CIPP Information Privacy & Security News

"A federal law designed to prevent employers and health insurers from discriminating against an individual based on their genetic predisposition to disease took effect late last month, signaling a new era where intermingling genetic advances and privacy concerns create new challenges in health care. But left out of the federal Genetic Information Nondiscrimination Act, commonly known as GINA, were privacy protections for individuals seeking long-term care, disability and life insurance coverage. Each of those areas was left up to the individual states. At least 10 states regulate the use of genetic information in long-term care insurance. But in California, privacy protections were left to expire by lawmakers in January 2008. Mark Billingsley, spokesman for state insurance commissioner Steve Poizner, said in an e-mail that there "appears to be a giant loophole" in California's insurance code regarding long-term care insurance and genetic privacy protections. He said he couldn't identify a single provision in the state code that would preclude a private insurer from requesting such a test for underwriting purposes. "

"Consumers are often oblivious to the fact that some businesses share a great deal of their personal information with other businesses who deliver targeted behavioral advertising, says Anzen analysts Megan Brister and Jordan Prokopy. In an e-mail interview with IT Business Edge editor Lora Bentley, Brister and Prokopy say most consumers are just not aware of the business practices of companies that use personal information for profit. The Federal Trade Commission recently held meetings with consumer and privacy advocates, business and government leaders to discuss privacy, regulatory, and business issues of online behavioral advertising. It plans plan to ramp up efforts to protect consumers and possibly push for tougher legislation to protect consumers. One issue, Brister and Prokopy say, is the lack of transparency by companies that engage in behavioral advertising. These companies have been slow to adopt clear data-management policies and even when they do have policies, they are often written in language that is difficult to understand. Fortunately for consumers, some type of regulation appears to be on the way. The FTC appears eager to penalize businesses who lack transparency regardless of whether the consumer actually experienced any real negative effects as a result, Brister and Prokopy say."

"Lora Bentley spoke with Anzen analysts Megan Brister and Jordan Prokopy via e-mail regarding behavioral advertising - what companies are doing, what regulators want to do and what we, as advertising consumers, need to know. With their coworker Miyo Yamashita, the analysts recently wrote a guest opinion for IT Business Edge. Bentley: Why are so many concerned about privacy when it comes to behavioral advertising? What is it about the Internet that convinces consumers that information they share there is not being used? Brister and Prokopy: Most concerns stem from the lack of transparency around data disclosure practices. While consumers may value a Web site's product and service offerings, they are generally unaware that businesses share their information with an extensive group of other businesses in order to deliver targeted advertising. This group includes news Web sites, advertising networks, profiling services, and Web analytics providers, to name a few. As Pamela Jones Harbour, a Commissioner at the Federal Trade Commission (FTC), discussed at the FTC Roundtable earlier this week, there is an asymmetry between consumer perceptions and business realities. Once consumers are informed of businesses' data handling practices, they will want to have more control over how businesses manage their information. As we discuss in our article, some businesses engaged in online behavioral advertising have been slow to adopt transparent consumer data management policies. This is a concern particularly for vulnerable groups, such as minors or non-English speaking consumers, because they may not understand legally written policies. Consumer advocacy groups argue that without knowledge and control over the collection, use, and disclosure of data, Web sites may misuse or expose sensitive data about consumers' health, lifestyles and finances."

"The United States House of Representatives took a major step this week toward enacting a national data breach notification law. H.R. 2221, the Data Accountability and Trust Act (DATA), cleared the House with a voice vote. In its current form, DATA requires businesses to notify customers and the Federal Trade Commission (FTC) if sensitive information has been exposed to a security breach. If the U.S. Senate can reconcile its own approach to data breach notification legislation with DATA, a new federal standard will emerge. If signed into law by President Barack Obama, a federal data breach ¬law would pre-empt the jumbled mass of dozens of state laws. "You'd be better served by federal legislation if the federal legislation has teeth and doesn't pre-empt the state's law," said California state senator Joe Simitian, speaking to executive editor Scot Petersen in September. "If there was a meaningful standard at the national level, I think many states would be happy to accept it." Aside from the data breach notification required by the HITECH Act, DATA would put into place the first national law of its kind. H.R. 2221 was sponsored by House Subcommittee Chair Rep. Bobby L. Rush of Illinois. The bill specifically states that: "Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data -- 1. notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security; and 2. notify the Federal Trade Commission."

"We all know that Internet and communications technology is changing rapidly, creating huge opportunities for business innovation and individual self-expression. Most people are probably not aware, however, that privacy law is not evolving nearly as quickly. It is time to update legal protections to reflect the impact the digital revolution is having on modern life. Cloud computing -- a bit of tech-jargon meaning the use of remote servers to store and process data -- is a great example. The movement of personal and proprietary data off desktop computers and into "the cloud", which is made up of server farms and broadband connections, is a major disruptive trend in computing. Unless our laws change to account for cloud computing and other equally momentous technology developments, the Constitution's protection against unreasonable search and seizure will become a relic of the past. The federal law setting standards for government access to personal communications -- the Electronic Communications Privacy Act (ECPA) -- was written more than two decades ago, before the Internet took off. "

"Reporting from Washington - When your doctor writes you a prescription, that's just between you, your doctor and maybe your health insurance company -- right? Wrong. As things stand now, the pharmaceutical companies that make those prescription drugs are looking over the doctor's shoulder to keep track of how many prescriptions for each drug the physician is writing. By obtaining data from pharmacies and health insurers, the drug companies learn the prescribing habits of thousands of doctors. That information has become not just a powerful sales and marketing tool for the pharmaceutical industry but also a source of growing concern among some elected officials, healthcare advocates and legal authorities. "

"It has been a bad past couple of months for healthcare information security. In October and November, multiple healthcare organizations announced patient data losses that made headlines in their communities, and national news in a few of the most egregious instances in which breaches involved hundreds of thousands of records."

"In a sign that state attorneys general may be flexing the HIPAA enforcement muscle granted by the HITECH Act provisions in the Recovery Act, the Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that they failed to disclose for several months. Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which requires mandatory notifications within two months of knowledge of a breach. Connecticut Attorney General Richard Blumenthal (D) has emerged as possibly the first AG to take on a HIPAA investigation, and Arizona's AG may also be pursuing a similar course. The larger of the two breaches that have come to the AGs' attention was experienced by Health Net, Inc., which lost a portable external hard drive containing seven years of data for 446,000 Connecticut residents. The lost data came from 1.5 million individuals in total, who also hailed from New Jersey and New York. Health Net reported the loss to the Connecticut AG on Nov. 19, and on the same day Blumenthal issued a scathing statement demanding answers and promising action. He specifically said he was investigating whether Health Net may have violated "federal laws," as well as his state's own data protection laws."

"Legislation, which now moves to the Senate, requires data brokers to provide nationwide notice for certain data breaches and allows consumers to verify and to correct information held on them by data brokers. The U.S. House of Representatives approved legislation Dec. 8 requiring data brokers to establish procedures to verify the accuracy of information that identifies individuals in their databases and to allow consumers to access and request correction of incorrect information. The Data Accountability and Trust Act, approved on a voice vote, would also require data brokers to provide nationwide notice in the event of certain security breaches. The legislation now moves to the U.S. Senate."

"Part one of a two-part series: Facebook, the global phenomenon in Web-based social media, rolled out a massive overhaul of its privacy protection policies and technology this week-and in so doing may have drawn up a playbook for healthcare as well, industry experts say. The privacy upgrade gives its 350 million worldwide users increased control over who has access to some of, but not all, the information on their personal pages. These new, so-called "granular" controls-specifically those embedded in the site's "publisher" function, which enables a user to post new material to his or her Facebook pages-reach down to the level of discrete data elements. The new controls, for example, allow a user to restrict who gets to see each newly posted photo or typed comment"

"Hackers are using a variety of weapons and exploiting errors such as default passwords and weak or misconfigured access control lists (ACLs), according to the latest Verizon Business Data Breach Investigations Report. The follow-up to April's 2009 Data Breach Investigation Report looks under the hood of the company's probes, analyzing how breaches happen and how to protect sensitive data. "Customers who read the 2009 Data Breach Investigation Report said they wanted to know how these attacks take place, give some examples from our caseloads and see if those circumstances can happen to them," said Wade Baker, Verizon Business research and intelligence principal. "

"Kathy Silver, CEO of University Medical Center, learned three weeks ago that names, birth dates and Social Security numbers for at least 21 patients were leaked from the hospital - a crime being investigated by the FBI. But the hospital still has not disclosed the breach to the patients, Silver told a committee of legislators Wednesday. She spoke as if this was not a problem. The law allows 60 days from the time UMC learns of a security breach to inform patients, she said. One victim says that is too long to wait to tell patients they may be at risk of identity theft. The hospital should have disclosed the breach immediately, said a 40-year-old UMC patient whose personal information - the kind that can be used for identity theft - was leaked. The man, who went to the public hospital Nov. 1 after a motorcycle accident, learned his privacy had been breached only when a Las Vegas Sun reporter told him Wednesday afternoon. The man was stunned and angry to learn from someone other than hospital officials that his data had been leaked. Hospital officials should have notified him "way sooner," he said. "I would've given them two or three days after they initially found out. But this is a major thing - a priority thing!""

"The ubiquity of online advertising is a product of its importance to the internet economy, said a group of consumer advocates Wednesday during a debate on the future of online advertising. But the impact of new targeted advertising methods on consumer privacy and its potential to manipulate online experiences was the subject of heated argument at the event, sponsored by the Information Technology and Innovation Foundation. Privacy does not mean the same thing to all consumers in all situations, said Progress and Freedom Foundation Senior Fellow Berin Szoka. Advertisements are attempts to capture user attention - the "great currency of the Internet" - and when successful support a wide range of valuable content, he said. But in online life, "consumers have many values," Szoka added. "Privacy is one of them," he said, but it is not an absolute. Consumers must sometimes trade privacy for content, he said. "There is no free lunch." As more information and entertainment migrates to the internet, Szoka said it is "critical…that we find a way to support this media." Targeted advertising can fit the bill, he suggested - especially if technology gives users more control over their own preferences. Most consumers don't understand that advertising is a necessity for today's internet, he said. New technologies like targeting need to be given a try, he said, so content providers can recoup the value of their advertising - down 25 percent since 2000, he noted. Center for Digital Democracy founder Jeff Chester said Szoka's ideas about advertising's future represented a "false dichotomy." The real debate should be over the rules that regulate advertiser content, he said. Chester warned of a "Targeting 2.0″ system in which neuroscience combined with massive databases not only serve ads, but target content to users. "It's about influencing our behavior without our consent," he said. Chester pointed to the subprime lending cr

"If you're concerned about Google retaining your personal data, then you must be doing something you shouldn't be doing. At least that's the word from Google CEO Eric Schmidt. "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Schmidt tells CNBC, sparking howls of incredulity from the likes of Gawker. But the bigger news may be that Schmidt has actually admitted there are cases where the search giant is forced to release your personal data. "If you really need that kind of privacy, the reality is that search engines - including Google - do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities." There's also the possibility of subpoenas. And hacks. But if any of this bothers you, you should be ashamed of yourself. According to Eric Schmidt. Gawker highlights the irony of Schmidt's typically haughty proclamations. After all, this is the man who banned CNet for a year after the news site published information about him it had gleaned from, yes, Google. But the larger point here is that Schmidt isn't even addressing the issue at hand. Per usual. When the privacy question appears, Google likes to talk about the people asking the questions. But the problem lies elsewhere: with the millions upon millions blissfully unaware of the questions. If you're concerned about your online privacy, you can always put the kibosh on Google's tracking cookies. You can avoid signing in to Google accounts. And, yes, you can avoid using Google for anything Eric Schmidt thinks you shouldn't be doing. But most web users don't even realize Google is hoarding their data. CNBC asks Schmidt: "People are treating Google like their most trusted friend. Should they be?" But he answers by scoffing at those who don't trust Google at all. Not that you'd expect anythin

"Two Kansas men have been charged with making $1m in proceeds by buying computer networking gear in China and passing it off as products from Cisco Systems. Christopher Myers, 40, and Timothy Weatherly, 27, obtained the networking gear from a variety of sources and then slapped phony Cisco labels on them, according to documents filed in federal court in Kansas City. To give the goods the additional air of legitimacy, they put them in purported Cisco boxes and included counterfeit Cisco manuals. Myers also stands accused of obtaining access to a website containing Cisco's confidential serial numbers, so the men could affix them to the gear they sold. Prosecutors said the men sold the equipment on eBay and on private websites. They were charged with one count of conspiracy, 30 counts of trafficking in counterfeit goods and one count of trafficking in counterfeit labels. The government is seeking forfeiture of $1m in proceeds from the alleged crimes. If convicted, the men also face a maximum of fives years in prison and $250,000 in fines. Myers made an initial appearance in court on Thursday. Security experts have warned that counterfeit networking gear could contain back doors that allow spies to conduct industrial espionage on US companies."

"Two L.A. traffic engineers who pleaded guilty to hacking into the city's signal system and slowing traffic at key intersections as part of a labor protest have been sentenced to two years' probation. Authorities said that Gabriel Murillo, 40, and Kartik Patel, 37, hacked into the system in 2006 despite the city's efforts to block access during a labor action. Fearful that the strikers could wreak havoc, the city temporarily blocked all engineers from access to the computer that controls traffic signals. But authorities said Patel and Murillo found a way in and picked their targets with care -- intersections they knew would cause significant backups because they were close to freeways and major destinations. The engineers programmed the signals so that red lights for several days starting Aug. 21, 2006 would be extremely long on the most congested approaches to the intersections, causing gridlock. Cars backed up at Los Angeles International Airport, at a key intersection in Studio City, at access onto the clogged Glendale Freeway and throughout the streets of Little Tokyo and the L.A. Civic Center area, sources told The Times at the time. No accidents occurred as a result. As part of their plea deal, the engineers agreed to pay $6,250 in restitution and completed 240 hours of community service."

"Important personal information, such as social security numbers, names and zip codes, of many Notre Dame employees was exposed to the Internet after the University accidentally placed the information in a publicly accessible location. The data breach affected about 24,000 employees, including some students who work for the University, Gordon Wishon, associate vice president of information technology and the University's chief information officer, said. The personal information that was exposed will no longer be accessible because the University immediately removed it from the Internet and secured it, he said. "

"Yahoo released a beta of a tool, Ad Interest Manager, designed to be a transparent user dashboard for privacy. It works. Yahoo has everything from your surfing habits to your operating system to your screen resolution. The tool gives users a one-stop shop to opt out of ad categories (statement). As Yahoo notes on its overview: To make our ads more relevant and useful for you, we make educated guesses about your interests based on your activity on Yahoo!'s sites and services. Some of the ads we show you reflect these interests. You can opt out of interest-based advertising altogether using the tools on this page. Here's what it looks like:"

"The U.S. Supreme Court Monday will hear arguments for and against the constitutionality of the oversight board established to monitor public company financial activity as part of the Sarbanes-Oxley regulation. The Sarbanes-Oxley Act was created and enacted into law partly in response to corporate accounting scandals such as Enron and WorldCom. The regulatory standard set out to reduce such fraudulent financial activities and provide an oversight mechanism for public companies. Part of the law includes the establishment of the Public Company Accounting Oversight Board (PCAOB), which consists of five members appointed by the Securities and Exchange Commission (SEC). The arguments to be heard this week relate directly to the PCAOB. While set up to regulate financial accounting at companies, those opposed to the board's powers argue that because its members are not appointed by the president, the board's control is unconstitutional based on the country's tenets of three branches of government. The challengers to the law say that the PCAOB lacks the presidential control required for executive branch agencies because the five members are appointed by the SEC, which doesn't fall under presidential powers. As a private agency in essence, the PCAOB is able to act as a government authority, which the Free Enterprise Fund believes to be unconstitutional. "

"Google's expanding its grasp on the Internet with a newly revealed DNS resolving service. Google Public DNS, announced Thursday on Google's blog, will offer you an alternative way to connect to Web sites. As with the launch of most Google services, people are starting to ask questions about what kind of data will be collected and how exactly it will be used. (Or, in more lay terms, "Is Google going to be evil?") Here are some straight-forward answers, straight from the source. "