Contents contributed and discussions participated by Karl Wabst

Karl Wabst

Guidelines for Processing Personal Data Across Borders (January 2009) - 0 views

  •  
    The Office of the Privacy Commissioner of Canada (OPC) has developed these guidelines to explain how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to transfers of personal information to a third party, including a third party operating outside of Canada, for processing. As the legislation itself states, PIPEDA is intended to "support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances…" This acknowledges that proper protection of personal information both facilitates and promotes commerce by building consumer confidence. Today's globally interdependent economy relies on international flows of information. These cross-border transfers do raise some legitimate concerns about where personal information is going as well as what happens to it while in transit and after it arrives at some foreign destination. Consumer confidence will be enhanced, and trust will be fostered, if consumers know that transfers of their personal information are governed by clear and transparent rules. There are different approaches to protecting personal information that is being transferred for processing. European Union member states have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers "adequate" protection for personal information.
Karl Wabst

When Mashups Intrude on Privacy - 0 views

  •  
    Prop 8 maps, a mashup of Google Maps and Prop 8 Donors, shows the names of those who contributed money to the passage of California's Proposition 8, which prohibits same-sex marriage. The mashup also shows the streets where these people live. This kind of mashup is useful, but to some, it's also intrusive and scary. While these contribution records are public record, the idea that your name and mapped street are online could be considered unnecessarily invasive. The mashup offers great information, but is the backlash and privacy invasion worth it? This particular mashup, while not on a news site, raises questions about when and how journalists should use this type of online application.
Karl Wabst

Health Care -- Misinformation On Health Information Technology - 0 views

  •  
    Late last month, the House passed an economic recovery package containing $20 billion for health information technology, which would require the Department of Health and Human Services to develop standards by 2010 for a nationwide system to exchange health data electronically. The version of the recovery package passed by the Senate yesterday contains slightly less funding for health information technology ("health IT"). But as Congress moves to reconcile the two stimulus packages, conservatives have begun attacking the health IT provisions, falsely claiming that they would lead to the government "telling the doctors what they can't and cannot treat, and on whom they can and cannot treat." The conservative misinformation campaign began on Monday with a Bloomberg "commentary" by Hudson Institute fellow Betsy McCaughey, which claimed that the legislation will have the government "monitor treatments" in order to "'guide' your doctor's decisions." McCaughey's imaginative misreading was quickly trumpeted by Rush Limbaugh and the Drudge Report, eventually ending up on Fox News, where McCaughey's opinion column was described as "a report." In one of the many Fox segments focused on the column, hosts Megyn Kelly and Bill Hemmer blindsided Sens. Arlen Specter (R-PA) and Jon Tester (D-MT) with McCaughey's false interpretation, causing them to promise that they would "get this provision clarified." On his radio show yesterday, Limbaugh credited himself for injecting the false story into the stimulus debate, saying that he "detailed it and now it's all over mainstream media."
Karl Wabst

Obama hints at cybersecurity shake-up with review | Politics and Law - CNET News - 0 views

  •  
    In a move that could reshape the federal government's cybersecurity efforts, President Obama on Monday said a former Booz Allen consultant would conduct an immediate two-month review of all related agency activities. The announcement indicates that the White House's National Security Council may wrest significant authority away from the U.S. Department of Homeland Security, which weathered withering criticism last fall for its lackluster efforts. Obama selected Melissa Hathaway, who worked for the director of national intelligence in the Bush administration and was director of a multi-agency "Cyber Task Force," to conduct the review with an eye to ensuring that cybersecurity efforts are well-integrated and competently managed. "The president is confident that we can protect our nation's critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said John Brennan, the president's homeland security adviser. Hathaway's appointment comes as Obama plans to overhaul the National Security Council, expanding its membership and effectively centralizing more decision-making in the White House staff. That would vest more authority in a staff run by James L. Jones, a former Marine Corps commandant who warned at a speech in Munich over the weekend that terrorists could use "cyber-technologies" to cause catastrophic damage. During a panel discussion that CNET News wrote about last fall, Hathaway defended Homeland Security's efforts to develop what it called a National Cyber Security Initiative, saying there was "unprecedented bipartisan support" for it. "Over the past year cyber exploitation has grown more sophisticated, more targeted, and we expect these trends to continue," she added. "Our cybersecurity approach to date has not kept up with the threats we've seen."
Karl Wabst

Why ID Theft Targets Women - 0 views

  •  
    "Identity theft can happen to anyone," is the frequent refrain of government and advocacy groups warning consumers about bank fraud. What they don't add: The crime is far more likely when that "anyone" is a woman. A study released Monday by the fraud-tracking firm Javelin Research showed that women are 26% more likely than men to be the victims of identity theft. While 3.8% of men had their banking details stolen and used for fraud in the last year, 4.8% of women were victimized. And women took far longer on average to discover their financial identities had been compromised, leading to far greater risk of repeat fraud: Women took 83 days to detect they'd been targeted, compared with 45 days for men. The growing reason behind this disparity, argues Javelin President James Van Dyke, is an often-misunderstood trend: Digital commerce is making identity theft harder, rather than easier. Because men are statistically more likely than women to adopt newer technologies such as online banking and shopping, they more often have the benefit of high-tech safeguards, Van Dyke says. Women, because of their lesser use of Web banking and sales, suffer from more old-fashioned fraud caused by stolen credit cards or retail employees, he says. Fifty-eight percent of women, for instance, have never banked online, compared with 55% of men, according to Javelin's study. That means women are less likely to sign up for fraud protection programs like text message or e-mail alerts that warn of abnormal transactions. Twenty-three percent of men use e-mail alerts, compared with 15% of women; 8% of men receive text message warnings, compared with just 3% of women.
Karl Wabst

Google's G1 phone makes it easy to track surfing habits - USATODAY.com - 0 views

  •  
    It's never been easier to get information on the run. Smart devices such as the G1 and Apple iPhone let you put the Internet in your pocket and go - down the block or across the country. But this convenience could cost plenty in lost privacy, consumer advocates and tech analysts say. Once data have been collected and warehoused, you lose control of it forever. "The Big Brother aspect of it is troubling," says Rep. Edward Markey, D-Mass., former chairman of the powerful House Subcommittee on Telecommunications and the Internet. Mobile consumers are especially vulnerable, Markey says. Unlike PCs, cellphones tend to be used by one person exclusively. The information they telegraph - on Web browsing, lifestyle and more - tends to be "highly personalized." That's the main reason mobile data are so prized: The information is incredibly accurate. It's also why Markey and other privacy advocates say the debate about online privacy will become even more intense as advertising migrates to the mobile Web. Mobile advertising is still relatively new - G1 users, for now, get ads only through search results, for instance - but it's clearly a hot spot. The market is expected to reach $2.2 billion by 2012, from about $800 million now, according to JupiterResearch. Ultimately, it could surpass the traditional Web, now a $20 billion ad market. Yahoo, Microsoft and other ad-supported search engines collect information as Google does. But the sheer size and scope of Google's data-mining operation - the Web giant performs more than 80% of all desktop searches worldwide - makes it a uniquely pervasive presence, says Chester. Google and Yahoo, the two biggest players in search advertising, say their self-imposed privacy policies are sufficient to protect consumers, noting that they do not collect or store information in a way that can be directly tracked to an individual. Peter Fleischer, global privacy counsel for Google, says Google tries to make privacy language as
Karl Wabst

Lobbying War Ensues Over Digital Health Data - washingtonpost.com - 0 views

  •  
    The Senate and House appear headed for a clash over competing visions of how to protect the privacy of patients' electronic medical records, with the House favoring strict protections advocated by consumer groups while the Senate is poised to endorse more limited safeguards urged by business interests. President Obama has called creation of a nationwide system of electronic medical records fundamental to health-care reform, and both chambers of Congress have included about $20 billion to jump-start the initiative as part of their stimulus bills. But as with much in the stimulus package, it is not just the money but the accompanying provisions that groups are trying to influence. The effort to speed adoption of health information technology has become the focus of an intense lobbying battle fueled by health-care and drug-industry interests that have spent hundreds of millions of dollars on lobbying and tens of millions more on campaign contributions over the past two years, much of it shifting to the Democrats since they took control of Congress. At the heart of the debate is how to strike a balance between protecting patient privacy and expanding the health industry's access to vast and growing databases of information on the health status and medical care of every American. Insurers and providers say the House's proposed protections would hobble efforts to improve the quality and efficiency of health care, but privacy advocates fear that the industry would use the personal data to discriminate against patients in employment and health care as well as to market the information, often through third parties, to generate profits.
Karl Wabst

Kaiser employee data breached; ID theft reported - 0 views

  •  
    Kaiser Permanente says that the personal information of 29,500 employees in Northern California may have been exposed in a security breach. "A handful" of employees have reported identity theft, the Oakland, Calif.-based managed-care giant said. Police in San Ramon, Calif., seized a computer file containing the employee information from a suspect who was arrested. The suspect was not a Kaiser Permanente employee, and officials declined to provide further details. The file contained the names, addresses, phone numbers, Social Security numbers and dates of birth of the Kaiser workers. No health plan member information or personal health information was involved in the data breach, according to Kaiser officials. "We regret that this unfortunate incident occurred, and we understand the anxiety and worry that some employees may feel," said Gay Westfall, senior vice president for human resources at Kaiser Foundation Health Plan and Hospitals, Northern California, in a written statement. Kaiser is providing one year of free credit-monitoring to workers whose information was in the file.
Karl Wabst

Union: Hacker broke into FAA computers - Security- msnbc.com - 0 views

  •  
    Hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and national identification numbers of 45,000 employees and retirees, a union leader says. Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said FAA officials briefed union leaders Monday about the security breach. FAA spokeswoman Laura Brown confirmed the agency's computers were hacked last week. Waters said union leaders were told hackers gained access to two files. One file had the names and Social Security numbers of 45,000 employees and retirees on the FAA's rolls as of February 2006. Social Security is the U.S. government-directed pension system, and in the absence of a national identity card, other people's social security numbers can be used to steal identities for illicit purposes. Waters said the other file contained medical information that was encrypted. "These government systems should be the best in the world, and apparently they are able to be compromised," said Waters, an FAA contracts attorney. "Our information technology systems people need to take a long hard look at themselves and their capabilities. This is malpractice in their world." FAA officials told union leaders the incident was the first of its kind at the agency. But Waters said his union complained about three or four years ago about an incident in which employees received anti-union mail that used names and addresses that appeared to be generated from FAA computer files.
Karl Wabst

FTC Staff Revises Online Behavioral Advertising Principles - 0 views

  •  
    Federal Trade Commission staff today issued a report describing its ongoing examination of online behavioral advertising and setting forth revisions to proposed principles to govern self-regulatory efforts in this area. The key issue concerns how online advertisers can best protect consumers' privacy while collecting information about their online activities. Over the last decade, the FTC has periodically examined the consumer privacy issues raised by online behavioral advertising - which is the practice of tracking an individual's online activities in order to deliver advertising tailored to his or her interests. The FTC examined this practice most recently at its November 2007 "Behavioral Advertising" Town Hall. The following month, in response to public discussion about the need to address privacy concerns in this area, FTC staff issued a set of proposed principles to encourage and guide industry self-regulation for public comment. Today's report, titled "Self-Regulatory Principles for Online Behavioral Advertising," summarizes and responds to the main issues raised by more than 60 comments received. It also sets forth revised principles. The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertising generally supports and personalization that many consumers appear to value. It also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected - including sensitive information regarding health, finances, or children - could fall into the wrong hands or be used for unanticipated purposes. Consistent with the FTC's overall approach to consumer privacy, the report seeks to balance the potential benefits of behavioral advertising against the privacy concerns it raises, and to encourage privacy protections while maintaining a competitive marketplace. The report points ou
Karl Wabst

Financial firms focus on internal threats, employee errors - 0 views

  •  
    Banks and financial firms are placing more emphasis on internal threats to cut the flow of data leakage as a result of employee mistakes or workers disgruntled with layoffs and downsizing during the economic crisis, according to a recent survey. The report, "Protecting What Matters: The Sixth Annual Global Security Survey," is based on a Deloitte survey of 250 CISOs in the financial-services industry. It found that 36% of respondents believe the internal threat represents the greatest risk to organizations, compared to 13% who said external threats are the biggest concern. Mark Steinhoff, head of Deloitte's financial services security and privacy practices, said an organization's biggest mistake would be to let its guard down. While the number of security breaches may have declined over the last year, cybercriminals are not rationing back their efforts. "The number of breaches that are occurring are really at the hands of insiders and organizations are understanding that there is a real threat of malicious attacks and exposure of personal information by insiders," Steinhoff said. The failing economy may be driving the increased concern over insider threats, Steinhoff said. "The climate we're in today causes concerns about disgruntled employees," he said. "We are seeing the layoffs and other forms of downsizing. Frankly with limited budget and less than satisfied employees, it really raises the parameter on that threat." Human error is the leading cause of information systems failure, and is likely to be the main cause of security attacks in the near future, according to 86% of those surveyed. To protect against employee mistakes that lead to a breach, financial firms should focus on risk rather than compliance to protect themselves, Steinhoff said. "[Organizations] need to look at what they want to protect and look at various types of threats internally and evaluate who has access to the data and who has access to which system, and approach it from that persp
Karl Wabst

Facebook retains terms of service after users voice concerns - Technology Live - USATOD... - 0 views

  •  
    Update on Feb. 18, 8:33 a.m.: Facebook is backing off changes to its terms of service, informing users on their official blog that they will remain intact. "Over the past couple of days, we received a lot of questions and comments about the changes and what they mean for people and their information," Facebook CEO Mark Zuckerberg writes in the blog. "Based on this feedback, we have decided to return to our previous terms of use while we resolve the issues that people have raised." To learn more, read our original post below. Facebook is having trouble dousing the flames in a firestorm over its trustworthiness. A recent change in its terms of use -- the legalese tacked onto the bottom of most websites -- has sparked concerns that the social networking giant plans to own all users' information forever. Founder and CEO Mark Zuckerberg claimed in a blog post Monday that "on Facebook people own and control their information." But privacy advocates still aren't satisfied. "I think in simple terms it's a tug of war over user data," says Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC) in Washington. "People put information on a Facebook page to share with friends. But it's pretty much with the understanding that they're deciding what to post and who has access to it. Facebook, like any other company, is trying to obtain maximum commercial value from its users."
Karl Wabst

Thousands of Floridians may have been affected by hotel data breach -- South Florida Su... - 0 views

  •  
    Up to 21,000 Floridians may have been affected by a data breach at Wyndham Hotels & Resorts last year, prompting Attorney General Bill McCollum to ask consumers to keep a close eye on their credit statements. According to a statement released today, Wyndham reported to the Attorney General's Office that it contacted affected consumers in December and notified them that unauthorized access to Wyndham systems had potentially compromised their personal data on their debit and credit cards. The data breach has since been disabled. McCollum encouraged consumers to report any suspicious activity on their accounts to law enforcement. Affected consumers are encouraged to take precautionary steps, including obtaining a free fraud alert from one of the credit reporting agencies. Anyone who believes they may be a victim of identity theft should also request that the national credit bureaus place a fraud alert on their credit reports. Consumers should notify banks and creditors involved of questionable charges or accounts, keep records of all telephone calls and follow up in writing with credit bureaus, banks and creditors.
Karl Wabst

Google Tracker Appeals to Facebook Crowd, Spurs Privacy Worries - 0 views

  •  
    Richard Acton-Maher of San Francisco was in nearby Berkeley last month and wanted to meet friends for lunch. Instead of making calls to see who was around, he looked at a digital map on his iPhone that plotted their locations. "One of my friends was also there," said Acton-Maher, 24, who used a service from a startup company called Loopt Inc. "I gave him a call and met him for lunch. It just enhances the communications tools that I already have." Google Inc., encouraged by people's willingness to share their personal lives on sites like Facebook, is betting more people like Acton-Maher will post their whereabouts online. The owner of the most popular search engine started a program this month called Latitude, seeking to compete with mobile networking services such as Loopt, Match2Blue, Whrrl and Limbo. Besides competition, Google's effort to turn mobile phones into tracking devices faces criticism from privacy advocates. Useful for friends and family, location data would also be valuable to the government, said Kevin Bankston, an attorney with the San Francisco-based Electronic Frontier Foundation, a not-for-profit organization focused on civil-liberties. "This is certainly valuable information to investigators and potentially to civil litigants," Bankston said. "This type of location information presents a very new sensitive data flow." Google says its privacy settings address such concerns. People using Google's mobile maps can opt not to use Latitude and choose whom they share their information with. The program also only stores the user's last known location, not a full history of their travels, said Steve Lee, a Google product manager. 'Ephemeral Data' While Google doesn't plan to store the data, the government could still go to court to ask for the company's help in tracking someone during an investigation, Bankston said.
Karl Wabst

Privacy Trumps Profit in $19 Billion Health Stimulus - 0 views

  •  
    Patients' advocates claimed victory in a battle over the privacy of health records as the U.S. Congress approved the economic stimulus bill, which contains $19 billion for health-care information. U.S. House and Senate negotiators' compromise reflects stricter standards that privacy advocates wanted for marketing, selling and disclosing health data. Both houses approved the $787 billion stimulus plan today and sent it to President Barack Obama for his signature. The legislation contains $2 billion in grants to create a national system of computerized health records and $17 billion in higher Medicare and Medicaid reimbursements for doctors and hospitals to adopt the technology. Electronic records will improve care and reduce costs, Obama said. The legislation also will boost the health-records industry, led by Allscripts-Misys Healthcare Solutions Inc., Quality Systems Inc. and Athenahealth Inc. "We've dramatically improved on the status-quo, wholly unregulated system where private patient data was bought and sold like any commodity," Caroline Fredrickson, director of the American Civil Liberties Union's Washington legislative office, said in an interview today.
Karl Wabst

Why security breach notification laws are a good thing | OUT-LAW.COM - 0 views

  •  
    There are three reasons for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law - "They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing" - is just wrong. Two, it provides statistics to security researchers as to how pervasive the problem really is. And three, it forces companies to improve their security. That last point needs a bit of explanation. The problem with companies protecting your data is that it isn't in their financial best interest to do so. That is, the companies are responsible for protecting your data, but bear none of the costs if your data is compromised. You suffer the harm, but you have no control - or even knowledge - of the company's security practices. The idea behind such laws, and how they were sold to legislators, is that they would increase the cost - both in bad publicity and the actual notification - of security breaches, motivating companies to spend more to prevent them. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches.
Karl Wabst

Court denies cable bid to turn back privacy rules| Markets| Markets News| Reuters - 0 views

  •  
    A U.S. appeals court on Friday denied a bid by the cable industry to overrule privacy rules that make it more difficult for them to share subscribers' personal information with other parties. The U.S. Court of Appeals for the District of Columbia Circuit denied a petition by the National Cable and Telecommunications Association, which argued that federal rules on telecom carriers' use of customer data violated free speech rights under the U.S. Constitution, federal law or both. At issue are rules set by the U.S. Federal Communications Commission that mandate telecommunications carriers must get an "opt-in" before disclosing customers' information to a carrier's joint venture business partner or an independent contractor.
Karl Wabst

Facebook founder Mark Zuckerberg responds to privacy concerns | Technology | Los Angele... - 0 views

  •  
    Facebook founder Mark Zuckerberg has responded to the privacy concerns raised in this post by Consumerist. The post pointed out that a change Facebook made to its terms of service left the impression that the social network could keep and use copies of user content (e.g. photos, notes, and personal information) in perpetuity even if users removed the information and closed their accounts. "One of the questions about our new terms of use is whether Facebook can use this information forever," Zuckerberg wrote. But, oddly, he did not answer that question. Instead he opted for a rather roundabout explanation: if you send a friend a message via Facebook's e-mail system, Facebook must create multiple copies of that message -- one for your "sent" message box and one for your friend's inbox. That way, if you leave Facebook, the copy your friend has would not be deleted. Fair enough. The implication is that, by extension, Facebook also keeps copies of all your other information, too. But the e-mail example has a major hole in it. Copying content makes sense for e-mails, where the medium itself depends on messages being copied. The thing is, Facebook users generally do not 'send' other types of content to one another, including photographs. Rather, they post them on their own profiles for others to stop by and see. There's no obvious reason that Facebook would need to perpetually store multiple copies of photographs -- because, as far as the user is concerned, they appear only in one place. Plus, Zuckerberg seems to underestimate his users' understanding of e-mail. My guess is most Facebook users don't think that if they close an e-mail account that all the e-mails they've ever sent will disappear. Frankly, it's not e-mails that are at issue here; it's this other, more personal category of content -- the stuff that people post within their own digital walls. Zuckerberg goes on to write that despite the presence of "overly formal and protective" language that Facebo
Karl Wabst

World economic crisis is top security threat: U.S.| Reuters - 0 views

  •  
    The global economic crisis has become the biggest near-term U.S. security concern, sowing instability in a quarter of the world's countries and threatening destructive trade wars, U.S. intelligence agencies reported on Thursday. The director of national intelligence's annual threat assessment also said al Qaeda's leadership had been weakened over the last year. But security in Afghanistan had deteriorated and Pakistan had to gain control over its border areas before the situation could improve. "The financial crisis and global recession are likely to produce a wave of economic crises in emerging market nations over the next year," said the report. A wave of "destructive protectionism" was possible as countries find they cannot export their way out of the slump. "Time is our greatest threat. The longer it takes for the recovery to begin, the greater the likelihood of serious damage to U.S. strategic interests," the report said. The report represents the findings of all 16 U.S. intelligence agencies and serves as a leading security reference for policymakers and Congress. Besides reviewing adversaries, it also considered this year the security impact of issues including climate change and the economy. It said a quarter of countries have already experienced at least "low-level" instability, such as government changes, linked to the economy.
Karl Wabst

Human Error Cited As Greatest Security Risk -- Security -- InformationWeek - 0 views

  •  
    In Deloitte's sixth annual Global Security Survey, people are the problem. "[P]eople continue to be an organization's greatest asset as well as its greatest worry," Adel Melek, global leader of security and privacy services at Deloitte Touche Tohmatsu, said in the report. "That has not changed from 2007. What has changed is the environment. The economic meltdown was not at its peak when respondents took this survey. If there was ever an environment more likely to facilitate an organization's people being distracted, nervous, fearful, or disgruntled, this is it. To state that security vigilance is even more important at a time like this is an understatement." On one level, that couldn't be more obvious: It's not as if anyone worries about squirrels hacking servers; security has always been about people. (Robots, the report says, are unlikely to replace the human workforce during the lifetime of anyone reading the report. Finally, some good employment news.) Yet despite the obviousness of the problem, the obvious solution -- complete denial of access -- doesn't work. People use computers and computers are more useful when connected and it just gets worse from there. That may explain why identity and access management remained top of mind for survey respondents. Deloitte's survey, drawn from major financial companies around the globe, focuses on governance, investment, risk, use of security technologies, quality of operations, and privacy. It includes some good news -- external breaches have declined sharply over the past year -- and troublesome news -- fewer companies say they have the commitment and funding to address regulatory compliance. In terms of risk, specifically information systems failure, people are identified as the most significant vulnerability. "Human error is overwhelmingly stated as the greatest weakness this year (86%), followed by technology (a distant 63%)," the report states. It attributes the rising risk to increased adoption of new techno