News Archives

2004

New Codes of Practice for Employers
Privacy Commissioners issued two codes of practice for employers in December.  In the UK, the Office of the Information Commissioner published the long-awaited fourth and final part of its Employment Practices Data Protection Code, entitled "Information about Workers' Health."  The code offers advice to employers regarding the collection and use of employee medical records.  In Hong Kong, the Privacy Commissioner's Office issued guidance on monitoring the electronic communications of employees, in a document entitled “Privacy Guidelines: Monitoring and Personal Data Privacy at Work”.

Corporate Job Website Phished 
In the first known case of phishing a corporate job website, Gartner reported that job applicants in Australia were steered via e-mail messages to a phony website replicating that of Credit Suisse Bank.  Part of the "job application" they found asked for personal information useful in identity theft.  Gartner believes social engineering such as this will be the greatest security threat over the next decade, ahead of electronic hacking or cracking.

Top IT Priority: Regulatory Compliance
According to a major global survey, regulatory compliance heads the list of issues facing IT.  The survey of 758 IT decision-makers, conducted by the Economist Intelligence Unit, also found that data privacy legislation was the number one compliance concern of IT professionals, followed by anti-money-laundering and Sarbanes-Oxley.  Besides avoiding regulatory fines, respondents cited the safeguarding of brand image as a key driver in attending to compliance issues.  Significantly, some 92 per cent of respondents expect to achieve greater process efficiency through their compliance efforts.

Safe Harbor Review Finds Problems, Progress 
The European Commission issued a report on October 20, 2004 reviewing the implementation of the Safe Harbor Program. While praising the "constant growth" in the number of companies participating in the program, the review noted that further expansion in membership is desirable.  The major problems revealed by the review, which was carried out primarily through a desk audit of a sample of program participants performed by outside consultants, were the failure of a "substantial minority" of companies to have Safe Harbor-compliant privacy policies publicly available, the lack of a public commitment by companies to follow the advice of the EU panel of data protection authorities handling disputes, and questions about whether the FTC has enforcement jurisdiction for companies joining Safe Harbor for HR data.  The report follows a February 2002 review which identified some of the same problems, such as a lack of transparency and completeness in Safe Harbor privacy policies.

Provincial Laws Found Substantially Similar to PIPEDA 
On October 12, 2004 provincial privacy laws of Alberta and British Columbia were judged to be “substantially similar” to Canada's federal privacy legislation, PIPEDA. The finding means that the two provincial laws pre-empt PIPEDA in their respective jurisdictions.  Unlike PIPEDA, both the Alberta and British Columbia privacy laws apply to the processing of all private sector employee personal information, so that employers within these provinces, as well as in Quebec, must comply with EU-style comprehensive privacy laws when collecting and using data of applicants and employees.

Phishing Threats Accelerating
Phishing efforts are expected to grow dramatically worse as ID thieves intensify efforts to fool computer users into revealing sensitive personal and financial information.  It may be only a matter of time before criminals use the same techniques to victimize employees accessing what they believe to be corporate self-service portals, such as those containing direct deposit or other financial information.  Some of the latest news on phishing threats, responses and research can be found at the website of the Anti-Phishing Working Group.

First Reported Implanting of RFID Chips in Employees
The first known cases of RFID-tagging of employees emerged, with the Attorney General of Mexico reporting that he and members of his staff have had the tiny chips implanted in their arms, to ensure authenticated access to the new criminal information center, which contains sensitive criminal databases and sophisticated communications systems.  Other employers, such as hospitals located primarily outside the U.S., are reportedly evaluating similar usage to identify patients and control access to their information by medical staff.  According to VeriChip, the RFID tag maker, some 1,000 individuals worldwide have had chips implanted under their skin. In mid-October 2004, the FDA approved the use of RFID chips by institutions engaged in the delivery of medical care, although the agency subsequently admitted it had not addressed the privacy issues involved.

France Passes Amendments Implementing Privacy Directive
On July 15th, the French senate passed amendments to its 1978 Data Protection Act bringing it formally into line with the EU Data Protection Directive.  By passing the amendments, France became the last of the original 15 EU member states to implement the 1995 directive into national law.  Previously, France had maintained that it had not failed to implement the Directive, since it was already interpreting its 1978 Act in light of the Directive.  The amendments that were passed strengthen the powers of the CNIL (the French data protection agency), impose steeper fines for non-compliance, and create new rules on notification of processing.

Security Risks with iPods, PDAs and Other Removable Storage Devices
There is growing recognition that pocket-sized digital devices, such as MP3 players, PDAs and USB-connected flash drives, pose significant security risks that organizations need to address.  The British Ministry of Defence denied news reports that it has banned use of the devices in most areas of its headquarters, while affirming it did impose certain restrictions on their use.  A survey of 200 UK corporations showed that 82% of respondents regard so-called mobile media devices like the iPod as a security threat, with a good number also banning use of the devices.  In the U.S., the IRS’s use of nearly 2,000 uncertified personal digital assistants that do not encrypt sensitive data came in for criticism by the Treasury Inspector General’s office.  Gartner Consulting also advised companies to take the risks associated with these removable storage devices seriously.  In a related development, all work at U.S. Department of Energy using controlled removable electronic media, including classified hard drives and computer disks, was ordered halted until proper security can be assured.  The order, coupled with threats of firings of responsible managers, came two weeks after officials at Los Alamos National Laboratory discovered that two disks containing classified data were missing.

New Survey: 43% of Large Corporations Employ Staff to Monitor and Read Outbound E-mail
According to a new survey by Forrester Consulting, sponsored by Proofpoint, more than 43% of corporations with more than 20,000 employees employ staff to monitor and read outbound e-mail.  While monitoring of e-mail in the U.S. is hardly new, what is surprising is how many companies find it necessary to supplement content-scanning software with actual review of messages by staff.  The survey also found that the larger the company, the more likely it is to provide human monitoring of outbound e-mail.  Concerns expressed by companies responding to the survey included stopping the leak of intellectual property, confidential memos and embarrassing information, and ensuring compliance with personal, financial and healthcare privacy regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA.
