FTC Proposes New Privacy Framework
On December 1 the Federal Trade Commission issued its long-anticipated position paper outlining a new approach to privacy protection for consumers, businesses and policymakers. Contending that online companies have failed to protect the privacy of Internet users, the 79-page preliminary staff report proposes a framework calling upon companies to abide by three principles: privacy by design, simplified choice, and greater transparency about data practices. Notable features of the report include support for the creation of a “Do Not Track” mechanism; the designation of certain data usage activities, such as order fulfillment, as “commonly accepted practices” that do not require notice and consent; and recognition that technological advances have made the distinction between personally-identifiable information and non-personally identifiable information irrelevant. The FTC’s interest in protecting employee data is also mentioned at several points in the report. The new framework is said to build upon the FTC’s notice-and-choice and harm-based privacy models, while also addressing some of their limitations. The possibility of recommending new legislation is mentioned only in connection with the creation of the “Do Not Track” mechanism. Public comments on the report were requested by January 31, 2011.
Two weeks after the FTC released its new privacy framework, the Dept. of Commerce unveiled its own green paper on privacy. The 69-page DOC report, developed by the agency’s Internet Policy Task Force, recommends the development of what it calls “a privacy bill of rights" based upon an expanded set of fair information privacy principles, creation of a privacy office within the agency and consideration of a national data security breach notification law. Among the issues the DOC is seeking further comment on during January, besides whether "baseline" privacy legislation should be enacted, are how the privacy principles should be enforced, whether the FTC should be given expanded rule-making authority and whether privacy legislation should include a private right for action for consumers.
Firing Data Security Whistleblowers Not a Good Idea
Ruling in Cutler v. Dike, a California state appellate court upheld a jury finding that an employer illegally fired an employee because he objected to the manner in which his employer maintained its confidential patient information. This decision, along with a similar New Jersey federal court decision in Zungoli v. UPS, reinforces the need for employers to take all employee complaints of data security seriously and to avoid taking any retaliatory action against employees who voice these complaints.
HR Data Breaches Slow in December
Only four breaches of HR data were reported in December: Saint Louis University (a breach of the university’s computer system impacting an unknown number of employees); Wackenhut Services (a hard drive lost in transit from Iraq to the U.S. containing personal information of an undisclosed number of employees of the security firm); Concur Technologies (1,017 employees exposed to ID theft when thieves broke in and stole computer equipment and software from a Washington office over the Thanksgiving weekend); and Kmax Systems (job applications with personal information of an unknown number of candidates found in a dumpster in Orlando, annotated with inappropriate comments of interviewers).
Garante Halts GPS Tracking of Employees
The Italian data protection authority, the Garante, ordered a company to stop processing personal data of its employees collected by means of the installation of GPS systems on company vehicles. The Garante found that according to the Workers Statute (Law No. 300/70) it is possible to install employee localization systems only on the basis of an ad hoc union agreement or permission of the local labor office, which was not done. Companies wishing to install GPS tracking systems need to get authorization from the local labor office and also inform the Garante about the processing of the data and who will be authorized to access the information.
Brazil Launches Consultation on Data Protection Bill
The Brazilian Ministry of Justice published a draft data protection bill on November 20, 2010, with a public consultation on the bill running through January 31. According to a DataGuidance report, the Bill would introduce for the first time a general law on data protection in Brazil, which has so far relied on the Constitution and Consumer Code to protect the privacy of its citizens. Judging from the description of key principles in the bill, namely the proportionality, necessity and purpose principles, the creation of a National Data Protection Board, the definitions of personal information and sensitive personal information, and restrictions of cross-border data transfers contained in the bill, Brazil is preparing to adopt a comprehensive data protection bill on the European model. The draft legislation also includes data breach notification requirements.
Groups File Complaint with FTC over Online Health Sites
The Center for Digital Democracy, U.S. Public Interest Research Group, Consumer Watchdog and the World Privacy Forum asked the Federal Trade Commission to investigate the use of sensitive personal information for marketing purposes by a number of health websites, such as WebMD. The 144-page complaint charges that some sites are not transparent enough about how they track people through online health searches, create user profiles and market to users' conditions. The main concern, said Ed Mierzwinski of U.S. PIRG, is that employers or health insurers could get hold of the profiles. "You could be searching for health information about your cat or your neighbor and it could end up harming your healthcare in terms of denial or increased cost," said Mierzwinski.
Labor Board Opposes Employee Termination for Facebook Post
The National Labor Relations Board accused an ambulance service company, American Medical Response of Connecticut, of illegally firing an employee after she criticized her supervisor on her Facebook page. The case is groundbreaking in that it is the first time the labor board has stepped in to argue that workers' criticisms of their bosses or companies on a social networking site are protected activities that cannot be limited by Internet or social media policies. Morgan, Lewis & Bockius, a law firm with a large labor and employment practice, issued a flash advisory to its clients, saying, “All private sector employers should take note,” regardless “of whether their work force is represented by a union.”
Seven HR Data Breaches Reported in November
Stolen laptops and errant e-mails were prominent in the seven breaches of employee data reported in November: U.S. General Services Administration (12,000 GSA workers alerted after an employee sent the names and SSNs of the agency’s entire staff to a private e-mail address six weeks earlier); Hanger Orthopedic Group (an undisclosed number of employees impacted by the theft of an HR staff member’s laptop); EOD Technology (an unknown number of employees learning through new information developed by the FBI that their personal data had been compromised by a hacker two years ago); Kayser-Roth (an undisclosed number of employees jeopardized by the theft of a laptop from the corporate payroll department in Greensboro, NC); Richmond VA School System (personal data of more than a hundred employees accidentally e-mailed to all Richmond staff); Bare Escentuals (stolen laptop impacting an unknown number of employees); and the Bronx NY Dept. of Veterans Affairs (names and SSNs of 146 employees of the Education Department who took a CPR test left exposed in an unsecured box).
European Commission Releases Outline of DP Reforms
The European Commission issued a 20-page position paper outlining changes needed in data protection law to keep up with rapid technological and business developments in the 15 years since the EU Data Protection Directive was enacted. While the paper affirms the core principles enshrined in the Directive, it sees a number of challenges giving rise to the need to strengthen individual rights when dealing with new technologies, which it proposes to accomplish by increasing transparency for data subjects, including with respect to data breaches; enhancing control over one’s own data, including greater reliance upon data minimization and clarification of the ‘right to be forgotten’; raising public awareness; and clarifying and strengthening rules on consent and sensitive data. The Commission also sees the need to address the internal market perspective, through further harmonization of DP rules amongst the member states, including simplified notification rules; the introduction of greater legal certainty with respect to applicable law; enhancing the responsibility of data controllers, possibly by making appointment of internal DP officers mandatory, by creating an obligation to use privacy impact assessments and by promoting ‘privacy by design’; encouraging self-regulatory initiatives and certification schemes; and extending DP rules to cover police and judicial involvement in criminal matters. Finally, the Commission recognizes a need to clarify and simplify the rules for international data transfers and to strengthen and harmonize the powers of Data Protection Authorities. Public comments on the position paper were invited until January 15, 2011, with new legislation to be proposed before the end of the year.
German Federal Council Calls for Changes in Employee DP Bill
The Federal Council (Bundesrat), a legislative body representing the 16 German länder, submitted 46 pages of recommendations for substantial changes to the legislation drafted by the administration of Chancellor Merkel on employee data protection. Along with its many recommendations for specific changes, the Council expressed its preference for an independent piece of legislation, rather than the approach taken by the government to include employment-related provisions as amendments to a subsection of the existing federal data privacy law.
Indian Government Launches Consultation on Privacy Law
The Indian Department of Personnel and Training (DoPT) launched a public consultation on October 13 on a discussion paper according to which clear privacy legislation “that spells out the nature of the rights available to individuals and the consequences that an organisation will suffer if it breaches these rights” is “imperative” in India. The paper recommends a “hybrid approach” between framework legislation and industry self-regulation. According to the paper, "the legislation should really be in the form of a framework rather than detailed prescriptions. It should highlight the basic principles that any data [controller] will need to [abide by]...Sector-specific or industry specific detailed guidelines will [then] be prepared and approved by the regulator…responsible for enforcing the legislation.” The paper also highlights the importance of developing the concept of accountability.
EEOC Public Meeting Explores Employers’ Use of Credit History
On October 20 the EEOC held a rare public meeting to explore employers’ use of credit history in the selection process. Four states (Hawaii, Illinois, Oregon, and Washington) have already enacted laws restricting the use of credit history and similar legislation is pending before fifteen other states and Congress. None of the participants in the meeting were able to cite a single study showing a link between any particular credit profile and poor job performance or a propensity to engage in dishonest or criminal conduct. The EEOC is also concerned about the disparate impact of employer use of credit histories on protected classes.
State AGs, Other Countries Continue Street View Investigations
Attorneys General in 35 states pressed ahead with their Street View investigation during October, led by Connecticut AG Richard Blumenthal, who stated that Google’s new admissions and changing story only heightened the need for sustained scrutiny. Meanwhile, in Spain, the Data Protection Authority (AEPD) announced that it had initiated a criminal sanction procedure and decided to impose a large fine, possibly over €2.4 million, against Google for five serious infringements of the Spanish Data Protection Act. In Italy, the privacy regulator ordered Google to make sure its Street View cars were clearly marked and their itinerary made public three days in advance through the company’s website, local newspapers and radio. In addition, a judicial source confirmed that prosecutors in Rome are investigating possible violations of privacy laws. In the UK, the Information Commissioner announced that he was launching a new investigation into Street View, with substantial fines one possible outcome; his office subsequently announced that it was hiring a technology specialist, suggesting that its initial scrutiny of Google lacked sufficient technical expertise. In Canada, the federal Privacy Commissioner stated that an investigation by her office showed that because of a “careless and easily avoidable error,” Google had contravened Canadian privacy law through its Street View wi-fi sniffing. According to the Commissioner, the investigation will remain open until Google confirms, by February 1, 2011, that it has improved its privacy governance, expanded privacy training, designated a privacy leader and deleted the payload data it collected.
HR Data Breaches Swell in October
Ten breaches of HR-related data were reported in October, including the Mississippi National Guard (sensitive personal data of 3,000 members accidentally posted for a month on the brigade’s website); Veterans Affairs Department (SSNs and other personal data of 4,000 vets mailed to the wrong address in a benefits summary mailing from the Boston regional office); Johns Hopkins University (personal data of 692 dependents of employees of the Applied Physics Laboratory inadvertently attached to an e-mail sent internally within the Lab); Milwaukee County, WI (at least 30 county employees impacted by ID theft believed to have been carried out by a temporary worker in the HR department); Jackson Hewitt (personnel records of an undisclosed number of the tax company’s employees found in the trash outside a Jacksonville office); Trade Center Management Associates (personal data of an unknown number of employees working in the Ronald Reagan Building and International Trade Center in Washington, DC stolen during a burglary); GEICO (personal data of an undisclosed number of Field Representatives accidentally disclosed internally by e-mail); Louisiana Dept. of Health and Hospitals (personal data of 56,000 emergency medical technicians and EMT students compromised by a hacker); Darden Restaurants (an unknown number of employees placed in jeopardy because of the theft of a laptop); and Airgas (an undisclosed number of employees warned that their data may have been compromised when an internal security scan showed a company computer to have been compromised by malicious software).
Commission Reaches Adequacy Determination for Israel
Following a four-month delay caused by opposition from Ireland, the European Commission issued a decision formally recognizing Israel as providing an adequate level of protection for personal data. The Article 29 Working Party had recommended an adequacy determination for Israel last December. Israel joins Switzerland, Argentina, Guernsey, Isle of Man, Jersey, Faroe Islands, Canada and U.S. Safe Harbor companies in meeting the test of adequacy.
French Appeals Court Rejects Use of Geo-location Data
A French Appeals Court in Dijon upheld a decision against an employer who terminated an employee who used a company car for personal reasons and also committed serious traffic violations in the process. The Court rejected evidence collected using a GPS device in the company’s vehicle on the grounds that the employer had failed to register this data processing activity with the CNIL and had not given proper notice to employees regarding the use of GPS devices in company cars.
Accountability Paper Released, Helping Define Rules to Come
On October 26 the Centre for Information Policy Leadership, with support provided by Hunton & Williams, released a 14-page report entitled “Demonstrating and Measuring Accountability, Accountability Phase II – The Paris Project.” This document, which is the result of deliberations of an international working group that included 60 representatives of business, civil society, government, and data protection and privacy enforcement agencies, is likely to be very influential with respect to upcoming revisions to privacy frameworks on both sides of the Atlantic. Participants in the project identified nine fundamentals for accountable organizations in the privacy arena: policies; executive oversight; staffing and delegation; education and awareness; ongoing risk assessment and mitigation; program risk assessment oversight and validation; event management and complaint handling; internal enforcement; and redress.
Supreme Court Hears Arguments in NASA Case
The Supreme Court heard arguments from government contractors at the NASA Jet Propulsion Laboratory in California, who are fighting the government's request to have them submit to what they call intrusive background checks as a condition of continued employment. Neal Katyal, the acting Solicitor General, contended that when it came to the employment context, broad questions are unavoidable and must be answered by employees, unless they infringe upon constitutional rights. A ruling in the case is likely to have significant implications for both government and private employers.
Only Six HR Data Breaches in September
Reported breaches of employment-related data subsided in September, with only six employers revealing data losses: Kinetics Concepts (names, addresses, dates of birth, SSNs and salaries of 4,000 employees of the health care company accidentally exposed in a misdirected internal e-mail); Cooper University Hospital (all staff of the New Jersey hospital placed in jeopardy when an extensive database of their information on a flash drive went missing); Benefit Concepts (an undisclosed number of employees impacted by the loss of a FedEx package of payroll checks and data shipped by the company’s payroll vendor, CompuPay); Cardinal Health (data relating to an undisclosed number of employees exposed when the Ohio-based health care company discovered that an HR laptop had been sold without personal information being removed); SeaChange Int’l (employees in 26 states notified that a temporary administrative assistant with access to their data was discovered to have a prior conviction for a $350,000 insurance fraud); and Eastern Michigan University (compromise of login information responsible for exposing employees' direct deposit banking details and other personal information).
Security Industry Association Releases Privacy Framework
The Security Industry Association (SIA) released a 12-point Privacy Framework to address privacy concerns related to the recording of video, the collection of personally identifiable information and the use of biometrics, RFID and other electronic physical security technologies. The guidelines include such recommendations as conducting privacy impact assessments, implementing privacy by design principles, adopting a breach notification plan and establishing a retention policy and limiting access to personally identifiable information to those who "need to know."
One Facebook Probe Ends in Canada, Another Begins
Canadian Federal Privacy Commissioner Jennifer Stoddart closed out a complaint about Facebook’s privacy practices dating back to 2008, saying that over the last year the company had addressed the concerns raised in a satisfactory manner through modifications to its policies and practices. However, she also announced that her office was launching a new investigation, in light of new Facebook features, such as the “Like” button and the invitation capability that suggests new friends to users.
ECJ Bars Legal Privilege for In-house Counsel
Ruling in Akzo Nobel Chemicals Ltd. v Commission, the European Court of Justice (ECJ) found that communications between the management and employees of a company and its in-house lawyers are not protected from search and disclosure in EU investigations and proceedings. The court argued that despite enrollment with a Bar or Law Society and ensuing professional legal obligations, an in-house counsel does not enjoy the same degree of independence from his employer as a lawyer working in an external law firm does. The ruling, although focused upon an anti-trust matter, may cause European companies to think twice before requesting internal counsel to formally assess compliance with data protection laws.
Swiss Supreme Court: IP Addresses are Personal Data
The Supreme Court of Switzerland ruled that IP addresses constitute personal data in a case involving a company, Logistep AG, which had collected, without consent, the IP addresses of internet users who were illegally downloading copyrighted materials using peer-to-peer software. Although the court recognized the reduction of copyright infringement as a valid objective, it found that it did not override or justify the intrusion into personal privacy.
Malaysia Enacts the Latest in a Wave of DP Laws
The Personal Data Protection Act, passed by the lower house of the Malaysian Parliament in April 2010, was passed without changes by the upper house on May 6, 2010. It received Royal Assent on June 2, 2010 and came into effect with its official gazetting on June 10, 2010. Malaysia becomes the first of the ten countries in the ASEAN region to implement omnibus privacy legislation, although the Act deviates in certain respects from its European precedents. Malaysia became the sixth nation to enact comprehensive data protection legislation in the first six months of this year, following Mexico, Morocco, Belarus, Taiwan, and Ukraine.
HR Data Breaches at All-time High in August
More breaches of HR data were reported in August than in any month since 2006, when HR Privacy Solutions began tracking them. The following twelve employers reported losses of employment-related data: State of Delaware (22,000 retirees impacted when their personal information was inadvertently posted on the Internet by the state’s benefits consultant, Aon Consulting); First Advantage (a laptop lost during an airport layover affected more than 32,000 candidates for jobs with the tax consulting firm’s clients); HMS Host (an undisclosed number of job applicants at the Cleveland airport Starbucks jeopardized by an HR employee of HMS Host, who was indicted for access device fraud and aggravated identity theft); Baton Rouge Police Dept. (30 current and retired officers victimized by credit card fraud after an insider sold a computer printout to an ID thief); Centric Software (an undisclosed number of the California firm’s employees impacted by the theft of a laptop from an employee’s car); Town of Rockland, MA (canceled checks with SSNs of hundreds of town employees missing after wind knocked them from a loaded recycling truck); NBC Universal (an undisclosed number of employees affected by the theft of a laptop); Brookings Institution (a CD with W-2 statement information of an undisclosed number of the Washington DC think tank’s employees lost in transit); Jones Lang LaSalle (theft of a laptop from an employee’s car impacting an undisclosed number of the commercial real estate firm’s employees); Ross (hundreds of the Houston-based department store chain’s employees exposed to ID theft when applications and resumes were placed in a public dumpster); Town of Hingham, MA (1,300 employees notified that their personal information had been accidentally e-mailed to dozens of people); and Boise City (personal information of 300 employees included in the back-up tape lost in transit by Mercer).
Illinois Restricts Use of Credit History in Hiring
Illinois enacted a law, the Employee Credit Privacy Act, effective January 1, 2011, that significantly restricts employers from checking an applicant’s or current employee’s credit status or history. The act permits credit inquiries when a satisfactory credit history is a bona fide occupational requirement or is legally required. Illinois becomes the fourth state, after Oregon, Hawaii and Washington, to limit the use of an individual's credit history in hiring decisions.
European Commission Delays DP Reforms
The European Commission announced that because of the need for more time to integrate third pillar (i.e., law enforcement and justice) matters into a single data protection framework and to consider the 160 submissions received during the public consultation, it was pushing back plans to overhaul the Data Protection Directive by up to a year. The Commission also cited business concerns about variations in national laws, which it said were prominent in the consultation, as needing to be addressed. While it intends to announce its plans for the review this year, the Commission now expects that a proposed new framework instrument will not be available until late in 2011. CNIL, the French DPA, had a somewhat different take on the delay, stating that it came about because of push-back from the Article 29 Working Party about an unrealistic time table.
Street View Investigations Continue to Unfold
Google faces 28 legal or criminal investigations around the world, in every continent except Antarctica, over the wi-fi sniffing it conducted as a part of data collection for Street View, according to an analysis by The Guardian. While the UK Information Commissioner gave the company a conditional pass in July and the New Zealand police found that no crime had been committed, investigations of the company continued in other countries. In South Korea, police searched the company’s offices; in Spain, a Madrid judge ordered a Google representative to appear in court in October; and in France, a camera car used by the company was stopped and inspected by the CNIL. Meanwhile, in the U.S., a panel of federal judges is deciding whether and where to consolidate lawsuits against Google that allege the company violated wiretapping laws; at least nine lawsuits are seeking class action status.
Germany to Bar Employers from Checking Facebook
As part of the draft of a new law governing workplace privacy, the German government has proposed prohibiting employers from using Facebook or other purely social networking profiles when reviewing the qualifications of job candidates. However, the bill would allow employers to search for publicly accessible information about candidates on the Web and to view their pages on job networking sites, such as LinkedIn. The bill now goes to Parliament for discussion and possible passage later this year.
FTC Raises Info Security Bar with Twitter Case
The consent order proposed by the Federal Trade Commission in June following its investigation of Twitter expands the agency’s enforcement of information security standards in two significant ways. In the first place, the order makes clear that the FTC will not restrict its oversight to only those cases in which sensitive personal data, such as SSNs and payment card numbers, are involved. Secondly, the order sets forth a number of measures relating to administrative access to systems that the FTC is likely to look for in future investigations. For example, (a) website administrator login pages should be maintained separately from general published login pages, with these pages made known only to authorized users; and (b) administrative access should be restricted to certain IP addresses or enhanced through multi-factor authentication.
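The two administrative-access measures named in the order, source-IP restriction and a second authentication factor, are easy to state and easy to get wrong at the boundary. The following is an added illustration, not code from the FTC order or from Twitter, that models a weak posture (admin area reachable from anywhere on a password alone) beside a hardened one; all policy values, network ranges and sample requests are constructed.

```python
"""Admin-access gate modelled on measure (b) of the order: restrict administrative
access by source network and/or require a verified second factor.
All class names, policies, address ranges and sample requests are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass
class AdminRequest:
    path: str            # requested URL path
    peer_ip: str         # transport-layer source address of the connection
    authenticated: bool  # password login completed
    mfa_verified: bool   # second factor completed in this session


@dataclass
class AdminAccessPolicy:
    admin_prefix: str = "/admin"
    allowed_networks: List[Network] = field(default_factory=list)  # empty = any source
    require_mfa: bool = False

    def evaluate(self, req: AdminRequest) -> Tuple[bool, str]:
        """Return (allowed, reason). Only the admin prefix is gated here."""
        if not req.path.startswith(self.admin_prefix):
            return True, "not an administrative path"
        if not req.authenticated:
            return False, "unauthenticated"
        if self.allowed_networks:
            # Use the peer address, not X-Forwarded-For: that header is
            # client-controlled unless a trusted proxy overwrites it.
            src = ip_address(req.peer_ip)
            if not any(src in net for net in self.allowed_networks):
                return False, f"source {req.peer_ip} outside admin allowlist"
        if self.require_mfa and not req.mfa_verified:
            return False, "second factor not verified"
        return True, "allowed"


# Weak posture: /admin reachable from any address once a password is accepted.
WEAK_POLICY = AdminAccessPolicy()

# Hardened posture: /admin only from constructed management ranges AND only
# after MFA. The order asks for at least one of these two controls.
HARDENED_POLICY = AdminAccessPolicy(
    allowed_networks=[ip_network("203.0.113.0/24"), ip_network("2001:db8:1::/48")],
    require_mfa=True,
)

# Constructed sample requests covering the cases that differ between postures.
SAMPLE_REQUESTS = [
    AdminRequest("/admin/users", "198.51.100.7", True, False),  # outside range, password only
    AdminRequest("/admin/users", "203.0.113.42", True, False),  # inside range, no MFA
    AdminRequest("/admin/users", "203.0.113.42", True, True),   # inside range, MFA done
    AdminRequest("/home", "198.51.100.7", True, False),         # ordinary, non-admin page
]


def decisions(policy: AdminAccessPolicy, requests=SAMPLE_REQUESTS) -> List[bool]:
    """Evaluate each sample request under a policy; used to compare postures."""
    return [policy.evaluate(r)[0] for r in requests]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for r in SAMPLE_REQUESTS:
            print(name, r.path, r.peer_ip, policy.evaluate(r))
```

Under the weak policy every admin request from the public address is allowed; under the hardened one the same requests fail until both the source range and the second factor check out.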
HR Data Breached Seven Times in July
Seven breaches of HR data were reported in July, including American Airlines (79,000 current and former employees impacted by the theft of a computer hard drive from the pension department of the Fort Worth-based airline); Oregon State University (a computer virus compromised the personal data of 34,000 current and former employees); Connecticut Teachers’ Retirement Board (a missing flash drive exposed 58,000 retirees to ID theft); St. Luke’s Health Systems, Idaho Power and Saint Alphonsus Medical Center (thousands of employees of the three organizations affected when a computer server back-up tape containing their personal data went missing in the possession of consulting firm Mercer); Village of West Bend, IN (an undisclosed number of employees impacted by the theft of a laptop containing payroll information from a car in Milwaukee); Deere and Company (benefit plan summary statements from UnitedHealthcare were mailed to the wrong addresses of an undisclosed number of employees of Deere); and Alcoa (an undisclosed number of employees potentially affected when an electronic folder of global mobility data was inadvertently shared as a public folder within the company’s internal network).
U.S. Cloud Providers Lobbying EU on Privacy Rules
Cloud providers such as Google and Microsoft, which have spent billions of dollars building data centers in Europe, are pressuring the European Union to streamline its privacy rules so that they can offer more remote computing and data-storage services. Countering them, organizations like the French Association for a Digital Economy in Europe are lobbying to require storage of computer data in the country in which storage is being sold. The cloud providers are hopeful that the European Commission’s Digital Agenda initiative will lead to the creation of a single harmonized market for cloud services by 2012.
Art 29 WP Urges Adoption of Accountability Principle
In an opinion issued in July, the Article 29 Working Party fleshed out the details in its 2009 recommendation that the European Commission include a new principle on accountability in any revision of the Data Protection Directive. The 19-page opinion calls for the creation of a legal requirement that data controllers put in place concrete internal measures and practices that reflect data protection principles and obligations, in order to make data protection part of the shared values and practices of an organization. Data controllers would also be required to demonstrate the measures and practices to supervisory authorities upon request.
Schleswig-Holstein DPA Calls for End to Safe Harbor
A month after opining that use of cloud service providers is basically contrary to German data protection law, Thilo Weichert, Data Protection and Privacy Commissioner of the northern German state of Schleswig-Holstein, called for an immediate end to the U.S.-EU Safe Harbor program. Weichert, responding to an advance summary of a new critical study of the program that Australian privacy researcher Chris Connolly presented at the Privacy Laws & Business annual conference, said that the lack of enforcement by U.S. authorities made it necessary to either re-open negotiations to make the Safe Harbor principles effective or to terminate the program. Connolly’s new study is expected to be released in August.
Ukraine Enacts Comprehensive Data Protection Law
Ukraine became the third nation in as many months to pass omnibus privacy legislation modeled upon European precedents. The Law on Personal Data Protection will become effective as of January 1, 2011. The legislation includes a mandatory requirement to register databases of personal information with an independent state authority that has yet to be established.
Supreme Court Allows Search of Work-Issued Pager
The Supreme Court unanimously overturned the Ninth Circuit Court of Appeals in City of Ontario, California v. Quon, ruling that the city’s police department did not violate Officer Quon’s Fourth Amendment rights when it reviewed text messages transmitted over a work-issued pager. However, the court, ruling strictly on narrow grounds closely tied to the facts in the case, did not resolve whether the officer had a reasonable expectation of privacy, instead basing its decision on a finding that the search in this particular set of circumstances was reasonable. The ruling also did not address the rights of private sector employers or employees with respect to electronic communications.
Worldwide Investigations of Google Wi-Fi Sniffing
Privacy regulators in multiple countries, as well as police in some, are investigating Google’s three-year collection of personal data from unsecured wi-fi networks. The countries involved include Australia, New Zealand, Hong Kong, Canada, Japan, Korea, Spain, Germany, Italy, the Czech Republic, Austria, Hungary, Switzerland, the UK and the United States. In the UK, both Scotland Yard and the London Metropolitan Police have begun criminal investigations. The question of intent or the subsequent use of data collected electronically is not relevant under laws in a number of jurisdictions. Meanwhile, in the U.S., Attorneys General from 30 states participated in a conference call organized by Connecticut Attorney General Richard Blumenthal to explore coordinating investigations into Google’s wi-fi sniffing. Google filed a motion with the U.S. Judicial Panel on Multidistrict Litigation to consolidate eight current class action lawsuits pertaining to the data collection into one mega-lawsuit.
German DPA Finds Cloud Computing Largely Illegal
The data protection authority of the German federal state of Schleswig-Holstein published a press release and legal opinion on cloud computing that found the use of clouds outside the EU to be largely unlawful, even if the European Commission has issued an adequacy decision in favor of the country in question. According to the DPA, a non-EU cloud provider would always be an independent third party rather than an agent, requiring the third party to be bound by standard contractual clauses. Under the finding, the cloud provider’s participation in Safe Harbor would provide an insufficient legal basis for data transfers to the cloud.
Half a Dozen HR Data Breaches in June
Missing laptops and CD/DVDs were at the heart of five of the six breaches of HR data reported during June, including the Oregon National Guard (personal data of 3,500 soldiers exposed when a laptop was stolen from a Guard member’s car in Portland); National Gypsum (an undisclosed number of employees impacted by the DVDs reported missing in transit by Towers Watson in February); Invois (an unspecified number of employees of the Georgia firm affected by a laptop stolen during the review of a merger with GSX); Quantum Corporation (an undisclosed number of employees impacted by the weekend theft of a laptop from an IT workshop; normal encryption had been temporarily disabled during a repair operation); the Department of the Interior (personal data of 7,500 employees compromised when an encrypted CD from a third party went missing after being received in the department’s Denver shared services center); and Roanoke City Schools (2,000 employees exposed to ID theft when the district failed to remove hard drives from eight computers when selling them).
Taiwan Passes Personal Data Protection Act
Taiwan became the latest nation to enact omnibus privacy legislation, with passage of the Personal Data Protection Act in April. The Act applies a core set of privacy principles reflecting European precedents on the collection, processing or use of personal data by any individual, organization or enterprise, with special protections for data that is particularly sensitive. It also imposes an obligation upon data controllers to inform data subjects of any loss, disclosure, theft or other infringement of their personal data. No registration requirements are included in the law; class action lawsuits are allowed. The effective date of the Act has yet to be announced.
German DPAs Call for Safe Harbor Checks
The Düsseldorfer Kreis, an informal but influential group of Germany’s 17 private sector data protection regulators, advised companies to conduct due diligence checks upon US companies concerning their participation in Safe Harbor before passing personal data to them under the program, rather than simply accepting claims of Safe Harbor membership. At the very least, companies were instructed to check that the data importer’s Safe Harbor certification is valid and to determine how data subjects are being informed about the data transfers. The Düsseldorfer Kreis also called upon the FTC to step up its Safe Harbor enforcement activities.
EU Rights Agency: Stronger DPAs, Employment Laws Needed
The EU's Agency for Fundamental Rights (FRA) has found that data protection authorities (DPAs) suffer from insufficient funds, inadequate staffing levels and a lack of sanctions for violators. A 56-page FRA report notes that in several countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, "prosecutions and sanctions for violations of data protection law are limited or non-existing" and that DPAs often lack "full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings." The FRA calls for strengthening DPAs, as well as for the adoption of additional legislation to address data protection in the context of employment relationships. Included in the report are comparative charts on DPA capacities in each member state, along with liberal, if somewhat anecdotal, criticism of faults and deficiencies of the DPAs in specific states.
House Examines Use of Credit Info in Employment
The House Subcommittee on Financial Institutions and Consumer Credit held a hearing on the “Use of Credit Information Beyond Lending: Issues and Reform Proposals” on May 12. The subcommittee discussed H.R. 3149, introduced by Rep. Steve Cohen (D-TN), which would amend the Fair Credit Reporting Act to prohibit the use of consumer credit checks on prospective and current employees for the purposes of making adverse employment decisions. The Society for Human Resource Management opposes the sweeping prohibition contained in the bill, favoring instead limiting the use of credit checks to jobs with fiduciary, financial and security responsibilities. In April the New York Times ran an article on the topic that quoted a Trans Union credit bureau lobbyist as saying under oath that “At this point, we don’t have any research to show any statistical correlation between what’s in somebody’s credit report and their job performance or their likelihood to commit fraud.” The use of credit checks in the employment context also caused a stir in Alberta.
Google Wi-Fi Sniffing Explodes as Major Privacy Violation
In response to persistent pressure from the data protection authority in Hamburg, Google was forced to admit that its Street View mapping cars deployed for the last three years have been gathering personal data from unsecured wi-fi networks, a claim it previously denied. The data gathered was said to include e-mail messages, websites being visited and other content available at the time the network was identified. However, the company later admitted that it had collected 600 gigabytes of data from unsecured wireless networks around the world. The company defended the need to gather information about the location of the networks, in order to improve its mobile products, but claimed that the acquisition of user content was an engineering error of which it had been unaware. Google announced cessation of all further mapping to address the problem.
Seven HR Data Breaches Reported in May
Seven breaches of employee data were reported in May, including the City of Charlotte and the Tennessee General Agencies Welfare Benefits Program (which became the second and third entities to acknowledge being impacted by the two missing Towers Watson DVDs first reported by Lorillard in April; 5,200 and 1,874 individuals, respectively, were affected); J.M. Smucker (data of 6,000 employees and dependents compromised when an HR employee e-mailed a database he was having trouble with to a computer-savvy relative who had offered to help); US Army Reserve (207,000 reservists affected when a laptop and CD were stolen from Serco, a government contractor in Reston, VA); Veterans Affairs Department (two laptops reported missing in Texas, one from a contractor impacting 616 veterans and the other affecting “thousands”); and the LA Firemen’s Credit Union (data of 28,000 members exposed when the credit union failed to manage records properly when moving to a new location).
Dept. of Commerce to Address Internet Privacy
Military Hit Hard by April Data Breaches
Ten breaches of HR data were reported in April, including two by the Navy and two by the Army: U.S. Navy (244 employees at the Naval Facilities Engineering Service Center in Port Hueneme, CA finally notified of a breach that occurred in 2008); U.S. Army (documents containing sensitive personal information of 1,272 patients at the Brooke Army Medical Center in San Antonio stolen from a parked car); U.S. Army Reserve (12,000 military and civilian personnel associated with a former reserve command at Fort Totten, NY notified that their paper files could not be located); Lorillard Tobacco (an undisclosed number of employees impacted by the failure of a benefits service provider, Towers Watson, to encrypt two DVDs before they went missing in overnight delivery); Strategic Workforce Solutions (an undisclosed number of employees affected by theft of an unencrypted portable device from a car in Atlanta); Lam Research (at least 3,000 employees impacted by the theft of a laptop from a car in Fremont); Navy Region Hawaii (242 employees of the Federal Fire Department notified that their personal data was compromised by a hacker); Atlanta Fire Rescue (1,000 firefighters notified of an exposure stemming from use of a file sharing program, which came to light when a security consultant used the data during a workshop as an example of what can be found on the Internet); Kern County Employees’ Retirement Association (37,000 county employees and retirees in California impacted by a part-time clerk’s malfeasance); and Famous Dave’s of America (laptop stolen from a car with personal data of an undisclosed number of the national restaurant chain’s employees).
Ten Privacy Commissioners Challenge Google
Led by Jennifer Stoddart, Canada’s Federal Privacy Commissioner, ten privacy commissioners sponsored a press conference in Washington DC to publicize their criticism of Google’s social networking and Street View programs, as well as new online products from other vendors. The nations involved are Canada, Israel, Spain, France, the Netherlands, Germany, Italy, Ireland, New Zealand and the UK. According to Stoddart, "We want to send a strong message that you can't go on using people's personal information without their consent in these kinds of ways to launch a new product… Do your testing before, and make sure you comply with privacy legislation." Jacob Kohnstamm, chairman of the Dutch data protection authority, said that internet-based firms ought to see the letter sent to the firms outlining privacy concerns as “a last warning to the online world” before enforcement actions are taken.
Mexico Passes Omnibus Data Protection Law
After nine years of legislative development, including close consultations with European privacy regulators, Mexico enacted a comprehensive data protection law, covering both private and public sectors. Implementation and enforcement of the law will be carried out by the Federal Institute for Access to Public Information and Data Protection. Maximum penalties for misuse of sensitive personal information are five years in prison and fines up to $2.9 million. The U.S. is now surrounded by countries to the north, south, east and west that provide stronger legal protections for personal information than we do.
NIST Issues Guide to Protecting PII
The National Institute of Standards and Technology (NIST) issued a "Guide to Protecting the Confidentiality of Personally Identifiable Information," designed to help agencies identify personally identifiable information (PII) and determine the appropriate level of protection for it. Of particular note is the Guide’s expansive definition of PII, which includes any information that is linked or linkable to an individual, such as medical, educational, financial or employment data, as well as telephone numbers and IP addresses.
Senators Propose National Worker ID Card
Senators Charles Schumer (D-NY) and Lindsey Graham (R-SC) have proposed that biometric national ID cards, which they called “high-tech, fraud-proof Social Security cards,” be required for all U.S. employees, as a means of combating illegal immigration. Information would be stored on the cards, rather than in a government database, and the cards would not contain private data, medical data or tracking devices. DHS recently extended the deadline for state compliance with the Real ID program, first launched in 2005, for another year. Privacy advocates criticized the proposal as inevitably leading to a national database and mission creep, while being based upon false claims of being fraud-proof.
FTC Requires Monitoring Outbound Internet Traffic
In reaching a settlement with Dave & Buster’s, a restaurant and entertainment chain, the FTC quietly and without fanfare introduced a new security standard, requiring the company to monitor and filter outbound Internet traffic to block the unauthorized export of sensitive information. The consent decree puts companies on notice that they may face FTC scrutiny and penalties if they fail to use data loss prevention software.
HR Data Breaches Moderate in March
March saw a decrease in the number of HR data breaches reported, with five data losses, including Yuma Proving Ground (700 employees at risk because of a compromise of an employee’s home computer); Arrow Electronics (4,004 employees impacted by the theft of a laptop from the firm’s Melville, NY office); Beecher Carlson (an undisclosed number of employees, including 1,012 in Massachusetts, affected when two laptops were stolen from the Atlanta-based insurance broker); Nuance Communications (information of 1,191 Massachusetts employees exposed on a laptop stolen from a car); and the Evergreen Public Schools (WA) (numerous incidents of ID theft reported after data on 5,000 employees in a payroll system was compromised by the “shoulder-surfing” of a password).
Top EU Privacy Regulator Calls for ‘Privacy by Design’
Data protection laws should be changed to force people creating new technologies to build privacy features into them, according to a 21-page recommendation to the European Commission by Peter Hustinx, the European Data Protection Supervisor. Hustinx called for applying ‘Privacy by Design’ obligations in particular to developers of social media, RFID and targeted advertising applications. Support for the ‘Privacy by Design’ approach, developed by Ann Cavoukian, Ontario’s Privacy Commissioner, in the 1990s, was also voiced in the November Madrid Resolution and the January Article 29 Working Party opinion on the future of privacy.
French Senate Approves Amendment to DP Law
DataGuidance News reports that on March 23 the French Senate approved an amendment to the national data protection law which will require French companies with more than 100 employees who access or process personal data to appoint an internal data protection officer. As noted in the Monthly Privacy Review in November 2009, the bill will also introduce data breach notification obligations into French law. The amendment now goes to the National Assembly for its consideration.
Japanese Cell Phone Tracks Employee Motions
KDDI Corporation, the Japanese phone giant, has developed a cell phone that uses advanced analysis of accelerometer data to allow bosses to track the physical movements of workers. For example, a boss could tell when a janitor is scrubbing, using a mop, emptying a waste bin, etc. The company said it prefers to think of its creation as “a caring, mothering system rather than a Big Brother,” but counsels potential users to get the consent of employees in advance.
Massachusetts Data Security Law Now in Effect
After a number of extensive delays, most provisions of the new Massachusetts data security regulations came into effect on March 1, 2010. Entities that process personal information about state residents must develop, implement and maintain a written, risk-based information security program that includes numerous administrative, technical and physical safeguards, including encryption of laptops and other portable devices. By March 1, 2012, service providers must be contractually bound by the same requirements.
Checking Job Applicants Online Very Common in U.S.
According to a Microsoft survey of 2,400 employers and jobseekers in the U.S., UK, Germany and France, 70% of HR respondents in the U.S. rejected job applicants because of negative information found online, with smaller numbers of 41% in the UK, 16% in Germany and 14% in France. Furthermore, 75% of HR respondents in the U.S. reported that their companies had formal policies requiring them to conduct such online research, compared to 48% in the UK, 16% in Germany and 14% in France.
Google Runs into Privacy Buzz-Saw over Buzz
Google’s introduction of Buzz, a social networking program integrated with the company’s e-mail and chat services, met a firestorm of criticism when users discovered that the program automatically shared their contacts with all Buzz users. The company quickly revamped its privacy settings, but faces regulatory investigations after complaints were filed with the FTC and the Canadian Federal Privacy Commissioner. Buzz, offered as Google’s answer to Facebook and Twitter, also raises a host of new privacy concerns by virtue of its integration with location-mapping programs on mobile phones.
HR Data Continues Hemorrhaging in February
Nine HR data breaches were reported in February, including the West Memphis Police Dept. (an unknown number of employees impacted by a compromise of the department’s computer network, possibly by a detective); U.S. Dept. of Commerce (two new incidents affecting hundreds of employees, in addition to the two breaches reported earlier); State of Ohio (a spreadsheet of banking data of 6,000 state employees, including the Governor, inadvertently e-mailed to dozens of payroll officers of state agencies; this is the second breach in six months); Ceridian (banking data of 27,000 employees in 1,000 companies exposed by hacking of Ceridian’s Powerpay payroll system; some of the data was 10 years old and should have been deleted); Royal Dutch Shell (directory contact information for the company’s 170,000 employees published on the Internet by a group of 100 or so employees opposed to Shell’s policies in Nigeria and elsewhere); Equifax (an unknown number of current and former employees received W-2 forms in the mail with their SSNs exposed); Kansas City Art Institute (145 employees impacted by the theft of a laptop from the HR office); Highmark (a list including the SSNs of 3,700 employees of Boscov's Department Stores was tampered with when mailed from the group health plan to the retailer); and the Arkansas National Guard (an unknown number of current and former soldiers affected by a missing hard drive).
European Commission Updates Model Contract for Processors
The European Commission has issued new standard contractual clauses that must be used going forward when companies decide to use model contracts as the legal basis for data transfers to data processors located outside the European Union. The revisions place new obligations upon such data processors, including the requirement that they obtain the written permission of the data exporter prior to subcontracting any processing of the data. They are also intended to ensure that the sub-processor is placed under the same legal obligations as the processor. The new model contract, while introducing some clarity in an area where there was little, does not go as far as advocated by industry groups such as the ICC.
More Requirements Emerging in Alberta PIPA Amendment
According to McCarthy Tetrault, additional details are emerging about the Personal Information Protection Amendment Act, 2009 (Bill 54), which has not yet come into effect. Bill 54 requires companies transferring personal data to a service provider or parent company outside of Canada to inform affected individuals about the transfer in advance, including the purposes involved, the identity and location of the recipient, how to obtain written information about the recipient’s privacy policies and practices, and a point of contact for questions. It also requires notification to data subjects and to the Privacy Commissioner of data breaches posing a real risk of harm. Furthermore, Bill 54 places a positive obligation upon companies to destroy personal information once it is no longer reasonably required; previously they were allowed to keep the information as long as reasonable for legal or business purposes.
FTC Declines to Address Adequacy of Safe Harbor Policies
Federal Government to Keep SSNs as Employee IDs
The Office of Personnel Management announced that it was withdrawing a rule, proposed only two weeks earlier, that would have required all federal agencies to stop using SSNs as employee identifiers, on the grounds that it was impractical to create another primary identifier. Most private sector companies, both large and small, have already stopped using SSNs for this purpose.
Ten HR Data Breaches in January
After three lulls last year, a “more normal” number of HR data breaches were reported in the U.S. in January, ten to be specific, including: U.S. Dept. of Commerce (27,000 employees impacted by the unintended e-mailing of their unencrypted information to other employees; this was the second DOC breach in five months); Washington (WA) Department of Corrections (43 individuals jeopardized when a briefcase of personnel records was stolen from an HR staffer’s car); Eugene (OR) School District (an undisclosed number of employees jeopardized by hacking of a school server); Logan International Airport (the identity of 16 TSA employees stolen by a contract worker in the HR department); P.F. Chang’s China Bistro (an undisclosed number of employees impacted by theft of computing equipment); City of Oakridge (OR) (sensitive personal information of an unknown number of city employees accidentally sent out with monthly water bills to 1,400 households); Columbus Public Health (OH) (hundreds of city health workers jeopardized by an employee’s theft of their personal information); Humboldt State University (CA) (information of 3,500 employees hacked via a sophisticated log-in virus); Iowa Racing and Gaming Commission (80,000 records containing employee information hacked on a Commission server, via an attack believed to originate in China); and PricewaterhouseCoopers (77,000 current and former employees of the State of Alaska impacted by a breach of a 2003-4 retirement file in a Chicago PwC office).
Background Checks? There's an App for That
A new app from BeenVerified enables users to conduct background checks on anyone in a matter of seconds from their iPhone. Users can conduct up to three checks per week for free or unlimited checks for only $8 per month. According to BeenVerified, about 400,000 users have downloaded the app and conducted a million checks so far. Employment law firm Littler Mendelson rightly cautions that use of the app is likely to jeopardize an employer’s compliance with the Fair Credit Reporting Act.
UN Watchdog Calls for International Privacy Agreement
Martin Scheinin, Special Rapporteur to the UN Human Rights Council, delivered a report calling for a new international agreement on privacy in response to a worldwide increase in intrusiveness due to counter-terrorism measures. His 35-page global assessment of the state of privacy closely follows, although it does not mention, the call for a new international privacy convention issued by privacy commissioners in Madrid last November.
UK DPA Receives Power to Impose £500,000 Fines
Following a public consultation, the UK Ministry of Justice has concluded that the Information Commissioner should be given the power to impose fines of up to £500,000 (approximately $800,000) for serious breaches of the Data Protection Act 1998. The fining authority is expected to come into effect on April 6, 2010.