CIPP Information Privacy & Security News

The theft in 2006 of an employee laptop that contained personal information on millions of veterans taught the Veterans Affairs Department some hard lessons. VA became "the poster child of data breaches," said Kathryn Maginnis, the department's associate deputy assistant secretary for risk management and incident response. As a result of that incident and several breaches that followed, the department developed a comprehensive incident response program and incident resolution team that evaluates all serious exposures of sensitive data. "We have a culture of report, report, report," Maginnis said at the recent FOSE conference in Washington. The incident response program received a perfect score last year in the VA inspector general's Federal Information Security Management Act audit, and Maginnis said she expects to get another perfect score this year. The department developed two in-house online tools to help track and evaluate incidents, said Amanda Graves Scott, director of the incident resolution team. The Formal Event Review and Evaluation Tool uses a 56-question questionnaire to determine the risk category of a data breach, and the VA Incident Response Tracking System automates a manual tracking process for information technology incident response.

Should responsibility for defending against cyberattacks be moved from the Dept. of Homeland Security to the military? Air Force Gen. Kevin Chilton suggested as much at a Congressional hearing where he warned of U.S. vulnerability to cyberwarfar "across the spectrum." Such attacks "potentially threaten not only our military networks, but also our critical national networks," Chilton told a House Armed Services subcommittee, the Washington Post reported. As head of Strategic Command, the general isn't responsibel for defending civilian networks, just government computers. [Stratcom's responsibility is] "to operate and defend the military networks only and be prepared to attack in cyberspace when directed. I think the broader question is, who should best do this for the other parts of America, where we worry about defending power grids, our financial institutions, our telecommunications, our transportation networks, the networks that support them." Well, that's where the 60-day interagency overview of cybersecurity comes in. At the end of that, Chilton said, responsibility for protecting private sector networks may well fit under Stratcom's duties. So what impact in having the military at the center of cybersecurity? Importantly, it brings offensive ops into the defense game. And where the military is involved, can NSA be far behind? No. Operational control over both [offensive and defensive ops], Chilton said, has been delegated to Lt. Gen. Keith B. Alexander, the head of the National Security Agency. … NSA, according to Chilton, already has a role in information security, and the agency's support "has been instrumental in our efforts to operate and particularly to defend our networks," he said. Combining oversight of cyber defense and offense made sense, Chilton said, "because they're so interconnected. . . . As you consider offensive operations, you want to make sure your defense are up."

Since its inception, IT has focused on reducing costs through process automation and the implementation of applications. However, that is no longer enough to sustain competitive advantage in a rapidly changing world. Today, important business decisions depend on having up-to-date, trustworthy information. At the same time, you need to assess the internal and external risks involved in such decisions. This is not easy, which is why organizations need to build an Information Strategy to guide them

Legislation aimed at protecting the privacy rights of car owners is drawing objections from auto manufacturers and Progressive Insurance, which hopes to introduce a program in Washington state that charges drivers based partly on how and when they drive.\n\nThe American Civil Liberties Union of Washington is pushing for the legislation, which would require automakers and other companies to inform car owners of the presence of devices that record information about their driving habits.\n\nThat includes event data recorders, or black boxes, installed on most newer cars, as well as electronic equipment such as GPS devices and OnStar, the wireless subscription service from General Motors.\n\nIn addition to requiring notification, a bill sponsored by state Sen. Claudia Kauffman, D-Kent, would clarify that vehicle owners are the owners of the data. With a few exceptions, a court order or the owner's permission would be required in order for a third party to obtain it.\n\nCarrie Tellefson, a lobbyist for Progressive Insurance, testified last week at a House Transportation Committee hearing that Substitute Senate Bill 5574 would prevent the insurance company from introducing its pioneering MyRate insurance program into Washington.\n\nProgressive Insurance first tested the idea of usage-based insurance in 1999. The company introduced the current plan, called MyRate, in 2004 and now offers it in nine states, including Oregon.\n\nCustomers who agree to opt into the program plug a device into their car's onboard diagnostic system, usually somewhere under the dashboard near the steering column. The device records information about how, when, and how much the car is driven, and wirelessly transmits the data back to Progressive's servers.\n\nCustomers are either rewarded with a discount or penalized with a higher rate depending on the information collected.\n\nThe discount can be as much as 30 percent, and the surcharge up to 9 percent.\n\nCustomers can go online and look at perso

Emily Riley of Forrester Research presented a lot of data during her keynote presentation at today's OMMA Behavioral Conference but one point she made seemed rather salient to me: many of those marketers and data firms involved in behavioral targeting seem to skip over social media as a source of information. They might look at the data surrounding the usage of those sites but they seem to rarely do any actually monitoring, let alone interacting there. It reminded me of an experience I had with my wife. We once lived in a building where we didn't have much interaction with our neighbors, very little beyond an occasional wave in the hallway. We could, however see their mail mixed with ours and our landlord's. My wife began to notice that the landlord and our neighbor were starting to get similar envelopes from law firms. I, being the incurious mail sorter I am, didn't really think much of it. She, on the other hand, was convinced that one of them must be suing the other and was able to spin out some fairly detailed scenarios based on other clues from the hallway, the presence of exterminators one day, the thickness of paint on the front door etc. One day I encountered our neighbor in the hallway and did my customary wave. "Oh by the way," He said, "We're moving out next week." Oh really? He then regaled me with the entire story which involved a variety of things including an exterminator, paint thickness, and law firms. My wife and I were both able to glean essentially the same information. However if I had approached him and said, without any warning, "I bet you and our landlord are having one heckuva legal squabble," he probably would have punched me in the nose. I also believe that the ease with which I was able to get the whole story out of him suggests that had we interacted more it would have been I scooping my wife and not the other way around. These two approaches to gathering information are akin to the difference between following

Paperwork containing the personal medical information of at least 66 patients at Massachusetts General Hospital was lost this month when an employee apparently left it on an MBTA train. The hospital sent out letters last week to patients whose identities were included in the lost paperwork, telling them the information listed their names and dates of birth, and private medical information, including their diagnoses and the name of the provider with whom they met. The material constituted billing records for patients who attended the hospital's Infectious Disease Associates outpatient practice on Fruit Street on March 4. Deborah A. Adair, the hospital's privacy officer and director of health information services, said in a statement released yesterday that while the incident was regrettable, the hospital followed privacy laws by immediately alerting affected patients and authorities, including the state attorney general's office and the Department of Consumer Affairs and Business Regulation. "[Hospital] police and security are thoroughly investigating this matter not only with an eye toward recovering the missing information but also toward making sure that this will not happen again," Adair said. "Our information privacy and security policies and procedures are among the strongest in the healthcare industry, but incidents such as this remind us that we must continue to review and revise them, as well as continue to educate our staff on best practices to avoid incidents such as this." According to hospital security reports, a manager in the infectious disease center's billing unit told supervisors that she left the paperwork on a Red Line train the morning of March 9. The manager said she had brought the paperwork home with her to work over the weekend and left the material sometime between 7:30 and 9 a.m. The Transit Police were notified, but the paperwork was not found.

Ask a room full of security practitioners for a list of security settings that'll make Internet Explorer (IE) safe to use and you'll either hear laughter or advice to get a new browser like Mozilla Firefox, Opera, Safari or Google Chrome. Even as Microsoft has worked diligently to improve security in its troubled browser, especially in IE7 and the newly-released IE8, security pros simply don't trust it. Most have turned to alternative browsers, especially Firefox. [See: Microsoft Releases IE8, Stresses Security] But the intoxication security pros find in Firefox and the other alternatives comes with a big hangover. When one wakes up from an evening of online adventuring on one of the alternative browsers, the painful reality is that they will never be able to get away from IE completely. The obvious reason is that IE is so tightly integrated into the Windows operating system, though some industry voices have called on Microsoft to divorce it from the OS. [See: Security Expert: Microsoft Should Sever IE from Windows] "We aren't going to be able to get away from IE in the corporate world anytime soon," said Christopher Mendlik, a threat analyst at Wachovia. Besides the tight integration with Windows, there's the simple reality that some business applications will only work when used in IE. At CSOonline and other media outlets, for example, the programs used to post content online tend to be allergic to non-IE browsers. Those who have no choice but to use IE have turned to a number of coping mechanisms.

Big Brother may be at it again. Behavioral advertising -- the tracking of consumer's Internet surfing activity to create tailored ads -- has triggered an intense legal controversy that has law firms scrambling to stay on top of a burgeoning practice. Attorneys say that behavioral advertising is raising privacy, litigation and regulation fears among consumer advocates, the electronic commerce and advertising industries and legislators. Law firms are busy helping companies come up with a transparent way of letting consumers know that their online activities are being tracked and possibly shared. "Lawmakers and companies are having a tough time keeping up with this new frontier of Internet privacy issues, and there is growing consumer unrest about behavioral advertising, leading in some cases to consumer rebellion," said Lisa Sotto, a partner and head of the privacy and security data group in the New York office of Richmond, Va.-based Hunton & Williams. "Consumers find this type of tracking intrusive, and businesses are starting to take the consumer reaction seriously," she said. The buzz over behavioral advertising has been building since congressional hearings that were held last year, during which Congress called on Internet service providers (ISPs) to testify about a highly controversial advertising practice known as "deep-packet inspection." The practice gives companies the ability to track every Web site consumers visit and provides a detailed look at everything they're doing, such as where they're going on vacation, who is going, how much they spent on the trip and what credit card was used. But then came the first class action targeting behavioral advertising, filed against Foster City, Calif.-based NebuAd Inc., an online advertising company accused of spying on consumers from several states and allegedly violating their privacy and computer security rights. The lawsuit specifically alleges that NebuAd engaged in deep-packet inspection. Valentine v. Ne

The country's largest office products store sold a returned computer hard-drive on clearance containing hundreds of personal files on it - a move privacy experts say violates key provisions of a privacy law requiring businesses to safeguard personal information of customers. The transaction occurred recently at a Staples Business Depot store in Ottawa, one of about 300 across the country. When the purchaser booted up the Maxtor mini, he found hundreds of files on the external hard drive. The files, totalling about 400, belonged to Jill Vickers, a retired political science professor from Carleton University. They included some research papers already in the public domain, but some were sensitive documents. "It is especially of concern to me as the files contain some 20 years of reference and assessment letters which are confidential documents," said Vickers, who recently purchased a new computer system for her home that initially included the Maxtor backup drive. When her son, who was tasked with transferring her files to the drive, noticed the daily automatic backup function was not functioning properly, he returned it to Staples. He thought he had deleted the files. "Even though it's not in my possession, it's my data. They should wipe it clean," Vickers said of Staples. Canwest News Service last week provided Staples with the model and serial number of equipment, as well as the receipt for the clearance purchase. A company spokeswoman said it required more time to gather the facts to comment on the specific incident. "We will continue to look into this," said Alessandra Saccal. In a statement, she reiterated, "privacy of any kind is of great concern to us, that is why we have procedures in place to clear any items with memory before being resold."

Every day for one hour, Olympic-level athletes all over the world have an appointment they cannot break. The swimmer Dara Torres, a 12-time Olympic medalist, squeezes her hour into training, running errands and caring for her 3-year-old daughter. The curler Nicole Joraanstad schedules her hour at dawn, but says it often interrupts her sleep. The Olympic decathlon champion Bryan Clay makes himself available at night, when he is most likely to be home with family. Since Jan. 1, Olympic-level athletes have had to schedule their daily availability - hour and place - three months in advance so drug testers can find them, according to new World Anti-Doping Agency rules. And violating those rules can have serious repercussions. Three missed drug tests within an 18-month period during an athlete's appointed hour count as a positive drug test and can result in a one- to two-year ban from competition. Because the element of surprise is crucial to effective testing, athletes are also subject to random out-of-competition tests at any time. And they are tested at competitions. Jacques Rogge, the president of the International Olympic Committee said, "Sports today has a price to pay for suspicion." But some athletes say the rules have gone too far. "It's absolutely too much," Torres said in a telephone interview. "Why make this more cumbersome when we do so much already? We're at the point where we have to find a middle ground." Never before has there been so much protest regarding out-of-competition testing. Athletes in nearly every sport as well as organizations like FIFA, soccer's international governing body, have publicly criticized the doping agency's regulations. At least one lawsuit challenging the rules is in court. Sixty-five Belgian athletes, including the world-class Quick Step cycling team and its star Tom Boonen, filed a class-action lawsuit claiming that the new rules violate European privacy laws.

Is your company keeping information secure? Are you taking steps to protect personal information? Safeguarding sensitive data in your files and on your computers is just plain good business. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on five key principles: * Take stock. Know what personal information you have in your files and on your computers. * Scale down. Keep only what you need for your business. * Lock it. Protect the information in your care. * Pitch it. Properly dispose of what you no longer need. * Plan ahead. Create a plan to respond to security incidents. To learn more about how you can implement these principles in your business, play our interactive tutorial. You'll see and hear about practical steps your business can take to protect personal information. After you experience the tutorial, we hope you'll take advantage of the other resources on this site to educate your employees, customers, and constituents. Order copies of our brochure, Protecting Personal Information: A Guide for Business, or publish an article on information security in your newsletter, magazine, or website. All of the information on this site is in the public domain; we hope you'll share it freely.

The European Commission has prepared a set of questions and answers as well as a flowchart to help companies understand when they can and when they cannot send personal data abroad. The European Union's Data Protection Directive protects the personal data of EU citizens from abuse and misuse. Organisations have a duty to protect it, and that means ensuring that it is not sent to countries with poor data protection. The Directive says that data can be sent to another country "only if... the third country in question ensures an adequate level of protection". Only a handful of countries have been deemed acceptable destinations for data by the European Commission. Those are Switzerland, Canada, Argentina, the Bailiwick of Guernsey, the Isle of Man, the Bailiwick of Jersey and the US, when the data's treatment is in the Safe Harbor Privacy Principles of the US Department of Commerce The advice has been prepared by the Data Protection Unit of the Directorate-General for Justice, Freedom and Security at the European Commission. It is designed particularly to help small and medium sized companies to understand the law when it comes to transferring personal data outside of the European Economic Area (EEA). The guidance points out that in order for a transfer to be legal, data has to be properly handled in the first place according to the data protection laws of the country where the processing organisation is established. If the transfer is to a country not listed as having adequate data protections in place, a transfer can still take place, the guidance says, but only if "the data controller offers 'adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights'," says the guidance, quoting the Directive. "These safeguards may result from appropriate contractual clauses, and more particularly from standard contractual clauses issued by the Commission," it sai

New Jersey lawmakers are considering new legislation that would require Facebook, MySpace and others to police social networking sites for offensive posts or else face potential consumer fraud lawsuits. But some lawyers say that even if the measure is enacted, it's not likely to have much impact on social networking sites because the federal Communications Decency Act immunizes such sites from lawsuits based on material posted by users. The bill is part of state Attorney General Anne Milgram's Internet safety initiative. "The social networking site safety act is intended to deter cyber-bullying and the misuse of social networking Web sites," the Office of Attorney General said in a statement about the measure. "The bill empowers users of social networking sites to take steps to stop harassment or exploitation." Last year, Milgram garnered headlines by launching a fraud investigation of gossip site JuicyCampus.com -- where users frequently posted insults about college students -- but no legal action resulted. (That site folded last month for financial reasons.) Attempts to rein in cyberbullying might be politically popular, but this type of state effort to regulate global Web sites is also likely to prove useless, say cyber lawyers. "We need to recognize that legislating on the Internet can't be done on a state-by-state basis," said Parry Aftab, an expert on Web safety and cyber-abuse. "We can't have a different law in each state."

Google will unveil new privacy measures today that will give consumers more control over behavioral targeting. Now, when Google serves banner ads on outside publishers' sites, the ads will include links that provide more information explaining why they were served. Clicking through will lead to details about the company's behavioral advertising program, which categorizes consumers as interested in particular types of goods or services based on the sites they visited. The program is only in beta for now, but once Google signs up publishers, consumers will be able to view the categories they have been placed in--such as "interested in travel"--and also tell Google to remove them from whatever buckets they wish. Consumers also will be able to opt out of the program permanently via a browser plug-in. Or, if people want to receive ads for certain types of products, they can edit their profiles to reflect that--in effect, opting in to particular types of ads. Google's new measures come at a time when online behavioral targeting is facing increased scrutiny. Last month, two Federal Trade Commissioners warned that the online advertising industry could face new laws if it didn't take steps to self-regulate on privacy issues. Recently, Google rival Yahoo announced enhancements to its privacy policies. Among other changes, Yahoo said it would allow consumers to opt out of behavioral targeting on its own site. Google's move drew praise from the Interactive Advertising Bureau's Mike Zaneis, vice president for public policy. "It's really a consumer empowerment tool, which is great," he said. "It's one more example of how industry is competing on the privacy issue, to the benefit of consumers--and also to the benefit of businesses."

The authorities in Brussels fired a warning shot across the bows of online advertisers today, signalling new rules to combat surfer profiling and breaches of privacy in the interests of commercial gain. In the strongest denunciation of the conduct of online advertisers, Meglena Kuneva, the European commissioner for consumer affairs, argued that personal data has become "the oil of the internet and the new currency of the digital world". She warned that surfers' privacy rights were being abused by the amassing of personal information and its supply to advertisers who targeted individuals who were often unaware of what was happening. "From the point of view of commercial communications the world wide web is turning out to be the world wild west. This could be very damaging," Kuneva told a meeting of industry professionals and analysts in Brussels. "Consumer rights must adapt to technology, not be crushed by it. The current situation with regard to privacy, profiling, and targeting is not satisfactory." The commissioner outlined European laws regulating the protection of privacy, commercial contracts, and countering discrimination, and indicated that the regulations were failing to keep up with the pace of developments on the internet. She called on the online advertising industry to come up with a voluntary code of conduct to protect consumer and privacy rights, but clearly signalled that the EU authorities would probably have to legislate to prevent abuses. The volume of personal data collected on the internet was growing exponentially and was increasingly being used for commercial purposes by tracking surfers' browsing habits, using cookies, and making the information available for individual profiling and targeting of consumers, she said.

The Payment Card Industry Data Security Standard (PCI DSS) is ineffective and major payment processing infrastructure improvements are needed to secure credit and debit card transactions, lawmakers said Tuesday. The House Subcommittee on Emerging Threats, Cybersecurity, Science, and Technology, part of the House Committee on Homeland Security, held a hearing in Washington, D.C., on Tuesday to examine the effectiveness of PCI DSS. "The bottom line is that if we care about keeping money out of the hands of terrorists and organized criminals, we have to do more, and we have to do it now," said U.S. Rep. Yvette Clarke (D-N.Y.), who chairs the subcommittee. "The payment card industry and issuing banks need to commit to investing in infrastructure upgrades here in the United States." Clarke called on the industry to implement encryption on its credit and debit card processing networks and said the deployment of chip and PIN technology could significantly reduce the amount of stolen payment data. Chip and PIN technology is used in Asia and Europe. The technology replaces the magnetic strip on the back of a card and adds a four-digit personal identification number (PIN) to confirm a payment.

Complimentary Webinar: Managing Data Breach Litigation You are cordially invited to attend a complimentary Webinar hosted by Debix Titled: Managing Data Breach Litigation. Proskauer Rose, Partner, Tanya Forsheit, will discuss recent developments in data breach litigation and other privacy class actions. Tanya also will discuss lessons to be learned from recent decisions and what these court opinions mean for companies facing privacy litigation. Kroll Ontrack, Senior Managing Director, Alan Brill, will provide lessons learned from the field on litigation strategies. The presentation will include practical tips on avoid litigation, getting litigation dismissed or in the unfortunate scenario of a lawsuit, winning strategies. Debix, VP of Emerging Technologies, Julie Fergerson has been working with data breached organizations for over 10 years and will moderate the call.

From the Heartland data breach to the new Massachusetts data protection law, privacy is the hot topic in business and government. In an exclusive interview, Peter Kosmala, assistant director of the International Association of Privacy Professionals (IAPP), discusses: The top privacy topics in business and government; How organizations are tackling these issues; The potential impact of state and federal privacy legislation; The value of the Certified Information Privacy Professional (CIPP) credential. Kosmala oversees product management for the IAPP with specific oversight of distance learning products, privacy certifications and industry awards programs. He also manages business development efforts between the IAPP and peer organizations in the information security, information auditing and legal compliance arenas as well as organizations based in the Asia-Pacific region. The IAPP, based in York, Maine, was founded in 2000 with a mission to define, promote and improve the privacy profession globally. Kosmala oversees product management for the IAPP with specific oversight of distance learning products, privacy certifications and industry awards programs. He also manages business development efforts between the IAPP and peer organizations in the information security, information auditing and legal compliance arenas as well as organizations based in the Asia-Pacific region. The IAPP, based in York, Maine, was founded in 2000 with a mission to define, promote and improve the privacy profession globally.

Consumers save their e-mail and documents on Google's data centers, put their photos on Flickr and store their social lives on Facebook. Now a host of companies including Amazon and Microsoft wants government agencies to similarly house data on their servers as a way to cut costs and boost efficiency. But federal officials say it's one thing to file away e-mailed jokes from friends, and another to store government data on public servers that could be vulnerable to security breaches. The push toward "cloud computing," so named because data and software is housed in remote data centers rather than on-site servers, is the latest consumer technology to migrate to the ranks of government. Companies such as Amazon and Salesforce, which do not typically sell services to the government, want a piece of the business. Google opened a Reston office last year to sell applications such as Google Docs to federal employees. Silicon Valley-based Salesforce, which has focused on selling to corporations, established a team dedicated to government contracting. Microsoft spent $2.3 billion in 2007 to build data centers for cloud computing, and IBM, Sun Microsystems and HP want to provide the government cloud.

Taking genetic tests to assess potential health risks could mean cheaper medical insurance even if the results are not disclosed, a senior industry executive has told The Times. Customers who take personal DNA scans will pay lower premiums because insurers believe that they encourage a healthier lifestyle, according to Gil Baldwin, the managing director of Norwich Union Healthcare. The advent of tests for DNA variants that affect common disorders such as diabetes and heart disease has prompted fears of discrimination and the creation of a "genetic underclass" who cannot buy cover. Mr Baldwin insisted that his company did not see genetics as a tool for cherry picking low-risk customers but as a way of helping them to manage and reduce their risk of disease with the aim of lowering costs for both parties. In an interview with The Times, he said that people who take genetic screening are likely to act on the results and therefore present a much better risk profile. Insurers will reflect this in premiums, regardless of whether results are disclosed.