Group items tagged

Stunned applicants filling out immigration forms are now being warned their personal information can be shared with the RCMP, national security and intelligence agents, and even foreign cops. The immigrants, many who arrive here from brutal regimes, are being told that they must sign a consent form or their requests will not be dealt with by federal immigration officials. One form, which was obtained by Sun Media, said the data can be shared with the Canada Border Services Agency, RCMP, Canadian Security Intelligence Service and foreign police. TARGET FRIENDS The information can be used to target friends or family members of those who say negative things about their homelands, said Jamal Kaker, of the Afghan Association of Ontario. "This will impact a lot of immigrants in many communities," he said yesterday. "This is scary because the information will get back to Afghanistan in no time." Toronto lawyer Guidy Mamann said it can be deadly for immigrants who give information that may be negative to their governments and are then refused by Canada. "The rights of these immigrants are being trampled," Mamann said. "All this was done under the radar without an announcement." He said foreign police -- some working for the worst regimes -- will be able to find out where their nationals who fled to Canada live and allegations they have leveled against their homelands. "All this information will now be shared," Mamann said. "The lives of immigrants and some Canadian citizens will become an open book." SIGN FORMS He said Canadian citizens are affected if they sign forms to sponsor a spouse or loved ones. "It's another nail in the coffin for civil rights in Canada," Mamann said. "Negative information against governments will now be open for sharing." Toronto lawyer Mendel Green called the changes troubling. "This is a serious breach of our privacy laws," he said. "It appears to be an excess of authority. Big Brother wants to watch our visitors." Federal immig

Payment processor Heartland Payment Systems has been sued over a data breach it disclosed publicly on Inauguration Day last week. The lawsuit, filed on Tuesday in U.S. District Court in Trenton, N.J., alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers about the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud. In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion only in the previous week and immediately notified law enforcement and credit card companies. Heartland was alerted in late October to suspicious activity surrounding processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, said Robert H.B. Baldwin Jr., chief financial officer of Heartland, last week. The lawsuit seeks damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach, which is believed to be the largest in U.S. history. Heartland executives have declined to specify how many consumers or accounts were affected. The company handles 100 million transactions per month for more than 250,000 merchants. The lawsuit, first reported by SearchSecurity news site, also accuses Heartland of negligence in taking more than two months to determine the existence and scope of the breach and criticizes the company for failing to identify which merchants were affected by the breach. The suit was filed on behalf of Woodbury, Minn., resident Alicia Cooper, who was notified last week by her credit union that a card associated with her account was included in the breach. It seeks class action status. A Heartland spokesman said the company could no

One of the nation's largest time-share companies is going to be shelling out nearly a $1 million for making phone calls to people on the national "Do Not Call" list, federal regulators said Tuesday. Westgate Resorts, based in Orlando, Fla., was named in a complaint filed on behalf of the Federal Trade Commission. The agency alleged that Westgate and two other companies placed thousands of telemarketing calls to people on the list. The FTC says Westgate has agreed to pay $900,000 to settle the charges. The commission on Tuesday also announced a $275,000 settlement with another Florida-based travel company, Accumen Management Services Inc., and its subsidiary, All in One Vacation Club, LLC. The company made telemarketing calls to consumers who had filled out entry forms for a sweepstakes to win vacation packages. Many of those called, the FTC said, were on the Do Not Call registry and did not agree to receive the telemarketing pitches for timeshares and vacation getaways. In the case of Westgate, the agency received several thousand complaints from consumers. The commission said Westgate bought phone numbers from an Internet-based lead generator that collected contact information in connection with offerings on its Brandarama.com web site. The two other companies named in the Westgate complaint are: Central Florida Investments Inc., and CFI Sales and Marketing, LLC., which both did telemarketing for Westgate. The combined fines of $1.17 million will go to the U.S. Treasury. Calls to Westgate and Accumen seeking comment were not immediately returned. The latest enforcement actions bring to 40 the number of Do Not Call cases the government has filed against companies since the registry began in June 2003. The biggest case to date involved satellite television provider DirecTV Inc., which paid a $5.3 million settlement. More than 167 million phone numbers have been placed on the Do Not Call registry.

The Veterans Affairs Department has agreed to pay up to $20 million to veterans for exposing them to possible identity theft in 2006 after losing their sensitive personal information. In court filings Tuesday, lawyers for the VA and the veterans said they had reached agreement to settle the veterans' lawsuit alleging invasion of privacy. The money will be used to pay for veterans who suffered actual harm, such as emotional distress or expenses incurred for credit monitoring. The lawsuit came after a VA data analyst in 2006 admitted that he had lost a laptop and external drive containing the names, birth dates and Social Security numbers of up to 26.5 million veterans and active-duty troops. The laptop was later recovered intact.

Jan 15, 2009 There may be only a handful of days left in the Bush administration, but the brouhaha over White House e-mail retention policies promises to continue right up to the last day. A federal court yesterday extended a preservation order to ensure that the outgoing administration does everything it can to recover any missing White House e-mails. The White House IT staff now has five days to scour workstations for missing e-mail before administration data records are archived on Jan. 20. The ruling, by U.S. District Judge Henry Kennedy Jr., also orders staff of the Executive Office of the President (EOP) to relinquish any digital media that may contain e-mails from March 2003 and October 2005. The legal action is the latest resulting from a lawsuit filed in September 2007 by the National Security Archive against the EOP, seeking to preserve and restore White House e-mails it alleged were missing. "There is nothing like a deadline to clarify the issues," Tom Blanton, the National Security Archive's director, said in a statement. "The White House will complain about the last-minute challenge, but this is a records crisis of its own making." The Archive, an independent nongovernmental research institute based at George Washington University, is a repository of government records and does not receive U.S. government funding. The Citizens for Responsibility and Ethics in Washington (CREW), a left-wing public advocacy group, also filed suit, but its legal action was subsequently consolidated with the Archive's legal action, which is taking place in the U.S. District Court for the District of Columbia. Last May, the White House's top tech staffer acknowledged that three months of data were missing from backup tapes. In earlier testimony before a congressional committee, White House technical staff said millions of e-mails from the past eight years could potentially have been erased. Also yesterday, Magistrate Judge John M. Facciola held an emergency status con

Big Brother may be at it again. Behavioral advertising -- the tracking of consumer's Internet surfing activity to create tailored ads -- has triggered an intense legal controversy that has law firms scrambling to stay on top of a burgeoning practice. Attorneys say that behavioral advertising is raising privacy, litigation and regulation fears among consumer advocates, the electronic commerce and advertising industries and legislators. Law firms are busy helping companies come up with a transparent way of letting consumers know that their online activities are being tracked and possibly shared. "Lawmakers and companies are having a tough time keeping up with this new frontier of Internet privacy issues, and there is growing consumer unrest about behavioral advertising, leading in some cases to consumer rebellion," said Lisa Sotto, a partner and head of the privacy and security data group in the New York office of Richmond, Va.-based Hunton & Williams. "Consumers find this type of tracking intrusive, and businesses are starting to take the consumer reaction seriously," she said. The buzz over behavioral advertising has been building since congressional hearings that were held last year, during which Congress called on Internet service providers (ISPs) to testify about a highly controversial advertising practice known as "deep-packet inspection." The practice gives companies the ability to track every Web site consumers visit and provides a detailed look at everything they're doing, such as where they're going on vacation, who is going, how much they spent on the trip and what credit card was used. But then came the first class action targeting behavioral advertising, filed against Foster City, Calif.-based NebuAd Inc., an online advertising company accused of spying on consumers from several states and allegedly violating their privacy and computer security rights. The lawsuit specifically alleges that NebuAd engaged in deep-packet inspection. Valentine v. Ne

All but one of the legal claims filed against Hannaford Bros. -- the Maine-based retailer that suffered a security breach exposing some four million credit and debit cards -- has been dismissed. U.S. District Court Judge Brock Hornby threw out the civil claims against the grocer for its alleged failure to protect card holder data and to notify customers of the breach in a timely fashion. In dismissing the claims, Hornby ruled that without any actual and substantial loss of money or property, consumers could not seek damages. The only complaint he allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account following the Hannaford breach.

Better to settle with the FTC than get your company's reputation as consumer-friendly (deserved or not) dragged through the court of public opinion.

Sears Holdings has agreed to settle allegations it collected personal data from customers without adequate disclosures, the Federal Trade Commission said on Thursday. The FTC had accused Sears Holdings, created in 2005 with the merger of Sears and Kmart, of paying online customers $10 to allow the company to track their online browsing. But the FTC said Sears also collected information on non-Sears sites, such as online bank statements, drug prescription records and emails. "The software would also track some computer activities that were not related to the Internet," the FTC said in a statement. Sears did disclose all it would monitor in a lengthy user license agreement, but the FTC argued it was not enough. "The complaint charges that Sears' failure to adequately disclose the scope of the tracking software's data collection was deceptive and violates the FTC Act," the FTC said in a statement. Sears did not immediately reply to two telephone calls and one email seeking a comment. Under the settlement, Sears is required to destroy the data collected and make future disclosures more prominent.

The Interior Department's inspector general has found widespread mishandling and erratic tracking of special passports issued to department officials traveling overseas, alleging that in numerous instances employees violated federal privacy laws by improperly securing passports and passport application forms. In some cases, officials couldn't account for expired passports of former employees, and could not locate a passport once issued to former Interior secretary Gale Norton. The inspector general's report warned that such mismanagement and lax protection could result in cases of fraud or identity theft impacting current and former employees. "Given the risk of misuse that missing and unsecured passports, visas and passport applications pose, we cannot understate the importance of acting swiftly to address these violations and prevent their recurrence," Acting Inspector General Mary L. Kendall wrote in a memo sent with a copy of the report last week to Interior Secretary Ken Salazar.

Defunct behavioral targeting company NebuAd did not just spur complaints by lawmakers and privacy advocates. This week, NebuAd's defense lawyers filed papers with the federal district court in San Francisco asking to withdraw as counsel in a privacy lawsuit. In a motion dated Monday, attorney Thomas Gilbertsen alleges that NebuAd is behind on its legal bills -- in some cases by more than 45 days. He also argues that because NebuAd is out of business, no officers or employees are available to help with the defense. "Because NebuAd has essentially ceased to exist, it can no longer participate in this case," states the motion. Gilbertsen also asked that the case be delayed pending NebuAd's liquidation and the resolution of creditors' claims. Gilbertsen also says in court papers that counsel and NebuAd have "irreconcilable differences." He did not elaborate in the motion or return messages seeking comment.

A former IT analyst at the Federal Reserve Bank of New York and his brother were arrested Friday on charges that they took out loans using stolen information, including sensitive information belonging to federal employees at the bank. Prosecutors allege that Curtis Wiltshire, 34, took out student loans totalling US$73,000 using the stolen information. His brother, Kenneth Wiltshire, 40, is charged with using the identities of two federal employees to try and obtain a loan for a 2006 Sea Ray 340 Sundancer speedboat. The charges (pdf) come two months after federal investigators found two 2006 student loan applications on a thumb drive attached to the work computer of Curtis Wiltshire, who had worked at the Reserve Bank for nearly eight years as an information and technical analyst. According to court documents, that investigation was unrelated to the fraud charges. Wiltshire was dismissed soon after the drive was found on around Feb. 15, prosecutors said. The charges were filed in the federal court in Manhattan. The two men could not be reached for comment Friday and the names of their lawyers were not included in the court documents. Curtis Wiltshire had "access to computer files containing information about employees of the [federal bank], including their names, dates of birth, Social Security numbers, and photographs," U.S. Federal Bureau of Investigation Special Agent Cordel James said in an affidavit filed in the case. Curtis Wiltshire was charged with bank fraud and identity theft and faces more than 30 years in prison if convicted. His brother was charged with mail fraud and identity theft and faces a maximum of 22 years in prison.

Maintaining privacy is on many people's minds these days, but sometimes that's the last thing they do. Allegations last week that two British tabloids, The Sun and The News of the World, had employed high-technology snoops to listen in on the mobile phone messages of public figures highlighted fears of what can happen when digital data fall into dubious hands. The reports came only days after another privacy debacle, this one self-inflicted. Photos and family information about Sir John Sawers, soon to be Britain's chief spy, appeared in another newspaper, The Mail on Sunday, after his wife posted them on Facebook. While attitudes toward privacy can appear paradoxical, the seeming contradiction is really about something else: control. When people bare their bodies on Facebook or their souls in the digital confessional of Google's search engine, they feel as if they are in charge. Not so, when the private embarrassments come to light unexpectedly.

U.S. authorities announced what they believed to be the largest hacking and identity theft case ever prosecuted on Monday in a scheme in which more than 130 million credit and debit card numbers were stolen. Three men were indicted on charges of being responsible for five corporate data breaches in a scheme in which the card numbers were stolen from Heartland Payment Systems, 7-Eleven Inc and Hannaford Brothers Co, federal prosecutors said in a statement. The suspects also hacked two unidentified corporate victims, the U.S. attorney's office in New Jersey said in the statement. Prosecutors allege Albert Gonzalez, 28, of Miami, and two unnamed Russian coconspirators targeted large corporations by scanning the list of Fortune 500 companies and exploring corporate websites before setting out to identify vulnerabilities. The suspects would seek to sell the data to others who would use it to make fraudulent purchases, the statement said.

The Federal Trade Commission today approved a final consent order settling claims that CVS Caremark violated customers' privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year. Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations. "This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said FTC chairman William Kovacic following the settlement. "It also sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information." Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data.

Naturally, privacy watchdogs answer the question in this post title with a resounding "Yes!" The answer is so emphatic, in fact, that the Center for Digital Democracy and U.S. Public Interest Research Group are filing a 52-page complaint with the FTC today alleging that mobile marketers collect so much "non personally identifiable information" that it infringes on users' privacy-and are "unfair and deceptive." Mobile devices, which know our location and other intimate details of our lives, are being turned into portable behavioral tracking and targeting tools that consumers unwittingly take with them wherever they go. (Shh! Don't tell them the FBI can remotely turn on the microphone of several cell phone brands and convert your phone into a roving bug, even when it's off!) But is the Internet private-and should it be? Is a profile that states that you are interested in outdoor rec and currently in the Santa Clara, CA, area an invasion of your privacy? And if so, should we ban all outdoor rec stores and centers in Santa Clara from collecting personally identifiable information like, say, a picture of you when you walk in their lobby? Should we prohibit all employees from asking your name and if you slip and mention it, make sure they never call you by it?