy Perspectives recently examined privacy and security issues around webcams, including the case of teenager Jared James Abrahams, who “hacked into at least two dozen computers belonging to young women.” Editor’s Note: The IAPP is on the ground at RSA and will be reporting on privacy issues explored at the event.
Full Story

BIG DATA

Telecoms Press on With Biz Plans Despite Privacy Awareness (February 24, 2014)

Although the Snowden revelations brought privacy into the forefront of mainstream conversation, many telecoms will continue with business plans aimed at capitalizing on the vast data stores their customers create, Reuters reports. “Privacy is a hot-button issue right now, but we think we can take a leadership stance,” said Verizon’s Colson Hillier. “It’s not a reputational risk if you do it right and are proactive in communication with consumers and policy-makers.” However, some competitors are taking the opposite tack. The trend toward the monetization of Big Data led The New York Times to editorialize that a Big Data study commissioned by U.S. President Barack Obama needs to produce “not only a thorough description of how businesses are collecting private data but also specific legislative proposals to give consumers more control of that information.”
Full Story

SOCIAL NETWORKING—U.S.

Senate Candidate Posts “Gruesome” Medical Images Online (February 24, 2014)

A U.S. Senate candidate’s Facebook postings “of gruesome X-ray images of gunshot fatalities and medical injuries to his Facebook page” have raised ethics and privacy concerns, The Topeka Capital-Journal reports. Milton Wolf, a Kansas radiologist “anchoring a campaign for the Republican nomination with calls for federal healthcare reform,” has said the images are legal and were uploaded for educational purposes. However, the images included disparaging comments about the victims, the report states. “The dignity and privacy of the individual should be protected,” said Center for Practical Bioethics President John Carney. “It doesn't sound like they're being protected if they're, obviously, on Facebook.” Editor’s Note: In a Privacy Perspectives post this past summer, Valita Fredland, CIPP/US, wrote about healthcare providers and social media use.
Full Story

SURVEILLANCE—U.S.

ABA Asks NSA for Clarification on Attorney-Client Privilege (February 24, 2014)

After a report by The New York Times describing the alleged surveillance of a U.S. law firm and its clients by the National Security Agency (NSA) and its Australian counterpart, the president of the American Bar Association (ABA) has sent a letter to the NSA expressing concerns about the privacy of attorney-client privilege. ABA President James Silkenat has also asked for clarification on the NSA’s policies and practices concerning intercepted confidential data. “The attorney-client privilege is a bedrock legal principle of our free society and is important in both the civil and criminal contexts,” he wrote, adding, “It enables both individual and organizational clients to communicate with their lawyers in confidence, which is essential to preserving all clients’ fundamental rights to effective counsel.”
Full Story

TRAVELERS’ PRIVACY—U.S.

TSA Pre-check Gives Rise to Privacy Concerns (February 24, 2014)

USA Today reports on the privacy concerns coming out of the Transportation Security Administration’s (TSA) Pre-check expedited screening program. TSA Administrator John Pistole aims to move half of air travelers through expedited screening by the end of 2014. As the program expands, however, privacy experts warn against giving up more personal information in exchange for quicker travelling. “Either the assessments will be based on a laughable amount of information about people and will only be providing an illusion of security, or they will be so intrusive that the government will basically be doing background checks on everyone who flies,” said the American Civil Liberties Union’s Jay Stanley.
Full Story

PERSONAL PRIVACY

Privacy Issues Raised by 3D Room-Mapping Program (February 24, 2014)

Google recently announced Project Tango, an Android-based phone with built-in, super-advanced 3D sensors capable of mapping a given area around the device, including the interiors of buildings, Motherboard reports. In its announcement, Google asked, “What if you could capture the dimensions of your home simply by walking around with your phone before you went furniture shopping?” The technology is currently only available to 200 developers, and Google says the technology is still in the early stages, but the report suggests potential privacy implications, including where the maps would be stored and who would have access to them.
Full Story

CONSUMER PRIVACY—U.S.

FTC’s Brill Pushes for Data Privacy Laws (February 21, 2014)

Federal Trade Commissioner Julie Brill has called on Congress to pass three privacy laws, including transparency requirements for data brokers, The Hill reports. Consumers should have the right to view and correct information compiled about them, she said. “I believe we should be concerned about the damage that is done to our sense of privacy and autonomy in a society in which information about some of the most sensitive aspects of our lives is available for analysts to examine without our knowledge or consent and for anyone to buy if they are willing to pay the going price,” Brill said, adding, “I think it is increasingly clear that the United States needs data security legislation.”
Full Story

DATA PROTECTION—EU

On Leveraging Big Data While Complying with Law (February 21, 2014)

The Big Data Project (BDP), an Open University study, is looking into how organizations can leverage Big Data while complying with EU data protection principles. In this post for Privacy Perspectives, Sara Degli Esposti, a research fellow at the Open University Business School, discusses the study, asking, “What kind of legislation do we need to create that positive system of incentive for organizations to innovate in the privacy field?” The BDP “represents a chance for you to contribute,” she writes, “and learn about, the debate on the reform of the EU Data Protection Directive.” The BDP is open to employees concerned with data management or use “from all types of organizations … with interests in Europe.”
Full Story

ONLINE PRIVACY

How Baidu Wraps Privacy Into New Products (February 21, 2014)

The world’s second-largest search engine, China-based Baidu, is continuing to look at expansion into emerging markets. Whenever it approaches a new market, Global Marketing Director Richard Lee explains, dedication to privacy is part of the company’s communications. “China is actually doing a great deal to keep in line with modern times,” he tells The Privacy Advisor in this exclusive, adding, “I agree that maybe we at Baidu need to do more to prove that we respect privacy than some Western companies, but we don’t lack those kinds of concepts here in China. We want to keep in line with international standards.”
Full Story

ONLINE PRIVACY

Facebook-WhatsApp Deal Prompts Privacy Concerns (February 21, 2014)

Bloomberg Businessweek reports on next week’s Mobile World Congress, keynoter Facebook CEO Mark Zuckerberg and how privacy will take on a large role at the event this year. And while Telefonica, Deutsche Telekom AG, Orange SA and KPN have begun offering users more control, Facebook’s deal to buy WhatsApp has some concerned about its privacy implications. Schleswig-Holstein Data Protection Commissioner Thilo Weichert has said WhatsApp users should switch to a more secure messaging service. But, in a blog post, WhatsApp said “nothing” will change for its users. The Washington Post reports that WhatsApp Co-Founder Jan Koum’s years of living in the Ukraine contribute to the strong focus on user privacy.
Full Story

PRIVACY COMMUNITY

Last Call for Privacy Academy Proposals (February 21, 2014)

This year, the IAPP’s Privacy Academy and the Cloud Security Alliance’s Congress are merging, so that they will be held side-by-side with collaboration on content and tracks designed to specifically address the unique privacy issues presented by cloud computing. Know something about that or about other privacy issues with a tech bent? Now’s the time to raise your hand. The Call for Proposals for the IAPP Privacy Academy, to be held in San Jose, CA, September 17 through 19, ends today. Don’t waste time. Submit a proposal. (And we just might leave the submission window open over the weekend, too.)
Full Story

DATA LOSS—U.S.

Puerto Rico Health Org Faces $6.8M Penalty (February 21, 2014)

Triple-S Management has said the Puerto Rico Health Insurance Administration (PRHIA) plans to levy a $6.8 million fine stemming from a security breach to the health insurer’s subsidiary, Triple-S Salud (TSS), The Wall Street Journal reports. A filing with the Securities and Exchange Commission indicates the penalty is related to a breach affecting 13,336 Dual Eligible Medicare beneficiaries. TSS mailed notification letters to some recipients last September, which included some of the recipients’ Medicare Health Insurance Claim Numbers, which are considered protected health information. TSS said, “We take this matter very seriously and are working to prevent this type of incident from happening again.” (Registration may be required to access this story.)
Full Story

INTERNET OF THINGS

The Rise of Bring-Your-Own Wearable Device (February 21, 2014)

V3.co.uk reports on the rise of wearable technology and how it has been and will be integrated into the work environment. Early adopters include Tesco, which gives smart armbands to workers to help track goods, distribute tasks and measure location movements. Another firm, Pru Health, offers employees Fitbug health devices as part of its “Vitality” program. These devices supplied by employers, as well as bring-your-own wearable devices (BYOWD), have robust personal data-gathering potential—including swaths of sensitive personal information. As smart glasses and wearable cameras become more integrated into the work environment, businesses will have to consider BYOWD policies to protect employees’ privacy expectations, the report states.
Full Story

DATA PROTECTION—HONG KONG

PCPD Releases Guidance on Privacy-Management Programs (February 21, 2014)

The Office of the Privacy Commissioner for Personal Data (PCPD) has released a guide outlining the foundations of privacy management programs. The Privacy Advisor takes a closer look at the guide, aimed at helping organizations as they develop or improve programs. The South China Morning Post reports from the PCPD’s event, spotlighting how privacy scandals, such as the much-publicized Octopus incident, can result in businesses choosing “to reconsider their approach to data protection.” Octopus Holdings Chief Executive Sunny Cheung said, “Legal rights do not save you from dissatisfied customers,” explaining the company now collects “minimal” personal data and avoids “vague terms that could mislead customers about data policies,” the report states. Editor’s Note: PCPD Allan Chiang will be one of the keynote speakers at The IAPP Asia Privacy Forum in Hong Kong on March 31.
Full Story

MOBILE PRIVACY

Digital Assistant To Offer Privacy Controls (February 21, 2014)

Microsoft plans to release a personal digital assistant, Cortana, in its new Windows Phone, complete with granular privacy controls for users, The Verge reports. Users will reportedly be able to control what data is shared with Cortana, including location data, behaviors, personal information, reminders and contact information. According to the report, Cortana will only store such data to Notebook if it's granted permission by the user to do so, and any stored data can be edited or deleted.
Full Story

PRIVACY PROFESSION

Ten Skills That Make a Good Privacy Officer (February 20, 2014)
While speaking to a group of law students recently, Align Technology Privacy Counsel K Royal, CIPP/US, CIPP/E, was asked what makes a good privacy officer. So she went to work. After searching related top 10 lists for compliance officers, salespeople, CEOs and managers, Royal compiled this list of 10 skills necessary to becoming a good privacy officer for Privacy Perspectives. From compliance to social work to janitorial skills, privacy officers need a swath of abilities to effectively do their jobs. “We need to follow from the front and make sure our employees succeed … Rarely do people comply with a mandate because it is a mandate.”

DATA PROTECTION

Data-Centric Security: Reducing Risk at the Endpoints (February 20, 2014)

In this time of increased attacks on IT networks, the king's men are in overdrive attempting to stay ahead of these threats targeted at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and reevaluating processes and solutions that secure the perimeter and safeguard the networks and the devices within the organization. In this exclusive for The Privacy Advisor, Jim Wyne, CIPP/US, looks at data-centric security as a method to mitigate risk and "ensure the most important asset of the business, the data, is protected."
Full Story

CYBERSECURITY—U.S.

300,000 Records Breached; Calls for Cybersecurity Continue (February 20, 2014)

A “sophisticated” cyber-attack has compromised the personal information—including names, Social Security numbers and birth dates—of more than 300,000 University of Maryland faculty, staff and students, CNET News reports. Meanwhile, The Hill reports calls for congressional action on cybersecurity are continuing. One expert hopes the release last week of a cybersecurity framework by the White House will help spur Congress to take action. In a video by The Wall Street Journal, experts discuss how Target managed the fallout from its breach and its effect on the company’s bottom line. According to one report, nearly 800 million personal records were exposed in 2013. One organization has put together a “Breach Level Index” to assess the varying degrees of a breach’s impact, and Steptoe & Johnson’s Jason Weinstein discusses preventative measures businesses can take.
Full Story

PRIVACY LAW—INDIA

Gov’t Plans To Create DPA, Give Citizens Privacy Rights (February 20, 2014)

The government plans to grant all residents a right to privacy and establish a data protection authority (DPA) to rule on issues involving privacy and impose penalties for violations, The Economic Times reports. Under the draft “Right to Privacy” bill, the DPA will investigate data breaches and issue orders to protect those affected. The draft bill also prohibits “covert surveillance of individuals which leads to breach of their privacy, unless authorized by law.” Exemptions to the bill have been proposed for national safety or security and maintenance of public order.
Full Story

SOCIAL NETWORKING

Dating App Vulnerability Allowed for Pinpointing User Locations (February 20, 2014)

Tinder, an app facilitating spur-of-the-moment dating, reportedly has a security problem leading to users’ exact physical locations being divulged without their consent, The Washington Post reports. Instead of rounding to the nearest mile when searching for potential dates in your immediate vicinity, the app’s servers were giving out data that would allow hackers with “rudimentary skills” to determine a user’s location within 100 feet. Security researchers told Tinder about the security lapse in October; the company responded in December and addressed the problem, the report states. (Registration may be required to access this story.)
Full Story

STUDENT PRIVACY—U.S.

Bill Would Restrict Use, Collection of Student Data (February 20, 2014)

California Sen. Darrell Steinberg (D-Sacramento) will today introduce a bill aimed at protecting student data, The New York Times reports. “The bill would prohibit education-related websites, online services and mobile apps for K-12 graders from compiling, using or sharing the personal information of those students in California for any reason other than what the school intended or for product maintenance,” the report states. A growing chorus of lawmakers believes laws on student data have been unable to keep pace with technological innovations. Steinberg said he doesn’t want to limit legitimate use of student data but believes the data should be used for “educational benefit and nothing else.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—GERMANY

Court: Facebook Must Comply with Data Protection Law (February 20, 2014)

The Higher Court of Berlin has ruled Facebook must comply with German data protection law, PCWorld reports. However, that decision, which confirms a 2012 decision finding the social network’s “Friend Finder” violated the country’s law, has “directly contradicted an earlier decision by another court,” the report states, citing a verdict of the Administrative Court of Appeals of the State of Schleswig-Holstein. The Higher Court of Berlin also found portions of Facebook’s privacy policy and terms of service violate the law. The Federation of German Consumer Organisations, or VZBV, called the decision “a milestone for data protection in the Facebook era.”
Full Story

BIOMETRICS—CANADA

Citizenship and Immigration May Share More Data (February 20, 2014)

The Canadian Press reports on a memorandum prepared for Citizenship and Immigration Minister Chris Alexander indicating “the government is building an information technology system that could be used for the systematic exchange of biometric data with Britain, Australia and New Zealand” in addition to the perimeter security pact with the U.S. “Systematic sharing is preferable to manual case-by-case sharing because it can generate faster responses and be done at higher volumes,” according to the memo. The Office of the Privacy Commissioner has voiced concern “about high-volume, routine information sharing with other countries, saying it may be impossible to control what happens to that data once sent abroad,” the report states.
Full Story

CLOUD COMPUTING

On Contracting and Compliance: Are You Up-to-Speed? (February 19, 2014)
With more and more organizations embracing cloud computing while others in highly regulated industries such as government, healthcare and finance remain hesitant, “it is time to get to grips with cloud computing,” writes Christopher Millard, a professor of privacy and information law at the Centre for Commercial Law Studies, Queen Mary, University of London. In this Privacy Perspectives post, which also previews a full-day preconference workshop at next month’s IAPP Global Privacy Summit, Millard makes the case for why privacy pros need to get up-to-speed on what can be a very complex undertaking. Editor’s Note: Millard’s series of articles on cloud computing and European law are available to IAPP members in the IAPP Resource Center.

DATA PROTECTION

Dutch Telecom and Silent Circle To Encrypt Phone Calls (February 19, 2014)

Dutch telecommunications provider KPN has struck a deal with encryption service Silent Circle to provide customers in Belgium, Germany and The Netherlands with encrypted phone calls and text messages, PCWorld reports. Silent Circle currently has servers in Canada and has plans for one in Switzerland. KPN has said it plans to build a server in The Netherlands so that data doesn’t leave the country, the report states. This June, KPN customers will be able to download Silent Circle services Silent Phone and Silent Text. Silent Circle has also been working with Geeksphone to create the Blackphone, a smartphone designed to protect user privacy.
Full Story

PRIVACY LAW—U.S.

AGs Want State Breach Laws Kept on Books (February 19, 2014)

Given that there is no federal law regulating data breaches, most states have created their own rules on data breach disclosures. And state attorneys general (AGs) are interested in keeping it that way, Politico reports. While a federal baseline law would be welcome, the report notes that state AGs want to keep their laws in place. “States have been the leaders, the cops on the beat defining what is reasonable and not reasonable for their own states and heading up investigations on data breach cases for as long as there have been such things,” said Maryland Attorney General Doug Gansler. “It’s almost always a local issue. … We actually get things done.” Editor's Note: Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US, recently examined the privacy protection efforts of AGs in the Privacy Perspectives post, “Think the FTC Is the De Facto U.S. Data Protection Authority? State AGs May Have Something To Say.”
Full Story

PRIVACY COMMUNITY—UK

Commissioner Graham Tenure Extended Two Years (February 19, 2014)

UK Information Commissioner Christopher Graham will remain in his current position for at least the next two years after the Queen officially approved his reappointment, V3.co.uk reports. The UK Ministry of Justice said the official start date of his reappointment begins on June 29. Graham said he is “delighted” to remain in office. “I don’t underestimate the challenge of leading the ICO at this time,” Graham said. “But unlike any other public body that I know, it falls to the ICO to champion both the right to privacy and the right to know for citizens and consumers—here in the UK, in Europe and internationally … It’s a big responsibility and the next phase certainly won’t be dull.”
Full Story

SURVEILLANCE—U.S.

AT&T Reveals Gov’t Requests for Data (February 19, 2014)

AT&T has revealed it received 302,000 data requests in 2013 related to criminal and civil cases, CNET News reports. The requests from local, state and federal authorities include more than 248,000 subpoenas, 37,000 court orders and 16,000 search warrants, the report states. AT&T was also asked nearly 38,000 times “to share real-time and historical locations of its customers” and another 94,000 times to share location data in an “emergency” situation. The AT&T report is similar to that of Verizon, which last month also released its report on government requests for data.
Full Story

SOCIAL NETWORKING

New Program Manages Privacy Settings (February 19, 2014)

GigaOM reports on My Face Privacy, a new product from Israeli software firm CallingID, designed to manage the privacy settings of multiple social networking sites—including Facebook, Twitter, Google+ and LinkedIn. The desktop-only application works like a password manager and offers four preset privacy settings. “Social networks are trying to make as much information visible to as many groups as they can,” said CallingID Executive Vice President Yair Nissan. “They have a default set of privacy policies, which is not restrictive at all. They complicated the way that you can change and manage your privacy settings—you have to go through many screens, and unless you’re an expert, you probably won’t find all the different parameters because they’re hiding them very well.”
Full Story

PRIVACY—U.S.

O’Connor Discusses CDT Priorities (February 19, 2014)

In an interview with TechNewsWorld, Center for Democracy & Technology (CDT) President and CEO Nuala O’Connor, CIPP/US, CIPP/G, discusses the CDT’s take on this “destabilizing but also exciting time to work on digital civil liberties.” O’Connor says individuals shouldn’t have to choose between taking advantage of the latest technology and maintaining their privacy. “I think we need to be vigilant about how these new technologies are impacting our life. I don’t buy the premise that just because I’m on Facebook, I have given up my right to privacy,” O’Connor says, adding that surveillance is the number one issue on her agenda for 2014.
Full Story

BEHAVIORAL TARGETING—U.S.

Reaching the Intended Viewer Made Easier with “Addressable TV” (February 19, 2014)

The Associated Press reports on the ability of political campaigns to target specific individuals. Addressable TV is a new technology that enables advertisers to pay broadcasters to pinpoint specific homes, the report states. “This is the power of a 30-second television commercial with the precision of a piece of direct mail targeted to the individual household level,” said Paul Guyardo, chief revenue officer at DirecTV. “Never before have advertisers had that level of precision when it came to a 30-second commercial.” Advertisers are looking at such data as voting histories, demographics and credit scores to find the viewers they aim to reach, the report states.
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: Surveillance Should Be “Last Resort” (February 19, 2014)

Hospitals are multimillion-dollar corporations that “look like shopping malls and function like factories,” but we do expect some degree of privacy there, an expectation bolstered by laws like HIPAA and the 2,000-year-old Hippocratic Oath doctors must take, writes Tim Lahey in an op-ed for The New York Times. However, the use of inexpensive, high-tech cameras to monitor the safety of children or the elderly or to ensure employee compliance with hospital policies, among other uses, is increasingly common—and the rules and ethics on such surveillance are a bit fuzzy, Lahey says, adding, hidden cameras “should be a last resort.” (Registration may be required to access this story.)
Full Story

DATA PROTECTION—EU & U.S.

Merkel Backs EU-Only Data Networks (February 18, 2014)
German Chancellor Angela Merkel has said she backs a proposal to establish European data networks to keep e-mails and other communications inside Europe and away from U.S. intelligence agencies, The New York Times reports. “We will, above all, discuss which European providers we have who offer security for our citizens … So that you don’t have to go across the Atlantic with e-mails and other things but can build up communications networks also within Europe,” she said. German-based Deutsche Telekom has said creating such a network is possible. Google has expressed concerns that regional data storage could cause a “splinternet,” and, in a recent post for Privacy Perspectives, privacy expert Eduardo Ustaran, CIPP/E, warned that “shutting down Europe” is not the answer to defending privacy. (Registration may be required to access this story.)

PRIVACY LAW

German Advocates Get Right To Sue; U.S. States Continue on Anti-Surveillance Path (February 18, 2014)

In this Privacy Tracker weekly legislative roundup, read about the prospects of German advocacy groups getting the right to sue businesses, the status of the Philippines’ cybercrime law and proposals in the U.S. pushing for less data collection and more consumer protections. The Utah attorney general has stopped using administrative subpoenas for cellphone and Internet data, saying “writing yourself a note to go after that stuff without any check is too dangerous,” while the Senate looks at a bill that would mean law enforcement needs a judge’s order as well. Also, Orin Kerr has published an article supposing what a communication privacy act might look like if the U.S. scrapped ECPA and started from scratch, and there’s a handy interactive map outlining the status of social media privacy laws throughout the U.S. (IAPP member login required.)
Full Story

PRIVACY COMMUNITY

The Perspectives Conversation, Past and Future (February 18, 2014)

Last February, we unveiled our very first blog, Privacy Perspectives, and in the year since, we’ve received a range of contributions from privacy pros working in the public and private sectors, across virtually all industries. This Perspectives installment pauses to take a look back at the last calendar year, one filled with major privacy news stories—from the EU-U.S. data protection debate, to the Snowden disclosures, to the Target breach. But not all contributions were based on breaking news. Perspectives also featured personal tales within the privacy profession, insider tips for day-to-day operations, our changing social and legal norms and the difficult debates that are shaping how organizations, policy-makers and privacy professionals think about privacy.
Full Story

PRIVACY LAW

Cline: U.S. Leads World in Privacy Violation Fines (February 18, 2014)

Jay Cline, CIPP/US, writes for Computerworld on EU leaders’ belief that the U.S. has not adequately enforced the EU-U.S. Safe Harbor agreement, citing research showing that is not the case. “Any way you cut the data,” Cline writes, “the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.” Cline’s report looks at the history of Safe Harbor, highlighting his team’s research on fines of $100,000 or more imposed by government agencies for privacy violations. “We also set out to rank-order the top privacy fines in history,” he writes. “When we did this, the U.S. dominated the leader board.”
Full Story

MOBILE PRIVACY—U.S.

Site To Allow Users To Opt Out of Location Tracking (February 18, 2014)

The Future of Privacy Forum (FPF) will today launch www.smartstoreprivacy.org, a website offering consumers the ability to opt out of location tracking by entering their phones’ MAC address, MediaPost reports. A coalition of 11 mobile analytics companies has agreed to honor the opt-out requests, which will take effect in 30 days. The FPF is working with participating companies on developing signs to alert shoppers about the site, said FPF Executive Director Jules Polonetsky, CIPP/US.
Full Story

DATA LOSS—U.S.

Target Staff Warned of Vulnerability; Data Security, Notification Front-and-Center (February 18, 2014)

Target staff had urged the company to review the security of its payment system months prior to the breach, American Banker and The Wall Street Journal report. The company was updating its payment terminals at the time and allegedly postponed the review, the report states, and Courthouse News Service reports on a list of plaintiffs suing for the breach. In a separate incident, Kickstarter.com has notified users its systems were compromised. Meanwhile, The Washington Post reports on how quickly businesses should send breach notifications and on proposed breach response legislation. For the healthcare sector, the Workgroup for Electronic Data Interchange recently published guidance on required steps to determine if an event needs to be reported. And an IBM researcher has said that companies will not invest in data privacy until “society demands it.”
Full Story

DATA PROTECTION

Survey: Users More Hesitant To Click on Ads, Use Unknown Apps (February 18, 2014)

TRUSTe has released its third annual consumer confidence privacy research survey, which found that privacy concerns are up significantly from last year, with 74 percent indicating they are more concerned about privacy than they were a year ago. While 70 percent said they are more confident than one year ago that they can manage their online privacy, that may have negative repercussions for industry, with those surveyed indicating that means not clicking on ads or using apps they don’t recognize.
Full Story

SURVEILLANCE—U.S.

Leaked NSA Document Indicates Client-Lawyer Confidentiality Compromised (February 18, 2014)

Amidst a chorus of concerns by American lawyers with clients overseas that their confidential communications could be compromised by state surveillance, it appears at least one law firm has already been affected. The New York Times reports on a top-secret document obtained by Edward Snowden indicating a U.S. law firm’s communications with Indonesian officials over trade talks had been accessed. Meanwhile, the Privacy and Civil Liberties Oversight Board is turning its attention to another NSA program allowing the agency to monitor Internet traffic belonging to foreign intelligence targets, and the National Institute of Standards and Technology has released its Framework for Improving Critical Infrastructure Cybersecurity. (Registration may be required to access this story.)
Full Story

CHILDREN’S PRIVACY—U.S.

BBB Finds Site Did Not Comply With COPPA; Teens Seek Privacy Through Anonymity (February 18, 2014)

The Better Business Bureau Children's Advertising Review Unit has found that a Harper Collins website did not comply with the Children’s Online Privacy Protection Act (COPPA), MediaPost reports. “The Ruby Redfort site, touting a book series that features a 13-year-old girl detective, didn't have procedures in place to obtain verifiable parental consent before collecting names, street addresses and e-mail addresses from children,” the report states, noting COPPA prohibits websites from “knowingly collecting” such data from children under the age of 13. Meanwhile, The Washington Post and Forbes report on the emergence of anonymous apps and social networking sites filling “a growing demand among teens for more fun, less accountability and more privacy online.”
Full Story

SURVEILLANCE—U.S.

Newark Airport Surveillance System Poses Potential for Misuse, Advocates Say (February 18, 2014)

The recently installed 171 LED light fixtures at Newark Airport’s Terminal B are part of a new wireless network of sensors and video cameras that collect and feed data into software capable of recognizing license-plate numbers, identifying suspicious activity and sending alerts to staff, The New York Times reports. While officials with the Port Authority of New York and New Jersey plan to expand the project to other terminals and buildings, privacy advocates say the technology risks invading privacy. Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University, called the potential for misuse “terrifying,” the report states. (Registration may be required to access this story.)
Full Story

PERSONAL PRIVACY

Privacy Is Not Dead: “It’s Aliiiive” (February 14, 2014)
In honor of both Valentine’s Day and the zombie genre, Intel Chief Privacy and Security Counsel Ruby A. Zefo, CIPP/US, CIPM, shares her love of the undead by exploring 10 ways privacy is not dead. “At worst, it is the living dead,” she writes in this post for Privacy Perspectives. “Perhaps like Frankenstein’s monster, you thought it was dead, but in fact, it’s allliiiive!”

CHILDREN’S PRIVACY—U.S.

FTC Approves COPPA Self-Reg Program (February 14, 2014)

The Federal Trade Commission (FTC) has approved the kidSAFE Seal Program “as a safe harbor program under the Children’s Online Privacy Protection Act (COPPA) and the agency’s COPPA Rule.” The FTC is required by COPPA to review and approve all self-regulatory programs that would serve as safe harbors, according to an FTC press release. The commission determined in a 4-0 decision that the kidSAFE program provides “the same or greater protections for children” as those required in the COPPA Rule.
Full Story

BIG DATA—U.S.

DMA Says Data Broker Bill Would Weaken InfoSec (February 14, 2014)

The Direct Marketing Association (DMA) believes a new bill introduced by Sens. Jay Rockefeller (D-WV) and Ed Markey (D-MA) would create a security headache for companies that collect and share consumer data, AdAge reports. DMA Senior VP of Government Affairs Peggy Hudson said, “Imposing an access-and-correction regime on marketing data is not necessary to protect consumer privacy, and doing so would make it harder for companies to keep data secure at a time when consumers are more concerned about identity theft than ever before.” Rockefeller has called the data broker sector a “booming shadow industry” and recently said, “Consumers deserve to know what information about their personal lives is being collected and sold to marketers by data brokers.”
Full Story

DATA PROTECTION—EU & U.S.

MEPs: Trade Deal Should Not Pass Without U.S. Privacy Reforms (February 14, 2014)

The LIBE Committee approved a report Wednesday stating the European Parliament should not agree to the EU-U.S. trade deal, the TTIP agreement, unless it fully respects EU citizens’ data privacy, Help Net Security reports. The report, which passed the committee by a 33-7 vote, condemns the “vast, systemic, blanket collection of personal data of innocent people, often comprising intimate personal information.” The committee also “voted against calling for asylum protection for former U.S. intelligence agency contractor and whistleblower Edward Snowden,” EUObserver reports. Meanwhile, EDPS Peter Hustinx recently discussed NSA surveillance and the forthcoming reforms of the data protection regulation, and the European Agency for Fundamental Rights has released its official agenda for the EU, which includes recommendations on the EU data protection framework.
Full Story

DATA LOSS

Store, Healthcare Entities, Hotels, Bank Announce Breaches (February 14, 2014)

A number of brands have announced breaches this month, including Tesco, which was the victim of a breach not because of its own systems but as a result of breaches at various websites in which users employ the same username and password across multiple sites. A U.S. senator recently said data breaches are simply a “fact of life” these days, and an eSecurity Planet report explains why brands’ stock prices may actually rise after breaches. The Privacy Advisor examines these and other recent breach reports.
Full Story

PRIVACY COMMUNITY

Florian Thoma Joins Accenture (February 14, 2014)

Multinational consulting firm Accenture just got a boost in privacy experience after naming Florian Thoma, CIPP/US, CIPP/E, CIPM, as its new senior director of global data privacy. Thoma, who has served on the IAPP’s Board of Directors since 2010 and its European Advisory Board since 2009, started his new position on February 1.
Full Story

CYBERSECURITY—U.S.

Bank, Retail Groups Combine Efforts To Protect Consumers (February 14, 2014)

Bank and retail industry groups have announced a new partnership focused on sharing information about cybersecurity threats and improving consumer protection technologies, reports Reuters. While Tim Pawlenty, chief executive of the Financial Services Roundtable, notes, “There’s going to continue to be differences on things like the costs of issuing replacement cards” after a breach, the groups can “benefit from learning from each other on internal system resiliency and improvement in best practices” as well as “state-of-the-art cyber defenses.” The associations plan to form working groups and also focus on protecting mobile payments and thefts that don’t involve payment cards.
Full Story

HEALTHCARE PRIVACY—U.S.

HIPAA Changes Prompt Lab Data Privacy Priority (February 14, 2014)

InformationWeek reports on recent changes by the Department of Health and Human Services (HHS) giving patients the right to access their laboratory information. “Now that patients are legally entitled to their medical results from the lab,” the article states, “these laboratories must take further steps to ensure data doesn’t get into the wrong hands.” According to an HHS estimate, more than 22,000 laboratories will have to spend between $2 million and $10 million combined to develop interoperability systems to allow secure access, and, each year, labs could see as many as 3.5 million requests from patients or their representatives.
Full Story

SURVEILLANCE—U.S.

License-Plate Reading Company Sues Utah (February 14, 2014)

A Utah law aimed at protecting drivers’ privacy is being challenged by license-plate reading technology company Digital Recognition Network, the Associated Press reports. Utah Sen. Todd Weiler (R-District 23), one of the new law’s sponsors, said, “It’s one thing to take a photo … It’s another to take photos every 80th of a millisecond and then store that data you can later be identified by.” According to the lawsuit, the company is invoking its First Amendment rights to defend its business. A Digital Recognition Network attorney said, “People tend to invoke privacy and suspend judgment … We don’t track people.” With several states considering similar legislation, the case could represent a litmus test on surveillance and First Amendment rights.
Full Story

PRIVACY PROFESSION

Which Drives Leadership: Compliance or Strategy? (February 13, 2014)
The privacy profession has changed dramatically during the past 20 years, as has its role within an organization, prompting Information Accountability Foundation Executive Director Martin Abrams to query, “What drives leadership in 2014? Is it the need to have a highly compliant organization in an era where compliance is very complex? Or is a strategic approach to information governance when data moves from being a business facilitator to the driver of innovation?” In this post for Privacy Perspectives, Abrams looks into this debate, observes that skill sets are changing and warns that organizations that think privacy “is just another compliance program will be sitting ducks for strategic errors that will get in the way of innovation.”

MOBILE PRIVACY—U.S.

MeetMe Case Asks Important Questions About Notice (February 13, 2014)

Earlier this month, San Francisco City Attorney Dennis Herrera filed a complaint in California state court against MeetMe, Inc., alleging the app fails to inform users how it uses their geolocation data. Stephen Satterfield writes for Privacy Tracker that the case “raises the important question of whether failure to adequately disclose how information is shared can be a violation of California’s Unfair Competition Law” and, more broadly, “what it means to provide clear notice in the mobile environment and how, if at all, the answer changes when the user is a minor.” (IAPP member login required.)
Full Story

PRIVACY COMMUNITY

IAPP Hits 15k Members (February 13, 2014)

At about 10 a.m. EST yesterday, the IAPP gained its 15,000th active member, a milestone that was celebrated here in our Portsmouth, NH, offices with a company-wide e-mail containing 72-point font. And then everyone got back to doing the training, certification, education and member support work that got all those members to join us in the first place. We here on the IAPP Publications Team are grateful to all of you members for the trust you place in us by reading our work and the valuable feedback and volunteerism so many of you contribute on a daily basis.
Full Story

PRIVACY LAW—U.S.

“The Data Broker Industry Has for Too Long Operated in the Shadows” (February 13, 2014)

Sens. Jay Rockefeller (D-WV) and Ed Markey (D-MA) have introduced legislation that would require data brokers to be transparent about their data collection practices and provide consumers with opt-outs and would give the Federal Trade Commission civil penalty authority to enforce it, Broadcasting & Cable reports. The Data Broker Accountability and Transparency Act of 2014 (DATA Act) would also provide consumers with a means to correct data collected on them and prohibit brokers from being deceptive about their data collection. Markey said, “The data broker industry has for too long operated in the shadows, compiling dossiers on millions of Americans,” adding, “It is time to shine a light on this industry.” Last December, Rockefeller held a hearing and published a report on the industry.
Full Story

CYBERSECURITY—U.S.

White House Publishes Cybersecurity Framework; Privacy Appendix MIA (February 13, 2014)

A year after issuing an executive order, the Obama administration has released a cybersecurity framework for businesses to strengthen their networks against cyber-attacks, FierceGovernmentIT reports. Developed by the Commerce Department’s National Institute of Standards and Technology, the voluntary guidance provides critical infrastructure businesses a roadmap for preventing and responding to cyber-attacks. An earlier draft of the framework was released last October, including a full section on privacy and civil liberties. Based on comments received, however, the appendix was taken out and “integrated into the main body of the framework,” one administration official said.
Full Story

SURVEILLANCE—U.S.

PCLOB Testifies Against NSA Tactics; Rand Paul Files Suit Over Them (February 13, 2014)

Members of the Privacy and Civil Liberties Oversight Board (PCLOB) testified Tuesday at a Senate Judiciary Committee meeting that the NSA’s collection of phone records is unlawful, The Hill reports. The board condemned the phone surveillance program in a report last month after a 3-2 vote. Sen. Rand Paul (R-KY) has filed a lawsuit against President Barack Obama and the heads of several intelligence agencies over the data collection. Meanwhile, Google is asking Congress to update the Electronic Communications Privacy Act so government would be required to obtain a warrant before accessing private communications.
Full Story

PRIVACY LAW—U.S.

Group To Ask Judge To Throw Out Facebook Settlement (February 13, 2014)

Public advocacy group Public Citizen aims to pressure Facebook to change its practices on users’ comments, images and “likes” being used in advertisements, The New York Times reports. In a legal brief to be filed today at the Ninth Circuit Court of Appeals in San Francisco, the group will ask a judge to throw out a 2012 Facebook settlement on the matter, stating it violates laws in seven states because it doesn’t require Facebook to obtain permission from parents before using teens’ data. Meanwhile, Facebook has banned a couple of vendors from its site for privacy violations. (Registration may be required to access this story.)
Full Story

INTERNET OF THINGS—U.S.

Ford Motor Co. Reveals GPS Privacy Practices (February 13, 2014)

After comments from a Ford executive at the Consumer Electronics Show saying that Ford’s GPS system in its vehicles allows it to “know everyone who breaks the law” and a subsequent letter from Sen. Al Franken (D-MN), Ford sent a letter to Franken to reveal its privacy practices, Mashable reports. Ford said it “is absolutely committed to protecting our customers’ privacy.” Ford Vice President of U.S. Governmental Affairs Curt Magleby wrote, “No location data is wirelessly transmitted from the vehicle without consumer consent,” and “Location data is used only to support customer requests for services and to troubleshoot and improve our products.” Editor’s Note: Future of Privacy Forum Policy Director Joshua Harris recently wrote in Privacy Perspectives about building privacy protections into connected cars.
Full Story

PRIVACY—U.S.

Ride-Sharing Suit Alleges Data-Sharing Without Consent (February 13, 2014)

A lawsuit has been filed against ride-sharing company Lyft alleging it transmitted data about users to an analytics company, MediaPost News reports. In a complaint filed Friday in a San Francisco federal court, Miguel Garcia says Lyft’s “decision to disclose its users’ sensitive personal information not only demonstrates a brazen disregard for their privacy rights, it also violates the California Privacy Act.” Garcia’s suit—which seeks class-action status—also names Lyft’s parent company, Enterprise Holdings.
Full Story

ONLINE PRIVACY

Smart Cities Are Evolving, But Are We Ready? (February 13, 2014)

Computerworld reports on the not-so-distant future of smart cities. To some extent, they’re already here, as governments increasingly use wireless networks, Big Data, web portals and social media, among other technological tools. But a smart city—aimed at enhancing citizens’ quality of life, improving government processes and reducing energy use, among other goals—brings with it a multitude of privacy and data security implications, the report states. Five U.S. cities in particular are taking on initiatives to help manage the change to “smart.”
Full Story

INTERNET OF THINGS

The Privacy Pro’s Guide to the Internet of Things (February 12, 2014)
The rise in Internet of Things (IoT) technology has brought with it a slew of new and difficult challenges for privacy professionals and “will test our skills in the same way the more traditional Internet uses have been challenging our professional ability to identify risks, assess their likely impact and deploy practical solutions for everyone’s benefit,” writes privacy expert Eduardo Ustaran, CIPP/E. In this post for Privacy Perspectives, Ustaran provides privacy professionals with some tips—from notice to security—on navigating the IoT landscape today and into the future.

PRIVACY RESOURCES

Employee Awareness: Where the Rubber Hits the Road (February 12, 2014)

A workforce educated in proper data handling might be one of the most important tools an organization can have for preventing a data breach. Almost all of an organization’s employees touch data of some sort, yet multiple studies have shown insider negligence and disregard for policies are leading factors in breaches. This close-up on employee education and awareness offers tools, tips and insight on how to get everybody on the privacy bandwagon. Find new ways to convey the importance of privacy throughout your organization with posters, videos and tips sheets—including the IAPP’s own “Prudence the Privacy Pro” comic strip. (IAPP member login required.)
Close-Up: Employee Awareness and Education

PRIVACY LAW

Review: Transborder Data Flows and Data Privacy Law Is “Must-Have” (February 12, 2014)

“Few people personify the field they work in as much as Christopher Kuner. As a lawyer, European-American, academic and professor, and longtime leader of the ICC, Kuner straddles the fault lines of the privacy world with ease,” IAPP Vice President of Research and Education Omer Tene writes for The Privacy Advisor in his review of Kuner’s latest work, Transborder Data Flows and Data Privacy Law. Tene examines the wealth of information included in Kuner’s book, suggesting it may “constitute one of the building blocks for a new legal edifice being designed and erected these very days, a regulatory model for a technologically borderless world.” Editor’s Note: Kuner shares some thoughts from his book in this post for Privacy Perspectives.
Full Story

PRIVACY LAW—EU & U.S.

FTC Announces Settlement Over Safe Harbor Claims (February 12, 2014)

The Federal Trade Commission (FTC) has settled with children’s online gaming company Fantage.com after it “falsely claimed to be a certified participant” in the EU-U.S. Safe Harbor agreement, The Hill reports. In its settlement announcement Tuesday, the FTC noted the company had let its Safe Harbor certification lapse. “This does not necessarily mean that the company committed any substantive violations of the privacy principles of the Safe Harbor framework or other privacy laws,” the FTC said. The proposed settlement prohibits the site “from making similar false claims in the future,” the report states. The FTC is taking “a more proactive look at this program in terms of enforcement,” FTC Chairwoman Edith Ramirez said at an event this week.
Full Story

PRIVACY LAW—U.S.

Warrantless Searches of Drug Database Blocked, Judge Rules (February 12, 2014)

A federal judge has ruled that federal law enforcement’s warrantless searches of a state’s prescription drug database violate the Fourth Amendment, Reuters reports. The Oregon Prescription Drug Monitoring Program was set up in 2009 to help pharmacists and doctors track certain prescription drugs covered by the Controlled Substances Act. The state requires law enforcement to obtain a warrant prior to access, but the U.S. Drug Enforcement Agency had argued federal law allowed it access to the data under an “administrative subpoena.” U.S. District Judge Ancer Haggerty said, “It is more than reasonable for patients to believe that law enforcement agencies will not have unfettered access to their records.”
Full Story

ONLINE PRIVACY—U.S.

Start-Up Offers Cash To Track Users (February 12, 2014)

MIT Technology Review reports on Datacoup, a company running a beta trial offering consumers money in exchange for access to their online habits. For $8 a month, users allow the company access to a combination of their social media accounts and the feed of their credit and debit card transactions. Datacoup plans on turning a profit by offering businesses access to mined, anonymized data. CEO Matt Hogan said, “If a consumer wants to make an educated decision, they should be able to sell their data to who they want.” Carnegie Mellon’s Alessandro Acquisti cautions that Datacoup doesn’t really give consumers control of their data because social media and financial sites still retain it, and consumers get money now, but may regret it later. “Measuring privacy trade-offs is exceedingly hard,” Acquisti added.
Full Story

CYBERSECURITY—U.S.

Platform Allows for Threat-Risk Data Sharing Between Gov’t, Public (February 12, 2014)

A platform for sharing cyber-threat intelligence is being opened to general availability, GCN reports. Internet Identity’s ActiveTrust platform has been used for the last year by several dozen federal agencies, the report states, and aims to “leverage the convenience of social networking for information sharing while using the power of binding contracts to ensure the control of sensitive information.” The release follows an executive order last year calling for voluntary information-sharing systems between government and the private sector.
Full Story

HEALTHCARE PRIVACY—U.S.

Gov’t Launches Contest; Google Cloud Now HIPAA-Friendly (February 12, 2014)

The Office of the National Coordinator (ONC) for HIT and HHS Office for Civil Rights (OCR) recently developed new model notices of privacy practices and has launched a contest in pursuit of software developers to create an online privacy notice, Health Data Management reports. The Digital Privacy Notice Challenge will award $15,000, $7,000 and $3,000 prizes for first, second and third places, respectively. The submission period closes April 7. Meanwhile, Google has announced its cloud platform will now be “HIPAA-friendly.”
Full Story

DATA PROTECTION—U.S.

Citing Privacy Concerns, Dentist Now Accepts Bitcoin (February 12, 2014)

A Florida dentist is now offering patients the option of paying for services with Bitcoin, citing recent data breaches at major retailers and “the prevalence of medical identity fraud in the healthcare industry,” according to a PRWEB release. Dentist Mitchell A. Pohl explained, “I try to stay on top of cutting-edge technology and thought it was only natural to start accepting Bitcoin.” Bitcoin includes “guaranteed anonymity,” the release states, allowing patients to keep Bitcoin medical payments private from their financial institutions.
Full Story

PRIVACY LAW—U.S.

Harm Threshold Hard To Meet; Supreme Court May Soon Clarify Class-Action Questions (February 11, 2014)
In an exclusive for The Privacy Advisor, Dana Post of Freshfields Bruckhaus Deringer writes about the difficulty plaintiffs face in proving “future harm” after a data breach. “Where actual harm is sufficiently alleged—such as identity theft or fraudulent charges—a claim is more likely to proceed,” Post writes. Meanwhile, a Kansas federal judge recently dismissed two proposed class-actions filed over a breach at Nationwide Mutual Insurance Co., stating the plaintiffs couldn’t prove harm. Given the class-actions filed following Target’s recent breach, there is an increased focus on class certification, writes Amy Cadle Hocevar of Squire Sanders, adding the Supreme Court may soon provide guidance on who can and cannot comprise a class member.

SURVEILLANCE

Internet Giants, Users Worldwide Take Part in “The Day We Fight Back” (February 11, 2014)

Gizmodo reports on protests happening around the world today as part of “The Day We Fight Back,” a global initiative against governments’ surveillance programs. The Electronic Frontier Foundation is among those calling on Internet users worldwide to participate in the movement, which asserts mass surveillance violates human rights law. Google, Microsoft, Facebook and other tech giants have signed on to the roster of participating groups, National Journal reports. Rep. Matt Salmon (R-AZ) says the U.S. is locked in a “fight of epic proportions” over the constitutional right to privacy, The Hill reports.
Full Story

HEALTHCARE PRIVACY—U.S.

Are CEO’s Comments a HIPAA Violation? (February 11, 2014)

Some are wondering if AOL CEO Tim Armstrong’s comments about plans to change the company’s 401(k) plan after benefit cuts were needed because of two “distressed babies … that we paid a million dollars each to make sure those babies were OK” violated the Health Insurance Portability and Accountability Act (HIPAA). Patient Privacy Rights’ Deborah Peel suggested the comments could violate HIPAA because the remarks disclosed protected health information. Wiley Rein Partner Kirk Nahra, CIPP/US, told The Wire that any possible HIPAA violation here is “mainly going to depend on where the information came from,” noting Armstrong could have based his remarks on a legal report of healthcare distributions. Nahra said the likelihood of an investigation finding a major HIPAA violation would be “exceedingly small.”
Full Story

DATA COLLECTION—U.S.

Gov’t Considering Industry Alternative to NSA Data Storage (February 11, 2014)

The government may look to industry as an alternative to National Security Agency (NSA) storage of bulk phone records, IDG News reports. The government’s request for information (RFI) seeks information on commercially available services from U.S. industries, the report states, quoting comments from the Office of the Director of National Intelligence that the government is investigating options that would maintain “the current capabilities of that system and the existing protections for U.S. persons” without having the government store the metadata. The RFI follows President Barack Obama’s NSA speech last month calling for a new plan to “establish a mechanism that preserves the capabilities we need without the government holding this bulk metadata.”
Full Story

BIG DATA—U.S.

Coalition Demands Public Involvement on Study (February 11, 2014)

The White House met with a coalition of consumer, civil liberties and privacy groups Monday after the group called on President Barack Obama to review the recently announced study, “Big Data and the Future of Privacy,” The Hill reports. EPIC, the Center for Digital Democracy and the ACLU are among the groups that signed a letter to the White House’s Office of Science and Technology Policy requesting public involvement in the process. The meeting was the first in a series the White House has planned to gain varied perspectives.
Full Story

HEALTHCARE PRIVACY—U.S.

Hospital Faces Complaint; Device-Makers Hacked (February 11, 2014)

Dignity Health is facing a federal complaint alleging it violated its patients’ privacy by using their records to help leverage a contract dispute with the Nevada Health Insurance Coalition (NHIC), Las Vegas Review-Journal reports. The NHIC alleges hospitals owned by Dignity contacted former patients with NHIC plans to persuade them to take action “with their health plans favorable” to the hospitals, the report states. Meanwhile, hackers infiltrated the computer networks of the country’s top medical device makers—Medtronic, Boston Scientific and St. Jude Medical, San Francisco Chronicle reports. A representative from one of the companies said an investigation is underway.
Full Story

PRIVACY BUSINESS—U.S.

Recent App Launches Seize Privacy as Selling Point (February 11, 2014)

MIT’s Jean Yang has released a tool for app developers aimed at helping them relieve some of users’ privacy concerns when it comes to how apps use personal data, MIT Technology Review reports. The tool is intended to reduce the chance of human error in the code that handles that data. Meanwhile, a start-up aiming to help app developers comply with COPPA rules has landed funding, and a Florida-based start-up has launched an app that allows users to chat and share photos within a private group. In fact, a number of new apps aim to allow for a more private or anonymous online experience.
Full Story

ONLINE PRIVACY

Google, comScore Team Up; Alternative Search Traffic on the Rise (February 11, 2014)

Google and comScore have announced a partnership to better determine the effectiveness of web-based ads in real time and help businesses change ads on the fly, The New York Times reports. A Google representative said, “It’s going to, for the very first time, give advertisers and publishers real-time insights into whether their campaigns are delivering.” In a blog post, Google said it’s part of a larger plan to bring more transparency to advertising. Forbes reports on the rise in traffic to non-Google search sites. The CEO of Startpage and Ixquick said, “The consciousness is only slowly building on the dangers … It is very easy to see how this treasure trove of data can be misused in the future.” (Registration may be required to access this story.)
Full Story

BIOMETRICS

Facial Recognition Tech Used in Sochi; Expanded Uses Expected (February 11, 2014)

San Jose Mercury News reports on facial recognition software being used at the international airport in Sochi, Russia. Made by U.S.-based Artec Group, the technology uses a 3D camera to identify individual faces with the intent of improving airport security. Artec Group Chief Executive Artyom Yukhin said the software can differentiate between identical twins, isn’t fooled by disguises and has been tested in airports around the world, the report states. Meanwhile, a World Economic Forum report predicts that facial recognition will be implemented as part of fully automatic check-in systems at airports and border crossings by 2025. And last week, the U.S. NTIA kicked off talks aimed at creating a voluntary code of conduct for facial recognition technology.
Full Story

CYBERSECURITY—U.S.

Retailers Association Urging Privacy Self-Regulation (February 11, 2014)

The leading retail industry trade group, the Retail Industry Leaders Association (RILA), is pushing for a self-regulatory approach to data privacy and cybersecurity, The Hill reports. “Improperly conceived privacy regulations have the potential to unduly hamper the consumer experience, stifle innovation and make business practices too inflexible for customers with little, if any, additional privacy protection in return,” the RILA said in its 2014 Public Policy Agenda. Retailers have also asked financial organizations to begin issuing credit cards with chip-and-PIN technology.
Full Story

PRIVACY LAW

Two Countries Seek Increased Gov’t Access to Digital Data (February 10, 2014)

Nigeria and Turkey are both considering government-proposed legislation that would require service providers to turn over to law enforcement customers’ data upon request—with fines, and possible jail time for company officers, for noncompliance in Nigeria. In the U.S., senators are addressing breach response and online privacy concerns with bills of their own as the fallout continues from the Target and Neiman Marcus breaches as well as the Snowden revelations. And in Australia, the deadline for the Australian Privacy Principles looms large. The Privacy Tracker’s weekly legislative roundup covers all this and more. (IAPP member login required.)

ONLINE PRIVACY—U.S.

Revenge Porn, Copyrights and the Data We Own (February 10, 2014)

Last week, The Atlantic Monthly’s Amanda Levendowski wrote about revenge porn and copyright law. There are laws that can be used by victims, but they prosecute those who submit such material, not the websites that host it, and creating new laws, she cautions, though well-intentioned, could produce overly broad ones such as the Computer Fraud and Abuse Act. Instead, Levendowski points out that victims—without the aid of a lawyer—have the power to compel websites to take down the images because the victim created the photo and thus has a copyright on the image. This installment for Privacy Perspectives looks into these issues and asks whether, instead of more laws, the copyright concept could be one possible avenue to explore further to help empower users, without stifling free speech.
Full Story

PRIVACY—EU & U.S.

Letter to the Editor (February 10, 2014)

Last week, The Privacy Advisor covered Federal Trade Commissioner Julie Brill’s Twitter chat, in which Brill took live questions on the relationship between the EU and the U.S. on data processing, the use of mobile devices in healthcare and what the web might look like in a cookie-less world, among other topics. In our coverage, we indicated Brill “shut down the idea” of future EU-U.S. collaboration in her response to a question about whether discussion had “evolved” on plans for a mutual enforcement program between the EU and U.S. In this letter to the editor, Brill clarifies the FTC is “engaged in important ongoing dialogues” on enforcement cooperation in various organizations.
Full Story

DATA PROTECTION—U.S.

Snowden Used Cheap Web-Crawling Software To Scrape NSA Data (February 10, 2014)

Intelligence officials looking at how Edward Snowden gained access to “a huge trove of the country’s most highly classified documents” say he used inexpensive, widely available software to do so, The New York Times reports. Snowden used “web crawler” software to scrape data out of systems as he completed his daily tasks as a technology subcontractor for the NSA in a process that a senior intelligence official called “quite automated.” The NSA is currently collecting data on about 30 percent of phone calls in the U.S. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

Verizon Ad Program Will Track Web Habits (February 10, 2014)

Computerworld reports on recent changes to Verizon Wireless’ Relevant Mobile Advertising Program allowing it “to track your desktop surfing habits on the web and use that information to help advertisers deliver targeted ads to your mobile phone.” In his report, Robert L. Mitchell discusses why he chose to opt out of the program, which will assign users “anonymous unique identifiers” that link back to mobile phones, allowing the company to offer advertisers information to deliver targeted ads. Mitchell writes, “Information is the coin of the realm. So if you have a choice, why give it away? What's your personal data worth? Are you giving it up? And if so, are you getting value in return?”
Full Story

SURVEILLANCE—U.S.

Law Enforcement Testing Predictive Analytics, Google Glass (February 10, 2014)

InformationWeek reports on the increased use of predictive analytics by law enforcement to help better identify where crimes will likely be committed, conduct investigations more efficiently and analyze behavioral trends and security threats. Meanwhile, the New York Police Department is testing out Google Glass, The New York Post reports, which could allow officers to see a suspect’s arrest record, mugshot and other profile data. “If it works, it could be very beneficial for a cop on patrol who walks into a building with these glasses on,” one source said, adding, “You can identify the bad guys immediately within seconds.”
Full Story

DATA LOSS

FBI Says Target Breach Just a Foreshadow; More Breaches Announced (February 10, 2014)

A Verizon report has found that a vast majority of companies that achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) at their annual assessment fail to maintain that status between assessments, leaving them exposed to potential breaches and other security risks, Computerworld reports. The report found that only 11 percent maintained compliance status between each PCI DSS assessment. Meanwhile, the FBI recently warned retailers that the recent attacks against Target and other brands foreshadow events to come, and a number of brands have announced new breaches.
Full Story

PRIVACY COMMUNITY—U.S.

BakerHostetler Launches Info Governance Team (February 10, 2014)

BakerHostetler has announced it has introduced an information governance team based on the firm’s expertise in privacy and data protection as well as e-discovery advocacy and management. “Information is the lifeblood of businesses today, but many entities are overwhelmed by the volume of their data, as well as associated privacy, regulatory, legal and security concerns. A comprehensive information governance policy provides an important accountability framework for the effective management of information that permits an organization to maximize its value while reducing associated costs and risks,” said BakerHostetler Partner Judy Selby, who will lead the team with James Sherer, CIPP/US.
Full Story

SURVEILLANCE—UK & U.S.

With Drone Use, Privacy Concerns Persist (February 10, 2014)

The U.S. Federal Aviation Administration is investigating the use of a drone at a fatal crash in Connecticut, prompting concerns about safety and privacy, FOX CT News reports. A Hartford Police Department incident report indicated officers spotted the drone with an attached camera flying overhead while “bodies were still in the car,” the report states. Meanwhile, The Guardian examines the questions around drones in this “age increasingly shaped by our attitudes to, and our definition of, privacy.” While noting drones are banned in London, UK, and there are restrictions on their use in residential areas, the report questions “how many uses could there be for a small, silent, fast, remote-controlled drone?”
Full Story

CYBERSECURITY—U.S.

Calls for Mandated Data Security Increase (February 7, 2014)

The recent breaches of Target and Neiman Marcus and their subsequent testimony in front of Congress this week have helped trigger an increasing chorus of lawmakers and government agencies calling for federal data security legislation. On Thursday, U.S. Federal Reserve Governor Daniel Tarullo joined in by testifying that retailers and companies with customer payments should follow the same obligations as banks to report data breaches. Additionally, a new survey of government employees reveals Congress may be part of the cybersecurity solution, while a Texas-based healthcare system may have been hit by one of the largest data breaches to ever affect an individual hospital. This roundup for The Privacy Advisor brings together the latest developments in cybersecurity and data breach response.

BIOMETRICS

NTIA Holds First Meeting on a Facial-Recognition Technology Code of Conduct (February 7, 2014)

The Department of Commerce’s National Telecommunications and Information Administration yesterday held the first of a series of meetings aimed at creating a voluntary code of conduct for development and implementation of facial recognition technology. The meeting, which hosted stakeholders spanning advocacy and industry, was primarily a chance for the group, as well as the 100 or so watching the live webcast, to hear from experts on how the technology works, how it’s currently being applied and for what reasons and what it might be capable of accomplishing in the future. In this exclusive for The Privacy Advisor, Angelique Carson, CIPP/US, breaks down the most important testimony and summarizes the project’s goals and likely outcomes.
Full Story

MOBILE PRIVACY

Facebook Addresses New Vulnerability (February 7, 2014)

App privacy firm MyPermissions found this week what it called “a worldwide vulnerability” in Facebook’s mobile apps. Essentially, developers could force the app to crash every time a user tried to revoke that app’s permission to access information. Thus, access was left open to personal data on the tablet or phone. However, according to Yahoo! News, MyPermissions quickly contacted Facebook and Facebook quickly responded to fix the issue. “They did a fantastic job of getting in touch with us very quickly,” said MyPermissions CEO Olivier Amar. “Facebook takes this very seriously, and I’m very impressed by them.” While no official word has been issued, the report states the bug was likely fixed by end of day Thursday.
Full Story

PRIVACY—CANADA

Bernier: Expect a Challenging Year (February 7, 2014)

Appointed as Interim Privacy Commissioner just more than two months ago, Chantal Bernier is hardly new to the job. She served as Assistant Privacy Commissioner of Canada for five years under Jennifer Stoddart and she now looks forward to the most significant privacy issues facing Canadians in 2014 and beyond. In this exclusive for Privacy Perspectives, Bernier outlines what she sees as most likely to come across her desk in the coming year, including the conundrum of wearable computing, how drones will be appropriately deployed and regulated, biometric databases and the emerging field of predictive analytics. “The technological revolution,” she writes, “holds the promise of new opportunities but also brings new risks.”
Full Story

BIG DATA

When and How Your Middle Name Could Become “Is a Slut” (February 7, 2014)

How did political writer Lisa McIntire end up with “Is a Slut” as her middle name on the address line of a letter from Bank of America? And how did Mike Seay end up with information about his daughter’s death on his mailing from OfficeMax? “In tort law, we would call it negligence,” writes Ryan Calo for Forbes. “A data broker collected information about a tragic death and accidentally sold it,” he adds, and the companies’ screening processes didn’t catch these blunders. “The truth is that there are consequences to obsessively compiling information about consumers and promiscuously sharing it.”
Full Story

PRIVACY

Tips To Determine If Your Printer has Internal Storage (February 7, 2014)

Some high-end printers and copiers retain digital copies of documents in their internal storage. This PC Magazine report offers tips from its lead analyst for printers and scanners, M. David Stone, on how to determine whether your printer is one of those, and if it is, what precautions to take to be sure it’s inaccessible when you get rid of it. If your printer has private printing or the ability to re-order the print queue via an embedded webpage, it may have internal storage capabilities, Stone says. When in doubt, he recommends opening it up and poking around: “Take it out to the street, and bang on it with a hammer until the insides rattle nicely,” says Stone.
Full Story

PRIVACY LAW—FRANCE

Google Fights CNIL Request In Court (February 7, 2014)

The Wall Street Journal reports that Google has asked a French court to suspend an order requiring it to post a message on its French home page notifying users of the privacy fine levied by France’s data protection authority (the CNIL). A Google lawyer has argued that posting the notice of the 150,000 euro ($204,000) fine causes irreparable damage to the company’s reputation. Patrice Spinosi, a lawyer representing Google, said, “This is something we’ve never seen before … Google has always maintained that page in a virgin state.” The CNIL has said that users of Google’s home page have the right to know that Google has been sanctioned. (Registration may be required to access this story.)
Full Story

INFORMATION ACCESS

Twitter Wants To Tell Customers More (February 7, 2014)

Though the Department of Justice recently announced a deal with major Internet firms to “allow more detailed disclosures about the number of national security orders and requests,” Twitter says the deal doesn’t go far enough. A blog post by Jeremy Kessel, manager of global legal policy, reads, “While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public.” Twitter wants to disclose numbers of national security requests of all kinds separately from all other requests and believes the ranges are too broad to be meaningful. Further, Twitter wants to disclose “that we do not receive certain types of requests, if, in fact, we have not received any.”
Full Story

STUDENT PRIVACY—U.S.

Judge Dismisses EPIC’s Suit on Expanded Data Access (February 7, 2014)

A federal judge has ruled that the Electronic Privacy Information Center (EPIC) lacks standing to challenge the expansion of access to public school students’ data, Courthouse News Service reports. EPIC sued the U.S. Department of Education under the Family Educational Rights and Privacy Act “claiming the government exceeded its statutory capabilities by changing the definitions of key terms within the law,” the report states. Meanwhile, Fordham Law Prof. Joel Reidenberg said recently that outsourcing, lack of transparency, vague contracts, outdated laws and new pushes for data analytics are to blame for the current risk to student privacy.
Full Story

DATA LOSS—U.S.

Was Target’s HVAC Vendor the Hackers’ Point of Entry? (February 6, 2014)

Target says the initial intrusion into its computer systems in its November breach can be traced back to a third-party vendor. KrebsonSecurity reports the network credentials used to gain access to Target’s system were stolen from its HVAC subcontractor, Fazio Mechanical Services, based in Pennsylvania. A cybersecurity expert said it’s common for large retailers to have a team monitoring energy consumption and temperatures, and they “need to be able to remote into the system” for maintenance. The Secret Service has visited Fazio in connection with the breach. Meanwhile, a study indicates 80 percent of Americans would support a Constitutional amendment on data privacy.

DATA PROTECTION—U.S.

Brill Talks Big Data, Cookies and Mobile Devices (February 6, 2014)

Federal Trade Commissioner Julie Brill took to Twitter yesterday, taking questions on the partnership between the U.S. and EU on data processing, the use of mobile devices in healthcare and a potentially cookie-less web ecosystem. The full conversation is at #FTCpriv. Here at the IAPP, we’ve collected the highpoints of the hour-long chat for your reading pleasure.
Full Story

PRIVACY COMMUNITY

What’s Bruce Schneier Doing at Co3? (February 6, 2014)

Why would an internationally known thinker on security issues leave a gig as chief security technology officer at a large telecom to serve as CTO of a much smaller software company? That was a question some observers might have been pondering when incident response software maker Co3 announced that Bruce Schneier was joining the company. In this exclusive for The Privacy Advisor, Schneier answers that question and shares his thoughts on how Co3 can help the security and privacy communities.
Full Story

BIOMETRICS—U.S.

Franken Wants Facial Recognition App’s Launch Delayed (February 6, 2014)

Sen. Al Franken (D-MN), who has expressed concerns over facial recognition technology for years, is displeased with a new app that makes use of Google Glass. Franken has sent a letter to the developer of Nevada-based NameTag asking that he delay launching the app, which the company calls a “Minority Report for Dating” and which would identify faces by pulling information from sex offender databases, dating sites and elsewhere via Google Glass, Forbes reports. Meanwhile, the National Telecommunications and Information Administration’s multi-stakeholder talks on facial recognition technology kick off today. Look for a story on how the first meeting went in tomorrow’s Daily Dashboard.
Full Story

CLOUD COMPUTING

CPO Discusses Data Sovereignty and Future of the Cloud (February 6, 2014)

In a Q&A with itbusiness.ca, McAfee CPO Michelle Dennedy, CIPP/US, CIPM, discusses data privacy and the cloud. “It’s great that there are a couple of companies … discussing privacy at all in the boardroom, but typically it is coming out of the audit committees or it’s coming as a reaction to fines that have been levied” when it should be thought of as an “asset value,” she said. Regarding in-country cloud providers, Dennedy said “the mentality that dirt can actually be a boundary for data is a mistake,” predicting a satellite cloud company will eventually be “the cloud provider of all.” Meanwhile, UpCloud, which complies with Finnish privacy law, plans to open a data center in the U.S., and ZDNet reports that hosting cloud services outside the U.S. may increase NSA surveillance.
Full Story

ONLINE PRIVACY—U.S.

Cable Home WiFi Defaults as Public Hotspot (February 6, 2014)

Ars Technica reports on a new program by Comcast that adds public hotspots to its users’ home-based modems by default. Customers can turn the signal off by opting out, but, according to the report, a Comcast FAQ does not provide instructions to turn off the service manually. Customers instead must call the company to find out how. Some customers are concerned about data privacy with the new program. Comcast has said “we anticipate minimal impact to the in-home WiFi network.”
Full Story

HEALTHCARE PRIVACY—U.S.

HIPAA Rule To Allow Direct Access to Lab Data; Papers Discuss Telehealth (February 6, 2014)

The Department of Health and Human Services recently released a final rule amending the Clinical Laboratory Improvement Amendments and the Health Insurance Portability and Accountability Act (HIPAA) giving patients the right to directly access their lab data, The National Law Review reports. As a result, HIPAA-covered laboratories must provide patients with such access within 30 days. Meanwhile, a new report discusses the legal and liability issues of mobile health applications, predicting increased regulatory roles for the Food and Drug Administration and the Federal Trade Commission over health apps. The Center for Democracy & Technology’s Joseph Lorenzo Hall and Deven McGraw write, “For telehealth to succeed, privacy and security risks must be addressed.”
Full Story

SURVEILLANCE—U.S.

New Technology “Can Track Everyone” for Hours at a Time (February 6, 2014)

The Washington Post reports on what new surveillance cameras can reveal: tracking “every vehicle and person across an area the size of a small city, for several hours at a time.” The cameras are unable to record license plates or faces, but “they provide such a wealth of data that police, businesses and even private individuals can use them to help identify people and track their movements,” the report states. There are clear law enforcement benefits to the technology, as the ACLU’s Jay Stanley acknowledges, stating, “If you turn your country into a totalitarian surveillance state, there’s always some wrongdoing you can prevent.” However, he warns, “The balance struck in our Constitution tilts toward liberty, and I think we should keep that value.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Judge: Pedophile Investigators Can Use Metadata (February 6, 2014)

A federal judge has ruled that investigators may use metadata to track sources of inappropriate photos of children, Houston Chronicle reports. In his order, U.S. District Judge Gregg Costa wrote the metadata embedded in a photo of a four-year-old girl shared online solved the "needle-in-the-haystack problem" investigators face. The perpetrator’s attorney had argued phones retrieve GPS coordinates without notifying users, so “although the image was contraband, the legitimate expectation of privacy as to location and identity is not rendered unreasonable.” Costa disagreed, writing, "He gave up his right to privacy in that image once he uploaded it to the Internet … There is no basis for divvying up the image … into portions that are now public and portions in which he retains a privacy interest."
Full Story
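The point of the order above is that a phone’s GPS fix travels inside the image file itself, whether or not the person who shot the photo knows it. As an added illustration that is not part of the Chronicle report or the ruling, the Python below constructs a minimal JPEG carrying an EXIF GPS IFD (the coordinates are constructed sample data, not the image from the case), parses the latitude and longitude back out the way an examiner would, and strips the segment, which is the step a user who wants to keep location private has to take before uploading. Everything in it is standard-library code written for this page; the tag numbers are from the EXIF specification, and the file layout is a bare container rather than a decodable picture.

```python
import struct

# EXIF/TIFF tag numbers from the EXIF 2.x specification.
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_gps_tiff(lat_dms, lat_ref, lon_dms, lon_ref):
    """Build a little-endian TIFF blob whose IFD0 points to a GPS IFD (constructed sample data)."""
    # Layout: TIFF header (8) | IFD0: 2 + 1*12 + 4 = 18 | GPS IFD: 2 + 4*12 + 4 = 54 | rationals
    ifd0_off, gps_off = 8, 8 + 18
    data_off = gps_off + 54
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_off)  # type 4 = LONG
    tiff += struct.pack("<I", 0)                                   # no next IFD
    rat = lambda dms: b"".join(struct.pack("<II", n, d) for n, d in dms)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\0\0\0"  # ASCII "N\0", inline, padded
    gps += struct.pack("<HHII", GPS_LAT, 5, 3, data_off)            # type 5 = RATIONAL, 3 of them
    gps += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\0\0\0"
    gps += struct.pack("<HHII", GPS_LON, 5, 3, data_off + 24)
    gps += struct.pack("<I", 0)
    return tiff + gps + rat(lat_dms) + rat(lon_dms)


def build_sample_jpeg(tiff):
    """Wrap the TIFF blob in an APP1/Exif segment between SOI and EOI (a container, not a real image)."""
    payload = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


# Constructed sample: 38 deg 53' 22.00" N, 77 deg 02' 08.00" W as EXIF RATIONAL triples.
SAMPLE_JPEG = build_sample_jpeg(build_gps_tiff(
    [(38, 1), (53, 1), (2200, 100)], "N", [(77, 1), (2, 1), (800, 100)], "W"))


def iter_segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed segment before the scan data or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                                 # EOI or SOS: metadata is over
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # length counts its own two bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"


def _read_ifd(tiff, e, off):
    """Return {tag: (type, count, 4-byte value-or-offset field)} for the IFD at off."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    out = {}
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[p:p + 8])
        out[tag] = (typ, count, tiff[p + 8:p + 12])
    return out


def _rationals(tiff, e, entry):
    """Dereference a RATIONAL array; three 8-byte rationals never fit the inline 4-byte field."""
    _typ, count, field = entry
    (off,) = struct.unpack(e + "I", field)
    vals = struct.unpack(e + "II" * count, tiff[off:off + 8 * count])
    return [vals[i] / vals[i + 1] for i in range(0, 2 * count, 2)]


def _to_decimal(dms, ref):
    deg, minutes, seconds = dms
    dec = deg + minutes / 60 + seconds / 3600
    return -dec if ref in ("S", "W") else dec


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the first EXIF GPS IFD, or None if there is none."""
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"                    # byte order is declared per file
        if tiff[:2] not in (b"II", b"MM") or struct.unpack(e + "H", tiff[2:4])[0] != 42:
            return None
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        pointer = _read_ifd(tiff, e, ifd0_off).get(GPS_IFD_POINTER)
        if pointer is None:
            return None
        (gps_off,) = struct.unpack(e + "I", pointer[2])
        gps = _read_ifd(tiff, e, gps_off)
        try:
            lat = _to_decimal(_rationals(tiff, e, gps[GPS_LAT]), gps[GPS_LAT_REF][2][:1].decode())
            lon = _to_decimal(_rationals(tiff, e, gps[GPS_LON]), gps[GPS_LON_REF][2][:1].decode())
        except KeyError:                                           # GPS IFD present, coordinates missing
            return None
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1/Exif segment removed; image data is untouched."""
    keep, pos = bytearray(), 0
    for marker, start, end in iter_segments(jpeg):
        if _is_exif(jpeg, marker, start):
            keep += jpeg[pos:start]
            pos = end
    keep += jpeg[pos:]
    return bytes(keep)


if __name__ == "__main__":
    print("embedded:", extract_gps(SAMPLE_JPEG))                  # (38.889444, -77.035556)
    print("after strip:", extract_gps(strip_exif(SAMPLE_JPEG)))   # None
```

Two design points matter for anyone reusing this. The parser honours the byte-order mark in the TIFF header rather than assuming little-endian, because cameras and phones differ. And the stripper removes the whole APP1/Exif segment rather than zeroing the GPS tags in place, so thumbnails and maker notes that can carry their own copies of the location go with it; a real uploader would run this before the bytes ever leave the device.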

CYBERSECURITY—U.S.

Target, Neiman Marcus: We Did All We Could (February 5, 2014)

Representatives from Target and Neiman Marcus appeared yesterday in front of the U.S. Senate Judiciary Committee to testify on the highly publicized breaches that hit each company in recent months and what can be done to bolster cybersecurity. What was clear during testimony was the sophistication of the cyber-attacks on both companies, the complicated forensics investigations used to detect and contain the malware, the need for chip-and-PIN technology for card payments and the need for a concerted effort by public and private stakeholders to counter the growing, lucrative and sophisticated cybercriminal industry. This exclusive for The Privacy Advisor covers the hearing and explores whether government is ready to—or should—pass federal data security legislation to confront these issues.

CYBERSECURITY—U.S.

What the Target Incident Means for the SEC and Cybersecurity (February 5, 2014)

“With the news that Target intends to wait until it files its annual report in March with the Securities and Exchange Commission (SEC) on the investment consequences of its massive cybersecurity intrusion from 2013, the SEC and cybersecurity once again gains attention,” write Jenner & Block’s Mary Ellen Callahan, CIPP/US, and Elaine Wolff. In this post for Privacy Perspectives, Callahan and Wolff look into the SEC’s guidance on cybersecurity, including recent comments by the agency that “underscore the need to disclose costs associated with any preventative or remedial measures that may have a material effect on a company’s results of operations, liquidity and financial condition.” The Target incident, they point out, “highlights some of the limitations in the SEC guidance.” Editor’s Note: Callahan and Wolff will speak as part of a panel discussion on the SEC and cybersecurity at the IAPP Global Privacy Summit, March 5-7, in Washington, DC.
Full Story

DATA PROTECTION—U.S.

State AGs as Privacy Regulators—Q & A with Maryland AG Doug Gansler (February 5, 2014)

In this Q&A exclusive for The Privacy Advisor, Divonne Smoyer, CIPP/US, speaks with Maryland AG Doug Gansler, who has been at the forefront of privacy protection efforts by state attorneys general. In 2013, as president of the National Association of Attorneys General, Gansler's focus was "Privacy in the Digital Age." He tells Smoyer, "State attorneys general have long been champions of consumers' privacy in the physical marketplace, where breaches of privacy are more easily contained," explaining, "if a company improperly disposes of a file with sensitive personal information a consumer shared, it may only be seen by a few people. In the Digital Age, however, the risks of sharing sensitive personal information are far greater." Editor’s Note: Smoyer, and Aaron Lancaster, CIPP/US, wrote about the role of the AG in privacy enforcement in a recent post for Privacy Perspectives.
Full Story

MOBILE PRIVACY

Apple Cracks Down on Tracking Apps; Developers Unhappy (February 5, 2014)

NBC News reports that Apple has started cracking down on mobile apps that collect Identifiers for Advertisers (IFAs) without actually showing any advertisements to the user. Until this week, a clause Apple added in its developer license agreement had gone unenforced. Mixpanel’s Suhail Doshi said, “I really believe that most developers using IFA are trying to (understand) if spending money on advertising was cost effective—as opposed to ‘spying on their users.’” Doshi also warned, “The new policies around it are now likely to cause app developers, as a last resort, to do things that will be worse for consumer privacy as they work around IFA—with far less transparency.”
Full Story

BYOD

One CIO’s Tech Solution (February 5, 2014)

As part of Forbes’ guest post series, Steven DeLuca, CIO of government contractor The SI Organization, outlines his thoughts on the BYOD conundrum. “BYOD seemed like a stretch for us years ago because of security considerations,” he writes, “but the reality of the situation is that all devices are personal these days … With the workforce becoming increasingly mobile, I had to find a way to balance productivity, affordability and security to meet current and future workforce demands.” He then outlines the guiding principles behind his search for a solution and the eventual tech selection. “Overall, the initiative has been very successful,” he writes, “yielding more than $400,000 in recurring operational-expense savings.”
Full Story

INTERNET OF THINGS—U.S.

As DOT Pushes For Connected Cars, Senators Want Privacy Considered (February 5, 2014)

While the Department of Transportation (DOT) is pushing for a mandate on connected cars before President Barack Obama leaves office, there are a number of privacy and security concerns that need to be ironed out, Politico reports. Vehicle-to-vehicle technology could eventually see driverless cars on the road that “virtually never crash,” said DOT Secretary Anthony Foxx. But the Alliance of Automobile Manufacturers’ concerns about privacy are shared by Senate Commerce Chairman Jay Rockefeller (D-WV), who applauds the potentially life-saving features of the technology but worries about driver privacy. Reps. Diana DeGette (D-CO) and Joe Barton (R-TX) have also voiced concerns about privacy. Editor’s Note: Future of Privacy Forum’s Joshua Harris wrote about the issue of privacy and connected cars in a recent post for Privacy Perspectives.
Full Story

PRIVACY COMMUNITY—IRELAND

Hawkes Will Not Seek Reappointment as DPC (February 5, 2014)

When his current term comes to an end next year, Data Protection Commissioner (DPC) Billy Hawkes will not be seeking reappointment. That’s according to a Bloomberg BusinessWeek story on Hawkes’ work in the nine years since he was appointed DPC—back when “Gmail was still in beta; Facebook was only open to a handful of colleges, and Steve Jobs was secretly designing a mobile phone.” Mark Milian writes that although “Hawkes says he won’t seek reappointment in 2015 when his current term as commissioner ends … he should have plenty to do before then” with Twitter and Dropbox operations in Ireland, the current examination of LinkedIn’s policies and the DPC’s placement “in the middle of a tech tug of war.”
Full Story

DATA PROTECTION—IRELAND

Yahoo Moves to Ireland, Preps for DPC’s Audit (February 5, 2014)

Yahoo will undergo a privacy audit by the Irish Data Protection Commissioner (DPC) following the company’s announcement to the DPC that it would move all of its data processing facilities in Europe to Ireland, the Independent reports. DPC Billy Hawkes said it’s standard procedure to audit any Internet firms processing personal information in Ireland; Hawkes’ office is now completing an audit of Dublin-based LinkedIn. Hawkes has recently voiced disapproval of public-sector entities’ handling of personal data—even calling out the Department of Social Protection as being “substandard” in its protection methods.
Full Story

HEALTHCARE PRIVACY—U.S.

Patient Access to Info Strengthened (February 5, 2014)

UPI reports on the Department of Health and Human Services strengthening patient rights to access laboratory reports. “The right to access personal health information is a cornerstone of the Health Insurance Portability and Accountability Act Privacy Rule,” HHS Secretary Kathleen Sebelius said. The final rule allows labs to give patients or their designees “access to the patient's completed test reports on request,” the report states. The changes allow patients to “obtain their test reports directly from the laboratory while maintaining strong protections for patients' privacy.”
Full Story

PRIVACY LAW—U.S.

Courts Tackle Privacy of Delivered Texts, Voicemails (February 5, 2014)

Courthouse News Service reports the Oklahoma Court of Criminal Appeals has found that senders of text messages have no expectation of privacy once the text has been delivered. Judge Clancy Smith wrote for the five-judge panel, “This is similar to mailing a letter; there is no expectation of privacy once the letter is delivered. It is like leaving a voicemail message, having the recipient receive and play the message and then claiming the message is private.” Meanwhile, Law360 reports that U.S. Magistrate Judge Nathanael M. Cousins has denied a motion to dismiss a case claiming that InterContinental Hotels Group PLC illegally recorded consumers’ phone calls to its reservation hotline, saying the plaintiffs properly stated a claim under California’s Invasion of Privacy Act.

PRIVACY LAW—U.S.

Legislators Considering Regulating Biometrics (February 5, 2014)

Florida lawmakers are considering legislation “to sharply regulate the use of fingerprint, palm print, iris scans and other biometric identification systems,” Reuters reports. The legislators are examining the issue in the wake of outrage from parents who learned last year that “students' eyes were being scanned as a condition of boarding school buses in central Florida's Polk County School District.” The Florida Senate Education Committee is reviewing a bill “that would require school districts choosing to use biometrics to establish strict policies on the public disclosure, use and maintenance of the stored data, and require parents to choose to participate in the program before their children's data is taken,” the report states.

DATA PROTECTION

How To Change Employee Password Habits (February 4, 2014)

Password reuse across multiple websites and company logins is a major weak link in company security systems. In a survey CSID conducted in 2012 on password habits, 61 percent of the respondents reused the same password for multiple sites, and 44 percent of respondents reported they change their passwords once a year or less. Employee password reuse creates a new layer of risk for businesses, especially when major enterprises are hacked. A breach today can affect more than just the initial company—it can affect your business and many others, writes Joe Ross in this exclusive for The Privacy Advisor.

INTERNET OF THINGS

Thierer: Let’s Not Hit the Panic Button Just Yet (February 4, 2014)

The rise of Internet of Things (IoT) connectivity has brought with it increasing concerns about privacy protection and “the potential for massive security threats and privacy violations in a world of always-on, always-sensing devices,” writes Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center. Though “there are some valid reasons for concern,” he notes, “it may be the case that some of the problems we fear today never come about.” In this post for Privacy Perspectives, Thierer argues that there isn’t yet need to hit the panic button as “most of us will likely quickly adapt to this new era” and “will likely find practical solutions to many of the problems that arise.”

DATA PROTECTION

Lawmakers Optimistic Data Privacy Law Will Pass; PCI DSS “Remains Solid” (February 4, 2014)

While SC Magazine reports on the current state of global data breach legislation, The Hill reports some U.S. lawmakers are optimistic that a data privacy law will pass this year. Rep. Joe Barton (R-TX) said, “It’s one of the few issues in the next 10 months that the House and Senate can work with the president on … I’ll go out on a limb here and predict that we’ll actually do that.” Meanwhile, in an interview with Computerworld, the Payment Card Industry Security Standards Council's Bob Russo said the standards are solid, and the Independent Community Bankers of America said at a hearing Monday that retailers should ultimately pay for a breach when hit by one. In healthcare, a recent study revealed that breaches cost healthcare providers $1.6 billion per year.

ONLINE PRIVACY—U.S.

Sen. Wants Data Brokers To Name Clients (February 4, 2014)

The head of the Senate Commerce Committee wants data brokers to disclose the names of their clients—especially those that categorize people as financially vulnerable or by their health status, MediaPost reports. Sen. Jay Rockefeller (D-WV) wrote a letter to Acxiom, Epsilon, LexisNexis, NextMark and MEDbase 200 asking that they name all of their clients for the last five years. Rockefeller’s concerns include that customers are being treated unfairly as a result of the personal data stored on them. He recently said he’s “revolted” by reports that brokers sell such lists as “genetic disease sufferers.”

PRIVACY—U.S.

Senate Committee Meeting Today; NTIA Aiming To Develop Voluntary Standards (February 4, 2014)

The National Telecommunications and Information Administration (NTIA) will meet Thursday with an eye toward developing standards on facial recognition technology, The Hill reports. Without standards regulating how the increasingly deployed technology may be used, the Obama administration has directed the NTIA to gather privacy advocates and the tech industry to develop voluntary standards. Meanwhile, the Senate Judiciary Committee, representatives from Target and Neiman Marcus, Department of Homeland Security officials and others are meeting today on “privacy in the digital age.” Speaking before the committee, a Target official said the retailer is “deeply sorry” about its recent data breach. Look for a report tomorrow in The Privacy Advisor.

SURVEILLANCE

Tech Giants Publish Updated Government Data Request Stats (February 4, 2014)

Google, Microsoft, Apple, Yahoo, Facebook and LinkedIn published new U.S. government data request statistics on Monday, CNet News reports, a week after the resolution of a lawsuit with the U.S. Department of Justice. The reports show a dramatic uptick in NSA data requests over the past year, the report states. A representative from the ACLU said though the reports were helpful, “they’re not nearly enough” for the public to assess the scope of the requests. In other surveillance-related headlines, Wired reports on a case involving the government order to Lavabit to hand over its SSL keys, and the Chaos Computer Club is suing the German government for allegedly helping foreign intelligence services—including the NSA and the UK’s GCHQ—monitor German citizens and compromise their privacy, ZDNet reports.

PRIVACY TRAINING—U.S.

CIPP/G Training Now Available Online (February 4, 2014)

Training for the IAPP’s Certified Information Privacy Professional/U.S. Government (CIPP/G)—the first publicly available privacy certification created for U.S. federal, state, county and local government employees—is now available online. This feature for The Privacy Advisor takes a closer look at what is included in the CIPP/G, who should be considering this certification option and the benefits of having online training available with the same content as in-person training options. The IAPP’s CIPP/G was created with assistance from multiple state and federal agencies as well as government services vendors IBM Corporation, SRA International and MITRE Corporation.

DATA LOSS—CANADA & U.S.

Schools, Tax Preparer, Others Suffer Breaches (February 4, 2014)

The personal information of 685 Fairfax County students was mistakenly posted on the school system’s website, The Washington Post reports. The data was online for about 24 hours. Meanwhile, Texas State Technical College is notifying employees of a data breach affecting just under 2,000 individuals. H&R Block says the private information of some of its customers was visible through the envelope windows in a recent mailing, while Easton-Bell Sports says hackers stole information on about 6,000 customers, and Bell Canada has reported that more than 22,000 of its small business customers have had their account information compromised. (Registration may be required to access this story.)

PRIVACY

Ten Steps to a Quality Privacy Program, Part Six: Test Your Incident Response Program (February 3, 2014)

In part six of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, looks at testing incident response programs. This can involve key stakeholders from various departments and potentially happen twice a year, involving a number of action items. "You do not want to find yourself in the middle of an incident and realize that you do not have what is needed to respond efficiently and effectively," Rodriguez writes in this exclusive for The Privacy Advisor.

DATA PROTECTION—U.S.

The Customer Service-Privacy Protection Balancing Act (February 3, 2014)

Two reports came out last week about seemingly different topics altogether, representing opposite ends of the customer service/data protection dial. TheNextWeb featured a blog post from a web developer whose Twitter handle, @N, was extorted from him when a hacker took over the victim’s web domains by fooling the company’s customer service agents through social engineering. Meanwhile, an ex-Transportation Security Administration employee wrote a tell-all in Politico called, “Dear America, I Saw You Naked: And yes, we were laughing.” The former case exemplified lax security protocol, while the latter exemplified too much security. Seen through the lens of risk management, privacy controls and customer service would seem to be at odds with each other. This Privacy Perspectives post looks at both issues to see what role transparency can play in tuning this balance appropriately.

PRIVACY LAW—U.S.

Forecast: Drone Laws with a Chance of Social Media Legislation (February 3, 2014)

In the U.S., eight states have been in the news for movement on drone legislation over the past week. While most are fairly similar, bills in California and Utah put restrictions on use and retention of the data, and one of the two drone bills in front of the Georgia House focuses on a 100-foot “protected zone.” In Montana, a suicide review board has been given authorization to begin looking into the healthcare records of suicide victims in an attempt to lower the incidents in the state, causing some privacy concerns. And Maine has opted for a study instead of furthering a social media privacy bill. Read about these developments and more in this week’s Privacy Tracker legislative roundup. (IAPP member login required.)

DATA PROTECTION—U.S.

Sens. Introduce Data Breach Legislation; Breach May Affect Hotels (February 3, 2014)

A number of U.S. senators have introduced data security and breach notification legislation following the Target and Neiman Marcus incidents. Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR) and Bill Nelson (D-FL) have introduced the Data Security and Breach Notification Act. The bill would require the Federal Trade Commission to release a set of security standards for businesses holding consumer data. Calls for chip-and-PIN technology are increasing as well. Sen. Robert Menendez (D-NJ) also plans to introduce the Commercial Bill of Rights, noting that, “Target was just the tip of the iceberg.” Representatives from Target and Neiman Marcus will testify before the Senate Judiciary Committee on Tuesday. Meanwhile, a recent PricewaterhouseCoopers survey canvassed those who oversee privacy within their organizations and found that though some data security awareness is growing, “privacy awareness isn’t quite where it should be.” In other breach news, KrebsOnSecurity reports that White Lodging, a business with connections to Hilton, Marriott, Sheraton and Westin, has allegedly suffered a data breach exposing credit and debit card information on thousands of customers.

INTERNET OF THINGS—U.S.

Though Connected Cars Are Here, Privacy Is Being Considered (February 3, 2014)

Connected devices of all shapes and forms were showcased at the recent Consumer Electronics Show, but perhaps leading that charge was the “wide range of autos offering connected technologies,” writes Future of Privacy Forum Director of Policy Joshua Harris. Noting the emergence of connected cars is “already reshaping the auto industry,” Harris highlights many of the benefits of the technology in this Privacy Perspectives installment while noting many of these benefits “depend on the collection, analysis and use of personal data, and data privacy issues have figured prominently in the recent discussions.” Editor’s Note: Harris will moderate the breakout session “From 0-60: Privacy and the New Generation of Connected Cars” at the IAPP Global Privacy Summit in Washington, DC, this March.

PRIVACY LAW—U.S.

CA AG To Release Best Practices for DNT Compliance (February 3, 2014)

California Attorney General (AG) Kamala Harris is planning to soon release final best practice guidelines for compliance with California’s new Do-Not-Track (DNT) law, MediaPost News reports. AB 370 amends California’s privacy statute by requiring some web companies to disclose how they respond to DNT requests and state in their privacy policies whether third parties have access to tracking data. “Say what you do, and do what you say,” is the bottom line, said Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, the AG’s director of privacy education and policy. Editor’s Note: For more on complying with the new law, see The Privacy Advisor exclusive, How Should I Respond to California’s Do-Not-Track Requirements?

BIOMETRICS—JAPAN & U.S.

As Facial Recognition Uses Expand, Privacy Concerns Abound (February 3, 2014)

The New York Times reports that companies working on facial recognition-based “VIP identification” for hotels and other businesses are expanding “shoplifter-identification services with parallel programs to help retailers recognize customers eligible for special treatment.” Meanwhile, law enforcement agencies in one California county are “testing facial recognition technology to help identify people in the field.” A National Telecommunications and Information Administration event this week is expected to look at issues related to facial recognition technology, the report states, noting that on the topic of facial recognition, the Federal Trade Commission’s Jessica Rich has said, “This is another reason that we need omnibus privacy legislation.” Across the globe, Japan’s National Institute of Information and Communications Technology plans to test facial recognition at Osaka’s train station. (Registration may be required to access this story.)

DATA BREACH—U.S.

Students Expelled After Hacking Into School Computers (February 3, 2014)

A California high school has expelled 11 students “accused of using keyloggers to spy on their teachers' computer systems, infiltrate the network and change their grades electronically”—the maximum discipline penalty allowed by the education code, CNet reports. The students allegedly worked with a tutor to learn how to hack into Corona del Mar High School’s systems with the goal of changing their grades and stealing tests, the report states, noting police are seeking to interview the tutor. Officials have said they are unsure how many grades were changed, but a total of 52,000 grades issued over a one-year period are being audited.

SURVEILLANCE—U.S.

Obama’s NSA Speech Saw Last-Minute Privacy Adds (February 3, 2014)

The day before President Barack Obama delivered a speech on the National Security Agency (NSA), White House officials “rushed to include additional surveillance restrictions to address concerns of privacy advocates and the president’s own review panel,” The Wall Street Journal reports. The last-minute additions—indicating the tension between Obama’s national security responsibility and widespread concerns about privacy—meant Obama would require the NSA to obtain a warrant before it could search a database of Americans’ phone calls. Sen. Bernie Sanders (I-VT) recently held a packed town meeting in Vermont on NSA surveillance. Meanwhile The Hill reports Obama’s nominee to take over the NSA is a stranger to the privacy advocacy community. (Registration may be required to access this story.)

SURVEILLANCE—RUSSIA

Olympics Security Trumps Privacy at Sochi (February 3, 2014)

QMI Agency reports on the “unprecedented” security measures being taken around the upcoming Olympic Games in Sochi, Russia. With terrorist groups threatening the safety of the participants and fans, Russian President Vladimir Putin has bolstered a “ring of steel” around the venues with “an unmatched level of monitoring in cyberspace,” the report states. With help from the U.S., Canada and other nations, people attending the games have been warned to expect to be under surveillance at all times—including via telecommunications, the Internet and physical movement.

DATA PROTECTION—U.S.

Who Can See My Fitness Data? (February 3, 2014)

Mother Jones reports on wristband fitness devices and the potential risk that the data they collect could end up in corporate hands. In a speech last week, the Federal Trade Commission’s Jessica Rich discussed the potential implications, such as health data being “collected and then sold to data brokers and other companies she does not know exist”—a concern, considering the devices collect data such as sleep quality, weight and even GPS location at times. Meanwhile, a new mobile app allows users to determine if other mobile apps are collecting their location information.