It was the annual crunch time between Thanksgiving and the new year, and Nuala O'Connor Kelly had just sent to the printer the first-ever report to Congress by a chief privacy officer. This was it, the historic reporta 40-page description of what O'Connor Kelly had been doing during her first year as the first CPO of the U.S. Department of Homeland Security. Like addressing concerns about DHS's policies with privacy officers from other countries. Examining the department's growing use of biometrics. And reading irate e-mails from the public about controversial initiatives like the Transportation Security Administration's passenger screening program. If O'Connor Kelly was nervous about the grilling she was likely to get once members of Congress got their mitts on her report, she wasn't letting on. "It's actually a great moment for the [privacy] office to sit back and take stock of where we are now and where we're going for the next two, three, four, five years," says O'Connor Kelly, dashing from one meeting to the next with one of her staff members. At the time, O'Connor Kelly was the only federal government CPO whose position was mandated by law and who was required to file an annual report to Congress. But this seemed on the brink of change. Congress's consolidated 2005 appropriations bill, signed by President Bush in December, contains a provision thatdepending on how the White House's Office of Management and Budget interprets itwould create a handful or more of CPOs at federal agencies.

Travelers arriving at U.S. borders may soon be confronted with their laptops, PDAs, and other digital devices being searched , copied and even held by customs agents -- all without need to show suspicion for cause. Notices are being proposed by the Privacy Office at the U.S. Department of Homeland Security (DHS), which last week released a report approving the suspicionless searches of electronic devices at U.S. borders. The 51-page Privacy Impact Assessment also supported the right of U.S. Immigration and Customs Enforcement agents to copy, download, retain or seize any content from these devices, or the devices themselves, without assigning any specific reason for doing so. Also, while in many cases searches would be done with the knowledge of the traveler in some situations, the report says, "it is not practicable for law enforcement reasons to inform the traveler that his electronic device has been searched." In arriving at the assessment, the Privacy Office argued that such searches of electronic devices were really no different from searches of briefcases and backpacks. They are needed to interdict and investigate violations of federal law at U.S. borders and have been supported by courts in the past, the assessment said.

A privacy and consumer protection expert in the North Carolina attorney general's office and an Hispanic ally of President Barack Obama are being considered for the Federal Trade Commission, according to antitrust sources with knowledge of the administration's thinking. The five-person commission, which shares antitrust duties with the Justice Department and oversees consumer issues, has been short one commissioner since Deborah Majoras resigned in March 2008. The term of a second commissioner, Pamela Jones Harbour, ends this month. Harbour, an independent, has told the White House that she would like to remain in place but this is unlikely, according to the antitrust sources. Two women are under consideration for the FTC, the sources told Reuters. Julie Brill, North Carolina's senior deputy attorney general and chief of consumer protection, previously worked in the Vermont Attorney General's consumer protection and antitrust divisions.

Even as the Canadian government is fighting against "Buy American" policies that discriminate against Canadian firms, the federal government appears to be quietly continuing with policies that effectively block U.S. firms from winning some kinds of federal contracts. Case in point: a contract worth $150 million to help relocate nearly more than 18,000 public servants every year was awarded to the only Canadian bidder in mid-August. American firms were interested in the contract but say they were essentially blocked from the bidding because of a provision that personal information about Canadians cannot be stored on computerized databases outside of Canada. Canada Post, a Crown corporation, is about to award its own multimillion-dollar relocation services contract and it, too, has effectively blocked U.S. companies from bidding with a requirement that personal information be stored only on computers in Canada.

TJX Companies Inc. has agreed to pay $525,000 to settle a lawsuit brought by several banks in connection with the massive data breach disclosed by the retailer in January 2007. The money will reimburse AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union, and Trustco Bank a portion of the expenses they incurred in connection with the breach, TJX said in a statement. As part of the agreement, the banks will drop all other claims against TJX. The discount retailer admit no wrongdoing. The settlement money is part of the $118 million the company had set aside in the second quarter of 2007 to cover breach related costs.

Google has released a more detailed privacy policy for its Google Books product, a move demanded in recent weeks by several critics of its settlement with publishers and authors. The company announced the new policy in a blog post late Thursday afternoon, saying it developed the policy following conversations with the U.S. Federal Trade Commission. Google had previously said it was unable to release a detailed policy because the Google Books product was incomplete due to the fact that the settlement allowing its Book Search project to display certain types of books has yet to be formally approved. However, criticism of Google's lack of detailed information on the subject appears to have forced its hand. "To provide all users with a clear understanding of our practices, and in response to helpful comments about needing to be clearer about the Books product from the FTC and others, we wanted to highlight key provisions of the main Google Privacy Policy in the context of the Google Books service, as well as to describe privacy practices specific to the Google Books service," wrote Jane Horvath, general privacy counsel for Google, in a blog post.

Healthcare organizations are losing more than just names, addresses and Social Security numbers. When their data gets stolen, patients lose the privacy of their medical conditions, treatments and medications while at the same time falling prey to identity theft, medical billing fraud and other criminal schemes. Theft of electronic medical records is on the rise, and the implications are getting more serious. In a 2008 survey of identity theft victims, the Identity Theft Resource Center found that 67% had been charged for medical services they never received and 11% were denied health or life insurance due to unexplained reasons.

In a little more than three years, Twitter has become "the SMS of the Internet" for millions of people. Many find it a useful and productive form of communication, but recent attacks against the service and its users have highlighted the potential dangers of Twitter and other social networking sites. Enterprises have had to tackle not only the productivity and privacy issues associated with Twitter, but also a number of direct security threats. Unfortunately, the success of microblogging sites like Twitter relies on the same elements of human nature as social engineering attacks, particularly a natural desire and willingness to share and engage with those we trust. Most people have learned not to open attachments or links in emails from people they don't know. Yet because Twitter is seen as a friendly, group-based service, many will not hesitate to click on a shortened Twitter link, having no clue as to where it will take them.

Both panels that advise the national coordinator for health IT plan to focus on privacy and security standards needed to support meaningful use of electronic health records when they meet later this month, according to notices in today's Federal Register. The Health IT Policy Committee, led by Dr. David Blumenthal, the national coordinator for health IT, will direct more of its discussion at its upcoming Sept. 18 meeting on health information privacy and security as it makes progress in defining meaningful use under the stimulus law, according to the notice. Likewise, the companion Health IT Standards Committee, which meets Sept. 15, will concentrate on refining standards recommendations made by its privacy and security work group. At the Standards Committee's previous meeting Aug. 20, its privacy and security workgroup presented standards for authentication, authorization, auditing and secure data transmission of health information in EHR products as well as the infrastructure that hosts them. The work of the panel includes protecting data inside an enterprise as well as data exchange between enterprises, "because security is an end to end process," noted Dr. John Halamka, the committee's chairman in a post on his blog, "Life as a Healthcare CIO."

Americans are about to re-learn that bank deposit insurance isn't free, even as Washington is doing its best to delay the coming bailout. The banking system and the federal fisc would both be better off in the long run if the political class owned up to the reality. We're referring to the federal deposit insurance fund, which has been shrinking faster than reservoirs in the California drought. The Federal Deposit Insurance Corp. reported late last week that the fund that insures some $4.5 trillion in U.S. bank deposits fell to $10.4 billion at the end of June, as the list of failing banks continues to grow. The fund was $45.2 billion a year ago, when regulators told us all was well and there was no need to take precautions to shore up the fund.

Tax deadbeats are finding someone actually reads their MySpace and Facebook postings: the taxman. State revenue agents have begun nabbing scofflaws by mining information posted on social-networking Web sites, from relocation announcements to professional profiles to financial boasts. In Minnesota, authorities were able to levy back taxes on the wages of a long-sought tax evader after he announced on MySpace that he would be returning to his home town to work as a real-estate broker and gave his employer's name. The state collected several thousand dollars, the full amount due.

Travelers arriving at U.S. borders may soon be confronted with their laptops, PDAs, and other digital devices being searched, copied and even held by customs agents -- all without need to show suspicion for cause. Notices are being proposed by the Privacy Office at the U.S. Department of Homeland Security (DHS), which last week released a report approving the suspicionless searches of electronic devices at U.S. borders. The 51-page Privacy Impact Assessment also supported the right of U.S. Immigration and Customs Enforcement agents to copy, download, retain or seize any content from these devices, or the devices themselves, without assigning any specific reason for doing so.

PCI - better than nothing, but still vastly inadequate. - Karl The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Goods news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.

The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Goods news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.

Online crime is increasingly hitting small and mid-size companies in the U.S., draining those entities' bank accounts through fraudulent transfers. The problem has gotten so bad that a financial services group recently sent out a warning about the trend, and the Federal Deposit Insurance Corporation (FDIC) issued an alert today. "In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," says a bulletin sent on Aug. 21 to member financial institutions by the Financial Services Information Sharing and Analysis Center, (FS-ISAC). The FS-ISAC is part of the government-private industry umbrella working with the Department of Homeland Security and Treasury Department to share information about critical threats to the country's infrastructure. The member-only alert described the problem and told its members to implement many of the precautions and monitoring currently used to detect consumer bank and credit card fraud.

Look for almost a dozen consumer groups and privacy advocates to launch a full-court press on targeted behavioral advertising and online privacy on Capitol Hill next week. According to a source, those groups on Sept. 1 will release a background paper, letters to House members and other documents to make their case for stronger government oversight of online marketing targeted to kids. "A growing number of child advocacy and health groups have called on the FTC and Congress to prohibit the behavioral targeting of both children and teens, next week, many leading consumer and privacy groups will send a letter to congressional leaders calling for similar safeguards," confirms Jeff Chester, executive director of the Center for Digital Democracy. Chester saidd that 10 groups will be involved in the push, and that they will be "pressing Congress to write legislation that truly protects consumer privacy, but enables online marketing to flourish in a more responsible fashion." The effort comes as Congress prepares to return from its summer break. House Communications Subcommittee Chairman Rick Boucher (D-Va.) has made an online privacy bill a legislative priority in this session of Congress.

The man accused of masterminding the largest identity theft in U.S. history agreed to plead guilty to related charges, according to court papers filed in Boston federal court on Friday. Albert Gonzalez is accused of helping to steal millions of credit card and debit card numbers from major U.S. retail chains, leading to tens of millions of dollars in fraudulent transactions. A former government informant who is already in jail, Gonzalez, 28, agreed to plead guilty to 19 counts in Massachusetts by September 11. The agreement also resolves charges pending in federal court in New York.

A new privacy law in Maine is facing a court challenge from media organizations as well as a coalition of online companies including AOL, News Corp. and Yahoo. The new law, officially titled "An Act To Prevent Predatory Marketing Practices against Minors," prohibits companies from knowingly collecting personal information or health-related information from minors under 18 without their parents' consent. The measure also bans companies from selling or transferring health information about minors that identifies them, regardless of how the data was collected. Wednesday, opponents asked the federal district court in Maine to issue an injunction against the measure, slated to take effect Sept. 12. In its court papers, the groups opposing the law say it has consequences far beyond limiting the marketing of health-care information. They contend the measure would "prevent common marketing practices used to serve teens information on colleges, test prep services, class rings, etc." The groups who are suing include the Maine Independent Colleges Association, Maine Press Association, Reed Elsevier and NetChoice -- a coalition of Web companies like AOL, eBay, Yahoo, IAC, News Corp. and Overstock.com.

Recommend watching this Frontline report on the secret life of credit cards. Interesting: http://www.pbs.org/wgbh/pages/frontline/shows/credit/view/ - Karl ------------------------------------------------------------------------------- Millions of Americans have already seen their credit card limits shrink, and millions more face the same fate as lenders prepare for tougher U.S. consumer protection rules. Since the financial crisis deepened a year ago, credit card companies have been closing millions of inactive accounts, cutting credit limits and raising interest rates to cushion themselves from record loan losses. This is just the beginning of the biggest shake-up in the credit card industry in at least 20 years, analysts said. Credit Suisse analyst Moshe Orenbuch estimated available credit card lines will be cut by about 20 percent, or $1.2 trillion, in coming months, and warned that "further cuts could result from the provisions of the new credit card law."

Millions of Americans have already seen their credit card limits shrink, and millions more face the same fate as lenders prepare for tougher U.S. consumer protection rules. Since the financial crisis deepened a year ago, credit card companies have been closing millions of inactive accounts, cutting credit limits and raising interest rates to cushion themselves from record loan losses. This is just the beginning of the biggest shake-up in the credit card industry in at least 20 years, analysts said. Credit Suisse analyst Moshe Orenbuch estimated available credit card lines will be cut by about 20 percent, or $1.2 trillion, in coming months, and warned that "further cuts could result from the provisions of the new credit card law."

Facebook has agreed to make changes to better protect users' personal information on the social networking site and comply with Canadian privacy laws within one year, Canada's privacy commissioner said Thursday. "These changes mean that the privacy of 200 million Facebook users in Canada and around the world will be far better protected," said privacy commissioner Jennifer Stoddart.

Federal Reserve chief Ben Bernanke was among hundreds of victims of an identity fraud ring that stole more than $2.1 million from consumers and financial institutions across the United States, Newsweek magazine reported on its website. The head of the U.S. central bank and his wife were swept up in a case against the ring after her purse, with personal checks inside, was snatched at a coffee shop in August 2008, Newsweek reported, citing recently filed court documents. Someone soon began cashing checks on the Bernanke family bank account, a crime that became part of a wide-ranging federal identity theft investigation that was already underway.