Group items tagged

THE Government is looking to develop a way to protect individuals' personal data that can 'best address' three issues. These are privacy concerns, commercial requirements and national interest. An inter-ministry committee is already reviewing the issue, said Minister for Information, Communications and the Arts Lee Boon Yang. 'As data protection is a complex issue, with extensive impact on all stakeholders, this review will take some time,' he said. He said this in a written reply to a question posed by Ms Lee Bee Wah of Ang Mo Kio GRC in Parliament on Monday. She had asked if his ministry will consider a comprehensive privacy law, and wanted to know what laws there are to protect people from spam mail and the unauthorised sale of personal information. Also, what about those whose photographs have been posted on blogs and other new media platforms without their authorisation, she had asked. This would be considered a 'civil matter', said Dr Lee. 'The aggrieved persons could first ask the site's webmaster to remove the pictures,' he said. 'As with matters relating to online libel and personal defamation, they could also seek professional legal advice to determine the most appropriate legal recourse.' As for the protection of personal data, the minister said that although no generic data protection law exists, such data is still protected. He listed the various measures that are already in place. For instance, there are 'strict provisions' in sectoral laws such as the Banking Act, and codes for medical professionals to protect sensitive financial and health information, he said. There are also other industry codes of practices against the unauthorised use of personal information, he added. For example. the Telecom Competition Code requires licensees to take 'reasonable measures' to prevent the unauthorised use of consumers' information. In addition, there is a voluntary privacy code, which has been adopted by many companies in the private sector, said Dr

The Heartland data breach is an opportunity for the US government to standardise data breach notification laws. Bill Conner, chairman, president and CEO of Entrust, claimed that following the revelation that more than 100 million credit cards could have been compromised, the government needs to continue to move quickly to standardise data breach notification laws and call for technology, such as encryption and stronger authentication, that truly protects consumer information. Conner said: "Cybercrime continues to grow and is increasingly affecting more and more of this country's citizens. To slow the upward trend of cybercrime in this country, all organisations - enterprise, consumer and even governments - need to carefully review current security approaches and identify key gaps within their infrastructures." He further called for Congress to pass a data breach notification law that better protects consumer identities through stronger data security standards with strong encryption. "This is an opportunity to do something about a security issue that impacts all Americans", said Conner.

This year was an interesting year in privacy and information security, and by looking back, we can clearly discern trends that will likely be a major part of the security management landscape in 2009. More and more states passed breach-notification laws and several enhanced or extended existing legislation. Software-as-a-Service (SaaS) and virtualization really took off, and compliance's looming presence grew with PCI DSS version 1.2 and some actual enforcement of HIPAA. Of particular note was Massachusetts' data breach law 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. This is to date the most comprehensive law of its kind, setting a new standard for what breach-notification laws should look like; it covers both paper and electronic records, it mandates appropriate security awareness training as well as security and risk assessments and, most importantly, requires companies to make changes to their security programs in accordance with the findings of those risk assessments. Similarly, California enhanced the well-known CA-1386 to include not just traditional financial information, but also health care and health insurance data as well. With new mandates popping up all the time, it's no wonder compliance was one of the biggest focus areas for enterprise information security teams in the past year, and this trend will clearly continue in 2009; there will be more regulation on both the state and federal levels, and stronger enforcement of existing regulations. Fines and other penalties for violations of PCI DSS and HIPAA will continue to rise, along with the inevitable rise in discoveries of malfeasance. As a result, there will be an even larger focus on compliance by upper management, which also means decreased time and budget for necessary security controls that don't clearly fall under a compliance umbrella.

Data Privacy Trends: Randy Sabett, Information Security Attorney March 26, 2009 Activity at the State Level Points Toward a Federal Data Breach Notification Law Data privacy legislation -- the trend started in California and is being discussed heatedly in Massachusetts today. Data breach notification and privacy laws have now been enacted in 40 separate states, and government observers think we're close to seeing federal legislation proposed. In an exclusive interview, Randy Sabett, a noted privacy/information security attorney, discusses: Trends in state data privacy legislation; What these laws mean to businesses; The Obama Administration's approach to data privacy; Trends to keep an eye on throughout 2009. Randy V. Sabett, CISSP, is a partner in the Washington, D.C. office of Sonnenschein Nath & Rosenthal LLP, where he is a member of the Internet, Communications & Data Protection Practice. He counsels clients on information security, privacy, IT licensing, and patents, dealing with such issues as Public Key Infrastructure (PKI), digital and electronic signatures, federated identity, HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley, state and federal information security and privacy laws, identity theft and security breaches. He served as a Commissioner for the Commission on Cyber Security for the 44th Presidency.

An Italian judge on Wednesday gave the go-ahead to a case in which Google (GOOG) could be held responsible for content it hosts but does not produce. The case centers on a 2006 video of four Italian youths taunting a child with Down syndrome. In the video, one of the youths incorrectly claims to be part of a small Down syndrome advocacy group called Vivi Down. The video was uploaded to the Google Video site, where it stayed for two months. Prosecutors have filed charges against five Google executives, saying they were in violation of Italian privacy laws and of contributing to the defamation of Vivi Down. At the heart of the case are two main questions: Should sites such as Google Video be held responsible for the content they host? And should such non-brick-and-mortar New Economy companies be subject to the laws in countries where they are not based? "The outcome of this will be to determine how big companies like Google should be expected to act," said Raffaele Zallone, a former chief counsel for IBM's Italian offices and the attorney representing a woman seeking damages in a secondary case tacked onto the main charges. FIND MORE STORIES IN: Italy | Google Inc | International Bus. Machines | Milan | New Economy Zallone, along with Milan prosecutors, the city's ombudsman and an attorney for Vivi Down, the advocacy group, say Google should have become aware of the offending video sooner and removed it sooner. Guglielmo Pisapia, Google's lead attorney in the case, denies any wrongdoing and says Google could not have acted differently. "Google did not produce the video, and when they received an official complaint, they removed it within five hours," said Pisapia, a former member of the Italian parliament. "If the argument is that they should have evaluated the video before it was posted, then that is a dangerous precedent." Oliviero Rossi, an author and commentator on technology issues, says unusual cases that push the limits of the law as this one does are

Should individual states mandate that businesses comply with the Payment Card Industry's Data Security Standard (PCI DSS)? The answer is "yes," according to Nevada, which has passed a new law that, as of next year, requires businesses to comply with PCI when collecting or transmitting payment card information. Nevada is the first state to mandate full PCI compliance for businesses. Minnesota in 2007 incorporated only a portion of PCI in its Plastic Card Security Law. According to Nevada's new law, if a data collector doing business in that state accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of PCI DSS, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization. Is it a Game-Changer? As states rush to adopt or strengthen privacy legislation, Nevada's move is seen by some observers as a potential "game-changer." But they question whether states should be in the business of mandating compliance with an industry standard.

A new privacy law in Maine is facing a court challenge from media organizations as well as a coalition of online companies including AOL, News Corp. and Yahoo. The new law, officially titled "An Act To Prevent Predatory Marketing Practices against Minors," prohibits companies from knowingly collecting personal information or health-related information from minors under 18 without their parents' consent. The measure also bans companies from selling or transferring health information about minors that identifies them, regardless of how the data was collected. Wednesday, opponents asked the federal district court in Maine to issue an injunction against the measure, slated to take effect Sept. 12. In its court papers, the groups opposing the law say it has consequences far beyond limiting the marketing of health-care information. They contend the measure would "prevent common marketing practices used to serve teens information on colleges, test prep services, class rings, etc." The groups who are suing include the Maine Independent Colleges Association, Maine Press Association, Reed Elsevier and NetChoice -- a coalition of Web companies like AOL, eBay, Yahoo, IAC, News Corp. and Overstock.com.

"In a sign that state attorneys general may be flexing the HIPAA enforcement muscle granted by the HITECH Act provisions in the Recovery Act, the Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that they failed to disclose for several months. Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which requires mandatory notifications within two months of knowledge of a breach. Connecticut Attorney General Richard Blumenthal (D) has emerged as possibly the first AG to take on a HIPAA investigation, and Arizona's AG may also be pursuing a similar course. The larger of the two breaches that have come to the AGs' attention was experienced by Health Net, Inc., which lost a portable external hard drive containing seven years of data for 446,000 Connecticut residents. The lost data came from 1.5 million individuals in total, who also hailed from New Jersey and New York. Health Net reported the loss to the Connecticut AG on Nov. 19, and on the same day Blumenthal issued a scathing statement demanding answers and promising action. He specifically said he was investigating whether Health Net may have violated "federal laws," as well as his state's own data protection laws."

"All Facebook users can deactivate their profiles, but doing so quietly might not make quite the same statement as using another service to slam the door on the site. One such service, Seppukoo.com, created by the Italian group Les Liens Invisibles, drew attention late last year after launching a campaign to convince people to commit Facebook suicide. Wannabe ex-Facebook members can provide Seppukoo.com with their names and passwords and Seppukoo then not only deactivates their profiles, but also creates a "memorial" page that it sends to users' former Facebook friends. Facebook evidently isn't happy about this development. Last month, the company fired off a cease-and-desist letter to Les Liens Invisibles, complaining that users who provide log-in data are violating Facebook's terms of service. The company also alleges that the scraping of its data violates a host of laws, including an anti-hacking law, the federal spam law and the copyright statute. "

FaceBook is sooooo concerned about our privacy!

"We all know that Internet and communications technology is changing rapidly, creating huge opportunities for business innovation and individual self-expression. Most people are probably not aware, however, that privacy law is not evolving nearly as quickly. It is time to update legal protections to reflect the impact the digital revolution is having on modern life. Cloud computing -- a bit of tech-jargon meaning the use of remote servers to store and process data -- is a great example. The movement of personal and proprietary data off desktop computers and into "the cloud", which is made up of server farms and broadband connections, is a major disruptive trend in computing. Unless our laws change to account for cloud computing and other equally momentous technology developments, the Constitution's protection against unreasonable search and seizure will become a relic of the past. The federal law setting standards for government access to personal communications -- the Electronic Communications Privacy Act (ECPA) -- was written more than two decades ago, before the Internet took off. "

"The U.S. Supreme Court Monday will hear arguments for and against the constitutionality of the oversight board established to monitor public company financial activity as part of the Sarbanes-Oxley regulation. The Sarbanes-Oxley Act was created and enacted into law partly in response to corporate accounting scandals such as Enron and WorldCom. The regulatory standard set out to reduce such fraudulent financial activities and provide an oversight mechanism for public companies. Part of the law includes the establishment of the Public Company Accounting Oversight Board (PCAOB), which consists of five members appointed by the Securities and Exchange Commission (SEC). The arguments to be heard this week relate directly to the PCAOB. While set up to regulate financial accounting at companies, those opposed to the board's powers argue that because its members are not appointed by the president, the board's control is unconstitutional based on the country's tenets of three branches of government. The challengers to the law say that the PCAOB lacks the presidential control required for executive branch agencies because the five members are appointed by the SEC, which doesn't fall under presidential powers. As a private agency in essence, the PCAOB is able to act as a government authority, which the Free Enterprise Fund believes to be unconstitutional. "

European Union's move indicates growing government concern over how Internet companies are using individuals' private data The European Commission began legal action against the U.K. Tuesday over its failure to protect Internet users from Phorm -- a covert behavioral advertising technology tested by the U.K.'s biggest fixed line operator, BT, in 2006 and 2007. The move signals growing concern in Brussels over the way new Internet-based technologies are using people's personal data. In addition to taking legal action against the U.K., the Commission also issued a general warning to all 27 E.U. countries to uphold privacy laws, especially regarding social-networking Web sites and users of RFID (radio frequency identification) technologies. In Canada, the federal government has even proposed a legislation that will provide law enforcement agents sweeping powers to obtain user information from ISPs. The Commission, the executive body of the European Union responsible for upholding laws, said the U.K. had failed to enforce E.U. data protection and privacy rules, because broadband Internet subscribers were not informed that their browsing was being tracked.

By now, many employees are uncomfortably aware that their every keystroke at work, from email on office computers to text messages on company phones, can be monitored legally by their employers. What employees typically don't expect is for the company to spy on them while on password-protected sites using nonwork computers. But even that privacy could be in jeopardy. A case brewing in federal court in New Jersey pits bosses against two employees who were complaining about their workplace on an invite-only discussion group on MySpace.com, a social-networking site owned by News Corp., publisher of The Wall Street Journal. The case tests whether a supervisor who managed to log into the forum -- and then fired employees who badmouthed supervisors and customers there -- had the right to do so. The case has some legal and privacy experts concerned that companies are intruding into areas that their employees had considered off limits. "The question is whether employees have a right to privacy in their non-work-created communications with each other. And I would think the answer is that they do," said Floyd Abrams, a First Amendment expert and partner at Cahill Gordon & Reindel LLP in New York. The legal landscape is murky. For the most part, employers don't need a reason to fire nonunion workers. But state laws in California, New York and Connecticut protect employees who engage in lawful, off-duty activities from being fired or disciplined, according to a report prepared by attorneys at the firm Proskauer Rose LLP. While private conversations might be covered under those laws, none of the statutes specifically addresses social networking or blogging. Thus, privacy advocates expect to see more of these legal challenges. In February, three police officers in Harrison, N.Y., were suspended after they allegedly made lewd remarks about the town mayor on a Facebook account. The officers mistakenly thought the remarks were protected with a password, but city officials view

The French parliament on Thursday voted down an Internet piracy law, which had largely been expected to pass. The "Creation and Internet" law, which won the preliminary approval of the parliament last week, would compel Internet service providers to take graduated actions against customers accused of illegally downloading copyrighted material. After warning a customer against such actions for a third time, an ISP could suspend the person's Internet access for up to a year. Because the bill was expected to pass, few members of parliament were present for the final vote on the bill, according to the Associated Press. Opponents of the legislation, led by the Socialist party, rejected the measure by a vote of 21 to 15. The legislation had the support of the ruling UMP party, to which President Nicolas Sarkozy belongs, as well as the support of the Recording Industry Association of America. Backers of the bill intend to re-introduce an amended version within the coming weeks, according to reports. The entertainment industry has suggested to the United States' Congress that it should consider adopting European methods of combating copyright infringement. The United States, members of the European Union, and other countries may also consider making ISPs liable for infringement through international treaties.

making best indexing in goggle and bing. RADJASEOTEA is a master of backlinks. You want indexing in goggle and bing. LOOK THIS www.fiverr.com/radjaseotea/making-best-super-backlink-143445

Hundreds of medical records kept by a longtime Acton family doctor who abruptly closed his practice last year are about to be destroyed, leaving patients without crucial information and exposing a gap in state law about who owns abandoned medical records. On April 8, a Lynn storage company is scheduled to discard the records and auction the equipment left by Dr. Ronald T. Moody, who was evicted from his office last September as state regulators pursued him, saying he was practicing without a license. Many of Moody's former patients have no idea that their records are slated for destruction: None has been notified, nor does the law require such notice. "We throw people's lives away on a daily basis, and, believe me, we go out of our way to try and find someone" to salvage belongings, said Jim Appleyard, owner of the storage company that was hired by Moody's former landlord to clean out the office and store the items for six months, as required by law. But the idea of dumping hundreds of patients' files without them knowing about it bothered Appleyard. Unable to find Moody, he contacted the state Board of Registration in Medicine and pleaded to take the dozens of boxes of records. The board regulates doctors and administers rules governing medical records of physicians in private and group practices.

We've all heard the argument before: "Why should you worry about the government looking into your personal records if you have nothing to hide?" Daniel J. Solove, an associate professor of law at The George Washington University Law School, analyzes that argument in a recently published paper titled "I've Got Nothing to Hide and Other Misunderstandings of Privacy." Solove argues that "the question assumes faulty assumptions about privacy and its value." Those who make the "nothing to hide" argument fail to understand the chilling effect that surveillance has on public discourse, the fact that small bits of private data (which an individual may not object to being uncovered) when put together form a larger and more intimate profile (which an individual may object to), and the mistake of having one's profile mistakenly associated with a group that is labeled as threatening. Here's an excerpt from the paper, which was published in the latest issue of the San Diego Law Review: [T]he problem with the "nothing to hide" argument is that it focuses on just one or two particular kinds of privacy problems - the disclosure of personal information or surveillance - and not others. It assumes a particular view about what privacy entails, and it sets the terms for debate in a manner that is often unproductive. It is important to distinguish here between two ways of justifying a program such as the NSA surveillance and data mining program. First is to not recognize a problem. This is how the "nothing to hide" argument works. It denies even the existence of a problem. The second manner of justifying such a program is to acknowledge the problems but contend that the benefits of the NSA program outweigh the privacy harms. The first justification influences the second, for the low value given to privacy is based upon a narrow view of the problem. The key misunderstanding is that the "nothing to hide" argument views privacy in a particular way - as a

Consumers and companies are vulnerable to hackers and identity thieves even after U.S. authorities arrested a man they said was a master hacker who stole 170 million credit and debit card numbers. Estimates on the total financial impact of breaches vary, but a study by Forrester Research put the cost at $90 to $305 per compromised record when considering the cost of upgrades, notifying customers and legal and marketing expenses. "Under our banking laws, it's the financial institutions that will be stuck paying for fraudulent use of credit cards. We have the consumers responsible for $50 and the rest winds up on the card issuer," said Joel Reidenberg, a professor at Fordham Law School who teaches privacy law. Banks in turn pass along costs to retailers as fines and fees. On Monday, three men were indicted on charges of stealing more than 130 million credit and debit card numbers in what U.S. authorities said they believed was the largest hacking and identify theft case ever prosecuted in the United States

A few weeks ago, I was very relieved to find out I had passed the IAPP exam to be a "Certified Information Privacy Professional" or CIPP. I got this certificate and even a pin, which is more than I ever got for passing the bar exams of New York and California. So what exactly did I need to know to become a CIPP? To be certified in corporate privacy law, you're expected to know what's covered in the CIPP Body of Knowledge, primarily major U.S. privacy laws and regulations and "the legal requirements for the responsible transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions." You're also expected to pass the Certification Foundation, required for all three certifications offered by IAPP. That covers basic privacy law, both in the U.S. and abroad, information security principles and practices, and "online privacy," which includes an overview of the technologies used by online companies to collect information and the particular issues to be considered in this context. So what do you think? Should you be able to pass an all-objective, 180 question, three-hour exam (counting the CIPP and Certification Foundation exams together) on the above topics and be able to call yourself a "privacy professional"?

"The school's policy seems to violate the Genetic Information Nondiscrimination Act (GINA), says Susannah Baruch of the Genetics and Public Policy Center at Johns Hopkins University. "Most generally," she says, "GINA prohibits health insurers and employers from using your genetic information against you." The law went fully into effect Nov. 21, and it prevents health insurers from collecting genetic information to make decisions about the insurance people get or how much it costs. The law also says an employer can't use it to make decisions about hiring, firing or job promotions. There are a few exceptions. The law doesn't apply to employers with fewer than 15 workers. And while it covers health insurance, it doesn't apply to life or long-term care insurance."

"On October 6, 2009, the Federal Trade Commission ("FTC") announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program. In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed. The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program. The six enforcement actions are significant as they mark a considerable uptick in the FTC's enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action. The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide "adequate" protection for personal data. Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU. To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU's adequacy standard. To maintain its certification to the Safe Harbor