Top Federal Panel Calls HIPAA Woefully Inadequate
A top advisory board to the US federal government on health care privacy has concluded that current laws and rules are woefully inadequate and is recommending passage of new legislation to strengthen and expand protections far beyond those provided by HIPAA. The 40-page report by the National Committee on Vital and Health Statistics (NCVHS) could become the basis for new national policy following the 2008 election, with profound implications for employers handling medical information in any context.
Moody's to Rate Vendors on Information Risk
Moody's Investors Service is preparing to launch a new service providing risk/quality ratings of vendors who process information for financial services firms in 11 areas: information security policy; organization; information classification; physical security; communications and operations management; access control; application security; incident management; business continuity; data security; and privacy. According to an interview in the December issue of the IAPP’s Privacy Advisor, Moody’s plans to build on the experience in the financial arena to expand the rating service to vendors serving clients in other industries.
HR Data Breaches Resume Normal Pace
Breaches of employee data resumed their normal pace in December, with embarrassing losses by two firms that provide data security advice: Forrester Research (a laptop stolen from a staff member’s home, affecting an undisclosed number of employees) and Deloitte & Touche (a laptop stolen from a pension advisor, affecting an unknown number of partners, principals and employees). Other breaches were reported by the New York State Dormitory Authority (back-up tapes missing in transit, affecting 800 employees); the Greenville County (SC) School District (computer hacking, affecting hundreds of employees; DHS is investigating, as a rash of government computers have been hacked in the state); and the US Air Force (a laptop missing from Bolling Air Force Base (WA), affecting 10,500 airmen).
UK: Breach Firestorm and PIA Handbook
The firestorm surrounding the November HMRC data breach affecting 25 million UK citizens continues to grow, with reports of hundreds of past losses by government agencies; new breaches of the data of those applying for passports and driver’s licenses; Parliamentary hearings; and mounting pressure for tougher data protection laws and C-level accountability. Independently of this, the UK Information Commissioner released a Privacy Impact Assessment Handbook, the first by a European regulator, and Pinsent Masons, a prominent legal firm, called into question the data protection practices of Santa Claus.
Mandatory Wellness Programs Probe Off-Duty Life
More employers are not just rewarding workers who are healthy, but penalizing those whose off-duty habits and environments contribute to increased health care costs. For example, starting in January the Tribune Company plans to require its employees to pay $100 a month more in insurance premiums if they or any of their covered family members smoke. Amongst employers refusing to hire smokers are The Cleveland Clinic, Meritain Health, and Scotts Miracle-Gro. Other employers, such as the Principal Financial Group, are requiring employees to complete health risk assessments that can lead to higher insurance deductibles and co-pays for failure to curb risky habits and behaviors. Such mandatory wellness programs, welcomed by some, are frequently viewed as intrusive and challenged by unions or through legal action.
Another Lull in Employee Data Breaches
Data breaches affecting employees dropped to a two-year low in November, with only the Veterans Administration in the news again, this time with a report that three computers containing information on 12,000 veterans had been stolen from a VA medical center in Indianapolis. The VA also reported that 185,000 SSNs judged to be at risk were found on the home computer of an ex-VA auditor arrested for ID theft; interestingly, the auditor had quit his job at the VA when he learned that a background check was going to be required. Separately, mediation between opposing sides began after a federal judge ruled that lawsuits can go forward over the data theft last year affecting 26.5 million veterans.
Firestorm over UK Data Breach
A massive data breach in the UK by HM Revenue and Customs has exposed sensitive financial records of 25 million adults, representing half of the population. The breach, caused when computer disks being sent to auditors went missing, prompted a firestorm of criticism and a public apology by PM Gordon Brown, the launching of data security reviews in all Cabinet agencies, the initiation of a high-profile investigation and review of current data protection laws, reports of additional government breaches, and calls for increased powers for the Information Commissioner to conduct independent audits and to levy fines. Rubbing more salt in a very public wound, HM Revenue and Customs then mailed millions of apology letters containing the sensitive information that had been exposed, thereby creating further exposures for those whose mail goes astray.
Confusion over Controller/Processor Distinction
European regulators are increasingly criticizing the data controller/data processor distinction that underlies European data protection laws. The latest evidence of confusion over the distinction can be found in Charles Millard’s report in a Privacy Laws & Business newsletter that the Spanish Data Protection Agency, in an unpublished decision, has concluded that SWIFT, the international financial transactions body, “acted, at all times, as the data processor,” including when it made the “crucial decision” to transfer data to the US Treasury Department. Some ten months earlier the Article 29 Working Party issued an opinion which held that SWIFT was a “joint data controller” with the financial institutions it services. The Article 29 WP ruling has been criticized for threatening to disrupt many established controller/processor relationships, including a wide range of conventional service provider and outsourcing arrangements.
Changes Called for in Alberta PIPA
As part of a mandatory review, the Select Special Committee of the Alberta Legislature has issued a 65-page report on how to improve the province’s Personal Information Protection Act. Amongst some 48 recommendations are the following: requiring notification of individuals when personal data will be transferred to a third-party service provider outside Canada; requiring notifications when data breaches occur; allowing organizations to assume that consent has been obtained for those enrolled by others in insurance or benefit plans; not amending the Act to include a “work product” exemption; requiring organizations to destroy or anonymize records no longer needed; and restricting the need to maintain data accurately and completely to what is reasonable for the purposes involved.
Court Blocks JPL Background Investigations
On October 5 the Ninth US Circuit Court of Appeals issued a temporary injunction blocking a DHS directive requiring intensive background checks for employees at places like NASA’s Jet Propulsion Laboratory in Pasadena. According to Privacy Times, the judges noted that JPL employees had raised serious legal and constitutional issues and shown the likelihood of irreparable harm if the screening proceeded as planned. A lower federal court had upheld the background checks just two days earlier.
Injunction Issued Against ICE Program
In a second federal court ruling during the month, the US District Court for the Northern District of California ruled on October 10 that the "Social Security No Match Safe Harbor" regulations published by the Department of Homeland Security (DHS) may have serious legal defects and issued a preliminary injunction against them. The ruling effectively bars the government from publishing mismatch notices under the Final Rule for the foreseeable future.
Eight Employee Data Breaches in October
Stolen laptops were the leading cause of the eight breaches of employee data reported in October, including losses at Semtech, Administaff, Home Depot, the King County Transportation Department (WA), and the US Postal Service in Hawaii. Three breaches from other causes were reported by the State of West Virginia (a computer tape containing records of 200,000 current and former employees was said to have been lost by UPS), The Nature Conservancy (14,000 current and former employees and dependents impacted by hacking of the non-profit’s computer system) and Pfizer (1,800 employees affected by a breach by a vendor that supplies cars to the company). The breach by Pfizer was the fourth reported by the company in as many months.
California Broadens Data Covered by Breach Law
Besides banning forced micro-chipping of employees, Governor Schwarzenegger signed Assembly Bill 1289, which expands California's data breach notification law to cover medical information and health insurance information. "Medical Information" is defined as "any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional." "Health Insurance Information" is defined as "an individual’s health insurance policy number or subscriber information number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records." Employers, health care providers and any other entity with computerized employee benefits or other health data will be impacted by the new law, which goes into effect on January 1, 2008.
Canadian Government Responds to PIPEDA Review
On October 17 the Canadian government headed by Stephen Harper tabled its response to the 25 recommendations made in May by the House of Commons Standing Committee that conducted a statutory review of PIPEDA. According to Murray Long, a Canadian privacy consultant, the government accepted nearly two-thirds of the recommendations, including an expanded exclusion of business contact information; a loosening of the need for consent in the employment context; a call for data breach notification legislation; and findings that no amendments of PIPEDA were necessary with respect to transborder data flows, the powers of the Privacy Commissioner or the naming of organizations that are the subject of privacy complaints. The government disagreed, however, with the need for legislative guidance on document destruction; with the call for a work product exemption; and with recommendations that the role of consent in principal-agent relationships be clarified. Given the government’s call for further public consultations, amendments to PIPEDA are not expected to be enacted for several years.
Federal Court Blocks ICE Program
A US District Court in California issued an order temporarily blocking implementation of the Department of Homeland Security’s regulation on the legal obligations of employers receiving "no-match letters" from the Social Security Administration. A hearing on the Immigration and Customs Enforcement ("ICE") program was set for October 1. Separately, the Bush administration filed suit to block a new Illinois law that bars employers from using the federal employment verification database until it is certified as being 99% accurate.
Employees Sue NASA over Background Checks
Twenty-eight scientists, engineers and other workers of the Jet Propulsion Laboratory in Pasadena filed suit against NASA in federal court challenging new security measures. To obtain new ID badges, NASA is requiring employees and other workers at all of its research facilities to provide detailed background information and sign waivers allowing open-ended checks of past employment, questioning of former employers and neighbors, fingerprinting and other measures. The plaintiffs, none of whom does work requiring a security clearance, view the requirement, which includes being asked questions about loyalty and sexual orientation, as violating their constitutional rights. Several US lawmakers slammed the new rule, which flows from President Bush's Homeland Security Presidential Directive 12, promulgated in 2004.
Bad Month for Job Applicants
The scope of the August data breach at Monster.com widened in September, with evidence that 150,000 users of USAJobs.gov, the official federal government job site for which Monster provides technology, had been affected by malicious software that siphoned off their contact information. Veterans and National Guard members using TurboTAP.org, a Department of Defense website designed to ease transition to civilian life, were also impacted. Monster has warned all active users of its job boards that their personal contact information may have been compromised. Experts contended that the breaches could have been prevented through readily available security measures. Meanwhile, records of 800,000 job applicants at the Gap were exposed when an unidentified vendor managing applicant data for the retail chain reported the theft of an unencrypted laptop.
Three Data Breaches in a Row at Pfizer
Pfizer reported the third breach of employee data in as many months, this one affecting 34,000 employees who received letters on August 24th stating that the company had only recently learned that their confidential information had been taken without authorization from an internal system late last year. Earlier breaches stemmed from an employee’s use of peer-to-peer software and the theft of a laptop from a contractor’s vehicle. Apart from the losses at Pfizer and the Gap, no other significant new breaches of employment-related data were reported, making September the quietest month for such losses in the last two years.
European Commission Finds UK Botched Directive
According to documents obtained under FOI legislation, the European Commission believes that the government of the UK failed to properly implement almost one-third of the articles of the Data Protection Directive. Deficiencies were previously thought to center on the definition of personal data, but are now seen to include the handling of manual files; the conditions under which sensitive personal data can be processed; the fair processing notices given to individuals; the rights granted to data subjects; the application of exemptions from these rights; the ability of individuals to seek remedies for breaches; liability for breaches of data protection law; transfers of personal data outside the EU; and the powers of the Information Commissioner. The Commission has been negotiating with the UK government for several years; it could initiate infringement proceedings before the European Court of Justice at any time.
Major Revamp of Australian Privacy Law Needed
After staging the largest public consultation process in its history, the Australian Law Reform Commission (ALRC) has released 301 proposals that would involve a sweeping overhaul of Australia's privacy laws. Amongst the proposals are calls for bringing public and private sector organizations under a single unified privacy law; eliminating the current exemption for employee records; data breach notification requirements; a new statutory cause of action where an individual’s reasonable expectation of privacy has been violated; and expanding the enforcement powers of the Information Commissioner. The ALRC will make its final recommendations to the government in March 2008 after a further round of public consultation.
ICE Storm Bears Down on Employers
The Department of Homeland Security (DHS) issued final regulations effective September 15, 2007 on the responsibilities of employers receiving “no-match” letters from the Social Security Administration (SSA) in response to the reporting of SSNs on W-2 forms. Employers who fail to take affirmative steps, including termination of employment, to resolve the discrepancies within 93 days face significant civil and criminal penalties. Coalitions of employers and unions have opposed what is being called the impending ICE storm (because of its being launched by the Immigration and Customs Enforcement Agency), even calling upon the SSA not to issue the letters and filing lawsuits. However, DHS has acknowledged that it will be unable to follow up on the issuance of the no-match letters because the IRS code prohibits the SSA from divulging the specifics of such letters to DHS.
Privacy Melt-Down at Monster.com
The perils of online job searches were freshly revealed to job applicants when Monster.com reported that 1.6 million records were stolen from its applicant database. Criminals used contact information obtained through the theft to send phishing e-mails to applicants purportedly from Monster.com offering additional job search assistance but actually designed to place Trojan horses on the recipient’s computer. The malware subsequently would either hijack online banking information or encrypt all files prior to a demand for ransom. Monster’s CEO subsequently admitted that the theft may have jeopardized far more than the 1.6 million individuals first reported, warning all users of the online search service to assume that their contact information had been taken. Hundreds of applicants and a number of employers were reported to have cancelled their accounts with Monster.com as a result of the security breach.
Pensioners Hit Hard in August Data Breaches
Other HR data breaches in August placed 445,000 pensioners of the State of California and 280,000 pensioners of New York City in jeopardy of ID theft; the west coast breach occurred when SSNs were accidentally printed on mailing labels attached to brochures announcing an upcoming CalPERS election, while the east coast breach involved a laptop stolen at a restaurant from a consultant hired by the City. Breaches were also reported during the month by the security firm VeriSign (a laptop stolen from the garaged car of an employee); by Merrill Lynch (a laptop containing information on 33,000 employees stolen from a corporate office in New Jersey); and by Pfizer, which suffered a major breach last month (this time a laptop with information on 950 employees stolen from a consultant’s car in Boston).
Growing Demand for Access to Personnel Records
A growing number of employees are requesting access to their personnel files, according to an employer advisory in the July 30 edition of the National Law Journal, because of increasing challenges to terminations, concerns about references, and an expanding body of state legislation providing for access. Some 35 states have laws governing access to personnel files by private sector employees, while the right to such access is common in the public sector. Even in states without such laws, denying access to employees can backfire, since an employer who has done so may not be allowed to rely upon such records during a lawsuit. Inappropriate documents in a file and missing documentation are common problems.
ISTPA Issues Comparative Privacy Law Analysis
The International Security, Trust and Privacy Alliance (ISTPA), a global alliance of technology providers, research institutions and companies, released an 85-page study entitled Analysis of Privacy Principles: Making Privacy Operational. The study provides a structured comparison of 12 international data protection laws and directives, including the EU Data Protection Directive, the U.S. Privacy Act, and California’s data breach notification law. It is designed to be useful to privacy practitioners responsible for developing operational requirements for implementing privacy in their business processes and IT systems. Scott Blackmer, ISTPA’s Secretary and a long-term advisor to HR Privacy Solutions and its clients, was one of the experts contributing to the study.
US Postal Service Sued for Marketing to Employees
A lawsuit has been filed in Seattle against the nation’s second largest employer, the US Postal Service, claiming that it violated the 1974 Privacy Act by selling personal information of employees to marketing companies without their consent. The suit, seeking class action status, alleges that the USPS allowed private businesses to access and use its employee master file, as part of the process of sending co-branded marketing materials to employees' homes. The mechanic who filed the suit claimed he was inundated with credit card, cell phone and life insurance offers over the past two years. Although employees were provided an opt-out from marketing activities, the plaintiff claims the Privacy Act requires consent on an opt-in basis.
Military Hit Twice in July Data Breaches
Service members suffered twice in July from breaches of their personal data. Science Applications International Corporation (SAIC), an $8 billion defense contractor handling sensitive health information on members of the US military and their families, reported that some of its employees illegally sent unencrypted data (such as medical appointments, treatments and diagnoses) relating to 867,000 individuals across the Internet. SAIC, which suffered a breach of its own employee data several years ago, offered credit and identity restoration services to any victims of related identity theft. In the second incident, sensitive data of 10,000 Marines was inadvertently posted online by researchers at Penn State. Other breaches were reported during the month by Securitas Security Services, one of the world’s biggest security firms (formerly known as Pinkerton’s), which notified more than 100,000 current and former employees that their personal data had been compromised when several laptops were stolen; Virginia Beach, which informed 2,000 city and school system employees that their benefits information was compromised by an employee subsequently charged with prescription fraud; several Ohio school districts, which notified 1,800 employees that their personal data had been accidentally posted on the Internet; and the Metropolitan St. Louis Sewer District, which told 1,600 current and former employees that their SSNs and other personal data had been found on the home computer of a disgruntled employee who informed fellow workers that he would use the file if he received a poor performance review.
US District Court Dismisses Employee Data Breach Case
The US District Court for the District of Columbia dismissed a lawsuit, Randolph v. ING Life Insurance and Annuity Company, filed by several employees of the District of Columbia. The suit was against ING, which administered their deferred compensation program, over the loss of their personal data on a laptop stolen from the home of an ING associate. The court ruled that the plaintiffs lacked standing to sue insofar as any harm they suffered was speculative, confirming a trend in US case law that data controllers will not necessarily face liability for losing control of personal information if the loss does not cause actual harm to the affected individuals.
FTC Urged to Investigate Background Check Violations
A coalition of privacy, labor and civil-liberties groups has urged the Federal Trade Commission to investigate alleged violations of the Fair Credit Reporting Act by railroad and transportation companies for conducting criminal background checks on employees without proper notice, access and recourse. About 100 workers were fired after the checks were carried out by a company, e-Verifile, that allegedly used inaccurate and irrelevant data from the commercial data broker Acxiom. The complaint claims that the employees (a) were not told they were under investigation or were told that the checks were required by the federal government when they were not; (b) were not given access to their reports; (c) were not given a written explanation of why they were about to be fired; and (d) were not subsequently notified why they were fired. Complainants include the Center for Democracy and Technology, Rainbow/PUSH, the National Workrights Institute, the Legal Action Center and the National Employment Law Project.
UK Court of Appeal Reaffirms Narrow View of Personal Data
The UK Court of Appeal overturned a High Court ruling in the case of David Paul Johnson v The Medical Defence Union. Mr. Johnson, an orthopedic surgeon, was seeking to determine why a non-profit membership organization declined to provide him with indemnity insurance. According to Field Fisher Waterhouse, the ruling re-affirms the pragmatic position established in the Durant case that the Data Protection Act 1998 cannot be used by plaintiffs as a means of gaining access to information claimed to be personal but actually having little relationship to the protection of privacy.
Art 29 WP Addresses Definition of Personal Data
The Article 29 Data Protection Working Party has adopted an important position paper, Opinion 4/2007 on the concept of personal data. This 26-page document, issued on June 20th by national regulators in their role as an independent advisory committee of the European Commission, addresses each of the four fundamental elements of the definition of personal data found in the Directive, exploring in depth the meaning of “any information,” “relating to,” “identified or identifiable,” and “natural person.” The paper addresses many of the unanswered questions about the nature of personal data that have been circulating since the Directive was first issued over a decade ago. It also applies its analysis to 19 real-world examples, such as physicians’ prescribing information.
Double Double in June HR Data Breaches
Eight breaches of HR data occurred in June, with two employers reporting two in the same month: the State of Ohio first reported that names and SSNs of its 64,000 employees, 75,000 of their dependents and 225,000 taxpayers were stolen when a 22-year-old intern left a backup data storage device in a car, and then reported that SSNs and other nonpublic information of 439 people were on a laptop stolen from the home of a workers’ compensation auditor. Fresno County (CA) also reported two breaches, one the loss of a computer disk containing personal data of 10,000 employees by a courier en route to a firm that does benefits eligibility analysis, and the other the loss of a disk containing personal data of an unknown number of home health-care workers. On the single breach front, Pfizer reported that personal information of 17,000 employees was exposed through unauthorized peer-to-peer file-sharing software installed on a laptop, with 15,700 of these records subsequently being accessed and copied by an unknown number of individuals; the University of Virginia reported that hackers accessed sensitive information of 5,735 faculty members on 54 separate days over the last two years; American Airlines said that personal information of 365 employees, including pilots and the CEO, was accidentally exposed on an internal website; and the San Antonio Police revealed the theft of a laptop exposing personal information of about 230,000 Texas licensed peace officers.
Entire Federal Workforce to Undergo Background Checks
Background investigations of federal and contract workers being conducted for a new government-wide ID card have drawn objections from the National Federation of Federal Employees and some scientists at NASA’s Jet Propulsion Lab. Before the smart cards are issued, individuals must provide fingerprints and disclose financial, medical and other personal data which will be verified against databases. In some cases, agents will be sent to interview neighbors. Critics fear that employees could lose their jobs or standing if inaccurate, out-dated or irrelevant data is unearthed during the investigations.
France Tightens Restrictions on International Data Transfers
On March 29 France issued a new decree implementing the 2004 amendments to its data protection law that has significant implications for the wording and format of privacy notices, the handling of data subject access requests and international data transfers. In particular, the decree requires companies to obtain prior authorization from the CNIL for data transfers outside of Europe, even if the transfers are legitimized by use of model contracts. Decree 2007-451 is available online in French.
China Passes Comprehensive Workers Rights Law
China enacted a sweeping new labor law aimed at protecting the rights of workers. The new law requires employers to provide written contracts to their workers, restricts the use of temporary laborers and helps give more employees long-term job security. It allows collective bargaining for wages and benefits, and requires consultation with unions before jobs are eliminated. The adoption of a European approach to regulating employment increases the likelihood that China will adopt EU-style comprehensive data protection legislation.
OMB Clamps Down on Personal Data
Following up on the recent report of the President’s ID Theft Task Force, the Office of Management and Budget (OMB) issued a memo on May 22 directing all federal departments and agencies to (a) reduce the volume of personally-identifiable information collected and retained to “the minimum necessary,” (b) limit access to those who “must have such access,” and (c) use “encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals.” Agencies are also required to develop and implement a data breach notification policy within 120 days.
TSA Data Breach Prompts Class Action Lawsuit
Breaches of employee data continued apace in May, with the largest being reported by the Transportation Security Administration (TSA), which said that an external hard drive containing SSNs, bank data and payroll information on 100,000 current and former employees was missing from headquarters. The loss prompted filing of a class action lawsuit against the TSA by the union representing airport security screeners, the American Federation of Government Employees. Other HR breaches included IBM, which reported that an unnamed contractor had lost data tapes while in transit near the company’s Armonk NY headquarters; Alcatel-Lucent, which said that a tape with sensitive information on thousands of employees was lost in transit between two of its vendors, Hewitt Associates and Aon; and the Maryland Department of Natural Resources, which announced that a thumb drive containing personal information on 1,433 employees, placed there by an IT worker to facilitate work at home, could not be located.
Eli Lilly Bars Genetic Discrimination
Eli Lilly announced a policy prohibiting the use of genetic information to discriminate against employees. The drug-maker said it acted because "fear that a person's private genetic information can be used against them could discourage patients from seeking gene-based treatments." IBM is the only other company known to have a formal genetic anti-discrimination policy.
Canadian Parliament Issues PIPEDA Report
The Parliamentary Committee reviewing PIPEDA, Canada’s federal privacy law, issued its report on May 3, following months of public hearings. The committee rejected proposals that the Privacy Commissioner be given new order-making powers and be compelled to name organizations that are the subject of privacy complaints. While endorsing passage of a data breach notification law, the committee recommended that notifications be made to the Privacy Commissioner, who would then decide if affected individuals should be notified. Other recommendations included clarifying the “work product” exception; allowing greater access to personal information during mergers and acquisitions; pursuing the approach to employee consent followed by BC, Alberta and Quebec; and refraining from introducing new requirements with respect to transborder data flows. The committee requested the government of Canada to respond to its recommendations within 120 days.
Austrian DPA Blocks HR Data Transfer
The Austrian Data Protection Commission rejected an application for a data transfer from an Austrian subsidiary to its US parent company, finding the purpose mentioned in the model contract submitted for approval (“for worldwide statistic reports and editing”) to be vague and invalid. The inability of a subsidiary to restrict the activities of a parent company was a major factor in the decision.
March Lull in HR Data Breaches Ends
The familiar drumbeat of employee data breaches resumed in April, with major losses reported by Ohio State University (information of 14,000 faculty and staff exposed via hacking); the Chicago Public Schools (the second breach in six months, this one affecting 40,000 staff as a result of the theft of two laptops); FEMA (2,300 employees received re-appointment letters with their SSNs printed on outside address labels); retailer Neiman Marcus (160,000 current and former employees exposed to ID theft by the theft of computer equipment from a third-party pension plan consultant); and Caterpillar (an undisclosed number of employees impacted by the theft of a laptop computer from a benefits consultant).
Tyco Fined €30,000 over Employee Database
CNIL, the French data protection authority, used its new enforcement powers to fine Tyco Healthcare France €30,000 for failing to cooperate with an investigation centering upon its employee database. CNIL said that the company failed to provide adequate information about the purposes for which the data was being used, data transfers to the U.S., security measures and retention periods. The fine is the most prominent regulatory action in Europe relating to non-compliant uses of HR data since data protection authorities began speaking of increased enforcement a few years ago.
CNIL Issues Worker Ethnic Data Guidelines
Capping an active month, CNIL also issued recommendations aimed at balancing the French prohibition on collecting data relating to a person's racial or ethnic origin with employers' needs to collect such data in order to implement policies preventing racial and ethnic discrimination in the workplace. The guidelines allow the collection under strict conditions, such as first consulting with workers' representatives, using it solely for the purposes of advancing employment opportunity, storing the data apart from normal HR data, and deleting it as soon as it is no longer needed.
House Passes Genetic Privacy Bill
The US House of Representatives passed the Genetic Information Nondiscrimination Act (H.R.493) by an overwhelming vote of 420-3. The President immediately issued a statement that he would sign the bill if it passed in the Senate as well. Since the Senate passed this legislation in previous sessions of Congress, the bill is likely to pass into law soon.
NASSCOM Fills Gaps in Indian Privacy Laws
The National Association of Software and Service Companies (NASSCOM), which represents the Indian software industry, established an independent Self Regulatory Organization (SRO) that will award accreditation to IT companies that follow best practices such as ISO17799. Its National Skills Registry, launched last year to allow screening of IT workers, already has 55,000 completed registrations, with a goal of having 500,000 by December 2007. Both initiatives are designed to shore up confidence in India’s outsourcing industry, following allegations that the country’s call center workers stole and sold data processed by local outsourcing/BPO firms.
March Madness in Wal-Mart's Privacy Arena
Wal-Mart continues to come under scrutiny and criticism for abuses of employee privacy. In past years the company suffered a number of multi-million dollar setbacks in privacy lawsuits. March was something of a privacy melt-down month for the company. A computer technician was fired for “overzealousness” in wiretapping staff and a reporter in an attempt to find the source of a leak of corporate information. Shortly thereafter it was announced that the company had fired two senior marketing executives accused of having an extramarital affair; one of the executives has filed a wrongful termination suit. A third incident involved a suit by an auditor who claimed that Wal-Mart used its policy against fraternizing with subordinates as a pretext for firing him, when the real reason was retaliation for his criticism of the company’s toleration of working conditions he found in Central American factories. In an article in the New York Times the auditor described Wal-Mart as “the ultimate Big Brother in corporate America,” utilizing high-powered investigators with CIA and FBI backgrounds in a discriminatory manner.
2007 Most Trusted Companies in Privacy Announced
According to a 2007 poll by TRUSTe and the Ponemon Institute, the most trusted companies in privacy are led by American Express, which earned the top honors for the second year in a row, followed by Charles Schwab, IBM, AOL, Amazon, Johnson & Johnson, the U.S. Postal Service, eBay, Nationwide, Procter & Gamble and Google. H-P, which was fourth last year, dropped to 16th following last year’s pretexting scandal.
The Bahamas Enact First EU-Style Privacy Law in Region
The Bahamas became the first country in Central America to enact a comprehensive data protection law. The Data Protection (Privacy of Personal Information) Act is modeled upon European legislation and will be overseen by a Data Protection Commissioner. It includes a prohibition on the transfer of personal data from The Bahamas to another country if the destination country does not provide protection equivalent to that required by the DPA.
We Have Met the Enemy and He is Us
Organizational mismanagement or sloppiness is the source of twice as many data breaches as hackers, according to new research by the University of Washington. Electronic records are hemorrhaging out of organizations at the rate of 6 million per month in 2007, up from 200,000 a month last year. The study and its alarmingly high estimated rate of data losses were issued prior to revelations in late March that the TJX breach is now likely to constitute the largest breach of consumer data ever reported, exposing data of 45.7 million individuals. The previous record was set by the June 2005 CardSystems breach, which affected 40 million credit card holders.
No Private Sector HR Data Breaches in March
For the first time in two years a month went by without a report of a breach of employee data by a private sector employer. Breaches of HR data were limited to those affecting 16,000 civilian employees of the Army Training and Doctrine Command in Fort Monroe, Virginia when a laptop was stolen from a vehicle; the theft of a laptop containing personal data of 1,300 California National Guard troops deployed to the U.S.-Mexico border; the loss of personal information of 1,950 employees of Springfield City Schools in Ohio, stored on a laptop stolen from the home of a state auditor; and a breach of personal data of 380 St. Mary Parish public school employees in Centerville, Louisiana, when the information was unintentionally made available to an Internet search engine.
Canadian Privacy Commissioner Calls for Changes in PIPEDA
During her second appearance before a Parliamentary committee reviewing Canada’s federal privacy law, Commissioner Jennifer Stoddart recommended changes to PIPEDA in nine areas, and not in six others. The most significant change impacting employers was her advocacy for minimizing the role of consent in the employment context, in a manner similar to that found in the provincial law of Alberta. The Commissioner also made a detailed and extensive argument against incorporation of a “work product” exemption into PIPEDA’s definition of personal information. While backing a data breach notification requirement, she recommended that no changes be made with respect to transborder data flows or the enforcement powers of her office.
More Employee Records Go AWOL
Breaches of employee data continued with the Department of Veterans Affairs announcing that an external hard drive that went missing in January actually may contain unencrypted sensitive information on about 535,000 veterans and billing information on 1.3 million doctors. A furor erupted last May when the VA lost a laptop containing personal data on 26.5 million veterans. In another case, nine back-up tapes containing personal data on 53,000 employees and retirees, as well as 83,000 patients, were reported missing by Johns Hopkins, after being inadvertently left near a garbage bin by a San Diego contractor, Anacomp.
Huge UK Fine Triggered by Lost Laptop
The UK Financial Services Authority fined Nationwide Building Society the equivalent of $2 million over lax security practices culminating in the loss of a laptop containing customer personal information. The size of the fine is one sign of a stiffening attitude towards enforcement by regulators seen this year in the UK; ironically it will be borne by the victims, since Nationwide is a mutual society in which the only shareholders are the customers. The UK Information Commissioner’s Office was reported to have deferred handling the case to the FSA because of the latter’s far greater enforcement powers.
Hong Kong to Introduce Registration Requirements
Taking advantage of powers granted under the Personal Data (Privacy) Ordinance (1996), the Hong Kong Privacy Commissioner announced plans to require data users to register with his office, beginning later this year. Failure to register may result in fines of up to HK$10,000 (US$1,280). The Commissioner, Roderick Woo, announced that he would begin by focusing on organizations holding the largest amount of data, for example, those with records on millions of individuals.
President Bush Supports Genetic Privacy Legislation
President Bush urged Congress to pass long-stalled legislation to safeguard genetic privacy, which would address the fears of individuals that employers and insurers might use the results of genetic testing to discriminate against them. A genetic privacy bill passed the Senate unanimously in 2003, but died in the House. With the support of scientists, patients’ advocates and companies such as IBM, the bill was reintroduced in the House in January, where its prospects for passage are viewed as good.
Chief Information Security Officer Arrested in Theft of Laptops
Five laptops containing data of tens of thousands of workers at United Technologies, Altria and Prudential Financial were stolen from the New York office of Towers Perrin. In an unusual twist on the all-too-familiar story of HR data breaches, it was announced that Towers Perrin’s chief information security officer had been arrested and charged in the case.
Canadian Court: Employers Must Obtain Consent of Employees
On January 29, the Federal Court of Appeal in Canada issued a far-reaching decision in the TELUS biometrics case. The case arose from a complaint by several employees that their employer violated their privacy rights under PIPEDA by coercing them into participating in a system providing remote access to company databases through voice authentication. An Assistant Commissioner in the Office of the Federal Privacy Commissioner had argued that since the voice authentication system was a reasonable use of employee personal information, Telus had the implied consent of its employees for the collection of their voice prints. However, the Court of Appeal rejected this argument, asserting that unless one of the short and exhaustive list of exceptions found in Section 7(1) of the Act applied, employers were obligated by PIPEDA to seek the consent of employees for the collection and use of their personal information. The Court side-stepped the issue of whether Telus has the right to undertake disciplinary measures against employees withholding consent.
New Russian Privacy Law May Prevent HR Data Transfers to U.S.
According to an English translation of the new Russian privacy law made available by Hunton & Williams, the legislation, which for the most part mirrors European privacy law closely, makes no mention of contractual safeguards, Safe Harbor or binding corporate rules as a legal basis for transferring employee data to countries lacking an adequate level of data protection, such as the U.S. Consent would appear to be the only relevant option, but may be as problematic in the employment context in Russia as it is in Europe.
Compromise of Data Top Concern of Executives
Data security is the biggest worry of corporate executives. According to a new Harris Interactive survey of nearly 200 senior executives, 61 percent of respondents ranked the compromise of corporate information systems as a higher concern than any other crisis, including terrorism, corporate malfeasance, product recalls or work-force violence.