CIPP Information Privacy & Security News

BBC Click's tweet states that they took legal advice following comments on the potential violation of U.K's Computer Misuse Act. There's a slight chance that you may have unknowingly participated in a recent experiment conducted by the BBC. In a bit of an awkward and highly unnecessary move, a team at the BBC's technology program Click has purchased a botnet consisting of 22,000 malware infected PCs, self-spammed themselves on a Gmail account, and later on DDoS-ed a a backup site owned by security company Prevx (with prior agreement), all for the sake of proving that botnets in general do what they're supposed to - facilitate cybercrime. A video of the experiment is already available. Here are more details : Upon finishing the experiment, they claim to have shut down the botnet, and interestingly notified the affected users. Exposing cybercrime or exposing the obvious, the experiment raises a lot of ethical issues. For instance, how did they manage to contact the owners of the infected hosts given that according to the team they didn't access any personal information on them? It appears that they modified the desktop wallpapers of all the infected hosts to include a link notifying them that they've been part of the experiment. Thanks, but no thanks.

A Microsoft-led group set up three years ago has backed away from its original goal of pushing for comprehensive U.S. privacy legislation. Originally, the Consumer Privacy Legislative Forum was set up to bring a diverse array of consumer companies, technology vendors and even advocacy groups together and help drive privacy legislation. But now the group has been renamed the Business Forum for Consumer Privacy and is instead being billed as "an organization focused on fostering innovation in consumer privacy governance," according to the group's new mission statement. The Forum has released a white paper at the International Association of Privacy Professionals conference held in Washington this week. "What the organization is doing is developing the framework that would make new governance possible," said Martin Abrams, an adviser to the Forum who is executive director with the Centre for Information Policy Leadership at Hunton & Williams, an international law firm. Two of the Forum's original members, Symantec and the Center for Democracy and Technology, say they have dropped out. Eastman Kodak has also dropped out, according to Abrams. He was not authorized to say who the current members are, but the group appears to include Microsoft, Hewlett-Packard, eBay and Google. U.S. consumers are covered by a patchwork of state and federal laws that are confusing for companies, and which often force consumers to work hard to protect their own data. Many of the Forum's members would like to change things, but it appears that coming up with legislative proposals was too much.

There are many websites that sell or provide for free, personal information about individuals. This information is gathered from many sources including white pages listings (directory assistance), publicly-available sources and public records. * Data vendors that offer an opt out policy * Data vendors that do not offer an opt out policy Directory Listings: To prevent the cross-referencing of your address with your phone number, you can choose to not have your information available in the phone book or through directory assistance. If your number is "unlisted," your name, address and phone number will not be printed in the phone book, but the information is available through both directory assistance and reverse directory assistance. If your number is "unpublished," your information will not be printed in the phone book and is not available through directory assistance or reverse directory assistance. Or you can list your name and phone number, but not your address. Telephone companies usually charge a monthly fee to be unlisted or unpublished. Public Records: Please note that public records are often that--public. Web sites that provided personal information gathered from various sources are not required to offer a way to have that information removed or suppressed, though many will as a courtesy. The table below notes many of the more common online providers of public and non-public information that do offer an opt out mechanism. The opt out notes below usually only apply to non-public information. Not all web sites that sell personal information allow individuals to have their information removed or suppressed. Check the privacy policy of the site to see if they offer an opt-out mechanism. If one is provided, ask the online data broker for clarification on whether opting out also applies to public records information they may maintain. Some online data vendors will request information from you (such as your Social Security number or date of birth) to proce

Privacy is a central element of the FTC's consumer protection mission. In recent years, advances in computer technology have made it possible for detailed information about people to be compiled and shared more easily and cheaply than ever. That has produced many benefits for society as a whole and individual consumers. For example, it is easier for law enforcement to track down criminals, for banks to prevent fraud, and for consumers to learn about new products and services, allowing them to make better-informed purchasing decisions. At the same time, as personal information becomes more accessible, each of us - companies, associations, government agencies, and consumers - must take precautions to protect against the misuse of our information. The Federal Trade Commission is educating consumers and businesses about the importance of personal information privacy, including the security of personal information. Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies' privacy promises about how they collect, use and secure consumers' personal information. Under the Gramm-Leach-Bliley Act, the Commission has implemented rules concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information, and it aggressively enforces against pretexting. The Commission also protects consumer privacy under the Fair Credit Reporting Act and the Children's Online Privacy Protection Act.

The U.S. government's director for cybersecurity resigned on Friday, criticizing the excessive role of the National Security Agency in countering threats to the country's computer systems. "He has tendered his resignation," Amy Kudwa, a Department of Homeland Security spokeswoman told Reuters. Former Silicon Valley entrepreneur Rod Beckstrom said in a resignation letter published by the Wall Street Journal it was a "bad strategy" to have the National Security Agency, which is part of the Department of Defense, play a major role in cybersecurity. Beckstrom headed the National Cybersecurity Center, which was created last March to coordinate all government cybersecurity efforts and answers to the Department of Homeland Security. Homeland Security said in a statement that it has a strong relationship with the NSA and continues to work closely with all of its partners to protect the country's cyber networks. Beckstrom wrote to Homeland Security Secretary Janet Napolitano on Thursday in his resignation letter that the NSA currently dominates most national cyber efforts. "While acknowledging the critical importance of NSA to our intelligence efforts, I believe this is a bad strategy on multiple grounds," he wrote in the letter posted by the Wall Street Journal on its website. National Security Agency officials could not immediately be reached for comment. Beckstrom said in his letter that the cybersecurity group did not receive adequate support to accomplish its role during the previous administration of President George W. Bush, which only provided the center with five weeks of funding in the last year. His resignation will be effective March 13, the letter said. The newspaper said the Obama administration was conducting a 60-day review of the cybersecurity program started by Bush last year to protect government networks.

The more things change, the more they stay the same. Such is the case for information security management, which has been voted - for the seventh consecutive year - the most important issue affecting IT strategy, investment and implementation over the coming 12 to 18 months, according to the American Institute of CPAs' 20th Annual Top Technology Initiatives Survey. Employing a new strategy this year, the institute's 10-member tech task force distributed surveys to approximately 50,000 of the institute's members and then advertised the survey in an electronic newsletter. "We changed the voting audience," said David Cieslak, CPA, CITP and co-chair of the task force, noting that they sought responses from all institute members, without feedback from outside technology groups, as in past years. "It's a big year - our 20th - we wanted to make sure it was reflective of our membership." This year's survey received more than 700 responses, which ranked 33 technology initiatives that they perceived as having the most impact over the next 12-to-18 months. The most pressing initiative, according to respondents - information security management - is an integrated, systematic approach that co-ordinates people, policies, standards, processes and controls used to safeguard critical systems and information from internal and external security threats. "Integrity, confidentiality and the relationship that CPAs have with their clients is something that has always been important to accountants," said Mary MacBain, CPA, CITP and a task force co-chair. "Security is going to continue to be important." Jim Bourke, a member of the task force and partner-in-charge of technology at CPA and business advisory firm Withum Smith+Brown in Red Bank, N.J., said that it's no surprise to see information security management make the top slot yet again: "Look at the top three - what's the theme? Security and the concern about the privacy issues involving data. For the past few years, many CPAs ha

Enforcing Privacy Promises: Section 5 of the FTC Act A key part of the Commission's privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers' personal information. To respond to consumers' concerns about privacy, many Web sites post privacy policies that describe how consumers' personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' personal information. The Commission has also used its unfairness authority to challenge information practices that cause substantial consumer injury.

If behavioral targeting is the key to providing Web users with advertising that's better tailored to their particular needs and interests--instead of banner ads that they ignore--then what's the harm to consumers? That was a central question tackled by a panel of privacy and online marketing experts Thursday at the OMMA Behavioral conference in New York. Whether online user tracking--even when anonymous--represents a growing threat to privacy has become a hotly debated issue in the last year, with FTC, Congress and state governments considering increased regulation of behavioral targeting. For Jules Polonetsky, co-chair and director of the AT&T-funded think tank Future of Privacy Forum, that debate has become almost superfluous. Whatever side one takes, he emphasized that there is now a widespread perception among consumers and regulators that online tracking is creepy at the very least. The key to diffusing the controversy is for publishers and marketers to give Web users notice that their behavior is being tracked in order to provide them with more relevant content, recommendations and marketing offers.

The enormous international focus on privacy is growing more urgent in the face of business and government pressure to get the economy moving again and restore trust in our most basic institutions. To help rebuild trust and bolster bottom lines in a down market, it pays to prioritize privacy. The time is right to make smart investments in an organization's privacy professionals-the experts in the eye of the storm that must work collectively to find the right solutions to privacy challenges. The IAPP, which now boasts 6,000 members across 47 countries, is convening its annual Privacy Summit in Washington DC from March 11-13, 2009-the largest and most global privacy event in the world. Attendees will have the unique opportunity to interact with privacy regulators from Canada, France, Spain, Israel, the UK, Italy, the U.S. and the experts who help shape their policies across 60 different educational and networking sessions. Keynote speakers include Frank Abagnale (of Catch Me if You Can fame), one of the world's most respected authorities on forgery, embezzlement and secure documents as well as internationally renowned security technologist Bruce Schneier. The Future of Privacy Forum will be strongly represented at this year's Summit. Jules Polonetsky and Chris Wolf will be co-presenting a session entitled Cheers & Jeers: Who is Doing Privacy Right and Who Deserves Detention. Jules and Chris will also cover Behavioral Advertising Secrets: What Your Marketing and IT Team Didn't Think You Needed to Know. Both topics should be big draws for the expected 1500 attendees at the Summit! It's this sort of event that advances our profession and helps privacy professionals work together to reclaim trust. Registration is open and we look forward to seeing you in DC.

The organization charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is trying to give merchants a compliance blueprint. The Prioritized Approach Tool offers six "milestones" that businesses should try to reach in their pursuit of compliance, said Lib de Veyra, the newly appointed chairman of the PCI Security Standards Council, which manages the guidelines. When faced with a standard as robust as PCI DSS, many companies, particularly the smaller merchants, need help deciding which risks they should address first, de Veyra told SCMagazineUS.com on Friday. The tool, to be published Tuesday on the council's website, also helps retailers and their acquiring banks demonstrate and measure progress. Rated by order of criticality, the milestones are: Limit data retention, secure the perimeter, secure applications, control system access, protect stored cardholder data and finalize remaining compliance efforts, ensuring all controls are in place. "You take care of Milestone One and you've significantly reduced the risk in the event of a data breach because, where's the data?" de Veyra said.

A health care industry coalition on Monday released a prescriptive security framework that organizations can use to safeguard patient records as they increasingly move online. The framework, released by the Health Information Trust Alliance (HITRUST) -- which represents health care providers, pharmacies, insurers, biotech firms and medical device manufacturers -- is based on well-known standards such as COBIT, NIST and ISO 270001. But this is the first benchmark developed specifically for protecting health data. "It's tailored to protecting health information right out of the gate," Michael Wilson, vice president and chief information security officer of McKesson, the largest U.S. pharmaceutical distributor, told SCMagazineUS.com on Monday. "It's just a different sort of data. It's still structured [like other verticals], but there's a lot more of it in health care." The framework was created to improve adoption rates with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and increase patient confidence in the security of their information. It also arrives on the heels of the new $787 billion economic stimulus bill, about $20 billion of which is earmarked to encourage health care organizations to adopt electronic health records as a way to reduce the number of medical errors and save money. The stimulus bill, in itself, contains srict privacy and security regulations for patient information. The standards took about 18 months to devise and can be implemented by organizations of any size, according to HITRUST. "2009 will be a turning point for information security in the health care industry, when organizations will begin implementing the framework...and create a cascading effect that will impact and benefit the entire health care ecosystem," Daniel Nutkis, CEO of HITRUST, said in news release. Wilson said the framework also will enable companies such as McKesson to show their customers and business partners that they are taki

Two firms certified to asses a company's compliance with the Payment Card Industry Data Security Standards (PCI DSS) have been placed under remediation by the PCI Security Standards Council. Two firms certified to asses a company's compliance with the Payment Card Industry Data Security Standards (PCI DSS) have been placed under remediation by the PCI Security Standards Council. "We have a contractual relationship with the PCI Security Standards Council and they can pull our certification at any time," Bates said, adding that the firm is working wholeheartedly to remedy the situation. Chris Konrad, senior vice president of client services at Fortrex, did not return a phone call seeking comment. Fortrex's business is U.S-based. The company is in its sixth year assessing service providers and merchants. In addition to being certified to conduct payment application quality security assessments, the firm sells risk management consulting services. It is a reseller in security vendor Qualys Inc.'s PCI Partner Program, according to the company website. Qualys said its "program gives partners generous margins based on their level of certification." The PCI Council launched its quality assurance program for assessors in September to address growing concerns from merchants about the quality of their assessments and other issues. Merchants have complained that some QSAs don't appear to have the technical skills necessary to conduct a thorough assessment. Other merchants have raised issues with QSA's pitching security products during the assessment process. Merchants that receive negative feedback are placed on probation and a revocation process is in place if assessors do not address the issues identified by the council.

Cablevision Systems announced it will expand its addressable-advertising capabilities to be able to deliver TV spots based on an individual subscriber's demographic data to some 500,000 households across the New York metro area this summer. The half-million-homes deployment -- representing cable's largest with addressable advertising to date -- comes after an 18-month trial covering 100,000 households, in which Cablevision tested the targeted form advertising for its Optimum-branded services. According to Cablevision, the trial showed a "double-digit" lift in sales in areas that received the addressable ads compared with homes that did not. After building out to 500,000 households across multiple zones within the New York DMA, Cablevision ultimately expects to bring addressability to all of its 2.8 million digital TV subscribers. The expanded deployment includes unidentified "top national brands," represented by media agencies GroupM, Starcom MediaVest Group and Universal McCann. Cablevision said it already has placed addressable ads from outside advertisers, but it has not identified those customers publicly. Addressable advertising, considered a holy grail of advertising in combining broad reach with demographic targeting, is also a core part of the mission for Canoe Ventures, the joint venture of Cablevision and five other MSOs. But Canoe, at least initially, will provide targeting at the zone level not the household level. Independent of Canoe, Cablevision is moving ahead on several advanced-advertising initiatives. Earlier this week Cablevision and its Rainbow Media programming unit announced plans to offer interactive advertising products and applications to media buyers during this year's upfronts, which would be available in inventory on five Rainbow networks and be viewable to Cablevision digital cable subscribers. To deliver addressable advertising, Cablevision is using technology from Visible World, a New York-based company that works with more than

Google, Microsoft, Yahoo support self-regulation in the UK AOL, Google, Microsoft, NebuAd, Phorm, and Yahoo promise to behave. All of these companies - along with a few others - have volunteered to honor the Internet Advertising Bureau's just-announced set of Good Practice Principles. So on to the guts of the agreement. First, companies are supposed to tell users whenever they're collecting data for the sake of behavioral advertising. They're also expected to make sure users understand what the procedure entails. Then comes the key part: users should get the chance to opt out of the collection process. Ad companies are probably hoping that users will either be too lazy to take action or will actually prefer better-targeted ads. If so, the companies will continue to make money and improve their public image. But since privacy advocates may still complain that data collection isn't an opt-in matter, the issue isn't likely to go away. Mark Howe, the country sales director of Google UK, sidestepped the mess, simply stating, "Google believes in two core principles of transparency and choice when it comes to user privacy. That is why we are supportive of these new, self-regulatory principles for online advertising which will enable consumers to increase their understanding of their web surfing options." IAB described the Principles as "the UK's first self-regulatory guidelines to set good practice for companies that collect and use data for online behavioural advertising purposes." The Principles have been approved by the Information Commissioner's Office, which reports directly to Parliament.

Last month, the digital advertising industry's use of behaviorally targeted advertising gained a reprieve of sorts when the Federal Trade Commission issued a final report confirming its earlier support of self-regulation. But some commission members remained concerned about ads that are shown to Web users based on their previous online activities, and in particular the possibility of violations of online privacy. Some form of legal restrictions may be imposed on the industry, the FTC indicated, if the online ad industry isn't up to the task of regulating itself. "Privacy is definitely the biggest concern today," said Joe Apprendi, CEO of Collective Media, an online advertising network based in New York. "There has been the concern that through such approaches as deep-packet technology, companies can leverage information through subscriber-based providers to marry anonymous behavioral segment data and identify real people. "The fact is, online advertising is subject to a higher standard that offline direct marketing tactics," Apprendi said. The FTC report, "Self-Regulatory Principles for Online Behavioral Advertising," continues to advocate voluntary industry self-regulation, in keeping with its principles governing online behavioral advertising issued at the end of 2007, despite the urgings of consumer advocacy groups that it impose rules regulating online advertising. The commission's new guidelines are based on four principles: * Transparency and consumer control. The commission advises that Web sites that collect data for behavioral advertising provide "a clear, concise, consumer-friendly and prominent statement" that the data are being collected to provide ads tailored to the user's interests and that the user has an easy and obvious way to choose whether to allow this. * Security for data retention. Companies that collect data for behavioral advertising should provide "reasonable" protection of that information and reta

To help parents better understand their childrens' online privacy rights, the Federal Trade Commission has developed a new article, Protecting Kids' Privacy. The article is posted at OnGuardOnline.gov, a Web site sponsored by the federal government and the technology industry to help users stay on guard against Internet fraud, secure their computers, and protect their personal information. Parents can learn what Web sites must do to protect the privacy of kids younger than 13 under the Children's Online Privacy Protection Act (COPPA). For example, with very few exceptions, sites must get parents' permission if they want to collect or share their kids' personal information. Parents also will find tips for talking to their kids about online privacy, knowing what their kids are doing online, reporting a Web site that may be violating COPPA, and more. To learn more about online privacy for kids, view this article on OnGuardOnline.gov at www.OnGuardOnline.gov/topics/kids-privacy.aspx or view it as an FTC Facts for Consumers publication at http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec08.shtm. The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC's Web site provides free information on a variety of consumer topics.

A consumer reporting agency that failed to properly screen prospective customers and, as a result, sold at least 318 credit reports to identity thieves, has agreed to settle Federal Trade Commission charges that it violated federal law. Under the settlement, the company and its principal must ensure that they provide credit reports only to legitimate businesses for lawful purposes, use a comprehensive information security program, and obtain independent audits every other year for 20 years. The settlement also imposes a $500,000 penalty but suspends payment due to the defendants' inability to pay. According to the FTC, the defendants use sensitive financial data from other consumer reporting agencies to create reports that landlords use to assess potential renters. These reports contain consumers' names, Social Security numbers, birth dates, bank and credit card account numbers, credit histories, and other personal information. The Commission alleges that the company failed to properly screen new customers. The company allegedly requested only publicly-available information from applicants seeking credit reports, and it did not request supporting documentation to establish that an applicant was actually a landlord renting property. As a result, identity thieves posing as property owners were given an account with unlimited online access to credit reports, and the account was used to access at least 318 reports containing sensitive personal information. The FTC charged the defendants with violating the Fair Credit Reporting Act (FCRA) by furnishing credit reports to persons who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to prevent such impermissible disclosures and to verify their customers' identities and how they intended to use the information. The agency also charged them with violating the FTC Act by failing to employ reasonable and appropriate security measures to protect sensitive consumer inform

Interactive tutorial from the FTC on how businesses should go about protecting personal information

To address important consumer privacy concerns associated with online behavioral advertising, the staff of the Federal Trade Commission today released a set of proposed principles to guide the development of self-regulation in this evolving area. Behavioral advertising is the tracking of a consumer's activities online - including the searches the consumer has conducted, the Web pages visited, and the content viewed - in order to deliver advertising targeted to the individual consumer"s interests. For more than a decade, the FTC has engaged in investigation, law enforcement, studies, and other privacy developments to protect consumers' privacy online. Concepts used to develop the principles emerged from the agency's longstanding privacy program and, more recently, from two conferences hosted by the FTC. In the fall of 2006, a three-day public hearing, "Protecting Consumers in the Next Tech-ade," examined technology developments that could raise consumer protection policy issues, including privacy, over the next decade. This past November, building on the Tech-ade hearings, the FTC hosted a Town Hall entitled "Ehavioral Advertising: Tracking, Targeting, and Technology," to focus in on privacy issues raised by behavioral advertising. "The purpose of this proposal is to encourage more meaningful and enforceable self-regulation to address the privacy concerns raised with respect to behavioral advertising. In developing the principles, FTC staff was mindful of the need to maintain vigorous competition in online advertising as well as the importance of accommodating the wide variety of business models that exist in this area," according to its proposal "Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles." The proposal states that behavioral advertising provides benefits to consumers in the form of free content and personalized advertising but notes that this practice is largely invisible and unknown to consumers. To address the

With Twitter firmly established as the "conversation place to be," marketers are beginning to look for where they fit in. And that means tools. For the uninitiated, Twitter is a service that lets individuals exchange 140-character messages-via computer or mobile device-with groups of "followers." The result is a fast-and-loose, multidimensional conversation that falls somewhere in between blogging and text messaging, happening in real time between millions of users around the world. Luckily, the Web interface for Twitter.com is just the start of many ways to interact with and glean intelligence from Twitter conversations. There is big potential value for tapping into the Twitter-stream for insights into what customers are saying about your company's brand and its market. "Millions are leaning on Twitter pretty hard as a way to network and communicate with contacts new and old," said John Jatsch, a social marketing expert and operator of Duct Tape Marketing. He added that marketers have many options for how to use Twitter, including connecting with customers, monitoring conversations and testing new ideas. To use Twitter to its fullest, b-to-b marketers should consider using the following handful of tools and services: ??Twitter clients. It doesn't take long for most Twitter users to move beyond using Twitter.com to post and monitor their posts or "tweets." There are much more powerful tools at your disposal for reading, filtering, searching and posting to Twitter.com. The list of Twitter clients includes popular Mac client Twitterific; Adobe Air-based clients such as Twhirl, Tweetr and Spaz; Firefox add-ons like Twitterfox and TwitBin; and software that lets you track multiple social engines-such as Facebook, FriendFeed and even instant messaging as well as Twitter-like Digsby and AlertThingy. A new client receiving a lot of buzz is TweetDeck, which features a huge but customizable user interface that makes it easier to track posts, re