News Archives

2005

December 2005

Privacy Firestorm in Washington 
An unprecedented privacy firestorm will develop in Washington in January, with debate raging over the proper limits of government interference in the private lives of Americans.  High-profile privacy issues that will have to be addressed during the month include renewal of the USA Patriot Act; warrantless eavesdropping in violation of the FISA Act by the National Security Agency; possible large-scale data-mining by the NSA with the cooperation of major telecoms and others; FBI monitoring of anti-war, community and environmental groups; and Judge Alito’s support for warrantless wiretapping and opposition to Roe v. Wade.

European Regulators Praise Safe Harbor
The initial reluctance amongst some European regulators and legislators to embrace the Safe Harbor Program has yielded to a widespread appreciation of its value as a compliance option, according to regulators participating in the Safe Harbor Workshop co-sponsored by the U.S. Dept. of Commerce and the Article 29 Working Party in Washington on December 7.  To date no complaints have been referred to the panel of data protection authorities established as an independent recourse mechanism under the program, let alone by them to the Dept. of Commerce or the FTC.

FTC Enforcement Action in Area of HR Data 
The FTC may announce a major enforcement action in the area of HR data privacy during the first half of 2006, according to Lydia Parnes, Director, Bureau of Consumer Protection, speaking at the Dec. 7 Safe Harbor Workshop held at the Dept. of Commerce.

Article 29 Working Party Issues Paper on Derogations 
On November 25 the Article 29 Working Party issued an opinion paper, WP 114, sharply limiting the use of derogations, such as consent and necessity for the performance of a contract, as a basis for most data transfers from Europe.  The paper, conceived as part of the increased emphasis upon enforcement in Europe, is likely to drive U.S. companies towards greater use of Safe Harbor, model contracts or binding corporate rules.

Canadian Court Upholds Employer's Voice Recognition System 
In a case underscoring the inherent difficulties with consent in the employment context, the Federal Court of Canada issued a decision on November 29 upholding the right of TELUS to introduce a biometric voice recognition system as an authenticator for access to data applications; the court rejected the claims of four employees who had withheld their consent and sought to block the introduction of the system as a violation of their privacy rights under PIPEDA.

November 2005

Microsoft Calls for Broad National Privacy Law 
On November 3 Microsoft called on Congress to enact comprehensive national privacy legislation that would go far beyond the notice of data breach laws now under consideration in Washington.  Microsoft joins HP, eBay and other high-tech companies in advocating a comprehensive privacy law to address consumer concerns about controlling personal information both online and off, and to overcome the problems associated with the current patchwork of privacy laws.

Theft of Laptop Affects 161,000 Employees 
Boeing became the 13th employer to publicly report a breach of data security this year, with news that a laptop containing personal data of 161,000 current and former employees had been stolen. Other employers reporting breaches in 2005 have included SAIC, Bank of America, Adecco Employment Services, Time Warner, MCI, Purdue University, the U.S. Dept. of Justice, Motorola, FDIC, Eastman Kodak, San Diego County and the U.S. Air Force.

CNIL Issues Whistleblowing Guidelines 
On November 15, following consultation with the SEC, CNIL (the French data protection authority) issued an orientation document concerning the deployment in France of whistleblowing programs, such as ethics hotlines instituted for SOX compliance.  The guidance does not rule out such programs, but establishes a number of strict requirements upon them, such as limiting them to matters relating to accounting and financial reporting.

APEC Ministers Approve Privacy Framework
Meeting in Busan, Korea on November 16, governmental ministers from APEC countries formally approved the APEC Privacy Framework.  The 40-page guidelines promote a flexible approach to information privacy protection across APEC member economies, while seeking to avoid the creation of unnecessary barriers to information flows.

TRUSTe Publishes Data Security Guidelines 
TRUSTe, the independent certifier and monitor of website and email privacy policies and practices, issued revised data security guidelines for its licensees and the general public.  The new version, in the form of a 22-page checklist, provides additional information about web application security, mobile devices, and preparation for possible data breaches.

IBM Bars Genetic Discrimination 
IBM became the first major company to announce a privacy policy promising not to use genetic information in employment decisions.  The U.S. Senate has already unanimously approved legislation banning genetic discrimination.  The move continues IBM’s tradition of voluntary HR privacy leadership: several years ago it announced that it would no longer do business with benefits vendors using SSNs as employee identifiers.

October 2005

Delays in Federal Data Breach Legislation 
Two more data security breaches affecting employees were announced in October.  The first stemmed from the theft of four computer hard drives with sensitive data of 15,000 military personnel serving in Iraq and stationed at Fort Carson in Colorado, and the second from the unauthorized downloading of records of 465,000 Georgians, half of them employees. Meanwhile, the lack of data linking most security breaches to actual harm to the individuals affected has been cited as one of the factors slowing down what earlier appeared to be a Congressional rush to enact national data breach legislation.  A new federal law is not expected now until sometime in 2006.

South Africa Considers EU-like Privacy Law 
After extensive study, the South African Law Reform Commission has released a comprehensive privacy bill for public comment until February 28, 2006. The draft bill, intended to facilitate South Africa's integration into the world economy, is modeled after the EU data protection directive and the OECD guidelines, and creates an information commissioner to oversee compliance.

Safe Harbor Continues Steady Growth 
As of the end of October, the US-EU Safe Harbor Program sponsored by the Department of Commerce had 811 participants.  The rate of growth in participants has remained steady since the program's inception in November 2000, averaging about 12-13 new companies per month.

DOJ Scrutinizes Background Investigations 
Speaking at the IAPP Privacy Academy 2005 conference in Las Vegas, Bob Belair, a Washington DC attorney, reported that the U.S. Department of Justice is conducting a major study of how background investigations are carried out.  The study, prompted by concerns about the 40 million investigations conducted each year, will result in a report to Congress next spring.

September 2005

Constitutional Right to Privacy Affirmed 
During his confirmation hearings John Roberts, now Chief Justice, U.S. Supreme Court, declared unequivocally that a right to privacy exists in the Constitution, citing a basis for this protection in the First, Third, Fourth and 14th Amendments, as well as in 80 years of Supreme Court decisions.  How this belief will translate into rulings in particular cases, such as those dealing with abortion, remains to be seen; however, his unexpected endorsement of privacy clearly contributed to the margin by which he was confirmed.

New Employee Benefit:  ID Theft Insurance 
A number of employers have begun to offer ID Theft Insurance as a benefit to all employees.  The benefits vary, but can include credit monitoring, case manager help with identity recovery, and reimbursement for lost wages; costs range from $1 to $50 per year per employee.

Call for UN Covenant on Data Protection 
Meeting in Switzerland, data protection commissioners from 40 countries called upon the United Nations to prepare “a legal binding instrument which clearly sets out in detail the rights to data protection and privacy as enforceable human rights”.  The Montreux Declaration, subtitled “The protection of personal data and privacy in a globalized world: a universal right respecting diversities”, also asked international organizations to commit themselves to complying with data protection rules, international NGOs to draw up data protection standards, and hardware and software manufacturers to develop products and systems that integrate privacy-enhancing technologies.

FTC Sets New National Data Security Standard 
The FTC settlement with BJ’s Wholesale Club has established a new national data security standard that all companies will be held to, according to panelists on a September 20 IAPP teleconference.  In the BJ’s case, the FTC continued its steady expansion of regulatory oversight by arguing that its Section 5 powers to address “unfair and deceptive practices” did not require deception by a company (as in posting an unsupported privacy policy), but only unfairness.  Amongst other requirements, the settlement compels BJ’s to “establish and maintain a comprehensive information security program in writing that is reasonably designed to protect the security, confidentiality, and integrity of personal information it collects”, with “appropriate administrative, technical, and physical safeguards”.  Panelists included Jessica Rich, assistant director of the FTC’s Division of Financial Practices; Kirk Nahra, of Wiley Rein & Fielding; and Lisa Sotto, of Hunton & Williams. 

The Right to Privacy and John Roberts 
The question of whether a constitutional right to privacy exists in the U.S. is expected to be a contentious issue in September’s Senate confirmation hearings for John Roberts as Chief Justice of the Supreme Court.  The term privacy does not appear in either the Constitution or Bill of Rights.  However, some legal scholars argue that the existence of such a right can be inferred from others that are named.  In addition, the Ninth Amendment recognizes the existence of rights not enumerated in the Constitution.  

August 2005

HR Data Breaches in San Diego, San Antonio 
Data breaches were reported in August affecting more than 32,000 current and former employees of San Diego County, and 33,000 officers stationed at Randolph Air Force Base in San Antonio.  As expected, New York has joined the ranks of some 20 states with security breach notification laws; New York’s law is modeled closely on California’s SB 1386.  Six separate bills addressing data breaches are currently pending in Congress.

New Data Exposure in Call Center in India 
Privacy risks associated with use of call centers established in India continued to gain attention following the disclosure in August of a black market in the personal data of Australians. NASSCOM, the Indian software association, responded with plans for a series of measures aimed at maintaining confidence in Indian outsourcing firms, including the initiation of a public debate about the need for new privacy legislation going beyond current data protection proposals.

Concerns Over Inaccuracies in Background Checks 
On August 7, the Privacy Rights Clearinghouse and Privacy Activism submitted a detailed report and comments to the US Attorney General on commercial data brokers and private employers’ use of federal criminal records for employment purposes. The comments describe problems surrounding inaccurate information which can be devastating to an applicant’s record.  “Transparency and accuracy are vital to the background check process. People's livelihoods are at stake, and when background checks contain errors, the damage can be devastating to individuals seeking work,” said Privacy Rights Clearinghouse Director, Beth Givens.

July 2005

Notice of Breach Laws Spreading 
As of July 20, notice of breach legislation, inspired by California SB 1386, has been enacted in 17 states (Arkansas, Connecticut, Delaware, Florida, Georgia, Indiana, Illinois, Louisiana, Maine, Minnesota, Montana, Nevada, North Dakota, Rhode Island, Tennessee, Texas, and Washington), with New York and New Jersey expected to follow shortly.  Five Congressional committees are developing more comprehensive national legislation in response to the 51 data breaches reported during the first seven months of this year.  Federal legislation, pre-empting state notice of breach laws, is likely to be passed after Congress returns from its summer recess. 

Court Rules Against Covert Surveillance by Anheuser-Busch 
In a July 5th ruling by the US Court of Appeals for the District of Columbia Circuit, Anheuser-Busch was found to have violated federal labor laws by installing hidden cameras to monitor workers in the break area of its St. Louis Brewery and then disciplining 16 workers.  Employers are allowed, under the National Labor Relations Act, to install secret cameras as long as they inform unions about their intentions beforehand.

California Bans SSNs on Paychecks 
On July 21 the California legislature enacted a law (SB 101) requiring employers to display only the last four digits of SSNs on paychecks, or an alternative employee identifier, by January 1, 2008.

European Commission Sues Germany, Austria for Weak DP Oversight 
On July 25 it was announced that the European Commission has filed suit in the European Court of Justice against Germany, claiming that the supervisory data protection authorities in German states are not sufficiently independent of the heads of state governments to meet the requirements of the EU Data Protection Directive.  The case arose out of litigation involving T-Online, a subsidiary of Deutsche Telekom, in the state of Hesse.  The Commission is also suing Austria, on the grounds that its national supervisory authority lacks sufficient independence to carry out its data protection duties.

June 2005

FDIC Employee Data Breach 
CNN reported on June 16 that the Federal Deposit Insurance Corporation (FDIC) has alerted 6,000 current and former employees that their personal data has been compromised and that they need to be on guard against identity theft.  This is the fourth report of security breaches involving employee data in the last six weeks.  The other organizations involved have been MCI, Time Warner, and the U.S. Dept. of Justice.

May 2005

Two Laptops with Employee Data Stolen 
MCI reported on May 23 that a laptop containing names and SSNs of 16,500 current and former employees was stolen from the car of one of its financial analysts in Colorado Springs.  The laptop was said to be password-protected, but it was not revealed whether the data was encrypted.  MCI has sent letters to all the affected individuals.  On May 31, it was reported that the FBI and Virginia police were investigating the theft of a laptop containing names and credit card numbers of about 80,000 U.S. Dept. of Justice employees.  The laptop was stolen from a travel agency used by the department.  Data on the laptop was said to be password-protected.

New AMA Survey Shows Rise in Electronic Monitoring, Notice 
Monitoring of electronic communications by employers continues to rise, according to a 2005 AMA survey.  76% of employers monitor website connections, 36% engage in keystroke tracking, 50% store and review employees' computer files, and 55% retain and review e-mail messages.  Depending upon the type of monitoring involved, 80-89% of employers inform employees about their monitoring practices.  26% have fired workers for misusing the Internet, and another 25% have terminated employees for e-mail misuse.

Latest Data Breach Hits 600,000 Time Warner Employees 
Computer backup tapes being picked up by Iron Mountain from Time Warner were reported missing on May 2, placing 600,000 employees, ex-employees, dependents and beneficiaries at risk of identity theft.  Time Warner began notifying all affected individuals, including an offer to pay for one year of credit monitoring.  The company also indicated that it would institute Iron Mountain's recommendation, made two weeks ago, that all backup tapes be encrypted.

April 2005

Data Security Breaches Intensify 
Data security breaches continued to pile up in April: 1.4 million credit card numbers and names stolen from DSW Shoe Warehouse; SSNs of more than 1,000 employees of ADP's Adecco Employment Services unit accidentally exposed on postcards; ten former employees of a call center run by Mphasis BPO (India) charged with stealing funds from NY-area customers of Citibank; two computers containing 185,000 patient records stolen from the San Jose Medical Group; 180,000 holders of GM-branded MasterCards warned by HSBC of a security breach at a retailer believed to be Polo Ralph Lauren; and over 200,000 clients of Ameritrade warned following the unexplained loss of a back-up tape containing sensitive financial information.  Pressures for new laws to counter identity theft are mounting at both state and federal levels.

Michigan Restricts Use of SSNs by Employers 
Michigan became the first state to pass a law requiring every employer to maintain a policy for safeguarding employee social security numbers.  In addition, the Michigan Court of Appeals became the first appellate court to allow the victims of identity theft to recover damages (totaling $275,000) from an organization that failed to adequately safeguard personal information that was subsequently used for identity theft.

February 2005

European Commission Backs New Workplace Privacy Initiative
The European Commission's five-year social policy agenda, issued February 9, 2005, further advances an initiative to develop a new framework document, possibly in the form of a Directive, to protect the personal information of workers.  The initiative began with consultations with European-level social partners (representatives of employers and of employees) in 2001 and again in 2002.

Tape Theft Exposes 1.2 Million Federal Employees to ID Theft
On February 25 the Bank of America reported the theft of computer tapes containing account information on 1.2 million federal employee credit cards, among them those of U.S. senators and employees of the Pentagon and 40 other agencies, potentially exposing them all to theft or hacking.  The Bank has begun sending out warning letters to those deemed most at risk. Coming on the heels of the ChoicePoint security breach debacle, this latest data security failure is likely to fuel the current firestorm around inadequate protection for personal information useful in ID theft and fraud.

ChoicePoint, SAIC Issue Security Breach Notices
ChoicePoint, the data aggregation company that maintains and markets personal information on the vast majority of Americans, has sent at least 145,000 cautionary letters to consumers whose records were fraudulently accessed by Nigerian ID thieves posing as legitimate businesses.  The action by the company was compelled by California's security breach law (SB 1386).  State Attorneys General, state legislators, members of Congress, privacy advocates and the media are responding with growing calls for stronger protection for personal information.  The same law prompted the Science Applications International Corporation of San Diego to send warning notices to 45,000 employees, following a break-in and theft of computer equipment containing their personal information relating to employee stock ownership.

January 2005

China Considering Passage of EU-Style Comprehensive Privacy Law 
According to reports appearing in ChinaNews on January 19 and in People’s Daily Online on January 25, the government of the People’s Republic of China is considering passage of a draft omnibus privacy protection bill adopting approaches very similar to those of the European Union. The draft bill was prepared by a government-appointed group of experts.

Keeping a Job Hunt Private 
Keeping one’s job hunting private while currently employed presents significant challenges, according to a January 25 column in the Wall Street Journal.  Your boss may notice you wearing interview-oriented clothing, your telephone calls may be overheard or identified as to numbers called, and your use of e-mail and the Internet may be monitored.  The article quoted Donald Harris, President, HR Privacy Solutions, as cautioning that employers in the U.S., unlike those in Europe, pretty much set the rules when it comes to workplace monitoring.

Major Company Asks About Sexual Preferences of Employees
The San Francisco Chronicle reported on January 15 that the Bank of America has asked its 175,000 employees to fill out an online survey about job satisfaction, including a question asking respondents to indicate which of the following choices best describes them:  heterosexual, bisexual, homosexual, or transgendered.  No notice of how this sensitive personal information would be used or safeguarded was provided by the company.

Growing Acceptance of Multi-layered Privacy Notices 
Multi-layered privacy notices, consisting of condensed, easy to understand highlights linked to longer and more complete explanations, received a boost through endorsement by the European data protection commissioners on the Article 29 Working Party.  A number of U.S. companies, such as Procter & Gamble, already use multi-layered notices.

New Employee Benefit:  ID Theft Insurance 
A growing number of employers are providing their employees with ID theft insurance, as a means of limiting the significant time lost in cleaning up the problems created by ID theft.  According to The Wall Street Journal on January 18, 2005, AIG and St. Paul's Travelers are two of the providers of the benefit, which typically includes assignment to a case manager/advisor and payment of legal fees that may be incurred.  Critics, such as Dr. Judith Collins, a professor at Michigan State University, suggest that companies should pay more attention to preventing ID theft, through better information security practices, than to cleaning up after the fact.

EC Approves Alternative Model Contract 
On January 7, 2005 the European Commission announced approval of alternative standard contractual clauses for data transfers proposed by the ICC and other international business associations as offering an "adequate level of data protection" under the EU's strict data protection laws.  Companies can use the clauses to provide a legal basis for transfers to data controllers outside of Europe as of April 1, 2005.