Contents contributed and discussions participated by Karl Wabst

Karl Wabst

I know what porn you surf: Analytics gets creepy - Watching Websites - 0 views

  •  
    "There's a known weakness in browsers which we wrote about in the book. Every time we talked with someone about it, they'd ask us why we didn't start a company that took advantage of the loophole, and the answer was, well, it's creepy. The loophole basically lets you see where else your visitors have been on the Internet. Well, it's now out in the open, in two forms: Beencounter, and Haveyourfriendsbeenthere. To be perfectly clear, the site won't show you everything your visitors surf - just whether or not they've been to a set of sites you define. Here's how it works:"
Karl Wabst

From the CIO: Why You Didn't Get the CISO Job - 0 views

  •  
    "It was fascinating to read your thoughts about our recent conversation in CSO (see "The Many Challenges of Finding Work as a CISO/CSO"). And when I say "fascinating," I mean in the sense of watching Nascar: a lot of predictable left turns and some really embarrassing, squirm-inducing shots of the fans. I do like you, I think you're a nice guy, and so I wanted to give you some feedback about the interview process and what you're going to need to change to be successful. I don't think you're going to enjoy reading this. But maybe some of those hours that you're spending maintaining that "vast database" of yours could be better spent understanding why we hired someone who understands they're an engineer."
  •  
    One of the most enlightening articles I have seen on the value of security to corporate America.
Karl Wabst

Law.com - 3rd Circuit to Mull Privacy of Cell Phone Data - 0 views

  •  
    "In a case that could prove to be one of the most important privacy rights battles of the modern era, the 3rd U.S. Circuit Court of Appeals will hear argument this week on the proper legal standard to apply when prosecutors demand cell phone location data. The data, which are recorded about once every seven seconds whenever a cell phone is turned on, effectively track the whereabouts and the comings and goings of every cell phone user. Justice Department lawyers argue that, by statute, they need only show "reasonable grounds" to believe that such records are "relevant and material to an ongoing criminal investigation." But a federal magistrate judge in Pittsburgh strongly disagreed in February 2008, issuing a 52-page opinion that said the prosecutors must meet the "probable cause" standard. "This court believes that citizens continue to hold a reasonable expectation of privacy in the information the government seeks regarding their physical movements/locations -- even now that such information is routinely produced by their cell phones -- and that, therefore, the government's investigatory search of such information continues to be protected by the Fourth Amendment's warrant requirement," U.S. Magistrate Judge Lisa Pupo Lenihan wrote."
  •  
    Turn the cell phone off and put on your tin foil hat so the government and aliens can't track you!
Karl Wabst

Bank sues victim of $800,000 cybertheft - 0 views

  •  
    "A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises. The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano. In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital. Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures. PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were "commercially reasonable." In its complaint, the bank noted that it had made every effort to recover the stolen money."
  •  
    Bank sues theft victim in pre-emptive strike
Karl Wabst

Data Protection & Privacy Day Tomorrow - 0 views

  •  
    Tomorrow is Data Protection and Privacy Day. Events around the world will mark the occasion. In Brussels, the European Parliament, European Commission and EDPS will host a variety of workshops and the winners of the "Think Privacy," competition will be unveiled. In Canada, events will be held in Newfoundland and Labrador, Ontario, Alberta and elsewhere, with regulators and companies hosting various forums. For a comprehensive list of global events, visit the Data Privacy Day Web site. After hours, privacy pros will gather in cities across the world for IAPP Privacy After Hours events. Click here to find an event near you.
  •  
    Data Protection & Privacy Day Tomorrow
Karl Wabst

The 2009 data breach hall of shame - Network World - 0 views

  •  
    "If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures. Companies continued to be felled more by usual issues such as lost laptops, un-patched or poorly coded software, inadvertent disclosures and rogue insiders, rather than by sneaky new attack techniques or devastating new hacker tools. "
  •  
    Preventable data loss damages customer trust and corporate trust.
Karl Wabst

Data breach costs top $200 per customer record - Network World - 0 views

  •  
    "The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute's annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009. "
  •  
    Cost of data breaches continues to increase while IT looks the other way.
Karl Wabst

UN issues call for international privacy agreement * The Register - 0 views

  •  
    "A UN watchdog has called for a new international agreement on privacy following a review of the expanding global array of surveillance measures and databases advanced by governments in the cause of counter-terrorism. The special rapporteur on human rights, Martin Scheinin, said the UN should create "a global declaration on data protection and data privacy" in response. His report, delivered to the UN's Human Rights Council, describes the expansion of watchlists, border checks, financial data sharing, interception of communications, biometrics and ID registers in recent years. "States no longer limit exceptional surveillance schemes to combating terrorism and instead make these surveillance powers available for all purposes," he added."
Karl Wabst

Social Networking: Your Key to Easy Credit? - CNBC - 0 views

  •  
    "You probably don't analyze the chatter or quality of your social media connections, but creditors may be doing just that. In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it's really being used."
  •  
    The social media outlets you use may affect credit offers!
Karl Wabst

Financial Firm Notifies 1.2M After Password Mistake - PC World Business Center - 0 views

  •  
    "A Concord, New Hampshire, financial services company is sending data breach notification letters to customers after discovering that shared passwords, set up to simplify administrative functions nearly 10 years ago, could have exposed the private data of 1.2 million customers."
  •  
    Shared administrative passwords lead to privacy breach notification of 1.2 million customers. Nobody out there still using such bad process! Right?
Karl Wabst

MediaPost Publications FTC Probes Facebook's EPIC Privacy Fail 01/19/2010 - 0 views

  •  
    "A privacy watchdog's criticisms of Facebook appear to have captured the attention of the Federal Trade Commission. In a letter dated Jan. 14, David Vladeck, head of the FTC's Bureau of Consumer Protection, told the Electronic Privacy Information Center that its complaint about recent privacy changes at Facebook "raises issues of particular interest for us at this time." Vladeck added that he has asked an official to arrange a followup meeting with EPIC, but also said he can't currently confirm or deny whether the FTC has opened an investigation. FTC investigations are not public until the agency either issues a complaint or closes the matter. The FTC's consumer protection chief also said in his letter to EPIC that the commission plans to focus on privacy issues raised by social networks at the next roundtable, scheduled to be held in Berkeley, Calif. on Jan. 28. "
  •  
    FTC may investigate privacy issues on FaceBook? Equal bang for the buck by identifying and educating users who post way too much personal information.
Karl Wabst

MediaPost Publications Flash Cookies Could Become Hot-Button Privacy Issue 01/15/2010 - 0 views

  •  
    "Web users are not yet deleting Flash cookies as often as they shed more traditional cookies, but that doesn't mean it's a good idea to use Flash technology to track consumers online. That's according to a new report commissioned by media audit company BPA Worldwide. The report, authored by analytics expert Eric Peterson, warns that the use of Flash cookies, also called "local shared objects," to override consumers' choices could invite new privacy laws. "With the attention given to consumer privacy on the Internet at both individual and governmental levels, we believe that companies making inappropriate or irresponsible use of the Flash technology are very likely asking for trouble, (and potentially putting the rest of the online industry at risk of additional government regulation)," writes Peterson, CEO and principal consultant at Web Analytics Demystified. "
  •  
    Flash cookies may draw additional legislation for the online advertising industry.
Karl Wabst

Google Image Result for http://e-patients.net/u/2009/09/Regina-BMJ-9-12-092.jpg - 0 views

  •  
    Marcia Angell MD is a well-known, respected physician, long-time editor of NEJM. So it was a bit of a shock today when Amy Romano, blogger for Lamaze International, sent me this quote: "It is simply no longer possible to believe much of the clinical research that is published, or to rely on the judgment of trusted physicians or authoritative medical guidelines. I take no pleasure in this conclusion, which I reached slowly and reluctantly over my two decades as an editor of The New England Journal of Medicine".
  •  
    Interesting quote by former editor of the New England Journal of Medicine
Karl Wabst

Kaiser patient medical records compromised - 0 views

  •  
    "Medical records for about 15,500 Northern California Kaiser patients - about 9,000 of them in the Bay Area - were compromised after thieves stole an external drive from a Kaiser employee's car last month, Kaiser officials said Tuesday." Kaiser officials said the electronic device contained patients' names, medical record numbers and possibly ages, genders, telephone numbers, addresses and general information related to their care and treatment. No Social Security numbers or financial information was contained on the drive, and Kaiser officials said there's no evidence that the information has been used inappropriately. The device was not encrypted, but some of the information was password protected. Kaiser has sent letters to the 15,500 members and the employee, who Kaiser would not identify, has been fired.
  •  
    Another hospital employee fired for inappropriate access of medical records. More damage to a medical group reputation because someone failed to get the message.
Karl Wabst

Patients demand: 'Give us our damned data' - CNN.com - 0 views

  •  
    "For five days as her husband lay in his hospital bed suffering from kidney cancer, Regina Holliday begged doctors and nurses for his medical records, and for five days she never received them. On the sixth day, her husband needed to be transferred to another hospital -- without his complete medical records. "When Fred arrived at the second hospital, they couldn't give him any pain medication because they didn't know what drugs he already had in his system, and they didn't want to overdose him," says Holliday, who lives in Washington. "For six hours he was in pain, panicking, while I ran back to the first hospital and got the rest of the records." Despite a federal law requiring hospitals and doctors to release medical records to patients who ask for them, patients are reporting they have a hard time accessing them leading to complications like the ones the Holliday family experienced. 'What part of "Give us our damn data" do you not understand?'"
  •  
    Privacy law matters in ways not readily apparent until they hit home.
Karl Wabst

ITRC Report: Malicious Attacks Are Now More Frequent Than Human Error - data breaches/A... - 0 views

  •  
    "The Identity Theft Resource Center (ITRC) reported its annual breach data for 2009 last week, and for the first time malicious attacks were more frequently identified as the source of those breaches than human error. In its "2009 Data Breach Report," the ITRC found 498 publicly disclosed breaches last year, down from 657 the year before. The downturn could have resulted from changes in breach disclosure, rather than a real drop-off in system compromises, the organization says. Interestingly, paper breaches now account for 26 percent of data leaks, up 46 percent compared to 2008. Malicious attacks outnumbered breaches attributed to human error for the first time in the three years the report has been compiled. The business sector accounted for 41 percent of data breaches, up from 21 percent the year before. Approximately 222 million records were compromised, the organization says -- and about 130 million of those came from the single breach at Heartland Payment Systems. Out of 498 breaches, only six reported they had either encryption or other strong security features protecting the exposed data, the ITRC says."
  •  
    Expect more action from the FTC on data privacy breach
Karl Wabst

In Wake of '09 Data Mergers, Hyper-Targeting to Take Shape in 2010 - ClickZ - 0 views

  •  
    "The last quarter of 2009 should be partly remembered in the advertising community as a juncture when big agencies -- namely Omnicom Media Group, The Nielsen Company, and WPP -- announced consumer data mergers. The deals entailed the marriages of offline and online data and appeared to reveal a potentially major stepping stone in the evolution of "hyper-targeting." Some of the agencies have trumpeted their newfound ability to create consumer segments related to behavioral elements such as "passion points" (e.g., shown interest in electronics, photography, fantasy football, etc.), as well as geographic location, beverage preferences, favorite social media sites, activity levels at the sites, and so on. Augustine Fou, group chief digital officer for Omnicom's Healthcare Consultancy Group and a ClickZ columnist, said that while increased hyper-targeting would likely result from the data marriages, unresolved issues remain before the use of combined online/offline data is widely adopted by brands. "For example, as diverse data sets begin to be integrated, it will become painfully apparent what data can be integrated -- or not -- and specific tradeoffs will have to be made to move forward," he explained. "In particular, privacy policies of sites and ad networks will need to be revisited." The growing ability for marketers to target online ads using data gathered offline has generally raised concern among consumer privacy advocates. To that end, Fou suggested that brands are cautiously optimistic about hyper-targeting and slightly wary of public/consumer perception. "
  •  
    Marriage of offline and online data sources to target advertising may make tracking more interesting for consumers and advertisers alike.
Karl Wabst

Walgreens Links to HealthVault - 0 views

  •  
    "Drug store chain Walgreens now enables its pharmacy patients to download their prescription history from the Walgreens.com Web site to a personal health record on the Microsoft HealthVault platform. The Deerfield, Ill.-based chain announced last June it would link to HealthVault. Patients registered on Walgreens' site already can access their complete prescription history. Now, that history can also reside in a HealthVault PHR and be automatically updated. Patients can enroll with HealthVault directly from the Walgreens site. The partnership will promote stronger collaboration among patients, pharmacists, physicians and other providers, says Don Huonker, senior vice president of health care innovation at Walgreens. More information is available at walgreens.com/pharmacy and healthvault.com. "
  •  
    Think twice before giving MicroSoft your personal health care information.
Karl Wabst

Former UCLA Health Worker Pleads Guilty To Accessing Celebrities' Medical Records - Los... - 0 views

  •  
    "Former UCLA Healthcare System researcher Huping Zhou has pleaded guilty to violating parts of the Health Insurance Portability and Accountability Act and could be one of the first people in the country convicted under the law, federal authorities announced Friday. After learning he was to be let go, the 48-year-old is alleged to have accessed the UCLA patient records system 323 times during the three-week period, mostly to check out the files of celebrities, according to the U.S. Attorney's Office. The names of the targeted stars have not been revealed. Federal authorities say Zhou admitted to accessing the records -- cruising files that were not necessary to view as part of his job -- under a plea agreement. He'll face a judge for sentencing March 22. It's not clear what kind of punishment the U.S. Attorney's Office will recommend in exchange for his cooperation."
Karl Wabst

Facebook's Zuckerberg Says The Age of Privacy is Over - 0 views

  •  
    "Facebook founder Mark Zuckerberg told a live audience yesterday that if he were to create Facebook again today, user information would by default be public, not private as it was for years until the company changed dramatically in December. In a six-minute interview on stage with TechCrunch founder Michael Arrington, Zuckerberg spent 60 seconds talking about Facebook's privacy policies. His statements were of major importance for the world's largest social network - and his arguments in favor of an about-face on privacy deserve close scrutiny. Zuckerberg offered roughly 8 sentences in response to Arrington's question about where privacy was going on Facebook and around the web. The question was referencing the changes Facebook underwent last month. Your name, profile picture, gender, current city, networks, Friends List, and all the pages you subscribe to are now publicly available information on Facebook. This means everyone on the web can see it; it is searchable. I"
  •  
    Zuckerberg should not be trusted with your personal data. The range of reader comments in response to this article are worth a read.