CIPP Information Privacy & Security News

"Barack Obama's consumer-friendly FCC is asking Verizon Wireless to explain why it recently doubled Early Termination Fees for its customers. The company has until Dec. 17 to explain "the rationale" behind the higher fees. The inquiry comes after Sen. Amy Klobuchar (D-Minn) introduced a bill that would curb the penalties customers are required to pay for early cancellation of a wireless contract. On Nov. 15, Verizon raised the early termination fee for "advanced devices" to $350, from $175 earlier. "

"It could be quite a manic Monday for digital advertisers. Privacy advocates are calling Dec. 7 "Pearl Harbor Day" for the Internet advertising industry as the Federal Trade Commission launches its public roundtables on consumer privacy issues. Certainly many members of the public as well as legislators are up in arms over practices such as behavioral tracking and targeting, but a great deal of this anxiety comes down to a lack of knowledge regarding practices. The Interactive Advertising Bureau has been applying preventative measures, including releasing "Self-Regulatory Principles for Online Behavioral Advertising". Its latest effort is the consumer education campaign "Privacy Matters," which will be featured on a broad array of media sites. It's a conciliatory recognition that the industry has released paranoia in the general populace by not clearly explaining the nuts and bolts of targeting and other advances."

"A federal prosecutor tracked down a Seattle fraud suspect in Mexico this year through his Facebook posts. A man's Twitter messages to fellow demonstrators at a recent protest in Pittsburgh led to an FBI search of his home and short-lived charges of interfering with police. The CIA and other U.S. intelligence agencies reportedly are investing in a software firm that monitors half a million social networking Web sites each day. There's nothing wrong with law enforcement agencies' using Internet technology to investigate crimes, Bay Area privacy advocates say. But they want the federal government to say how, when and why its agents look at Americans' social networking accounts."

"Beginning next week, the FTC will hold a series of public roundtables covering the growing number of challenges to consumer privacy on the Internet. Dubbed "Exploring Privacy," the daylong discussions will focus on "the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses." Hold that yawn. Behavioral tracking and ad targeting have everything to do with the pesky "Warning!" pop-up blinking behind your browser window right now. The one that could shatter your online privacy. In advance of the roundtables, Fast Company spoke with online privacy advocates Jules Polonetsky, co-chair and director of the Future of Privacy Forum, and Ari Schwartz, vice president and chief operating officer of the Center for Democracy and Technology. Below, Polonetsky and Schwartz highlight five of most nefarious techniques used to trick and track you." 1. "Malvertising Gangs" 2. Flash Cookies 3. "Cookie appends" 4. Personal Health Data 5. ISP Tracking

"The Federal Trade Commission will host a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation."

"With a lot of prodding from the Federal Trade Commission, the Internet advertising industry has committed to telling Web site users about how they collect and use data to customize the ads they display. And it has agreed to find a more prominent and clear way to do this than the cryptic privacy policies you can find if you click a tiny link at the bottom of many Web pages. But how do you communicate something very complex in a way that is clear but doesn't bog down people who just want to check the latest sports scores?"

"Faced with increasing pressure from Washington, the Interactive Advertising Bureau launched a public service campaign on Thursday aimed at educating consumers about behavioral targeting. The online campaign, created pro bono by WPP's Schematic, features rich media banner ads with copy like "Advertising is creepy" and "Hey, this banner can tell where you live. Mind if we come over and sell you stuff?" More than one dozen publishers -- including Microsoft, Google's YouTube, and AOL -- have committed to donate a combined 500 million impressions for the initiative. The campaign comes as policymakers are questioning whether data collection by marketers violates consumers' privacy. Rep. Rick Boucher (D-Va.) has said he plans to introduce a bill that could require Web companies to notify users about online ad targeting, and in some circumstances, obtain their explicit consent. In addition, the Federal Trade Commission has criticized the industry for using dense privacy policies to inform people about behavioral targeting, or tracking people online and sending them ads based on sites visited. In a meeting with reporters Thursday morning, IAB President and CEO Randall Rothenberg said one goal of the campaign is to address regulators' concerns that consumers don't understand behavioral advertising. "

"A Little Rock doctor was reprimanded and fined $500 by the Arkansas State Medical Board on Thursday for illegally accessing Anne Pressly's medical records as she lay unconscious in intensive care at St. Vincent Infirmary Medical Center before she died. Dr. Jay Douglas Holland, who has a family-practice clinic in the Hillcrest neighborhood, was also ordered to pay $265 to cover the cost of the board's investigation into the matter. Pressly, 26, was a news anchor for KATV-TV, Channel 7, when she was found raped and badly beaten in her Hillcrest home the morning of Oct. 20, 2008. She spent five days in intensive care before succumbing to her injuries."

"Doctor rapped over peeking at TV anchor's files Little Rock, Ark., doctor Jay Douglas Holland was reprimanded and fined $500 by the Arkansas State Medical Board for illegally accessing Anne Pressly's medical records as she lay unconscious in the intensive-care unit at St. Vincent Infirmary Medical Center before she died."

"In light of a spike in identity theft and the frequency with which personal information is stored on portable devices, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have expanded Generally Accepted Privacy Principles (GAPP) to include protocols for securing and disposing of personal information. "Safeguarding personal information is one of the most challenging responsibilities facing an organization, whether such information pertains to employees or customers," said Everett C. Johnson, CPA, chair of AICPA/CICA Privacy Task Force and a past international president of ISACA, a global information technology association. "We've updated the criteria of our privacy principles to minimize the risks to personal information." GAPP offers guidance and best practices on securing portable devices, breach management and ensuring continued effectiveness of privacy controls. The guidance additionally covers disposal and destruction of personal information. The principles are designed for chief privacy officers, executive management, compliance officers, legal counsel, CPAs and CAs offering technology advisory services. "Portable tools such as laptops and memory sticks provide convenience to employees but appropriate measures must be put in place to secure them and the data they contain," said Donald Sheehy, CA.CISA, CIPP/C, associate partner with Deloitte (Canada) and a member of the AICPA/CICA Privacy Task Force. "We must stay abreast of technological advances to assure that proper measures are put into place to defend against any new threats." Created by the AICPA/CICA Privacy Task Force, GAPP is designed to help an organization's management team assess an existing privacy program or address privacy obligations and risks. The principles provide a framework for CPAs and CAs to offer privacy services to their clients and employers, such as advisory services, privacy risk assessments and attestation or

"According to IT Skills and Certifications Pay Index released by Foote Partners, every category of IT certification, save one, saw a decline in pay premiums over the last 12 months. The percentages shown are the change in pay premium over the given period of time. "

"Today, the Federal Trade Commission opened new areas of a "virtual mall" with content that will help kids learn to protect their privacy, spot frauds and scams, and avoid identity theft. The FTC Web site, www.ftc.gov/YouAreHere, introduces key consumer and business concepts and helps youngsters understand their role in the marketplace. The FTC is the nation's consumer protection agency. "YouAreHere presents practical lessons about money and business in a fun and familiar setting," said David Vladeck, Director of the FTC's Bureau of Consumer Protection. "The new content takes kids behind the scenes to raise their awareness of advertising and marketing, pricing and competition, fraud and identity theft. At the FTC's online mall, visitors play games, watch short animated films, and interact with customers and store owners. They can design and print advertisements for a shoe store, investigate suspicious claims in ads and sales pitches, learn to identify the catches behind bogus modeling schemes and vacation offers, and guess the retail prices of various candies based on their supply, demand, and production costs. At the Security Plaza, visitors can build a social networking page and see the unintended consequences of posting personal information. They also get tips on how to keep their computers safe while they're online. In the arcade, visitors can play Info Defender 3 and protect Earthlings from Cyclorian invaders who would steal their identities. The game teaches the importance of protecting personal information, including Social Security numbers. For parents and teachers, the site offers detailed fact sheets with ideas for related activities. Teachers can use the site to complement lessons in consumer economics, government, social studies, language arts, and critical thinking. The National Council for Economic Education has developed a lesson plan that prominently features YouAreHere; it is available on the Parents and Teachers page. "

"Yesterday, the U.S. District Court for the District of Columbia issued the attached opinion upholding the American Bar Association's challenge to the FTC's Identity Theft Red Flags Rule and enjoining the FTC from enforcing its Rule against lawyers. This memorandum opinion follows an October 29 oral argument and bench ruling. This ruling may have significance beyond the legal profession, and may limit the FTC's ability to enforce its Red Flags Rule against professionals, retailers, health care providers and other businesses that bill their clients and customers in a manner similar to lawyers. "

"Want to know how much phone companies and internet service providers charge to funnel your private communications or records to U.S. law enforcement and spy agencies? That's the question muckraker and Indiana University graduate student Christopher Soghoian asked all agencies within the Department of Justice, under a Freedom of Information Act (FOIA) request filed a few months ago. But before the agencies could provide the data, Verizon and Yahoo intervened and filed an objection on grounds that, among other things, they would be ridiculed and publicly shamed were their surveillance price sheets made public. Yahoo writes in its 12-page objection letter (.pdf), that if its pricing information were disclosed to Soghoian, he would use it "to 'shame' Yahoo! and other companies - and to 'shock' their customers.""

"Hackers can use maliciously rigged PDF files to hack into corporate systems hosting the BlackBerry Attachment Service, according to a warning from the makers of the popular smartphone. Research in Motion (RIM) issued an advisory with patches for multiple flaws in the PDF distiller service and warned and an attacker could exploit the issues by simply e-mailing a booby-trapped PDF file to a BlackBerry user. The vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service component of the BlackBerry Enterprise Server:"

"Malicious hackers are using fake alerts around H1N1 (Swine Flu) vaccines to trick end users into installing malware on Windows computers, according to warnings issued by computer security firms. The latest malware campaign begins with e-mail messages offering information regarding the H1N1 vaccination. The e-mail messages contain a link to a bogus Centers for Disease Control and Prevention site with prompts to create a user profile. During this process, a malware file gets planted on the user's machine."

"Temporary workers brought in to help during the busy holiday shopping season can sometimes pose a data security risk for companies. Retailers that hire temporary help need to keep a watchful eye on them to reduce the risk of data compromises, said Bob Russo, general manager of the PCI Security Standards Council. The council oversees the implementation of mandatory security standards for protecting credit and debit card data across the payment industry. With many retailers hiring temporary workers to handle extra business, vigilance is key, Russo said. "Management needs to hover at this time of the year, especially with temps," he said. Temporary workers who handle credit card data or are involved in any form of payment processing need to follow appropriate security procedures. Proper access controls also need to be in place to prevent temporary workers from gaining access to other systems, he said."

"A key, centrist digital rights group is set to put out a report calling for strong federal privacy laws and guidelines to regulate the growing tracking and targeting of Americans online. It argues that the self-regulation approach that industry fights for just hasn't worked. The online ad industry has "historically failed to fully implement its self-regulatory principles," according to the 34-page draft report by the Center for Democracy and Technology. CDT is a centrist D.C. group that works with and is substantially funded by the tech industry, including companies like Facebook, Google and AOL that are deeply invested in targeted ads. "Recently revised self-regulatory principles still fall short (.pdf) even as written," charges the draft, obtained by Wired.com. These tough words spearhead a new tactic for a group more used to convening inside-the-Beltway tech policy forums than launching ACLU-style send-outraged-e-mail campaigns. The CDT, which splintered off from the rabble-rousing Electronic Frontier Foundation 15 years ago, is also planning to launch a "Take Back Your Privacy" campaign on Thursday, designed to garner support for its call for comprehensive federal privacy legislation. Dozens of tech firms, known and obscure, record users' behaviors as they interact with search engines, blogs, e-commerce sites and even government websites. The tracking goes on in the background with little knowledge by consumers and even less oversight from government authorities. The tech industry - like others subject to potentially blunt-forced government regulation - has argued that policing itself was enough to prevent egregious privacy intrusions that could proliferate without any real chance individuals would even be aware of them."

"In dire economic times such as these, companies are scouring their internal functionalities seeking ways to run "leaner and meaner." Operations and personnel that do not ostensibly contribute to profit are at risk. And nowhere are employees more vulnerable than in New York City, the nation's center for financial services, an industry particularly devastated. Because the influence of privacy on profit is not immediately apparent, managers searching for excisable fat will doubtless be attracted to the privacy function, concluding that it makes no contribution to the bottom line. But although many view privacy solely as a legal concept, it often provides important commercial benefits. Where privacy does indeed contribute to profit, chopping away at privacy will be counterproductive, slicing off meat and bone, rather than fat. If management is not educated to this fact, the privacy function will be at unnecessary risk. There are 11 reasons why privacy may benefit the bottom line, which should be raised with management."

"Facebook CEO Mark Zuckerberg has just written an open letter to Facebook users regarding a privacy overhaul that is due to hit the site in the next few weeks. Soon, users will be able to selectively choose, on a per-post basis, who can see the content they post to the site. Facebook is also going to remove regional networks entirely, largely because some of those networks (like China) consist of millions of users, which makes them useless from a privacy standpoint. If these changes sound familiar, it's because Facebook actually announced them way back in July. Zuckerberg also notes that Facebook now has 350 million users ? it has added a whopping 50 million of them in the last two and a half months. Alongside the regional network change, privacy controls will be simplified. As Facebook rolls out the new privacy settings, users will be presented with a page designed to walk them through the new options. Depending on your current privacy level, Facebook will make recommendations, though you'll be able to change them as usual. "