News Archives

2006

December 2006

$100 Million Data Protection Fine in Greece
The Greek data protection authority fined cell phone operator Vodafone an astonishing $100 million over a wiretapping scandal that involved the illegal monitoring of Prime Minister Costas Karamanlis and 103 other individuals during and after the 2004 Olympic Games. Besides levying the largest fine in the history of both European and American data protection, the authority also broke ground by claiming that Vodafone was responsible because the company failed to adequately protect its network. The identity of the parties carrying out the monitoring has yet to be determined. Vodafone rejected the authority’s ruling as groundless and stated that it would challenge the fine in court.
 
ID Theft Task Force Invites Public Comment
The President’s Identity Theft Task Force, chaired by Attorney General Gonzales, co-chaired by FTC Chair Majoras and staffed by the heads of 14 major federal agencies and oversight bodies, has opened a period of public consultation on ID theft lasting through January 19, 2007. Interested parties (individuals, companies, organizations, etc.) are encouraged to submit their views as to what the federal government should do to better prevent identity theft, coordinate prosecution, and ensure recovery for victims.

Another Data Breach Set-Back for Boeing
For the second time within 13 months, Boeing announced that a laptop containing massive amounts of unencrypted employee personal data had been stolen. The loss this time affected 382,000 individuals, mostly retirees, and occurred in spite of extensive changes implemented by the company after the previous loss. The employee involved, who violated a clear policy in spite of training he had received, was fired. Tim Neale, a Boeing spokesman, outlined the steps the company has taken over the last year, indicating that several of them – such as removal of SSNs from files and automatic encryption – are still in process. Other breaches of employee data reported in December were relatively minor, compared to prior months.
 
Change in Federal Rules of Civil Procedure
New federal rules regarding the legal discovery of electronic documents went into effect on December 1. The amendments to the Rules of Civil Procedure will spur increased attention to the importance of adequate management and retention of electronic documents, including e-mail, Word documents and spreadsheets.

November 2006

Parliament Begins Review of PIPEDA
The House of Commons Standing Committee on Access to Information, Privacy and Ethics began its mandatory review of PIPEDA, Canada’s federal privacy law governing the private sector, with open hearings scheduled to last many weeks.  Jennifer Stoddart, the Federal Privacy Commissioner, testified that the law is “working reasonably well” and that she did not agree with critics who have called for an expansion in the enforcement powers of her office.  She also opposed the public naming of organizations believed to be violating the law, the approach to limiting the role of employee consent adopted by BC and Alberta, and any legislative changes relating to transborder data flows and the work product exception. 

Employees to Get Electronic Health Records
A coalition of large employers, led by Intel, IBM, Wal-Mart and BP, prepared to launch a plan to provide digital health records to their employees and to store them in a data warehouse linking hospitals, doctors and pharmacies.  Privacy advocates, including the Patient Privacy Rights Foundation, worry that electronic records will be misused to deny individuals jobs or health-care coverage.  

DPAs Emphasize Role of Communications
At the annual Conference of Data Protection and Information Commissioners, held in early November in London, a cooperative initiative with a common set of objectives was adopted by ten commissioners concerned about growing international privacy challenges and the need to be more effective as regulators.  The ten include commissioners from France, the UK, Spain, Italy, Germany, the Netherlands, Canada, New Zealand and Switzerland, along with the European Data Protection Supervisor.  Their joint position paper, entitled “Communicating Data Protection and Making It More Effective”, is a thoughtful summary of the challenges facing privacy regulators from rapid advances in technology, globalization and anti-terrorism, as well as their own limitations.

Theft of Vendor Computer Imperils a Million
In one of the largest breaches of employee data ever reported, the State of Colorado and a number of other states began notifying up to one million recently hired employees that their personal information was compromised when a desktop computer owned by a child support payment processor, ACS, was stolen in Denver.  Personal data on the computer was not encrypted.  Other HR data losses surfacing during November included one affecting 60,000 current and former employees of Starbucks, arising from several laptops missing from headquarters; another affecting 1,740 former Chicago school employees when a printing contractor included their personal details in a health insurance mailing; and finally, one impacting 1,600 veterans when a computer was stolen from a medical facility of the Veterans Affairs New York Harbor Healthcare System.

Survey Links Breach Notices to Harm
According to a new Alan Westin - Harris Interactive survey, 49 million adults in the U.S. have been told that their personal information had been lost, stolen or improperly disclosed over the past three years.  In spite of assertions by critics of data breach laws that there is little linkage between notifications of breaches and actual harm to those notified, a significant 19% of this group, about 9.3 million persons, believe that something harmful happened to them following the notification.

October 2006

New Restrictions on Use of SSNs
New York State has enacted legislation placing strict limits on the use and dissemination of SSNs, and imposing harsh penalties for misuse.  Amongst other provisions, the NY Social Security Number Protection Law, which comes into effect January 1, 2008, prohibits businesses from using SSNs or even partial SSNs to authenticate users of computer applications.

OECD Active in Cross-Border Enforcement
The OECD released a Report on the Cross-border Enforcement of Privacy Laws, examining law enforcement authorities and mechanisms that have been established with a particular focus on how they operate in the cross-border context.  The 42-page report describes existing arrangements to address privacy challenges that transcend national boundaries and calls for a more global and systematic approach to cross-border law enforcement cooperation.  Development of a policy framework and practical tools will follow.

Employers Find New Ways to Lose Data
Data breaches were reported by four employers in October:  The Port of Seattle announced that six computer disks, containing personal data of 6,900 employees at Seattle-Tacoma International Airport, were missing; T-Mobile USA began notifying 43,000 current and former employees that their personal information had been stored on a laptop stolen from an employee’s checked luggage; the State of Kentucky accidentally mailed insurance enrollment letters containing exposed SSNs to 146,000 employees; and the Navy lost a laptop containing personal information on 30,000 applicants, prospects and recruiters when it fell off a motorcycle driven by a Navy recruiter.  The Navy’s loss was one of 788 cases of missing data in federal agencies since April 2003, according to a report issued by the House Committee on Government Reform on October 13.

Survey Shows High Costs of Data Breaches
The high and rising costs of data breaches emerged clearly in a new survey conducted by PGP, Vontu and The Ponemon Institute.   Based upon responses from 31 companies, breaches in 2006 have cost an average of $4.7 million, or $182 per compromised record, up from $138 per record last year.  Included in the $4.7 million figure is $2.5 million in lost business.  Total costs per incident ranged from under $226,000 to over $22 million.

People, Not Products, Key to Security
The annual Global Information Security Workforce Study, sponsored by security certification organization (ISC)2 and carried out by IDC, revealed that people, rather than products, are most important to security.  According to 4,016 information security professionals in 100 countries, the most important factors in security, in order of importance, are management support of security policies; users following security policy; qualified security staff; software solutions; and hardware solutions.

September 2006

Privacy Melt-Down at H-P
Lax oversight of third party agents emerged as a key theme in Congressional hearings into H-P's use of outside investigators to identify the source of leaks of confidential boardroom information.  The privacy of directors, employees and journalists was invaded through the use of pretexting, e-mail web beacons and other techniques.  Besides being in the cross-hairs of Congressional wrath, H-P has suffered high-level resignations, law enforcement investigations, and a weighty blow to its claim to leadership on privacy issues.

Six More HR Data Breaches
Employers in the news for data breaches in September include Wells Fargo (affecting an undisclosed number of employees when a computer and a hard disk were stolen from the trunk of a car belonging to a third party health care auditor), the City of Chicago (when information on up to 38,443 city employees and retirees on the laptop of a pension advisor employed by Nationwide Retirement Solutions was reported stolen, a year and a half earlier, from the advisor’s home), the Transportation Security Administration (when Accenture mailed personal information on nearly 1,200 former TSA employees to the wrong addresses), TeleSource (when an acquiring company, Vekstar, put personnel files in a dumpster), the Illinois Dept. of Corrections (when a report containing personal information of an undisclosed number of employees was found outside DOC premises), Erlanger Health System (when a USB “jump drive” containing personal data of 4,150 current and former employees was reported missing) and General Electric (when a laptop computer holding personal data on 50,000 current and former employees was stolen from a locked hotel room).

ID Theft Task Force Issues Guidance
On September 19 the President's Identity Theft Task Force issued interim recommendations on measures organizations can take immediately to help address the problem of identity theft.  Many of the recommendations are not new, such as encouragement to restrict, conceal and mask SSNs in employee records and systems.  Members of the HR systems community have been encouraged to do this for the same reason since at least 1997 (see “SSNs as Employee Identifiers?”). Nevertheless, portions of the 22-page task force report may help buttress internal arguments made to management for the resources needed to reduce dependencies upon SSNs in HR functions and systems.

Europe Warms to Breach Notification Laws
As part of a public consultation that closes on October 27, the European Commission has published proposals for a law change that would force telecoms firms to notify regulators and customers of all breaches of their network security.  The proposals reflect growing appreciation by European regulators of the value of U.S.-style data breach notification laws.

ICC Tries to Help BCR Approval Process
The International Chamber of Commerce has produced a standardized application form that can be used to seek permission from all 25 EU countries for a company’s Binding Corporate Rules.  The ICC hopes to secure approval of the application from the Article 29 Working Party.  To date no company has been successful in securing approval for its BCRs from all EU member states.

August 2006

Russia Enacts EU-Style Privacy Legislation
On July 27 Russia enacted a comprehensive privacy law, About Personal Data, which will come into effect in February 2007.  Its scope, definitions of terms, basic privacy principles and restrictions on transborder data flows are modeled closely upon those in the EU Data Protection Directive.  While the law will be overseen by a federal supervisory body, the extent of actual enforcement will be critical; past privacy laws have largely languished on the books.

No Summer Holiday for HR Data Breaches
The pace of HR data breaches continued in August, with five reports:  a desktop computer owned by Unisys containing information for the Veterans Administration on the insurance claims of 38,000 veterans went missing in Virginia; a laptop with personal data on up to 1,500 job applicants and workers was stolen from a locked cabinet at a Toyota plant in Texas; Chevron informed as many as 29,000 U.S. workers that a laptop with their data was stolen from an employee of an accounting firm auditing its benefits plans; a laptop with data on 1,200 Williams-Sonoma employees was stolen from the home of a Deloitte & Touche auditor; and 9,468 employees of the California Dept. of Mental Health were informed that a computer tape with their personal information was missing.

Companies Struggle with Data Security
A survey on laptop security by the Ponemon Institute and Vontu shows that 81% of companies have lost at least one laptop containing sensitive information within the last year and have made securing such data at rest a priority this year.  At the same time, 64% of companies have never taken an inventory of either sensitive customer data or employee information, and 49% would have difficulty determining what data was lost if a laptop or other portable device was missing.  A second Ponemon survey, this time with PortAuthority Technologies, showed that 41% of respondents believed they did not have the resources needed to enforce data security policies.

Candidates are Googled and MySpaced
A survey by the National Association of Colleges and Employers found that 27% of employers have reviewed job candidates’ personal Web pages on social networking Internet sites such as “MySpace” and “Facebook,” or done broader Internet searches on applicants.

July 2006

Data Breaches Dominate July Privacy News
Data breaches affecting employees continued in July, with losses affecting over 100,000 Navy and Marine aviators and aircrews, over half a million individuals in New York State Workers Compensation files, 12,000 employees of Armstrong World Industries, and 13,700 employees of Cablevision Systems.  The latest prominent victim of ID theft was Senate Minority Leader Harry Reid (D-NV).  In reaction to previous breaches, nine employees sued Union Pacific and OMB imposed a strict within-the-hour reporting requirement on federal agencies.   Seven federal breach notification bills from as many committees are given little chance of passage in 2006, because of differences amongst them and turf battles.

New Guidance:  UK OIC on TBDFs, Art 29 WP on Notification
European regulators issued new guidance in July:  in the UK, the Information Commissioner published a 30-page legal analysis and good practice guide for transferring personal data outside the EEA, while in Brussels the Article 29 Working Party published a 76-page reference guide to the notification required to data protection authorities in each of the 25 member states.

Wariness Around RFID Chips, GPS Cell Phones
New technologies figured in two U.S. developments reported in July, with Wisconsin passing a law barring the involuntary micro-chipping of employees and 20 building inspectors in Massachusetts suspended for refusing to accept employer-issued cell phones with GPS tracking capability.

Security Risk:  Use of Live Data in System Tests
Surveys in the UK and Germany revealed significant non-compliance with data protection requirements.  In the UK, a Compuware survey showed that 44% of IT respondents admitted using live personal data in system tests, and 83% of those who outsourced sent live data and protected it only with non-disclosure agreements.  A Compuware-IFIC survey in Germany found that 64% of IT companies used genuine customer data for testing applications, while 36% conceded having little knowledge of the Federal Data Protection Act.

Privacy Commissioner Issues PIPEDA Review Document
The Federal Privacy Commissioner of Canada has issued a Discussion Document to assist Parliament in its mandatory review of PIPEDA, urging that the following issues be considered:  whether the Commissioner’s ombudsman role is effective and sufficient; whether the consent requirement for processing should be removed or modified in the employment context; whether collection of certain types of employee data should be prohibited altogether; whether organizations should be required to report data security breaches; and whether transborder flows of personal data should be more closely regulated.

June 2006

Many HIPAA Complaints, Little Enforcement 
Despite 19,420 complaints alleging medical privacy violations under HIPAA, the Dept. of Health & Human Services has not imposed a single fine and has prosecuted just two criminal cases, according to a front-page story in the June 5th Washington Post. HHS has “closed” more than 73 percent of the cases, either ruling there were no violations or allowing the health entity or provider to fix the problem without penalty.  Critics claim the laxity in enforcement is undercutting compliance with the law.

Eight HR Data Breaches in June
Employee data continued to hemorrhage in June, with 8 breaches reported by the Stop & Shop, Giant and Tops supermarket chains (pension data on a laptop lost by EDS, a subcontractor, during a plane flight), Equifax (data on 2,500 Atlanta employees on a laptop stolen on a London train), the US Dept. of Energy (data of 1,500 employees of the DOE nuclear weapons agency exposed by hacking last September but not reported until now), the IRS (data on 291 applicants and employees on a laptop lost when checked as luggage on a flight), the District of Columbia (pension data on 13,000 employees on a laptop stolen from the home of a subcontractor, ING), the US Dept. of Agriculture (data on 26,000 current and former employees exposed through hacking), Union Pacific (laptop theft with loss of data on 30,000 employees), and the US Navy (data on 28,000 sailors and family members posted on a public website).

US Privacy Regulator Loses Laptop
The Federal Trade Commission, the nation’s primary regulator enforcing privacy laws, added its own name to the roster of data breachers when it reported that a laptop containing unencrypted sensitive personal information of 110 individuals involved in a continuing legal case was stolen from the car of one of its attorneys.  The case has been referred to the agency’s Inspector General.

Employers Losing Trust of Employees
The Ponemon Institute released a report entitled "Americans' Perceptions about Workplace Privacy" that shows employees don’t trust that their employers are protecting their privacy at work. Of the 945 people surveyed, less than half of them said they “strongly agree” or “agree” that their companies are concerned about their privacy. Forty-six percent of the respondents who were asked whether more government regulations are needed to protect workers’ privacy answered "yes" and 37 percent said "no."   Furthermore, 57% of respondents said that it would take only one data breach incident by their company involving their personal data for them to lose confidence in the company's ability to protect their information.

May 2006

Exxon-Valdez of HR Data Spills Hits Vets, Troops
In the largest breach of HR data ever reported, personal data of 26.5 million veterans, including nearly all active-duty troops, was stolen from the home of an analyst working for the U.S. Veterans Administration. The information, which included SSNs, names, birth dates, home addresses and, in some cases, information about disabilities, was stored on portable devices in an unencrypted form, in a violation of VA policies believed to have been going on for three years.  A two-week delay in reporting the loss fueled anger on Capitol Hill against the VA, leading to hearings, firings and projections that the total cost of addressing the breach is likely to be in the $200 to $500 million range.  The VA has a documented history of ignoring audits and reports of its poor data security posture.

Pentagon Employee Data Hacked
The massive VA data breach overshadowed a smaller one occurring at the beginning of May, when the U.S. Department of Defense reported that hackers had accessed confidential health care records and personal information, placing some 14,000 employees and dependents at risk of identity theft.  Meanwhile 32 states now have notice of breach legislation on the books, and a tough new federal breach bill requiring notification to the U.S. Secret Service or the FBI, with fines of up to $1 million and up to five years in prison for non-compliance, was approved by the House Judiciary Committee.

France to Require Anonymization of Resumes
In an effort to improve equality of employment opportunity, the French National Assembly amended the Labor Code on March 31 to require that companies with fifty or more employees anonymize resumes of job applicants before using them in the recruitment process.  Studies have shown that French employers are biased toward applicants with traditional French names and “respectable” home addresses.  Details for implementing the measure are to be set out in a decree issued by France’s highest administrative court.

Data Privacy Bill Advances in China
A Draft Law for Protection of Personal Information and Data was presented earlier this year at the annual session of the Chinese People’s Political Consultative Conference, an advisory body to the government of China.  Little is known of the details of the proposed law, although reports of earlier versions described it as similar to the comprehensive privacy laws found in Europe.

April 2006

Employment Eligibility System Criticized
Pending immigration legislation will require all employers to determine the employment eligibility of job applicants via an online federal government database.  The Employment Eligibility Verification System (EEVS), operating at present as a pilot program involving 5,000 companies, was criticized as insecure and deeply flawed by the General Accountability Office in a report issued last August.  The ACLU and AFL-CIO have urged Congress not to subvert the constitutional right to privacy of workers, arguing that plans for expanding the EEVS include creating two massive databases of job history and personal information about all workers, which would represent a goldmine for identity thieves.  The conservative Heritage Foundation, the U.S. Chamber of Commerce and other business organizations have also expressed strong objections to the employment verification system.

Moving Well Beyond Layered Privacy Notices 
As part of a multi-year ongoing project, federal agencies regulating the financial services industry have issued a 337-page research report, Evolution of a Prototype Financial Privacy Notice.  The report presents a number of field-tested strategies for organizing, designing, simplifying, and formatting privacy policy notices; it includes several innovative prototypes.  The project ultimately may have a major impact upon how all privacy notices are drafted, including those of employers.

No End to HR Data Breaches, New State Laws 
An Iron Mountain driver picking up back-up tapes in New York lost two of them, leading the Long Island Railroad to send notices to 17,000 current and former employees, informing them that their names, home addresses, SSNs and salary information were missing.  Colorado and Nebraska joined 25 other states, New York City and the U.S. Virgin Islands in passing notice of data breach legislation.

FTC Not Looking for Perfection in Data Security 
Speaking at a conference on data protection hosted by the Spanish Data Protection Agency in Madrid in late March, a representative of the FTC reiterated the Commission’s view of the need to look at the contexts of security lapses. According to the FTC's Kathryn Ratte, “the security of information in a company should be a continual and oft-revised procedure, although evidence of violations does not necessarily mean that this procedure has failed”. Other speakers from the FTC have made the same point in presentations at IAPP and IHRIM this spring, namely that the FTC is not “looking for perfection” or “playing Gotcha!”

Canada Addresses USA Patriot Act Concerns 
The Treasury Board of Canada issued a report, Privacy Matters: the Federal Strategy to Address Concerns about the USA PATRIOT Act and Transborder Data Flows, which sets concerns about Canadian data being exposed to the US government in the context of larger issues surrounding global outsourcing of personal information processing.  The report outlines a strategy and work done to date to ensure that federal agencies act responsibly before entering into outsourcing arrangements subject to the USA Patriot Act, and also provides guidance on contracting in general.

March 2006

570,000 Impacted by Hack of Georgia Pension Plan 
In one of the largest data breaches involving employee data, the Georgia Technology Authority announced that an unpatched flaw in a “widely used security program” was exploited by an unknown hacker to gain access to a database containing confidential information on more than 570,000 members of the state’s pension plans.  The hacker used sophisticated hacking tools to break through several layers of security after accessing the server hosting the database via the software flaw.  The vendor of the software was not identified.

TPA Breaches Hit H-P, State of Florida, BC Hydro 
H-P, a long-time leader in customer and HR privacy, announced that a laptop containing unencrypted 401(k) information on 196,000 of its employees was stolen from Fidelity Investments.  Fidelity has offered to pay for credit-report monitoring services for affected individuals and to remedy any resulting fraudulent account transactions.  Meanwhile, in one of the first reported breaches involving offshoring, the State of Florida warned 108,000 employees that their personal information may have been compromised after work on the state's People First payroll and human resources system was improperly subcontracted to a company in India.  Offshoring the information was a violation of the state’s contract with Convergys, which subcontracted indexing work to GDXdata, a Denver firm, which then turned the work over to an Indian firm.  Finally, B.C. Hydro notified more than 4,000 employees that criminals may have access to their names, employee numbers, salaries and bank account information following a break-and-enter and theft at a private company, Accenture Business Services for Utilities, which handles many of Hydro's administrative functions.  This is one of the first reported breaches of employee data in Canada, which does not have US-style notice of breach laws.

Safe Harbor Membership Tops 900 
The number of companies joining the Dept. of Commerce Safe Harbor Program now exceeds 900, as the rate of joining, about 25 per month, has increased by 50% from earlier long-term levels.  Smaller firms continue to dominate the roster of members, although CareerBuilder, Kimball, Deloitte & Touche, and Siebel Systems signed up in recent months.

New Guidance Issued by UK Information Commissioner 
Following a decision by the House of Lords not to hear an appeal in the Durant case, the UK Information Commissioner has issued new guidance on the definitions of “personal data” and “relevant filing system” under the Data Protection Act 1998.  The guidance, in the form of a 12-page PDF, offers a more narrow interpretation of these key terms than that followed in other EU member states and comes in advance of Durant’s planned appeal to the European Court of Justice.  The Commissioner also noted that the Article 29 Working Party is actively investigating the scope of “personal data” under the Directive.

CBBB Launches Security & Privacy Made Simpler Website 
The Council of Better Business Bureaus, along with think tank Privacy & American Business and sponsors such as IBM and eBay, launched a Security and Privacy--Made Simpler website aimed at businesses with fewer than 500 employees.  The initial offering, which includes a 22-page PDF guidebook, focuses primarily upon security issues and avoiding data breaches with respect to customer data; later in the year the CBBB intends to provide an Employee Data Toolkit.

February 2006

McAfee, State of Ohio Suffer Breaches by TPAs 
Employers continued to hemorrhage employee data in February, particularly through breaches caused by third party administrators (TPAs).  McAfee, the software security firm, notified 9,000 employees that their names, addresses, SSNs, and employee stock holdings, stored on an unencrypted CD, were unaccounted for when an auditor from Deloitte & Touche left them behind in an airplane seat pocket.  The State of Ohio reported that personal information of 4,600 employees and dependents, including SSNs and drug prescription records, was compromised by the theft of a laptop from Medco Health Solutions, a vendor that manages drug benefits for the state.

Article 29 Working Party Issues Whistleblowing Guidance 
The Article 29 Working Party issued an Opinion on February 1st on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, the fight against bribery, banking and financial crime.  Whistleblowing schemes that include other issues, such as HR and environmental matters, will be addressed later in the year.  Peter Schaar, the Chair of the Working Party, also released a letter to SEC Chairman Christopher Cox calling for cooperation between Europe and the U.S. in implementation of the whistleblowing requirements of Sarbanes-Oxley.

First Published Binding Corporate Rules 
Binding Corporate Rules proposed by the Schering Group (Schering AG) were approved by the Berlin Data Protection Commissioner.  While there has been much discussion and documentation around the issues involved with binding corporate rules, the Schering BCRs are the first ones that have been made publicly available.

Employees Asked to Chip In 
Two data center employees of a Cincinnati video surveillance company, CityWatcher.com, were recently implanted with VeriChip radio frequency identification (RFID) devices.  The employees were reported to have volunteered to accept the implants, but critics questioned whether they were not in effect coerced into giving their consent. 

January 2006

IBM Sees Employee Access Rights as New Criminal Target 
According to the 2006 Global Business Security Index Report issued by IBM, this year will be marked by a fundamental shift away from sophisticated external hacking of corporate sites towards the targeting of employee access rights within company firewalls, as a prelude to extortion or fraud.  Most companies have tightened their network security, making direct assaults increasingly difficult and prompting the shift to exploitation of existing access privileges through social engineering and other techniques.

Data of 19,000 Honeywell Employees Posted on Web 
Data breaches affecting employers continued in 2006, with the report that SSNs, bank account numbers and other sensitive information of 19,000 employees of Honeywell was posted on the Internet by an unknown party.  Suggesting that Honeywell had a breach contingency plan in place, the company began notifying employees and offering them a year of credit monitoring and ID theft insurance within a day of discovering the posting and having the relevant service provider remove it.

Spanish APD, FTC Cement Positions as Tough Enforcers 
Agencia de Protección de Datos, the Spanish data protection authority, released its annual report for 2004, indicating that fines for violations of data protection law rose to $20 million, almost doubling from the previous year, while inspections of data processing operations rose by 70%, to 973.  The success of the APD in raising the pressure for compliance and funding its own operations is garnering increased attention from privacy commissioners around the world.  These regulators are also being influenced by the even tougher enforcement stance adopted by the FTC; notwithstanding the absence of omnibus European-style privacy legislation, the FTC has reached a $15 million settlement with ChoicePoint over its 2005 data breaches.

GE's Binding Corporate Rules Approved in UK 
The UK Information Commissioner authorized General Electric to transfer employee information out of the UK to any of its worldwide operations, under the first approval granted on the basis of binding corporate rules. Approval for transfers from the other 24 EU member states has not yet been obtained.