CIPP Information Privacy & Security News

ACTA (Anti-Counterfeiting Trade Agreement) has concerned many consumer rights organizations for some time now. Given that it could easily affect criminal laws in many countries around the world, it's not hard to see why there is demand for public disclosure and allow public debate in the matters. Still, to this day, ACTA is being negotiated behind closed doors by many countries around the world and now consumer groups want to, at least, have the negotiations disclosed to them. When it comes to the privacy and surveillance debates, which are in various stages in different countries right now, many say that for national security concerns, further surveillance measures should be taken in the law books. Many policy makers want to know every detail of day-to-day communications of millions of people including who you talk to, when, how, where, and, with a warrant, what the contents of those messages are. Unsurprisingly, consumer rights groups have a problem with that. Meanwhile, when it comes to the highly secretive negotiations happening with ACTA, many consumer rights organizations want a clear indication on how the new international standard is forming and the contents of the legislation and to have such things disclosed to the public. Ironically, policy makers seem to have a problem with that.

More than 50 per cent of internet users say they would be more interested in advertisements if they were tailored to their own interests, according to a new report from Q Interactive. Furthermore, another 50 per cent of respondents said they would view an advertiser favourably if they received personalised ads. Despite a number of obstacles that prevent marketers from obtaining too much personal information, 53 per cent of internet users would rather have free online services and insider information in exchange for relevant targeting data. However, 32 per cent of the respondents said they would accept worse service in exchange for privacy, and 15 per cent would prefer to pay for premium service and view no advertising whatsoever. Last year, a survey from Dynamic Markets on behalf of Coremetrics, found that half of UK consumers were happy for marketers to use behavioural targeting to track their online behaviour.

Likely a bit of bias in the survey, but indicitive that targeted ads are not going away. Like most things digital, doing it safely is important for consumers. - Karl More than 50 per cent of internet users say they would be more interested in advertisements if they were tailored to their own interests, according to a new report from Q Interactive. Furthermore, another 50 per cent of respondents said they would view an advertiser favourably if they received personalised ads. Despite a number of obstacles that prevent marketers from obtaining too much personal information, 53 per cent of internet users would rather have free online services and insider information in exchange for relevant targeting data. However, 32 per cent of the respondents said they would accept worse service in exchange for privacy, and 15 per cent would prefer to pay for premium service and view no advertising whatsoever. Last year, a survey from Dynamic Markets on behalf of Coremetrics, found that half of UK consumers were happy for marketers to use behavioural targeting to track their online behaviour.

The Federal Trade Commission today approved a final consent order settling claims that CVS Caremark violated customers' privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year. Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations. "This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said FTC chairman William Kovacic following the settlement. "It also sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information." Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data.

Rogue employees and hackers were the most commonly cited sources of data breaches reported during the first half of 2009, according to figures released this week by the Identity Theft Resource Center, a San Diego based nonprofit. The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4 percent) and hacking (18 percent). Taken together, breaches attributed to these two types of malicious attacks have increased about 10 percent over the same period in 2008. Some 44 states and the District of Columbia now have laws requiring entities that experience a breach to publicly disclose that fact. Yet, few breached entities report having done anything to safeguard data in the event that it is lost or stolen. The ITRC found only a single breach in the first half of 2009 in which the victim reported that the lost or stolen data was protected by encryption technology. "It is a dual problem here undeterred by law or common sense," said ITRC co-founder Linda Foley. "You would think if all these organizations have to notify, that they would take some steps to make sure their data doesn't get exposed in the first place."

It's not exactly what anyone might expect to find at a garbage dump in Ghana. Journalism students from the University of British Columbia discovered intact hard drives containing secret international security data and personal information at a digital dumping ground in Ghana, said their teacher, Peter Klein. Mr. Klein, a producer for the PBS television program Frontline and an Emmy Award winning journalist, said the drives included information about U.S. Homeland Security and Pentagon defence contracts as well as social security numbers, credit card numbers, and family photos. The dumps are frequented by criminal gangs in the country, he said. The findings are part of a project by Mr. Klein's graduate students investigating electronic waste, or e-waste. The team also travelled to Guiyu, China, and India, piecing together the afterlife of discarded computers, drives and parts. To find out if cyber criminals could get information stored on the computers, the students bought several hard drives from vendors near the Ghana dumps to test at home in Vancouver. One of the drives came from Northrop Grumman, a large U.S. military contractor. It contained "details about sensitive, multimillion-dollar U.S. government contracts" as well as contracts with the defence intelligence agency and NASA, according to a synopsis of the project on the PBS website.

Cornell University officials are investigating the theft of a school computer that may have compromised the personal information of about 45,000 current and former students, faculty and staff. University spokesman Simeon Moss says the university has sent e-mails about the incident to everyone whose data was on the computer. They're being offered one year of free credit reporting, credit monitoring and identity restoration services. A Cornell Web page on the theft says there have been no known misuses of the data, which include Social Security numbers. The page says the laptop was in the possession of a Cornell technician who was doing some troubleshooting. Moss says police are investigating the theft.

A recent talk by some Federal Trade Commission officials confirms that the agency is taking a hard look at online advertising practices. Speaking at an American Bar Association conference, new consumer protection chief David Vladeck had harsh words for the behavioral targeting industry's current privacy practices. The "current approach is not working," he said, according to the law firm Arnold & Porter, which blogged about the speech. Vladeck reportedly said many companies' current practice of notifying users about online ad targeting and allowing them to opt out is inadequate, largely because people don't understand the policies. He's not the first to make this observation. Advocates and policymakers have said for years that privacy policies are incomprehensible even to sophisticated users. A recent study by UC Berkeley School also shows that the policies are filled with enough loopholes as to be meaningless. Meanwhile, consumer protection deputy Eileen Harrington, who also talked at the same event, reportedly called deep packet inspection the most dangerous form of data collection, according to a blog post by the law firm Perkins Coie.

TJX Companies, Inc., which has undergone a barrage of lawsuits as a result of a massive data breach of its systems, agreed to pay $9.75 million, settling a lawsuit brought on by Attorneys Generals from 41 states.

The loss of personally identifiable information, such as an individual's Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain. GAO was asked to testify on how the loss of personally identifiable information contributes to identity theft. This testimony summarizes (1) the problem of identity theft; (2) steps taken at the federal, state, and local level to prevent potential identity theft; and (3) vulnerabilities that remain to protecting personally identifiable information, including in federal information systems. For this testimony, GAO relied primarily on information from prior reports and testimonies that address public and private sector use of personally identifiable information, as well as federal, state, and local efforts to protect the security of such information. GAO and agency inspectors general have made numerous recommendations to agencies to resolve prior significant information control deficiencies and information security program shortfalls. The effective implementation of these recommendations will continue to strengthen the security posture at these agencies. Identity theft is a serious problem because, among other things, it can take a long period of time before a victim becomes aware that the crime has taken place and thus can cause substantial harm to the victim's credit rating. Moreover, while some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identit

The loss of personally identifiable information, such as an individual's Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain. GAO was asked to testify on how the loss of personally identifiable information contributes to identity theft. This testimony summarizes (1) the problem of identity theft; (2) steps taken at the federal, state, and local level to prevent potential identity theft; and (3) vulnerabilities that remain to protecting personally identifiable information, including in federal information systems. For this testimony, GAO relied primarily on information from prior reports and testimonies that address public and private sector use of personally identifiable information, as well as federal, state, and local efforts to protect the security of such information. GAO and agency inspectors general have made numerous recommendations to agencies to resolve prior significant information control deficiencies and information security program shortfalls. The effective implementation of these recommendations will continue to strengthen the security posture at these agencies. Identity theft is a serious problem because, among other things, it can take a long period of time before a victim becomes aware that the crime has taken place and thus can cause substantial harm to the victim's credit rating. Moreover, while some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identit

Yet another breach of sensitive, unencrypted data is making news in the United Kingdom. This time the breach puts Royal Air Force staff at serious risk of being targeted for blackmail by foreign intelligence services or others. The breach involves audio recordings with high-ranking air force officers who were being interviewed in-depth for a security clearance. In the interviews, the officers disclosed information about extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories - information the military needed to determine their security risk. The recordings were stored on three unencrypted hard drives that disappeared last year. The interviews were conducted to ensure that the officers "can be trusted with sensitive government information and property," the Ministry of Defense said. But the interviews have now become a huge security risk for the officers and the Ministry of Defence, which has proven itself to be untrustworthy when it comes to guarding sensitive information and property.

Veterans suffering anxiety and paranoia following the theft of a government hard drive containing the medical histories and Social Security numbers of 198,000 of their brethren cannot recover financial damages, a federal appeals court says. The 11th U.S. Circuit Court of Appeals, in largely dismissing a class-action, ruled Wednesday that the veterans could recoup at least $1,000 under the Privacy Act if they could show financial damages, not mental anguish. What's more, the Atlanta-based court noted that the veterans - some already suffering post-traumatic stress syndrome from their Vietnam War days - likely could recover damages for mental anguish associated with the data breach if the lawsuit was before a different court. That's because the courts of appeal across the nation have issued conflicting interpretations of the Privacy Act of 1974, which allows people to sue the government for privacy breaches and recover "actual damages." Precedent in the 11th Circuit, which includes Alabama, Florida and Georgia, interprets "actual damages" as money losses only. So 198,000 veterans - whose life history was on a hard drive that vanished from a Birmingham, Alabama Veterans Administration hospital - are out of luck, even if their war-time paranoia was exacerbated by the breach. The 11th Circuit noted (.pdf) that the 5th U.S. Circuit Court of Appeals and the 10th U.S. Circuit Court of Appeals "do not restrict 'actual damages' under the Privacy Act to pecuniary losses." And the Supreme Court has refused to resolve the circuit splits.

Internet companies came under fire on Capitol Hill on Thursday, with lawmakers questioning how well the companies protect information that they collect online about consumers for advertising purposes. "I think it's a big deal if someone tracks where you go and what you look at without your personal approval. We wouldn't like that in the non-Internet world and I personally don't like it in the Internet world," said Rep. Joe Barton (R., Texas). Lawmakers in the House are drafting Internet-privacy legislation designed to provide consumers more information about what is being collected online and to give them greater control about how that data can be used. It could also set rules for how consumers could prevent their personal data from being shared with advertisers. "Consumers are entitled to some baseline protections in the online space," said Rep. Rick Boucher (D., Va.) chairman of the House Internet subcommittee.

What would you think if I told you that I could walk into your datacenter, grab 10 of your servers and walk out without lifting any equipment or leaving any trace forensic evidence behind? With the growing momentum in the federal government for cloud computing and virtualization, this worst case scenario will become reality for some agencies leading the charge into the cloud. Here's why:

Heartland Payment Systems chief executive Robert Carr remembers what it felt like when he first heard about the massive data breach at his company earlier this year. "I wanted to throw up. It was devastating," says Carr, recalling how he felt upon realizing that one of his worst fears had come true. "People had asked me for years 'what keeps you awake at night' and I would keep telling them it was the fear of a data breach," he told Computerworld. Five months after Heartland announced what some think may be the biggest data breach ever, Carr is working over-time to limit the fallout from the incident, and the damage to the company's reputation.

CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, includes new privacy requirements that experts have called "the biggest change to the health care privacy and security environment since the original HIPAA privacy rule." These include: New requirements that widen the definition of what Personal Health Information (PHI) information must be protected and extend accountability from healthcare providers to their business associates; Lower thresholds, shorter timelines, and stronger methods for data breach victim notification; Effective immediately, increased and sometimes mandatory penalties with fines ranging from $25,000 to as much as $1.5 million; More aggressive enforcement including authority to pursue criminal cases against HIPAA-covered entities or their business associates. No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization's credibility and can carry huge medical and financial risks to the people whose data is lost. We've managed hundreds of data breaches and helped thousands of identity theft victims. Through this we've learned firsthand that compliance doesn't necessarily equal low risk for data breach. For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to securing PHI.

Across the country, many major-college athletic departments keep their NCAA troubles secret behind a thick veil of black ink or Wite-Out. Alabama.Cincinnati. Florida. Florida State. Ohio State. Oklahoma. Oregon State. Utah. They all censor information in the name of student privacy, invoking a 35-year-old federal law whose author says it has been twisted and misused by the universities. Former U.S. Sen. James L. Buckley said it's time for Congress to rein in the Family Educational Rights and Privacy Act, which he crafted to keep academic records from public view. A six-month Dispatch investigation found that FERPA, as it's commonly called, is a law with many conflicting interpretations. And that makes it virtually impossible to decipher what is going on inside a $5 billion college-sports world that is funded by fans, donors, alumni, television networks and, at most schools, taxpayers.

Hunch.com helps users search for answers -- but first, it performs a detailed search on the users themselves. Launching today after a year in development, Hunch aims to supply users with computer-generated advice on thousands of lifestyle and consumer questions: What kind of dog should I buy? What should I get dad for Father's Day? Which book by George Orwell would I like? Most important, though, Hunch is not a search engine. Rather than scouring the open Web for information, as Google, Microsoft's new Bing and scores of others do, or collating written opinions, as Amazon.com does, Hunch computes answers by comparing what it knows about you to what it knows about people like you. "Ultimately, what we're doing is providing a kind of shortcut through human expert systems," said Hunch founder Caterina Fake, who also started Flickr.com, the popular photo-sharing site that was acquired by Yahoo in 2005. By first inviting users to answer as many as 1,500 questions about themselves -- an addictive kind of personality test that involves such diverse questions as political orientation, relationship status and whether you believe in UFOs and keep your closet organized -- Hunch looks to assemble a demographic profile whose depth could rival anything in the commercial universe. The New York company also believes that users stand to benefit from this kind of large-scale data farming -- not just from getting better answers, but also from discovering the many microdemographics to which they belong. Hunch also says it will not sell user data to marketers. But this promise, written into the site's privacy policy, is not precisely a legal contract, said Siva Vaidhyanathan, a new-media scholar at the University of Virginia, and the difference leaves the data it collects in a fuzzy domain.

Social networkig may seed malware spread. Education is still one of the most successful computer security tools

Websense CTO Dan Hubbard outlines four ways companies can protect their information from threats and compromise on the social Web. 1) Most Web Posts on Blogs and Forums are Actually Unwanted Content (Spam and Malware) As more and more people interact with each other on sites allowing user-generated content, such as blogs, forums and chat rooms, spammers and cybercriminals have taken note and abuse this ability to spread spam, post links back to their wares and direct users to malicious sites. Websense research shows that 85 percent of all Web posts on blogs and forums are unwanted content - spam and malware - and five percent are actually malware, fraud and phishing attacks. An average active blog gets between 8,000 and 10,000 links posted per month; so users must be wary of clicking on links in these sites. Click here to find out more! Additionally, just because a site is reputable, doesn't mean its safe. Blogs and message boards belonging to Sony Pictures, Digg, Google, YouTube and Washington State University have all hosted malicious comment spam recently, and My.BarackObama.com was infected with malicious comment spam.

Behavioral targeting is not bad as a concept but advertisers would have the public opt-in by default without knowing what is being collected and what it is being used for. On the other hand not many in the public seem very concerned about this subject.

The Internet contributes about US$300 billion a year to the U.S. economy, and U.S. lawmakers should be careful about tinkering with the advertising-supported Internet content model in the name of privacy, the Interactive Advertising Bureau (IAB) said. An IAB-commissioned study by two Harvard University professors, released Wednesday, found that 1.2 million U.S. residents are directly employed in Internet-related jobs, and another 1.9 million U.S. jobs support those Internet workers. IAB released the study Wednesday, as 30 publishers of small Web sites converged on Washington, D.C., to urge U.S. lawmakers to avoid passing legislation that would harm their ad-supported business models. Chief among those publishers' concern was talk in the U.S. Congress about requiring Web sites to gain opt-in permission from users before tracking their Web habits as a way to deliver personalized advertising to them. Many users wouldn't give the permission, and without offering targeted advertising, many small Web sites could fold, some small publishers said. Small Web publishers and sellers "are the face of small business" in the U.S. in recent years, said Susan Martin, publisher of Ikeafans.com, a home improvement site.

Another test of who owns what data, what can be done with it and the power of State's Rights.

IMS Health (RX) has built a lucrative niche collecting data on which drugs physicians prescribe, then selling the information to pharmaceutical companies. But legislators in more than 20 states have questioned whether the company has a constitutional right to do so. The Supreme Court could shine a spotlight on this topic in the next few weeks if it decides to hear a closely watched case IMS has been fighting in New Hampshire. The court's ruling would quickly reverberate beyond the pharmaceutical industry, affecting virtually any business that uses information about consumer buying behavior to guide its sales strategies.