CIPP Information Privacy & Security News
Karl Wabst

Bahn Boss Mehdorn Offers Resignation Amid Data Privacy Scandal | Germany | Deutsche Wel... - 0 views

  •  
    Hartmut Mehdorn's days as the boss of German rail operator Deutsche Bahn look to have come to an end as the embattled executive offers his resignation amid a damaging, ongoing data privacy scandal. Mehdorn said he was offering to go because the "destructive debates" over his future were damaging the company. "I have made an offer to terminate my contract with the supervisory board chairman," Mehdorn said Monday, March 20, at a press conference to announce Deutsche Bahn's annual financial results. "I assume that a successor will be appointed before the summer holidays" begin in July. Mehdorn, who has run the state-owned firm since 1999, has been under increasing pressure ever since it was revealed earlier this year that Deutsche Bahn accessed confidential staff data as far back as 1998.
Karl Wabst

firstamendmentcenter.org: news - 0 views

  •  
    Two companies that collect, analyze and sell prescription information are mounting a Supreme Court challenge to New Hampshire's first-in-the-nation law making doctors' prescription writing habits confidential. In an appeal filed March 27, IMS Health Inc. of Norwalk, Conn., and Verispan LLC of Yardley, Pa., tell the high court that the law violates their First Amendment right to free speech in pursuit of their business. The law, aimed at thwarting hard-sell tactics by drug companies to doctors, makes it a crime for pharmacies and others to transfer information disclosing a doctor's prescribing history if the information could be used for marketing of prescription drugs in New Hampshire. Patients' names are not included in the data. The companies say that the ruling by the 1st U.S. Circuit Court of Appeals in Boston that upheld the law's constitutionality could be broadly applied to newspaper publication of stock market information and many other services that gather large amounts of information. The money made by selling the information to drug makers, the companies say, allows them to provide the same material to researchers and humanitarian organizations at little or no cost. The law first took effect in 2006. The following year, U.S. District Judge Paul Barbadoro in Concord ruled in the companies' favor and said the law violated the First Amendment. Another federal judge subsequently ruled against a similar law in Maine, relying heavily on the New Hampshire decision. But the 1st Circuit overruled Barbadoro, calling the law a valid step to promote the delivery of cost-effective health care. "Even if the Prescription Information Law amounts to a regulation of protected speech - a proposition with which we disagree - it passes constitutional muster," the court said. "In combating this novel threat to cost-effective delivery of health care, New Hampshire has acted with as much forethought and precision as the circumstances permit and the
Karl Wabst

Deep computer-spying network touched 103 countries - Network World - 0 views

  •  
    A 10-month cyberespionage investigation has found that 1,295 computers in 103 countries and belonging to international institutions have been spied on, with some circumstantial evidence suggesting China may be to blame. The 53-page report, released on Sunday, provides some of the most compelling evidence and detail of the efforts of politically-motivated hackers while raising questions about their ties with government-sanctioned cyberspying operations. It describes a network which researchers have called GhostNet, which primarily uses a malicious software program called gh0st RAT (Remote Access Tool) to steal sensitive documents, control Web cams and completely control infected computers. "GhostNet represents a network of compromised computers resident in high-value political, economic and media locations spread across numerous countries worldwide," said the report, written by analysts with the Information Warfare Monitor, a research project of the SecDev Group, a think tank, and the Munk Center for International Studies at the University of Toronto. "At the time of writing, these organizations are almost certainly oblivious to the compromised situation in which they find themselves." The analysts did say, however, they have no confirmation if the information obtained has ended up being valuable to the hackers or whether it has been commercially sold or passed on as intelligence. Although evidence shows that servers in China were collecting some of the sensitive data, the analysts were cautious about linking the spying to the Chinese government. Rather, China has a fifth of the world's Internet users, which may include hackers that have goals aligning with official Chinese political positions.
Karl Wabst

Online crime surging in recession, U.S. report says| U.S.| Reuters - 0 views

  •  
    Fraud on the Internet reported to U.S. authorities increased by 33 percent last year, rising for the first time in three years, and is surging this year as the recession deepens, federal authorities said on Monday. Internet fraud losses reported in the United States reached a record high $264.6 million in 2008, according to a report released on Monday from the Internet Fraud Complaint Center, run by the FBI and the National White Collar Crime Center. Online scams originating from across the globe -- mostly from the United States, Canada, Britain, Nigeria and China -- are gathering steam this year with a nearly 50 percent increase in complaints reported to U.S. authorities in March alone. "2009 is shaping up to be a very busy year in terms of cyber-crime," the report's author, John Kane, told reporters in a telephone briefing. Last year's losses compared with $239.1 million in 2007 and dwarf the $18 million of losses of 2001.
Karl Wabst

DOTmed.com - Industry Insiders Discuss HIT and HIPAA Issues - 0 views

  •  
    Industry Insiders Discuss HIT and HIPAA Issues March 30, 2009 by Astrid Fiano, Writer A significant part of President Obama's health care reform agenda is the push for implementing more health care technology. In the health care field privacy is always a major concern, and was the impetus of the Health Insurance Portability and Accountability Act of 1996--protecting the privacy of individually identifiable health information in all formats, and the confidentiality provisions of the Patient Safety Act--protecting identifiable information being used to analyze patient safety events. So those in the health care industry now wonder will the Administration's focus on health IT (HIT) present more challenges to privacy concerns? As part of a continuing focus on HIT issues, DOTmed interviewed industry expert Kirk J. Nahra, a partner in the Washington D.C. legal firm of Wiley Rein LLP, specializing in privacy and information security for the health care and insurance industries, and named an expert practitioner by the Guide to the Leading U.S. Healthcare Lawyers. DOTmed also interviewed Lise Rauzi, Vice President, Training Development, for Health Care Compliance Strategies (HCCS). HCCS provides online training compliance for employees. Nahra notes that regardless of the rising concern over privacy and the new HIT legislation, there have already been formal HIPAA security rules on electronic information in place for several years--the health care industry compliance has just been inconsistent. The problem -- to the extent there is one -- is that HIPAA rules are process-oriented, Nahra explained. The rules don't tell an entity what to do, but rather what to evaluate--a standard set of questions, but without a standard set of answers. For example, a covered entity has to have an internal audit, but the rules do not tell the entity how best to carry out that internal audit. 
    Not surprisingly, different businesses have different ideas on how to implement their HIPAA evaluations
Karl Wabst

EC challenges internet snooping - 0 views

  •  
    Privacy rights are accepted and, generally, honored in Europe. The wealth - literally and figuratively - of personal information made available through the internet staggers the imagination. Staggering, too, is the prospect of privacy rights being trampled. EC Consumer Protection Commissioner Meglena Kuneva has a bone to pick with internet snooping. And she's launching an investigation into deep data mining. In an official statement (to be released March 31) she will outline concerns of vague and misleading 'term of use' for access to Web sites that can breach EC privacy rules. Commissioner Kuneva was born and raised in Bulgaria during a time when snooping on people was common, legal and nasty. The European Parliament (EuroParl) voted (March 27) overwhelmingly for recommendations in a report linking data surveillance, advertising and cybercrime. The report recommends safeguards for the privacy rights of internet users. The EuroParl called for "making use of existing national, regional, and international law." The MEPs raised the "imbalance of negotiating power between (internet) users and institutions." Internet users, said the MEPs, have the right to "permanently delete" personal details. Facebook's recent change in 'terms of use' allowing it to retain personal information brought a firestorm of criticism and the social networking portal backtracked. And the EC was watching. "It wasn't regulators who spotted the proposed change of terms at Facebook, it was one of the 175 million users," said Commissioner Kuneva's spokesperson Helen Kearns. Collecting and analyzing profile data is big business. It is "the new petroleum of the Internet world," said Ms Kearns, quoted in PC World (March 30). "If you are happy trading your data that's fine, but you should at least know how valuable it is." As Google and Microsoft have learned European Commission rules, unlike American rules, tend to set a low bar for compliance. The former pr
Karl Wabst

Exclusive: Vandals may have checked out Fred Goodwin's mansion on Google Street View - ... - 0 views

  •  
    VANDALS who attacked Fred Goodwin's mansion could have been helped by Google's new Street View, it was claimed yesterday. Security experts say the attackers may have "cased" the shamed banker's £3million Edinburgh home using the detailed images provided by the controversial new service. It could have helped them plan the attack, in which windows were smashed and a car wrecked, by showing them how to get in and escape unnoticed.
Karl Wabst

Diary of a Data Breach Investigation - CSO Online - Security and Risk - 0 views

  •  
    When the CISO asks to speak to you with that look on his face, you know the news isn't good. We were contacted by one of our third-party vendors, whom we had hired to do analysis on our website traffic. It appears that we have been passing sensitive information to them over the Internet. This sensitive information included data, such as customer names, addresses and credit card information. Because we are a public company, there are many regulatory guidelines that we have to follow like Sarbanes-Oxley (SOX) and the Payment Card Industry's (PCI) data security standard. Fortunately for us, our vendor has retained a copy of everything that we have sent to them. Unfortunately for us, it was six months of information totaling over a terabyte. Since our website is international, the legal department needed to obtain outside counsel to assist us in this matter. It will be a few days until I receive the data from the vendor.
Karl Wabst

Symantec Experiences Its Own Security Incident - Digits - WSJ - 0 views

  •  
    Symantec may not be concerned about the much-discussed Conficker virus, but the company is now dealing with an incident involving its own data security. Two weeks ago, the BBC published an investigative report in which reporters, working with an India-based middleman, bought credit-card information obtained from a Symantec call center. Cris Paden, a spokesman for the Cupertino, Calif., security-software firm, said it sent warning letters to the slightly more than 200 customers affected by the theft. It began an internal investigation immediately after being notified by the BBC. "We believe this was an isolated incident," Mr. Paden said, "but as the investigation continues, we will promptly notify any additional customers affected by the situation and will take appropriate action to protect their interests." In a letter to New Hampshire's attorney general, Symantec said, "We have no evidence that the credit card information of any United States resident was actually compromised." Mr. Paden added that to his knowledge, none of the stolen credit cards were used before their owners canceled them.
Karl Wabst

GoToWebinar : Webinars & Web Events Made Easy. Award-Winning Web Casting & Online Semin... - 0 views

  •  
    Supercharging the HVA Engineering and Maintenance Risk Assessment in the Healthcare Setting Webinar Registration Hospitals have been under close scrutiny for years to insure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. A staple of this activity is the "Hazard Vulnerability Assessment". A traditional HVA looks at specific threats within four categories (natural, technological, human and hazardous materials). While the HVA is useful for auditors looking to confirm minimum compliance, it does not properly arm the organization to assess how risk, mitigation strategies and limited capital can effectively be deployed for maximum benefit. Come hear from leaders of Deaconess Health Systems Engineering and Maintenance team on how they partnered with Virtual Corporation to execute an effective risk assessment methodology and toolkit across the DHS enterprise. Participants will see examples of innovative risk mapping and reporting methods that yield high information density in simple, understandable format. Presenters: Mark Merrill, Facility Engineer, Deaconess Health System Tom Barnett, Manager, Engineering and Maintenance, Deaconess Health System Scott Ream, President, Virtual Corporation
Karl Wabst

15 workers fired for accessing octuplet mom's file - San Jose Mercury News - 0 views

  •  
    LOS ANGELES - Fifteen hospital workers have been fired and another eight disciplined for looking at medical records of octuplet mother Nadya Suleman without permission, hospital officials said Monday. Kaiser Permanente reported the violations of health care privacy laws to the state and has warned employees at its Bellflower facility to keep away from Suleman's records unless they have a medical purpose, said hospital spokesman Jim Anderson. "Despite the notoriety of this case, to us this person is a patient who deserves the privacy that all our patients get," Anderson told The Associated Press. Anderson would not elaborate on how the other eight employees were reprimanded, saying only that the punishments were significant. A similar privacy breach at UCLA hospitals led to celebrities' medical information getting leaked to tabloids in recent years, including details of Farrah Fawcett's cancer treatment showing up in the National Enquirer. Anderson said Kaiser does not believe any of Suleman's information was shared with the media, based on the results of their inquiry. The 33-year-old single mother of 14 gave birth to her octuplets on Jan. 26 at Kaiser's hospital in Bellflower, about 17 miles southeast of Los Angeles. Her attorney Jeff Czech said Suleman does not plan to file a lawsuit, though he suspects Kaiser employees were looking for medical information on Suleman's sperm donor. He said the name is not listed on the medical records. "She trusts Kaiser and they said they'd look into it," Czech said. "We feel that they're on top of it and are taking care of it." Anderson could not provide details about when Suleman's medical records were accessed and by what kind of hospital employee. He said Kaiser had warned its employees about patient confidentiality rules before Suleman checked into the hospital in December. "Even though no one knew she was there, they knew she was going to have a lot of babies," Anderson said. "The extra monitoring he
Karl Wabst

Overview of Privacy - 0 views

  •  
    Overview Privacy is a fundamental human right. It underpins human dignity and other values such as freedom of association and freedom of speech. It has become one of the most important human rights of the modern age.[1] Privacy is recognized around the world in diverse regions and cultures. It is protected in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights treaties. Nearly every country in the world includes a right of privacy in its constitution. At a minimum, these provisions include rights of inviolability of the home and secrecy of communications. Most recently written constitutions include specific rights to access and control one's personal information. In many of the countries where privacy is not explicitly recognized in the constitution, the courts have found that right in other provisions. In many countries, international agreements that recognize privacy rights such as the International Covenant on Civil and Political Rights or the European Convention on Human Rights have been adopted into law. Defining Privacy Of all the human rights in the international catalogue, privacy is perhaps the most difficult to define.[2] Definitions of privacy vary widely according to context and environment. In many countries, the concept has been fused with data protection, which interprets privacy in terms of management of personal information. Outside this rather strict context, privacy protection is frequently seen as a way of drawing the line at how far society can intrude into a person's affairs.[3] The lack of a single definition should not imply that the issue lacks importance. As one writer observed, "in one sense, all human rights are aspects of the right to privacy."[4]
Karl Wabst

Data Security: Whose Job Is It Really? - CSO Online - Security and Risk - 0 views

  •  
    Forrester has a recommendation for CISOs struggling with how to secure corporate data: Stop trying so hard. Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches. Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization.
Karl Wabst

FTC warns of online economic stimulus scams - vnunet.com - 0 views

  •  
    Beware of web sites offering free money Iain Thomson in San Francisco vnunet.com, 04 Mar 2009 The Federal Trade Commission (FTC) is warning of a rash of online scams offering payouts under the economic stimulus plan passed by Congress. Businesses and individuals are being targeted by the scammers using web sites and emails, the organisation warned. Recipients are typically offered 'grants' from the government, and must either surrender bank details to get the funds or make a small payment. "Web sites may advertise that they can help you get money from the stimulus fund. Many use deceptive names or images of president Obama and vice president Biden to suggest that they are legitimate. They are not," said Eileen Harrington, acting director of the FTC's Bureau of Consumer Protection. "Don't fall for it. If you do, you'll get scammed." Several variants have also been discovered that use malware to steal important data. These include pages that purport to offer links to sites that show how to get the federal funds. The pages are loaded with malware that can penetrate an improperly patched browser. "Consumers who may already have fallen for these scams should carefully check their credit card bills for unauthorised charges, and report the scam to the FTC," said Harrington.
Karl Wabst

Is Twitter for sale? - FierceCIO - 0 views

  •  
    There are plenty of rumors out in the cyberworld about the future of Twitter, a popular social networking site, and whether the company will be acquired or partner with another company. Some believe one of the suitors is Google Inc. Rumor has it, the two companies are considering collaborating on a Google real time search engine. To make it work, Google could pay cash, stock or a combination of both. Google wouldn't comment on these rumors. Nevertheless, it's an intriguing idea for a company created three years ago that has, to date, not made any money. Analysts think this would be a good marriage, according to MarketWatch. Gartner Inc. analyst Jeff Mann, for one, told the website it's a pretty good idea. "The culture and ambitions of Twitter and Google match." Not only that, there are lots of indications of growth. Twitter's content is now growing by 6 million tweets per day, and that's a win-win situation for Google, for sure.
Karl Wabst

Privacy commissioner puts spotlight on internet monitoring technology - 0 views

  •  
    Is it a violation of privacy that should be banned or a tool necessary to keep the internet running? Canada's privacy commissioner has opened an online discussion on deep packet inspection, a technology that allows internet service providers and other organizations to intercept and examine packets of information as they are being sent over the internet. "We realized about a year ago that technologies involving network management were increasingly affecting how personal information of Canadians was being handled," said Colin McKay, director of research, education and outreach for the commissioner's office. The office decided to research those technologies, especially after receiving several complaints, and realized it was an opportunity to inform Canadians about the privacy implications. Over the weekend, the privacy commissioner launched a website where the public can discuss a series of essays on the technology written by 14 experts. The experts range from the privacy officer of a deep-packet inspection service vendor to technology law and internet security researchers. The website also offers an overview of the technology, which it describes as having the potential to provide "widespread access to vast amounts of personal information sent over the internet" for uses such as:
    * Targeted advertising based on users' behaviour.
    * Scanning for unlawful content such as copyright or obscene materials.
    * Intercepting data as part of surveillance for national security and crime investigations.
    * Monitoring traffic to measure network performance.
Karl Wabst

How Kaiser Permanente Went Paperless - BusinessWeek - 0 views

  •  
    Electronic medical recordkeeping may not cut the overall cost of care, but by eliminating redundant procedures and reducing errors, quality may be improved. When physician Andrew Wiesenthal needs to work out a problem, he runs around Lake Merritt, across the street from his Oakland (Calif.) office at Kaiser Permanente. As one of the main drivers behind Kaiser's decades-long, multibillion-dollar effort to overhaul the way patient health records are kept, Wiesenthal has had a lot of laps to run. Doctors and other medical professionals across the country will be working through similar challenges in the coming years. President Barack Obama plans to spend $17.2 billion to induce care providers to maintain patient records electronically, scrapping the current paper-based system. The Obama Administration wants electronic health records for every American by 2014. Obama's predecessor also made a big push for electronic recordkeeping, and many doctors and hospital administrators see upgrading recordkeeping as a good way to improve care. Yet, fewer than 2% of acute care hospitals have a comprehensive electronic health record system in place, with another 8% to 12% using a basic system, according to a study published by The New England Journal of Medicine in March. Adoption isn't much better among physicians. Only 4% have a comprehensive system in place, with another 13% using basic systems, according to a study published in the journal in July. Kaiser Permanente is one of the few exceptions. Today, all of its medical clinics and two-thirds of its hospitals operate in a paperless environment and the rest are scheduled to be completely digitized by next year. Across the system, about 14,000 physicians access electronic medical records for 8.7 million patients in nine states and the District of Columbia.
Karl Wabst

FCC Looks Ahead to Net Neutrality, Privacy - InternetNews.com - 0 views

  •  
    WASHINGTON -- Few tech policy debates are plumped up with more rhetoric than those concerning Net neutrality and privacy restrictions for advertisers. It should be a noisy year at the Federal Communications Commission. Here at the Cable Show, the annual conference hosted by the National Cable and Telecommunications Association, advisors to the three current commissioners outlined some of the simmering issues that are likely to boil up at the FCC this year, and those two are on the short list. Rick Chessen, acting chief of staff for interim FCC Chairman Michael Copps, said the agency could move toward adding to its Internet policy statement a fifth principle that would explicitly bar ISPs from discriminating against certain traffic on their networks. "The principle would be one of nondiscrimination, but you would recognize the need for reasonable network management," Chessen said. The FCC's broadband principles comprised the policy document that was at the center of last year's action against Comcast, where the agency found that the cable giant had unfairly blocked peer-to-peer traffic on its network without notifying its subscribers it was doing so. The new principle Chessen suggested would seek to clarify the agency's stance against the selective blocking of traffic. Comcast is challenging last year's ruling in a court case where the outcome could broadly shape how Congress proceeds with Net neutrality policy. Rosemary Harold, the legal advisor to Republican Commissioner Robert McDowell, said her boss is more cautious than the two Democrats on the matter.
Karl Wabst

Promoting Privacy And Free Speech Is Good Business | Privacy & Free Speech: It's Good f... - 0 views

  •  
    Promoting Privacy And Free Speech Is Good Business This Guide will help you make smart, proactive decisions about privacy and free speech so you can protect your customers' rights while bolstering the bottom line. Failing to take privacy and free speech into proper account can easily lead to negative press, government investigations and fines, costly lawsuits, and loss of customers and business partners. By making privacy and free speech a priority when developing a new product or business plan, your company can save time and money while enhancing its reputation and building customer loyalty and trust.
Karl Wabst

BBC NEWS | Technology | Phorm eyes launch after hard year - 0 views

  •  
    Online advertising firm Phorm is pressing ahead with plans to launch more than a year after it first drew criticism from some privacy advocates. Phorm executives will meet with members of the public on Tuesday, following a similar meeting in 2008. The service has proved controversial for some campaigners who believe it breaks UK data interception laws. The firm received clearance from the Home Office and police closed a file on BT trials of the technology. "We have been supported or endorsed by all of the leading stakeholders," Phorm chief executive Kent Ertugrul told BBC News. "Ofcom, the Information Commissioner's Office, the Home Office, leading privacy advocates like Simon Davies, the advertising industry and publishers have all backed our service," he said. He added: "We are very, very happy with where we are one year on." Trawling websites Phorm's system works by "trawling" websites visited by users whose ISPs have signed up to the service and for whom the technology is switched on, and then matches keywords from the content of the page to an anonymous profile. Users are then targeted with adverts that are more tailored to their interests on partner websites that have signed up to Phorm's technology.