News Archives

2009

News Archive
December 2009

Supreme Court to Hear City of Ontario vs. Quon
The U.S. Supreme Court announced that it would review a case, City of Ontario vs. Quon, that focuses upon the privacy of text messages sent by an employee using an employer-issued texting device.  The employer, a police department, allowed personal use of the devices but accessed the messages in question when their volume seemed excessive.  The U.S. 9th Circuit Court of Appeals ruled last year that police officers had a reasonable expectation of privacy in their text messages, particularly since a supervisor had led Officer Quon to believe that his personal messages would not be reviewed.  Arguments in the case will be heard in the spring, with a ruling expected before the end of June.

Facebook Changes Privacy Controls, Provokes Critics
Facebook revised its privacy controls, requiring all 350 million users logging in to re-consider what information they wanted shared with whom.  While the changes were promoted as giving users more granular control over their information, critics lambasted them, citing their opacity, the fact that the default setting was to share everything with everyone and the new mandatory publication of profile information.  Facebook subsequently back-pedaled, allowing friends lists to be private, but not sufficiently to dampen the firestorm of criticism.  The Electronic Privacy Information Center (EPIC) filed a complaint against Facebook with the FTC, asking the regulatory agency to enjoin the company’s unfair and deceptive business practices and to require it to protect users' privacy.

Online PHR Vendors Graded on Privacy Protections
Patient Privacy Rights, an advocacy group headed by Dr. Deborah Peel, issued a report card on the privacy protections described in the website policies of personal health record (PHR) vendors.  The grades assigned were as follows: No More Clipboard – A; Microsoft HealthVault – B/F; WebMD – C; CapMed–icePHR – C; Google Health – D/F; and PHRs Offered by Employers and Insurers – F.  Independently, a survey of 1,000 physicians in Massachusetts found that 71% were either concerned or very concerned about possible privacy breaches associated with the use of electronic health records.

Another Lull in HR Data Breaches
Following comparable lulls in September and October, only three breaches of HR data were reported by employers in December:  Textron (an undisclosed number of the aerospace company’s 43,000 employees impacted by a misplaced USB hard drive); Notre Dame University (personal information, including names, SSNs, dates of birth and zip codes, of 24,000 employees accidentally exposed on the Internet); and the State of Minnesota (names and SSNs of 500 employees accessible on the website of Lookout Services, a third party vendor that carried out E-verify checks for the state).

Major Revamp of EU Data Protection Law Coming
Viviane Reding, previously the Commissioner for Information Society and Media, was nominated by the European Commission to the new post of Commissioner for Justice, Fundamental Rights and Citizenship.  In this role she will oversee the significant revamp of EU data protection law that was initiated with the Commission’s consultation on this topic launched in July.  The entry into force of the Lisbon Treaty, on December 1, created a more secure and stable legal basis for treating data protection as a fundamental right in the European Union, while also increasing the power of the European Parliament in data protection matters.

New Rules for Oversight of System Admins in Italy
The Italian Data Protection Authority issued a decision regulating system administrators in November 2008 that finally came into force on December 15.  The decision requires companies and public entities to closely supervise the activity of their system administrators.  According to DataGuidance News, data controllers need to maintain an internal record that identifies system administrators and their tasks, conduct annual assessments of their compliance with appropriate organizational, technical and security measures, and also maintain a record of any system administrators in charge of outsourced data.

November 2009

Commissioners Approve Draft Global Data Privacy Standard
A new draft global data privacy standard was unanimously approved by 80 Data Protection Authorities from 42 countries at the 31st annual privacy commissioners’ conference held early in November in Madrid.  While not legally binding, the draft supplements the level of protection provided by the EU Data Protection Directive with the best components of privacy codes or laws in various regions of the world.  For example, it includes provisions for data breach notifications and incorporates strong provisions relating to accountability and pro-active governance.  The draft also dramatically expands the definition of sensitive data.  While its development into a binding international instrument would require many years of effort, the draft is likely to be very influential and serve as a significant point of reference.  Presentations from the annual conference in Madrid are available online.

Department of Commerce to Review Safe Harbor Privacy Policies
The U.S. Department of Commerce announced that it will review the privacy policies of participants in the Safe Harbor program to ensure that they clearly indicate adherence to the Safe Harbor Privacy Principles. However, the review will only occur as companies come up for their annual re-certification. This new effort to meet European criticism of the program, stemming in part from the study released last year by Galexia, an Australian consultancy, was announced by the DOC’s Damon Greer at the Conference on Cross Border Data Flows, Data Protection and Privacy held in Washington, DC on November 17-18.

Alberta Revises Privacy Law
The government of Alberta enacted significant amendments to the province’s Personal Information Protection Act in late November. According to a PrivacyScan newsletter, the new requirements include (a) mandatory notification of data breaches to the Privacy Commissioner’s office, where a decision will be made as to whether data subjects should also be notified; and (b) the provision of notice to data subjects whenever their information will be transferred to, or collected by, a service provider (including a parent or affiliate company) in a foreign jurisdiction.

Eight HR Data Breaches in November
Following lulls in September and October, a more typical number of data breaches were reported by U.S. employers in November, including those experienced by MassMutual (an unknown number of employees impacted by a hack into a database of benefits information maintained by a vendor); the Army Corps of Engineers (60,000 soldiers and civilian employees affected by a external hard drive missing in Dallas); the Nebraska Worker’s Compensation System (personal information of several thousand claimants compromised by a hacker); Notre Dame (24,000 employees jeopardized by the accidental posting of their personal information on the Internet over a three year period); Sea Ray Boats (personal information of 341 employees inadvertently distributed via email); FCI USA (2,000 current and former employees impacted by a stolen laptop); Eisai Inc. (a laptop containing personal information of an undisclosed number of employees and applicants stolen from an HR employee’s car in New Jersey); and Vancouver (WA) Public Schools (a security breach in the schools’ payroll system impacting 3,000 employees and leading very quickly to reports of suspicious banking activity). 

Massachusetts Finalizes Data Security Regulations
On November 4th the Massachusetts Office of Consumer Affairs and Business Regulation announced its final regulations (201 CMR 17.00) prescribing how entities owning or processing personal information of Massachusetts residents must protect such data.  The most significant changes in the regulations, which come into effect on March 1, 2010, extend the coverage of the regulations to entities that merely store personal information on behalf of others and add two years to the date by which companies must apply specific rules to contracts with service providers.  The core of the regulations is the mandate of having a comprehensive, written information security program, including the encryption of laptops and other portable devices.

October 2009

FTC Settles with Six Companies Claiming Participation in Safe Harbor
The FTC followed up on last month’s first public Safe Harbor enforcement action with tentative settlement agreements with six companies that claimed to be certified under the International Safe Harbor Program, while in fact they had let their certifications lapse. Details of the settlement are not yet available, but at a minimum will require the companies to either re-certify or withdraw claims that they are certified.  The FTC action is more of a warning flare than the comprehensive enforcement action it could have been.  For example, 13 of the first 29 companies on the current Safe Harbor list, some 45%, are shown as having a certification status that is not current.  Some of these companies may have lawfully exited the program, but it would not be surprising if many had let their certifications lapse while still claiming to be participants.

EEOC Issues Guidance for Employers in Handling Pandemic Flu
The Equal Employment Opportunity Commission (EEOC) issued guidance for employers on how to respond to an H1N1 pandemic without violating the Americans with Disabilities Act (ADA), the Occupational Safety and Health Act (OSHA), the Family and Medical Leave Act (FMLA), prohibitions against discrimination based upon national origin, privacy laws, workers’ compensation, and disability benefits laws.  The guidance follows by a month that issued on the same topic by the CNIL in France.

Employee Awarded $1.8 Million for Invasion of Privacy
A jury awarded a former employee of Illinois-based North American Corporation, a business services firm, $1.8 million after finding that the company had used a private investigator who employed pretexting techniques to obtain her phone records.  However, the company prevailed in a separate counter-claim against the employee for anti-competitive conduct, which it claimed constituted the grounds for its investigation; the employee was ordered to return $630,000 of the $1.8 million to the company.

Microsoft to Seek ISO Certification for Its Cloud Services
At a time of broad and continuing doubts about the ability of cloud vendors in general to properly secure their services, Microsoft wants to get its suite of hosted messaging and collaboration products certified to the ISO 27001 international information security standard.  The company believes that FISMA security standards, which Google has announced it is seeking certification to, are outdated and inadequate.  A spokesman said that Microsoft wanted to ‘take it up a notch.”

Are US Employers Finally Protecting HR Data?
It was another relatively quiet month for HR data breaches, with only four reported in the US.  The most serious breach involved two separate hacks into the online systems of New Jersey-based PayChoice, one of the nation’s largest providers of payroll services; PayChoice has a client list of 125,000 employers, potentially exposing financial information of millions of payees.  Other breaches reported include Bullitt County Public Schools (KY) (names and SSNs of 676 employees accidentally sent by e-mail to all 1,800 employees); US Army Special Forces (Fort Bragg, NC) (names, SSNs, home phone numbers and addresses of 463 soldiers, found on the Internet in connection with a Congressional move to address data leaks on peer-to-peer networks); and the Bank of New York Mellon Corp. (computer technician who was a contractor to the bank charged with ID theft involving personal information of 150 employees).

DPA Finds Daimler Pre-Employment Blood Tests Illegal
The Data Protection Authority (DPA) for Schleswig-Holstein ruled that pre-employment blood tests carried out by German automaker Daimler are illegal and that the data must be deleted.  Although the tests are voluntary and the company tests candidates only in the final stages of job selection, the DPA said the practice breaks "all existing data protection regulations." The ruling underscores the point that employers in many EU member states are on dangerous footing when collecting sensitive information, even with the consent of the employees involved and when other protections for the data are in place. Daimler, which invented and pioneered the use of binding corporate codes (BCRs), has long been a world-class leader on privacy issues.

September 2009

Shared Assessments Program Expands Membership
Shared Assessments, an international vendor risk management standards group founded in 2005 by the BITS Financial Services Roundtable, has opened its door to outsourcers in healthcare, retail, telecommunications, manufacturing, higher education, government and other sectors.  In October, the program, which currently has 60 members, will publish tools mapping privacy controls to the AICPA/CICA framework, GLBA, HIPAA, HITECH Act and PIPEDA regulations as well as the EU Directive and other laws. The updated tools will be available for free download on the Shared Assessments website.

Dept. of Defense to Let Troops Use Social Media
The Defense Department (DOD) plans to allow troops to use social media for both official and unofficial purposes, according to a report in Nextgov. The new policy will reverse that of some military services and allow troops and their families to use Facebook, Twitter and other social software, as well as e-mail, instant messaging and discussion forums, running on DOD’s unclassified network.

September Lull in HR Data Breaches
Only three data breaches affecting employees were reported during September, by Naval Hospital Pensacola (38,000 servicemen and beneficiaries who use its pharmacy services notified that a laptop containing their personal information was missing), Eastern Kentucky University (names and SSNs of 5,045 faculty, staff and student workers inadvertently put on the Internet for a year) and Kraft Foods (an undisclosed number of employees impacted by the theft of a laptop and USB drive from the car of a accounting and payroll worker in the company’s shared services center). 

Hustinx Expects UN, OECD to Adopt New Data Privacy Standard
Peter Hustinx, the European Data Protection Supervisor, stated that he expects the UN and the OECD to adopt the new international data protection standard that will be announced by the world’s data protection authorities at next month’s conference of privacy commissioners in Madrid.  While the standard will need to be implemented in national laws, Hustinx believes it is on the path to becoming globally enforceable.

Hyatt Becomes First Company to Win Expedited BCR Approval
Hyatt Hotels and Resorts became the first company to win expedited approval of its corporate code of conduct (Binding Corporate Rules) through the office of the UK Information Commission.  According to Privacy Laws & Business, while four other multi-nationals (Atmel, Accenture, Philips and GE) secured approval of their BCRs in the UK over the last four years, Hyatt’s use of the EU’s new mutual recognition procedure reduced the time required to 12 months.  Seventeen EU member states currently participate in the procedure, which is expected to yield even faster approvals in the future.

CNIL Fines Company for Covert CCTV System
The French Data Protection Authority (CNIL) fined Jeanne Marc Philippe, a French clothing designer, €10,000 for installing a CCTV system that collected data about employees in an unlawful and disproportionate manner.  According to a report in Data Guidance News, employees were monitored without their knowledge, even in places where there was no particular threat to security.

August 2009

Massachusetts Revises ID Theft Regs, Extends Deadline
The Massachusetts Office of Consumer Affairs and Business Regulation revised its new ID theft regulations to be less prescriptive than earlier versions and to provide greater flexibility for small businesses.  Any business that processes or stores the personal information of Massachusetts employees or consumers will need to address the state’s requirements for a written, comprehensive information security program by the new deadline of March 1, 2010.

Facebook Will Meet Canadian Privacy Objections
The Privacy Commissioner of Canada announced that she is satisfied that the changes Facebook has agreed to make to its privacy practices and policies will bring it into compliance with Canadian privacy law.  The changes, to be implemented over the next 12 months, will also be rolled out globally.  The changes will address access by third-party developers to user information, de-activation of accounts, personal information on non-users and accounts of deceased users.  Earlier in the month, Facebook tweaked its terms of service in a variety of areas relating to privacy.

Seven HR Data Breaches Reported in August
There was no summer holiday for HR data breaches, with seven breaches reported during August, including the US Dept. of Commerce (27,000 employees exposed to risk when an employee of the National Finance Center, which handles payroll and personnel matters for the DOC, sent their information to a co-worker via an un-encrypted e-mail); the Army National Guard (131,000 soldiers of the Guard warned after a contractor’s laptop was stolen); the Colorado Dept. of Corrections (personal financial records and family information of more than 1,000 staff accidentally sent by a payroll employee to 100 co-workers); New Hampshire Dept. of Corrections (records of 1,000 employees found under a prisoner’s mattress, due to poor document disposal practices); Lockheed Martin (an unidentified number of employees affected when researchers found their personal information on a hard drive for sale on eBay); Williams Company (personal data of over 4,400 of the Tulsa firm’s workers exposed when a laptop was stolen); and Chart Industries (1,600 employees placed in jeopardy when several laptops were stolen from the Ohio firm).

FTC Brings EHR Vendors Under Breach Notification Rule
The Federal Trade Commission issued a rule broadening the reach of data breach notification rules covered by HIPAA. The new rule applies to companies that provide an online repository of health information, such as vendors that offer web-based tools to track and maintain blood pressure readings and other health-related data.  Vendors in this category, which include Microsoft’s HealthVault, Google Health and WebMD, are typically not covered by HIPAA requirements.

FTC Takes Enforcement Action over Safe Harbor
The Federal Trade Commission secured a temporary injunction against a California-based company, Balls of Kryptonite, for deceptively making a claim that it was a participant in the US/EU Safe Harbor Program.  According to the FTC, the company copied Amazon.com’s privacy policy and posted it on its own website.  While the FTC is known to investigate potential breaches of Safe Harbor commitments, this is the first time in the nine-year history of the program that such investigations have led to a public enforcement action.  The case, which involved other issues as well, will be heard in federal court unless a settlement is reached.

South African Privacy Bill Approved by Cabinet
Nine years in the making, a comprehensive data protection bill, drafted by the South African Law Commission and modeled upon European legislation, has been approved by the Cabinet and referred to Parliament.  Officials are hopeful that the law, not expected to be enacted at the earliest until the end of the first quarter of 2010, will secure an adequacy finding by the European Commission.

July 2009

Commissioner Finds Facebook Violates Canadian Privacy Law
Following an in-depth investigation of the practices of Facebook in response to a complaint filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC), Jennifer Stoddart, the Privacy Commissioner of Canada, issued her long-anticipated findings in a detailed 100-page report.  While some of the twenty allegations in the CIPPIC complaint were found to be unfounded or resolved during the investigative process, the Commissioner found that Facebook violates Canadian privacy law in at least three significant respects:  failure to limit the access of third party application developers to user data; failure to allow users to easily delete their accounts and associated personal information; and requiring users to consent to keeping their profiles active for memorial purposes in the event of their death.  Facebook has thirty days to come into compliance or announce a plan to do so, after which the Commissioner has indicated she will make an application to Federal Court to compel them to do so.  The findings are a major blow to Facebook’s business model and will be extremely influential with privacy regulators in other countries.  The Privacy Commissioner of Australia has already indicated in response to Commissioner Stoddart’s report that Facebook may be breaching Australian privacy laws: European regulators announced their concerns about social networking sites in June.

DHS to Push Ahead with E-Verify but Drop “No-Match Rule”
In spite of opposition from the US Chamber of Commerce, SHRM and other business groups, DHS Secretary Janet Napolitano voiced the administration’s support for the E-Verify system as the means of verifying eligibility for employment by federal contractors.  At the same time, DHS is rescinding the 2007 No-Match Rule, which has been blocked by court order.  The Senate also passed a number of amendments bearing upon the E-Verify requirement, which is slated to come into effect September 8.

Cloud Computing Standards Group Formed, but Feds May Not Wait
Industry groups and standards bodies have formed the Cloud Standards Coordination Working Group, to develop a strategy for cloud computing standardization that will include standards for data security, along with ones for interfaces, management frameworks, data exchange formats and other topics.  However, federal CIO Vivek Kundra says the government may create its own set of cloud security standards and certify those services that meet them, so that federal agencies can move into cloud computing more quickly.

Big Companies, School Districts and Laptops Dominate July Breaches
Eight breaches of  employment-related data were reported during July, including losses by Northrop Grumman (a stolen back-up hard drive containing personal data of an unspecified number of employees in West Virginia); Proctor & Gamble (a laptop used by their employee benefits administrator, IBM, was stolen); Tyco Flow Control Americas (the payroll manager’s laptop stolen during a weekend break-in at his Houston office); AT&T (a temp indicted for stealing personal information of 2,100 Chicago-area employees in an ID theft scheme); school districts in suburban St. Louis (a stolen laptop with personal data of 1,700 employees), Fayetteville AK (39 teachers registered with the same benefits provider victimized in an ID theft scheme), and Salt Lake City (information relating to 6,000 employees exposed on a missing USB drive); and city employees in Brighton CO (an unspecified number of employees placed in jeopardy when a laptop was stolen from an IT engineer’s pickup truck while he was playing golf).  Six of the eight breaches (75%) involved stolen laptops or storage media, while two (25%) involved benefits administrators.

DP Law Amended, Employee Privacy Act Coming in Germany
On July 3 the German Parliament passed comprehensive amendments to the Federal Data Protection Act, subsequently confirmed by the Federal Council, covering marketing, security breach notification, service provider contracts and new protections for employee data.  The new amendments, which come into effect September 1, also provide stronger protections for internal data protection officers, enhance the authority of data protection authorities, and increase fines and sanctions for violations.  In addition, a new Employee Privacy Act is expected to be enacted after Germany’s elections this fall, according to an article by Flemming Moos in IAPP’s Privacy Advisor

CNIL Drops Prior Authorization for Safe Harbor Transfers
Following the recent successful passage of a legislative amendment streamlining the operations of the CNIL, the French data protection authority, the authority has dropped the requirement that transfers of non-sensitive data under the Safe Harbor program require prior approval.  The change in policy was reflected in new documents posted on the CNIL website.

June 2009

Court Rules MySpace Comments Off-Limits to Boss
A federal jury in the U.S. District Court in Newark ruled in favor of two employees of Houston’s Restaurant in Hackensack, NJ, after they were fired on the basis of negative comments they made on their password-protected MySpace group website.  Their boss gained access to the comments by pressuring a co-worker to reveal her password.  The jury, finding that the company had violated state and federal communications laws and acted maliciously, awarded the employees $17,000 in back pay and damages.

Nine HR Data Breaches in June
Nine breaches of HR-related data were reported in June:  Tyco Flow Control Americas (an undisclosed number of employees impacted when burglars in Houston stole the payroll manager’s laptop and also breached locked rooms containing HR and payroll records); Maine Office of Information Technology (597 recipients of unemployment insurance had their SSNs and other personal information mailed to another individual because of a printing error); Vocus (an undisclosed number of employees jeopardized by mis-delivery of a box containing HR data); Beam Global Spirits & Wine (unauthorized access of an HR/Payroll database by a former employee); CS Stars (the maker of risk management software had an unencrypted portable hard drive stolen, impacting 28,000 claimants for workers compensation); Florida Department of Revenue (a stolen flash drive containing personal data on 2,826 employees of a variety of businesses); Battle Creek City, MI (65 city employees impacted when the mayor posted SSNs and other confidential information on a public website linked to his Twitter account); Sutter Health (6,000 former and current employees jeopardized when a computer repair shop found their records on an old laptop that had been resold); and AARP (personal information of an undisclosed number of employees unaccounted for when a laptop was stolen from the home of an employee).

Growing Role of Organized Crime in Data Breaches
Verizon’s 2009 Data Breach Investigations Report, which analyzed some 90 data breaches reported in 2008 involving some 285 million records, concluded that malicious or careless company insiders are no longer the prime cause of data breaches.  Instead, organized criminal groups now appear to be the major threat companies face in trying to secure sensitive personal information, with 91% of the records breached traceable to such groups.  The survey also found that 94% of breaches (and 99.9% of pilfered records) are attributed to online assets, including servers and applications, as opposed to user systems, offline storage or data in transit. In a major disconnect with these Ponemon findings, another survey by NetWitness found that only 18% of Chief Information Security Officers view external threats as their major concern, instead focusing upon risks posed by insiders.

Social Networking Sites Subject to EU Data Protection Law
The Article 29 Working Party, an advisory body to the European Commission, has issued a 13-page opinion on social networking sites that says the operators of the sites, as data controllers, are subject to European data protection laws no matter where their headquarters are located and are responsible for the privacy of their users.  Users of such sites are also data controllers if they if they are acting on behalf of a company, association or in pursuit of commercial, political or charitable goals.  The opinion puts to rest the argument that those offering social networking sites are merely data processors and therefore not subject to the Data Protection Directive.

British Standard on Data Protection Published
The British Standards Institute (BSI) issued a standard, BS 10012:2009, whose objective is to enable organisations to put in place a personal information management system (PIMS) that conforms to best practice and aids compliance with data protection law.  The standard requires issuance of a policy listing commitments in 15 areas, with an emphasis upon shaping the organizational culture, audits and continuous improvement.

Federal Data Protection Law Progresses in Mexico
Representatives of the Mexican government, speaking at the Ottawa meeting of the Tri-Lateral Committee on Transborder Data Flows, described amendments to the Mexican Constitution that recognize a fundamental right of personal data protection and give the Federal Congress powers to enact a federal law that what would apply to the private sector.  A new bill was agreed upon by private sector and public sector representatives and is expected to be passed in the new session of the Chamber of Deputies, which begins in September.

May 2009

NIST Backs Overhaul of 1974 Privacy Act
The Information Security and Privacy Advisory Board of the National Institute of Standards and Technology' (NIST) issued a report calling upon Congress to amend and update the 35-year old federal privacy law governing the public sector.  The 40-page report cited the need to improve federal privacy notices; clearly cover commercial data sources; expand the definition of "system of records" to encompass relational and distributed systems based on government use of records, not just its possession of them; and create a federal Chief Privacy Officer within OMB.

Ten More HR Data Breaches
Breaches of HR data were reported in May by the following ten organizations:  Godwin Pumps of America (stolen laptop with data on 180 employees); Catalent Pharma Solutions (personal data of 2,656 employees exposed when a laptop was stolen from a vehicle in New Jersey); United Food and Commercial Workers Union (at least 19,000 members of Oregon’s largest private-sector union, and 28,000 members in Alberta, jeopardized by a laptop stolen in the union’s New York office); Continental Airlines (a second laptop stolen this year, impacting an undisclosed number of employees); Pfizer (once again in the news when an undisclosed number of individuals were impacted by a backup hard drive being thrown into the trash); Toledo Naval Recruiting Office (thousands of records relating to recruits discarded in a dumpster without proper shredding); New Jersey Department of Labor and Workforce Development (28,00 unemployed residents notified that their personal data was sent to the wrong employer because of a clerical error); Indiana Department of Workforce Development (SSNs of 4,500 unemployed residents sent to the wrong companies because of a printing error by Pitney Bowes Management Services); Boston-based Health Dialog Services Corporation (an undisclosed number of employees impacted by hacking of the corporate network); and Aetna (65,000 employees notified of a breach of a website that also contained contact information for 450,000 job applicants).

Proposal for New International Standard Moves Forward
Progress was reported on the development of a new international standard for the protection of personal information.  The standard, developed over the last year under the auspices of the Spanish Data Protection Agency, is expected to be approved at the November Conference of Data Protection and Privacy Commissioners in Madrid and then submitted to the United Nations as the basis for a treaty.

French Pass Law to Speed Data Transfer Approvals
According to DataGuidance News, a law was enacted in France to simplify the procedures of the French Data Protection Authority (CNIL), by giving the power to approval international data transfers to the President of the CNIL. Previously, the CNIL Assembly as a whole had to approve each transfer application, a process typically requiring two to four months of waiting time.  France is one of the few EU member states to require such advance authorizations.

Online Personal Health Records to Remain in Canada
Within the next 8-12 months Canadians will be able to keep their health records and manage doctor's appointments and prescriptions online, through a partnership between Telus Health Solutions and Microsoft.  Microsoft has promised that the records will be stored on Canadian computers and remain within the country.  Canada Health Infoway, a government-funded organization pushing for an electronic health record system, and Ann Cavoukian, the Privacy Commissioner of Ontario, expressed support for the offering, which will be known as the Telus Health Service.  Telus plans to make the service available to governments, health regions, hospitals, insurers and employers.

Forrester and Chambers Urge Heightened Scrutiny of Cloud Security
Forrester issued a report entitled “How secure is your cloud?”, pointing out unlike in traditional outsourcing relationships, companies using cloud computing applications share servers with other customers and may not know where their data is stored or how it is replicated.  According to the report, the lack of visibility and control needs to be compensated for by increased scrutiny of how the vendor protects data at rest and in motion; the vendor's documentation available to auditors; authentication and access control procedures; and whether the vendor has proper data segregation and data leak prevention measures.  Separately, John Chambers, the Chairman of Cisco and a big supporter of cloud computing, conceded that it currently was a “security nightmare”.

April 2009 

FTC Issues Draft Breach Notification Regulations
The FTC released proposed data breach notification regulations for electronic health records, as called for in the HITECH Act.  The regulations, open for public comment until June 1, 2009, are the first set of breach notification requirements at the federal level in the US.  Furthermore, they will greatly expand the number of companies that would be subject to notification requirements. The extent to which any health-related records that an employer may maintain in an electronic form will fall under the coverage of the regulations remains to be determined.  The FTC’s hard-line approach to enforcement is likely to come as a shock to the healthcare industry, according to Pam Dixon of the World Privacy Forum.

Eight HR Data Breaches in April
HR data breaches blossomed in April, with data losses reported by the University of Washington (SSNs of 6,000 employees exposed through a security lapse in two parking-management servers); State of Maryland (8,000 employees impacted when information about their participation in health savings accounts was lost in the mail); State of Illinois (170 employees notified that their SSNs and names were exposed through inappropriate use of P2P software to download music by a staff member of the Department on Aging); Irving TX School District (3,400 employees exposed and some victimized when confidential records were placed in a dumpster); New Orleans public schools (personnel records left in an abandoned unlocked warehouse owned by the school system); Fujitsu Consulting (data of over 3,000 employees of Travelers and other clients lost by an overnight courier service); Fox Entertainment (data of an undisclosed number of employees mis-appropriated by a benefits department employee who was arrested and fired); and FairPoint Communications (portable storage device with personal data of 4,200 employees reported missing). 

DHS Privacy Office in Forefront on Use of Social Media
The Homeland Security Department’s privacy office will hold a conference to explore privacy and security issues in the use of social media by government agencies. The “Government 2.0: Privacy and Best Practices” conference, to be held June 22-23 in Washington DC, is open to the public.

Corporate Spying Scandals Continue to Mount in Germany
Scandals over corporate spying on employees continue to roil public opinion in Germany.  The head of Lidl, the German-based discount chain that operates in every EU member state as well as in the US and Canada, was fired and the company fined some $2 million, following revelations in March that it used private detectives to spy on its employees.  Compounding the privacy law violations, documents found in a dumpster contributed to the unearthing of the covert surveillance scheme. Another major German company, Airbus, also admitted spying on its own workers between 2005 and 2007, without the awareness of its works council, in an effort to prevent corruption.  Along with recent similar privacy abuses by Deutsche Telekom and Deutsche Bahn, pressure continues to ratchet up for new employee privacy legislation at the national level.  According to Privacy Laws & Business, a new bill or set of guidelines is expected to be promulgated before Parliamentary elections this fall.

NIST Issues Password Management Guidance
The National Institute of Standards and Technology (NIST) announced the publication of a draft Guide to Enterprise Password Management, released for public comment until May 29, 2009. The guide, SP 800-118, is intended to help organizations understand and mitigate common threats against character-based passwords, focusing on topics such as defining password policy requirements and selecting centralized and local password management solutions.

Privacy-information Services: The Free, the Cheap and the Pricey
Computerworld published a valuable summary of privacy information services, designed to help track and explain the expanding universe of privacy news, developments, regulations and laws.  The survey, prepared by Jay Cline, covers free websites, newsletters and news feeds; fee-based periodicals; and fee-based databases.

March 2009

Behavioral Targeting Moves to Center Stage
Behavioral targeting, the practice of tailoring ads to web users by tracking their online activities, made headlines around the world in March.  As Google began serving up what it called “interest-based ads”, privacy advocates in the US called upon the FTC to stop the practice, several congressmen promised legislation that would require opt-in consent and the head of consumer affairs for the European Union threatened a crack-down on what she termed the “World Wild West.”  Technical responses also emerged:  a Harvard University fellow released a browser plug-in called TACO that will block the targeting; Microsoft released Internet Explorer 8, which facilitates opt-outs on a per-session basis; and a University of Pennsylvania professor urged creation of a tracking icon that would accompany targeted ads. 

Most March HR Data Breaches in Public Sector
Seven breaches of HR data in the public sector, as well as two in the private sector, were reported in March:  New York Police Department (80,000 active and retired officers impacted by the theft of a backup tape by the department’s civilian telecommunications director); Sonoma County Sheriff’s Department (1,000 employees at risk when thieves stole four laptops from police cars in Santa Rosa, CA); Idaho National Laboratory (a disc containing records of 59,000 current and former employees of the Dept. of Energy facility went astray during shipping by UPS); Penn State Office of Physical Plant (SSNs of 1,000 employees exposed by a virus that infiltrated an administrative computer); Central Ohio Transit Authority (personal data of 900 current and former employees accidentally sent to dozens of insurance companies who were bidding for work with the agency); Elk Grove Unified School District (a paper document with SSNs of more than 500 employees lost by an employee); Kentucky Retirement Systems (personal data of 28,000 state retirees e-mailed without encryption by Walgreens Health Initiative, the state’s pharmacy benefits manager); Kaiser Permanente (29,500 workers impacted by the theft of a computer from the offices of a union); and Xcel Energy (an e-mail containing SSNs of an undisclosed number of employees distributed internally to parties not needing them).

PHR Vendors Slow to Embrace ARRA Requirements
Although David Blumenthal, President Obama’s choice to be the national coordinator for health information technology, believes that Congress intended the 2009 stimulus bill to subject personal health-record (PHR) systems developed by Microsoft and Google to federal privacy and security laws, the vendors themselves do not agree.  Google stated that the American Recovery and Reinvestment Act (ARRA) will not bring its PHR services under HIPAA, while Microsoft, the Mayo Clinic and the Cleveland Clinic said they were still studying the issue.  

Google Security Questioned
The security of Google Docs came under fire in March as the company admitted that a glitch in its software caused some documents to be accessible without proper permission and a security analyst subsequently said he found three flaws that could expose private data in other ways.  The Electronic Privacy Information Center (EPIC) urged the FTC to investigate the security of all of Google’s cloud computing apps and to enjoin Google from offering them until they have been found to protect data in a satisfactory manner.

Worker Blacklist Scandal in UK
A major privacy scandal affecting the private sector broke in the UK, where the Information Commissioner launched an investigation into, and then shut down, a secret database that blacklisted construction industry workers who raised safety concerns or had links to unions.  Forty of the top construction firms in the UK were reported to be paid subscribers to the database.

EC Issues Guide to Data Protection Compliance
The European Commission published a useful 54-page set of questions and answers, including a flowchart, to help companies understand their obligations when sending personal data abroad and the means they may use to meet these obligations.

February 2009

Major Changes Coming in HIPAA Requirements
Congress passed an economic stimulus bill containing significantly expanded federal protections for health information and electronic medical records.  The new law, which imposes more stringent HIPAA requirements on health plans, received cross-the-board praise from privacy advocates.

Massachusetts Delays Data Security Regs Until 2010
For the second time, the Massachusetts Office of Consumer Affairs and Business Regulation delayed the implementation deadline for its comprehensive information security requirements, this time from May 1, 2009 to January 1, 2010.  In addition, a revised version of the regulations was issued which softened the requirements relating to third party vendors and eliminated the need to obtain written certifications of compliance from them.

Report Explores Privacy Issues in Cloud Computing
The World Privacy Forum, a San Diego-based privacy think tank, released a 26-page report prepared by Robert Gellman entitled “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing”.  While privacy issues involved in software as a service (SaaS), cloud computing and other Web 2.0 applications are increasingly discussed at conferences and in the media, this is the first in-depth examination of privacy and security questions that need to be addressed before embracing externally-run Internet applications.  Separately, the National Institute for Standards and Technology (NIST) is preparing guidelines for federal agencies concerning the use of cloud computing applications; the guidelines are expected later this year. 

HR Data Breaches Keep on Coming
Seven HR data breaches were reported in February, including the FAA (a hacker was able to locate two files that had been used in system testing and then forgotten about, containing personal data of 45,000 employees); federal agencies such as the Dept. of Defense, the Dept. of Homeland Security and the National Guard, where employees were caught up in the breach reported last month at SRA International; Kaiser Permanente (29,500 employees impacted by the theft of a laptop from the office of an employee union); Parkland Memorial Hospital (personal data of 9,300 employees of the Dallas hospital exposed on a stolen laptop); Arkansas Department of Information Services (data from 12 years of criminal background checks, on 807,000 individuals, unaccounted for by virtue of a missing backup tape); JetAviation Direct (2,227 employees at risk because of a stolen laptop); and Steamboat Springs School District (SSNs and other data on 1,300 employees of the Colorado school district exposed when a laptop was stolen).

Germany Rocked by Spying on Employees Scandal
In response to a major scandal relating to spying on employees by Deutsche Bahn, the national railroad, the German government convened a meeting of top government, union and industry representatives to discuss the need for new workplace privacy legislation.  The CEO of Deutsche Bahn is under intense pressure to resign, following revelations that the company utilized private investigators to covertly examine the bank accounts of nearly all its 220,000 employees over an eight year period in an attempt to root out corruption.  The snooping scandal follows others at Deutsche Telekom and several supermarket chains.  The government was previously reported to be also advancing a new data breach notification law.

Canada Launches Certification Service for EHR Vendors
Infoway, a Toronto-based non-profit organization funded by the Canadian government to accelerate the adoption of electronic health records, has launched a new certification service for vendors who create consumer e-health applications, such as Microsoft HealthVault and Google Health.  When applying for certification, a vendor will need to fill out a self-assessment form on how well their product meets Infoway’s standards, provide an overview of their privacy policy and demonstrate very specific test scripts through their applications.  The certification effort parallels one in the US by the Certification Commission for Healthcare Information Technology (CCHIT).

January 2009

2009 Begins with Ten Breaches of HR Data 
The job site Monster announced its third major breach in as many years, with millions of job seekers impacted as hackers stole user names, passwords, telephone numbers, e-mail addresses, demographic data, birth dates, gender and ethnicity data.  Other breaches included the City of Madison (WI) (data on 300-500 city employees lost on a laptop stolen from a city office, but later recovered); Merrill Lynch (an undisclosed number of employees and applicants impacted by a burglary experienced by a third party consulting service); Pepsi Bottling Group (payroll data of US employees lost after being downloaded to a portable storage device during an audit); State of Indiana (SSNs of 8,775 current and former state employees accidentally posted on the Internet); Continental Airlines (background check information on 230 employees, vendors and applicants exposed when a laptop was stolen from a company office in Newark); SRA International (hacking of SRA network exposed the personal data of all current and former employees, customers, and dependents of employees); the World Bank (names and bank account numbers of an unknown number of employees accidentally posted on the Internet); Occidental Petroleum (spreadsheet of personal data of an undisclosed number of former employees e-mailed to the personal e-mail account of a former employee); and Beaumont City (TX) (personal data of 500 current and former employees accidentally posted online).

NIST Issues New Draft Standard on Protecting PII
The National Institute of Standards and Technology (NIST) announced the release of a draft “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)” for public comment.  The 58-page guide provides many insights into how to determine confidentiality impact levels and craft protective measures appropriate to those levels.

BSI Publishes Draft Data Protection Standard
BSI British Standards published a draft data protection standard which it hopes will become a national standard for how public and private sector organizations can manage personal information in a manner compliant with the Data Protection Act 1998.  The standard, BS 10012, describes how an organization can create and manage a Personal Information Management System (PIMS) to achieve this end.  Public comment on the draft standard is invited until March 31, 2009; comments already submitted can be viewed online.

Canadian Privacy Commissioner Issues Transborder Guidelines
The Office of the Privacy Commissioner of Canada published “Guidelines for Processing Personal Data Across Borders”, explaining how federal privacy law (PIPEDA) applies to transfers of personal information to third parties, some of whom may be operating outside of Canada.  The 10-page guidelines stress that organizations remain accountable for data transferred out of Canada and must use contractual or other means to “provide a comparable level of protection while the information is being processed by the third party.”

Personality Tests Undermined by Availability of Cheat Sheets
As candidates compete for a dwindling supply of retail jobs, those facing employers who use personality assessments in the screening process are finding ways to identify the answers that will get them in the door.  According to the Wall Street Journal, applicants for jobs with companies such as Best Buy, CVS Caremark, and Blockbuster can find the “right” answer through help from friends or by Internet searches. For example, those taking a popular Unicru test provided by Kronos can find job-winning answers in a “Workers and Employers Against Unicru" group on Facebook; a page on correct Unicru answers also was posted on Wikipedia until removed by editors.