Draft EU Reforms Would Have Significant Impact on Employers
Amongst the many changes proposed in the draft EU General Regulation released to the press, a number are of particular significance to multi-national employers: (a) companies with operations in multiple EU member states would be subject to the jurisdiction of a single data protection authority, based on their main place of establishment in the EU; (b) requirements to notify DPAs about data processing activities would be eliminated; (c) use of consent as a legal basis for data processing would be outlawed in certain areas, such as the employment context; (d) requirements to provide individuals with information about data processing would be enhanced; (e) privacy by design and by default would be mandatory, as would privacy impact assessments in certain cases; (f) DPAs and affected individuals would have to be notified of data security breaches within 24 hours; (g) internal data protection officers would be mandatory for companies with more than 250 employees; (h) BCRs will be streamlined and their scope extended to include third party agents of data controllers; and (i) enforcement powers of DPAs would be strengthened, including the power to impose fines of up to 5% of a company’s annual worldwide turnover (i.e., revenue).
EFF Releases Guide for Safeguarding Data at U.S. Border
The Electronic Frontier Foundation issued an extensive report, "Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices," that outlines potential ways to protect private information, including data minimization and encryption. The guide was prompted by the federal government’s claim that privacy protections guaranteed by the U.S. Constitution do not apply to electronic devices taken across borders, thereby allowing agents to search and seize such devices without any suspicion of wrongdoing, let alone a court warrant.
German DPAs Determined to Rein in Facebook
The Düsseldorfer Kreis, an informal body of all German Data Protection Authorities, published a decision broadening the application of German data protection rules to foreign social networks and setting very strict conditions for companies using fan pages and/or “like-buttons” on their websites. According to the German Data Protection Authorities, such companies are themselves responsible if the operator of a social network collects user data in a non-compliant way. The Düsseldorfer Kreis in essence has adopted the view of the DPA in Schleswig-Holstein that the use of social plug-ins and “like-buttons” violates German data protection law. While Facebook is the primary target of the DPAs, other social networks operating in Germany are also affected by the decision.
Quiet Month for HR Data Breaches
December was a quiet month for HR data breaches, with only three reported: State of Tennessee (2,000 employees offered credit protection after a mailing related to cancellation of health or dental insurance was sent to the wrong addresses); Pulaski County Special School District (an undisclosed number of the Arkansas school system’s employees placed in jeopardy by the theft of a laptop from the home of a former employee); and G2 Secure (a database of personal information of over 8,500 employees of the Irving, Texas-based provider of aviation staffing and security services exposed by a hacker).
Canada Fails to Meet Mandatory PIPEDA Review Requirements
As noted by Michael Geist, a leading Canadian privacy academic, the House of Commons ended the year without completing the review of the Personal Information Protection and Electronic Documents Act (PIPEDA) mandated in the Act, which came into effect in 2001 and requires a Parliamentary review every five years. The first review started in 2006 and led (after considerable delay) to the reforms found in Bill C-12, which is currently languishing in the House of Commons. A second review should have started in 2011. The consequences of the government’s failure to carry out the reviews are not clear, although privacy advocates will doubtlessly seize upon it as underscoring what they see as the Harper administration’s lack of interest in protecting privacy.
Chinese Province Passes Comprehensive Data Protection Regulation
On September 23 the Standing Committee of the Jiangsu Provincial People’s Congress issued the Regulation of Information Technology, which will take effect on January 1, 2012. The Regulation includes comprehensive provisions on the collection and use of personal information and significant legal liabilities for violations. Jiangsu Province is the first to implement a local rule on the protection of personal information that is not limited to a particular industry sector, but applies to a broader extent. It contains requirements for notification, consent, collection only by legal means and purpose limitation, while banning unlawful disclosure to third parties. Fines and possibly criminal sanctions may be levied against those violating the Regulation.
European Court of Justice Finds Spain in Breach of Directive
On November 24 the European Court of Justice ruled that Spain had not correctly transposed the balance of interests provisions found in Article 7(f) of the Data Protection Directive. Article 7(f) allows personal data to be processed without consent if it is “necessary for the purposes of the legitimate interests pursued by the controller…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection.” Spanish law, however, improperly restricted the scope of the balance of interest provisions to those involving processing of data that appears in public sources. According to Ariane Mole, a Partner with Bird & Bird, such ruling should have a strong impact in a number of EU member states that, like Spain, have not correctly transposed Article 7(f), thereby leaving data controllers with little choice but to obtain consent.
Data Protection Laws Pending in Two More Caribbean Nations
The government of the Cayman Islands is currently reviewing draft legislation for a robust data protection framework, according to a report in the IAPP Daily Dashboard. The Data Protection Law, modeled upon both the EU Data Protection Directive and the UK Data Protection Act 1998 and designed to secure an adequacy finding from the European Commission, is expected to be available for public comment shortly. In Trinidad & Tobago the Data Protection Act passed by both houses of Parliament earlier this year and assented to on June 22 has yet to be proclaimed by the President. A former High Court judge has stated that the act was not passed in a constitutional manner and may be largely unenforceable as a result. The absence of provisions in the Act to protect the freedom of the press also appears to be an issue.
HR Data Breaches Dip in November
Five breaches of HR-related data were reported in November, two in the private sector: Monster Worldwide (a spreadsheet containing the names, job titles, dates of birth and SSNs of an undisclosed number of its employees exposed on the Internet since 2003) and LivingSocial (personal data of hundreds of current and former employees of the online social-buying company compromised by the theft of a laptop) and three in schools and colleges: MassBay Community College (personal information of all employees since 2002 exposed internally when a security function in the PeopleSoft database was not activated when the system was launched); Pennsylvania Public School Employee’s Retirement System (2,000 retirees impacted when an employee inadvertently posted an unencrypted file on a public website); and Brownsville Independent School District (personal data of an undisclosed number of employees of the Texas school district inadvertently posted on a public website).
Privacy Certification for Cloud-based Applications Expands
TRUSTe, an online privacy services provider, announced that it was partnering with GetApp.com, a business software marketplace, to make TRUSTe’s TRUSTed Cloud online privacy certification available to its more than 1,500 B2B SaaS application providers. This service will enable application providers to reassure customers with transparent and easy-to-understand information about their privacy practices and handling of corporate data. GetApp.com currently lists some 4,568 applications and tools in its business software directory.
European Commission Says Safe Harbor Program Will Continue
The pending revision of the EU Directive (now expected in early 2012) has raised questions about the viability of the Safe Harbor Program under the revised data protection framework. According to a report in Europolitics, a European Affairs daily, a Dept. of Commerce official said that "we have been assured by the European Commission that Safe Harbor will not be affected by changes in the Data Protection Directive". While the program is expected to continue to provide a legal basis for importing personal data from Europe, participants with European operations are likely to face the need to make other adjustments in their privacy compliance programs when the new framework is announced.
Mandatory Privacy Training for Gov't Contractors Proposed
On October 14 the Department of Defense, the General Services Administration and the National Aeronautics and Space Administration published a proposed rule that would amend the Federal Acquisition Regulation (FAR) to require employees of federal government contractors who work with government records containing personally identifiable information to undergo privacy training on an annual basis. The rule also specifies seven elements that must be addressed in the training.
German DPAs Issue Rules for Cloud Computing Use
Late in September the German data protection authorities, meeting in Munich, issued an “Orientation Guide to Cloud Computing” that highlights the cloud customer's responsibility for full compliance with German data protection requirements. The customer needs to know the identity of all sub-processors involved in the cloud computing services, and the agreement with the service provider must contain certain core elements of compliance, such as technical and organizational security measures, audit and control rights vis-à-vis any sub-processors, and all locations of data processing. Customers also need to verify the validity and applicability of a provider’s Safe Harbor certification.
Modest Number of HR Data Breaches in October
Only five breaches of HR data were reported during October, including: Securities and Exchange Commission (information about employee brokerage accounts, stored through the agency’s Ethics Program System, inappropriately disclosed to a sub-contractor of an SEC vendor, Financial Tracking Technologies); Idalex (an undisclosed number of employee personnel records left behind in an abandoned California plant near Modesto); PSE&G (a laptop stolen from the New Jersey utility exposed the names and SSNs of an undisclosed number of employees); AdvancePierre Foods (employee 401k data, including names, SSNs, dates of birth, and compensation amounts, exposed when an unencrypted flash drive went missing in the mail); Nemours (an undisclosed number of employees of the company’s Delaware, Pennsylvania, New Jersey and Florida health care facilities impacted by a missing filing cabinet containing 2004 back-up payroll tapes); and the University of Georgia (personal data of 19,000 employees left exposed on a university website since at least 2008).
Council of Europe Considers Amending Convention 108
On October 10-12 the Council of Europe’s Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (known as the “T-PD-Bureau”) met in Strasbourg to discuss amending the Council of Europe’s Convention 108 and Additional Protocol. These instruments constitute the only legally-binding international convention addressing data protection and their amendment is closely linked to the current review of the EU data protection framework. One of the main topics was regulation of transborder data flows, including a proposal prepared by Hunton & Williams attorney Christopher Kuner on behalf of the International Chamber of Commerce. Further discussion of the amendments will occur at a plenary meeting at the end of November. Separately, the Council of Europe announced that it would push for adoption of Convention 108 as a global standard during the 33rd International Conference on Data Protection and Privacy Commissioners in Mexico City in early November.
Court of Appeals Rejects Whistleblowing System Approved by CNIL
A French Court of Appeals in Caen confirmed a lower court's order for the suspension of a whistleblowing system implemented by French company Benoist Girard, a subsidiary of American group Stryker. The decision came as a surprise since it rejects the approval of the system by the French data protection authority (CNIL). Benoist Girard had taken advantage of the CNIL’s General Authorization for whistleblowing schemes that fit within certain parameters, but then exceeded those limits, particularly with regard to allowing anonymous denunciations. The CNIL was reported to have inspected the system and found it to be compliant.
Irish DP Commissioner to Audit Facebook
Billy Hawkes, Ireland’s Data Protection Commissioner, announced he will conduct a privacy audit of Facebook’s activities. Since Facebook’s international headquarters is in Dublin, all users outside the US and Canada could be affected by his findings. His office decided to audit Facebook after an Austrian group, Europe v. Facebook, filed 22 complaints with his office over various practices of the social networking giant.
NLRB Issues Report on 14 Social Media Cases
The National Labor Relations Board released a report on 14 cases involving employers' policies that restrict employees' postings on social media sites. Many of the cases turn on distinguishing individual gripes from collective or concerted activities, the latter being protected under the National Labor Relations Act (NLRA). Subsequently, an Administrative Law Judge ruled that Hispanics United of Buffalo had to rehire and provide back pay to five workers fired after posting comments about a co-worker and their employment with the company on Facebook. The judge found that the Facebook communications were a "protected concerted activity" under the NLRA.
Interest in Local Clouds Grows in Europe
Concerns about U.S. government access to cloud data under the Patriot Act continued to grow in Europe, with Deutsche Telekom promoting a “German Cloud” to store and shield local data and pressing regulators to introduce a certification system for German and European cloud providers that could be used for competitive advantage. In the Netherlands, the government was preparing to ban its own use of U.S. cloud services, such as Google Docs and Dropbox, on similar grounds, but then stayed the decision pending further inter-governmental efforts to resolve the conflict.
Nine HR Data Breaches in September
Apart from the massive SAIC breach (4.9 million members of the military and their families at risk following the theft of a back-up tape from a SAIC employee's car), there were eight other breaches of employee data reported in September: Veterans Affairs (518 veterans impacted by a breach at a VA facility in Danville, IL and 1,814 by a breach at a VA facility in Biloxi, MS); U.S. Army (25,000 retirees affected by the loss in the mail of a CD containing their sensitive benefits information); El Paso Independent School District (names, addresses, SSNs and dates of birth of 9,000 employees compromised by a network hack); US Steel Mining (4,000 retirees and dependents impacted when a CD with their information was lost in the mail); Penn Foster (500 employees of the Pennsylvania firm affected by the theft of a home computer and sensitive papers); Intelligence and National Security Alliance (names and e-mail addresses of hundreds and possibly thousands of U.S. intelligence officials, government executives and defense industry contractors posted on the Internet by hackers); and the Legislative Data Center, Sacramento (50 employees participating in a flexible-benefits program warned that their personal information had been obtained by a hacker).
Directive Reform Likely to be Delayed
The European Commission's publication of its reforms to the Data Protection Directive will likely be delayed beyond the expected November deadline. Matthew Newman, a spokesperson for European Commission Vice President Viviane Reding, told the IAPP Europe Data Protection Digest on September 29 that “this is a comprehensive reform” and the timing for publication is “within 20 weeks.” It was not clear from the report whether the 20-week extension would begin at the time of the spokesperson’s remarks or at the end of November. The former would extend the release of the Commission’s proposals until the end of February 2012; the latter would extend the release until the end of April 2012.
Costa Rica Enacts Data Protection Law
The Costa Rican Law on Personal Data Protection No. 8968 came into force on September 5. The law, modeled upon European precedents, regulates manual and automatic data processing and applies to both public institutions and private companies. It establishes a Data Protection Agency (Prodhab) and includes a mandatory registration requirement. Costa Rica becomes the seventh nation in Latin America to enact comprehensive data protection legislation, after Argentina, Chile, Colombia, Mexico, Peru and Uruguay.
Data Protection Laws Now in 76 National Jurisdictions
In a special report for Privacy Laws & Business, Australian Professor Graham Greenleaf has identified comprehensive data protection legislation in 76 national jurisdictions around the world as of July 30, 2011. His findings are summarized in a table listing the jurisdiction, the name of the law, its dates of enactment and latest amendment, the region, information about European findings of adequacy, status as a Council of Europe member and a ratifier of Convention 108 and its optional protocol, and other international commitments. Countries of some prominence that have flown under the radar of HR Privacy Solutions include Albania, Angola, Bosnia & Herzegovina, Croatia, Kyrgyz Republic, Mauritius, Montenegro, Senegal, and Serbia. India was notably included in the list, by virtue of its new rules under Section 43A of the Information Technology Act 2008. Accompanying the table was a detailed and insightful analysis of trends and timelines revealed by the data set. Professor Greenleaf indicated his intent to make a periodically updated version of the table available on his website.
Massachusetts Data Security Regs Require More Than a WISP
In its first settlement over allegations of violations of the state’s rigorous data security regulations, the Massachusetts Attorney General’s Office found that the Belmont Savings Bank’s written information security plan (WISP), while necessary, was insufficient to demonstrate compliance with the regulations. Specifically, the Bank failed to encrypt personal information on laptops and mobile devices, failed to store and secure back-up tapes properly, and failed to train its employees in data security policies and procedures. The Bank agreed to pay a $7,500 fine and follow the provisions of its own WISP.
NLRB Issues Guidance on Social Media Policies in Workplace
After bringing a number of enforcement actions against employers for over-reaching social media policies, the National Labor Relations Board (NLRB) issued three advice memoranda that clarified its position on acceptable policies. According to the NLRB, an employer's social media policy or practice only violates the National Labor Relations Act when the policy or practice is used to stop or specifically target concerted organizing activity. Employers do not have to tolerate disparaging remarks about their company, managers, employees or customers simply because an employee makes that remark on Facebook or another social media site. Separately, the U.S. Chamber of Commerce issued a comprehensive report entitled “Survey of Social Media Issues Before the NLRB” providing a wealth of information about NLRB decisions in this area.
Seven HR Data Breaches in August
Breaches of employment-related data slowed a little in August, with only seven organizations announcing losses: Fort Dodge Correctional Facility (names, SSNs and other personal information of an undisclosed number of the Iowa prison’s employees left in an unsecured location accessible to inmates); Allianceforbiz.com (20,000 government employees and contractors impacted by the hacking of an events management company); Bay Area Rapid Transit (personal information of over 2,400 BART employees deliberately posted on the Internet as retaliation by the hacker group #Anonymous, following protests over fatal shootings by BART police); Reznick Group (an undisclosed number of employees of the top 20 national CPA firm affected by a computer security breach experienced by AssureCare Risk Management, a former service provider for the firm’s employee benefits plan); City of Pittsburgh (at least 29 police officers, public safety employees and others victimized by ID theft, with the source of the breach not known); and Lexington VA Medical Center (1,900 veterans warned that their personal details were made vulnerable when an employee took patient files home in violation of the Kentucky hospital’s policy).
Indian Gov't Exempts Outsourcers from Consent Requirements
On August 25, in response to pressure from the $14 billion Indian BPO industry, the government clarified the new rules under Section 43A of the Information Technology Act to exempt outsourcers from the need to obtain the written consent of data subjects of information received from clients outside India. As predicted, this requirement applies only to “bodies corporate” operating within India. Both IT lobby NASSCOM and the Data Security Council of India (DSCI) welcomed the statement issued by the Ministry of Communications & Information Technology (MCIT).
Details Emerge about New DP Law in Peru
An English translation of Peru’s Law for Personal Data Protection, signed into law in July, shows that a data protection authority, the National Authority for Personal Data Protection, will be established and given the ability to levy fines for violations of the law. In addition, a National Register of Personal Data Protection will be developed to record, for a fee, publicly or privately administered databases of personal information, as well as authorizations issued by the Authority pursuant to the law.
NIST Issues Privacy Controls for Federal Information Systems
The National Institute of Standards and Technology proposed adding privacy controls to its catalog of security controls for federal information systems, by releasing a draft 34-page Privacy Appendix for public comment through September 2, 2011. The 23 controls specified in the draft provide a structured way of assessing and ensuring that privacy requirements, deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance, as well as from international standards and best practices, are satisfied in federal information systems. Examples of the controls include transparency, data minimization, use limitation, data quality, and individual access and redress.
Article 29 WP Issues Opinion on Consent
On July 13, the Article 29 Working Party, an independent advisory body to the European Commission, issued a 38-page opinion on the definition of consent. The opinion elaborates the meaning of key terms used in describing the conditions for valid consent, such as indication, freely given, specific, unambiguous, explicit and informed, and addresses the proper timing of consent. Numerous examples of valid and invalid consent are provided in this extended analysis, which also affirms the importance of using the appropriate legal grounds for processing personal data. The opinion paper concludes with a few recommendations relating to consent that the Working Party believes should be considered during the current review of the Data Protection Directive.
No Summer Holiday for HR Data Breaches
Nine breaches of HR data were reported in July: Washington Post (user IDs and e-mail addresses of 1.3 million users of the newspaper’s online job section compromised by hacking); Nyack Hospital (NY) (1,400 current and former employees exposed to ID theft by the theft of a computer); Estée Lauder (an undisclosed number of employees and contractors impacted by the theft of a laptop); Swedish Medical Center (WA) (personal information, including SSNs, of 20,000 current and former employees made accessible on the Internet unintentionally); TSA (dozens of TSA employees at Sky Harbor International Airport suffering loss of banking information and deposits possibly via credit card skimming); Meridian Health System (an undisclosed number of employees jeopardized by the overnight theft of computer equipment from the home of an employee in Asbury, NJ); Lumberton Independent School District (TX) (theft of a laptop from a car impacting an undisclosed number of employees); JetBlue (an undisclosed number of employees impacted by the placement of malware on a corporate system); and Pfizer (a laptop stolen from an employee’s car potentially revealing personal information of an undisclosed number of employees).
Russia Amends Federal Data Protection Law
In early July the upper house of Russia's federal legislature approved amendments to the country's federal data protection law which were subsequently approved by President Medvedev on July 26. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute's data subject consent provisions. The amendments, to be followed by interpretive regulations, will come into force when they are published in the official newsletter. Russia’s underlying federal data protection law finally came into effect on July 1, after five years of delays. The new rules allow personal data to be transferred outside of Russia to EU member states or to nations that are approved by a Russian federal agency authorized to designate countries that can guarantee adequate protection for personal data. In addition, personal data may be transferred with the prior written consent of data subjects, or if required by Russian federal legislation or international treaties.
Privacy Law Reform Revived in Australia
According to Malcolm Crompton, former Federal Privacy Commissioner, the process of reviewing and reforming the Privacy Act 1988, the main law protecting privacy in Australia, was all but stalled in recent years but now has been revived by the Minister for Privacy, Brendan O’Connor. His July 21 call for a consultation on whether to introduce a statutory cause of action for serious invasions of privacy rapidly led to a renewal of interest in reforming other portions of the Act. The revival was also spurred by the late June release of a 292-page report on the exposure draft of the Australian Privacy Principles and privacy legislation by the Senate Finance and Public Administration Committee.
FTC OKs Company that Scours Internet for Employers
The Federal Trade Commission dropped its investigation of Social Intelligence Corporation, finding no reason to conclude that the start-up, which provides an Internet and social media screening service to employers, did not comply with the Fair Credit Reporting Act. The decision means that the company can locate and sell adverse information it finds about applicants and employees and may legally retain the information for seven years. The service also searches for evidence of employees’ disclosure of confidential or proprietary information, professional misconduct, or illegal activity.
Facebook Facial Recognition Provokes New Privacy Firestorm
Facebook’s roll-out of facial recognition functionality on a default rather than opt-in basis raised the hackles of privacy advocates, legislators and European regulators, prompting a next-day apology from the company. The new feature automatically recognizes the identity of individuals in photos posted on a user’s pages and suggests approving the tagging of those photos with the names, whether the individuals depicted have agreed to such tagging or not. The Article 29 Working Party and privacy commissioners in Ireland, Germany and the UK said they will investigate the matter. In the U.S., EPIC filed a complaint with the FTC about the practice, calling it a “biometric data collection” scheme that violates privacy and adversely impacts consumers. Connecticut AG George Jepsen requested a meeting with company officials about the privacy risks involved.
State Employees Bear Brunt of Month's HR Data Breaches
Following April’s massive data breach impacting 3.5 million employees, Texas state employees were again placed in jeopardy by two breaches reported in June, one by the Texas Department of Assistive and Rehabilitative Services (4,900 employees impacted by a breach of an undisclosed nature) and the other by the Teachers Retirement System of Texas – Austin (personal information of an undisclosed number of retirees exposed through the window of TRS envelopes mailed to banks). In Arizona, the hacking group LulzSec breached the website of the Arizona Department of Public Safety and posted the names, addresses, phone numbers and passwords of Arizona law enforcement members and their spouses on the Internet. The breach may be the first time that a hacking group has intentionally exposed employee information for political purposes, in this case opposition to the state’s immigration policies. In California, 9,000 current and former employees of the California Department of Public Health were informed that their personal information had been inappropriately copied to a private hard drive and removed from state offices; the employee copying the data was later identified and placed on leave pending completion of an investigation. The CDPH experienced another breach back in December. In the only breach reported by a private employer in June, Automatic Data Processing (ADP), the world’s largest payroll company, said it had become the latest big financial company attacked by cyber criminals. The breach it reported was limited to a single client and occurred at Workscape, a benefits administrator ADP recently bought. The number of employees impacted was not disclosed.
Peru Enacts Comprehensive Data Protection Law
Peru became the latest Latin American nation to enact omnibus privacy legislation, with Congress passing the Personal Data Protection Law on June 7 and outgoing President Alan Garcia signing the bill into law on July 2. The legislation, which follows European precedents and includes database registration requirements, is expected to improve the development of technology and related industries such as call centers.
Colombia and Senegal Poised to Enact DP Laws
According to news surfacing in June, data protection laws are expected to be put in place shortly in both Colombia and Senegal. A report in IAPP’s Privacy Advisor on the recent Iberoamerican Data Protection Conference held in Colombia described the country as being “on the verge” of enacting its comprehensive data privacy law. According to a brief note in the Privacy Journal, Senegal will soon enact its new data protection law, with an 11-member watchdog commission headed by the legal advisor to the President.
India Adopts Comprehensive Privacy Regulations
On April 13, following a brief public consultation, India’s Dept. of Information Technology quietly issued final regulations implementing those parts of the Information Technology (Amendment) Act, 2008 that deal with protecting personal information. The regulations are comprehensive in scope, applying to all organizations that collect and use personal data in India and imposing obligations typically found in omnibus data protection laws. Organizations are required to provide notice to individuals, create privacy policies, grant access and correction rights, and establish dispute resolution processes. With a few narrow exceptions, sensitive personal data (defined broadly to include passwords; financial information; data about physical, physiological and mental health conditions; sexual orientation; medical records and history; and biometric information) may be collected, processed and disclosed only with prior written consent. Reasonable security measures, as described in a comprehensive written security program and policies, must be followed, modeled upon ISO 27001 or other recognized standards, with independent audits carried out at least once a year. Penalties for violations include up to three years imprisonment, small fines or both, with company directors subject to liability claims.
FTC Settles Data Breach Charges against Ceridian
The Federal Trade Commission reached a settlement agreement with Ceridian, a major provider of payroll and HR services, stemming from a breach of payroll data in 1,000 small client companies that was reported in February 2010. According to the FTC, Ceridian did not adequately protect its network from reasonably foreseeable attacks and stored sensitive personal information in clear, readable text on its network. The settlement requires the company to establish a comprehensive information security program and to undergo 20 years of independent security audits.
Disney Employees Sue over Exposure of SSNs
Employees of two California hotels run by Walt Disney have filed a class action lawsuit on behalf of 20,000 workers, charging that the company compromised workers’ personal information and privacy by embedding SSNs in their ID cards. Mobile phone barcode scanners can read and interpret the unsecured data on the ID cards, the lawsuit alleges. The plaintiffs also charge that Disney stores former employees’ cards in an unsecured location, making them susceptible to theft or misuse.
Three Sets of Cloud Computing Guidelines Issued
Cloud computing guidelines were issued in May in Washington, Germany and Australia. The National Institute of Standards and Technology (NIST) released Draft Special Publication 800-146, NIST Cloud Computing Synopsis and Recommendations, for public comment. According to NIST, this document explains cloud computing technology in plain terms and provides practical information for information technology decision makers interested in moving into the cloud. The German Federal Office for Information Security (BSI) issued the final framework paper describing the minimum requirements for information security for cloud computing services. According to the BSI, the paper provides “Best Practices” and serves as a basis for discussion between cloud computing service providers and cloud users. The Office of the Victorian Privacy Commissioner published Cloud Computing guidelines for public sector organizations that show how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies.
Five HR Data Breaches in May
Continuing the ebbs and flows of HR data breaches over the last year, only five employment-related data breaches were reported in May. The largest involved the Massachusetts Executive Office of Labor and Workforce Development, which reported that a virus had corrupted computers at the state unemployment agency, exposing sensitive personal information of 210,000 out-of-work residents to criminal hackers. Other breaches included the U.S. Securities and Exchange Commission (SSNs and other payroll information for about 4,000 workers included in an unencrypted e-mail that slipped through monitoring software); San Juan Unified School District, CA (personal data of 4,000 employees compromised when a staff member copied sensitive data onto a flash drive to work at home, but accidentally uploaded it to a church website); Domino's Pizza (copies of SSN cards, driver's licenses and other documents from hundreds of employee personnel files found in a dumpster in Fisher, IN); and Fox Broadcasting (a database containing e-mail addresses and passwords of 300 employees stolen by a hacking group called Lulz Security).
Italy Reduces Regulatory Burden of DP Code
On May 5 the Italian Government's Council of Ministers passed a decree aimed at reducing red tape obligations for Italian data controllers and saving them €600 million. The decree amends the Italian Data Protection Code by eliminating the applicability of data protection laws to legal persons such as companies, if the processing is only for administrative or accounting purposes. It also simplifies the notification obligations under many circumstances for companies that process personal data of their own employees and contractors, as well as their spouses or relatives, allowing such companies to self-certify, as opposed to notifying the Garante. Finally, the new decree also simplifies requirements relating to giving privacy notices to job applicants.
Maryland Restricts Employer Use of Credit Information
With enactment of its Job Applicant Fairness Act, Maryland joined Hawaii, Illinois, Oregon, and Washington in prohibiting employers from using an applicant's or employee's credit report or credit history in making employment decisions in the absence of “substantially job-related” or legal requirements. Similar legislation is pending in California, Florida, New Jersey, New York and Pennsylvania.
Firestorm Erupts over Secret iPhone Tracking
Massive HR Data Breach in Texas, Plus 10 Others
In what is believed to be the largest breach ever of personal information in Texas, the State Comptroller’s Office revealed that the names, SSNs, dates of birth, driver's license numbers and other data of 3.5 million current and former state employees were inadvertently left exposed on a publicly accessible state computer server site for a year or longer. Ten other breaches of HR data were reported in April, including: U.S. Airways (personal information of 3,000 pilots exposed by an inappropriate sharing of an Excel file by a management employee); Hartford Financial Services Group (300 employees and contractors impacted by installation of password-stealing Trojans on a number of the company's servers); Peace Officers Research Association of California (personal information of 2,000 retired public safety officers exposed through hacking); Schield Family Brands (87 of the Wisconsin firm’s 12,000 employees victimized by ID theft arising from an undetermined breach); GM Lansing assembly plant (50 workers reporting fraudulent use of their credit cards, with the means by which the card numbers were obtained not known); ABM Industries (an undisclosed number of employees jeopardized by the theft of computer equipment from an Atlanta office); UMass Memorial Healthcare (an undisclosed number of employees impacted by exposure of their personal information on misconfigured HRConnect self-service kiosks); VA Medical Center in Aiken, SC (paper records of over 2,500 veterans discovered in the trash); Town of Barton, VT (personal information of 150 employees compromised by spyware on a payroll computer); and Applied Micro Circuits (an undisclosed number of employees impacted by the theft of an unencrypted laptop from a car).
Article 29 WP Backs Adequacy Finding for New Zealand
The Article 29 Working Party issued an opinion finding that New Zealand’s newly-amended privacy laws provide an adequate level of protection for personal data received from Europe. Concerns about weaknesses in various aspects of the New Zealand law, such as in onward transfers of European data to third countries, were offset, according to the Working Party, by the low probability that European data would be involved, given New Zealand’s small footprint and great distance from Europe.
Mexican DPA Expects Company Compliance to Begin in July
Mexico's data protection authority will not rush to carry out compliance inspections or take enforcement actions when rules implementing the country's new data protection law begin taking effect in July, according to the Instituto Federal de Acceso a la Información Pública (IFAI). However, as soon as the implementing rules are published, the government expects businesses and other covered entities to begin following the basic requirements that they appoint an individual to be in charge of data protection and establish written data security and privacy policies. Full enforcement will begin in January 2012.
South Korea Enacts Comprehensive Privacy Law
On March 29 South Korea’s President signed the Act on the Protection of Personal Data, based upon a comprehensive set of data protection principles governing the collection, use, sharing and disposal of personal data. The rules, which will apply to 3.5 million public and private sector businesses and organizations, will come into effect on September 30, 2011. They include data breach notification requirements and a new right to file class action lawsuits over alleged violations of the Act. The omnibus law will establish a centralized data protection planning and enforcement system in the form of a new presidential committee. The need for the new law was underscored in April as a survey revealed that 50% of Korean Internet users have had their personal data leaked online and a massive data breach was reported by Hyundai Capital.
FTC Announces Landmark Settlement with Google
On March 30 the Federal Trade Commission announced a proposed settlement with Google over the company’s 2010 rollout of its Buzz social network, a rollout that spawned thousands of complaints about the involuntary disclosure of users’ e-mail address lists. Under the precedent-setting terms of the settlement, Google will be required to establish a comprehensive privacy program monitored biennially by an independent auditor for the next 20 years, and prohibited from making future privacy misrepresentations. The settlement also alleges that Google had substantively violated its Safe Harbor commitments, this being the first time the FTC has leveled such charges against a participating company. Google will be required to obtain users’ explicit affirmative consent before sharing their information with third parties if its products or services are changed in a way that results in information sharing contrary to any privacy promises made when the user’s information was collected. The agreement containing a consent order will be open for public comment through May 2.
What Location Tracking Looks Like
Malte Spitz, a German politician and privacy advocate, used the access provisions of German privacy law to force his cell phone company to reveal what it knew about him. The results were 35,831 different facts about his cell phone use over the course of six months, which were then published in an online interactive map that traces his movements, moment by moment, over the course of half a year. The New York Times, which described the released data as “astounding,” said it was rebuffed by major U.S. cell phone carriers when it tried to find out if they have similar data about their subscribers. Following the New York Times article, a bipartisan group of legislators gave the four major carriers 15 days to clarify their practices with respect to tracking data.
Employers May be Getting the Message on Breaches
The number of HR data breaches reported in March fell to a near-record low, with only one corporate employer and three educational organizations admitting losses: Lone Star Business Solutions (the third party payroll and HR provider to Lone Star Restaurants exposed an unknown number of employees and applicants to ID theft by disposing of thousands of documents in an unsecured dumpster in Wichita); Bloomfield Hills School District (names and SSNs of 321 employees inadvertently distributed in an Excel spreadsheet to parents in the Michigan school district); Walnut Township School District (an undisclosed number of employees impacted by someone hacking into the Ohio school district’s payroll system); and Midlands Technical College (personal information of 500 employees of the South Carolina college exposed when a flash drive disappeared from the HR office). Note: Losses at educational organizations – which are legion – typically mention students, applicants, faculty, staff, etc. and are only included in this monthly summary when they are either restricted to employees or mention an explicit number of employees.
Reding Outlines Four Pillars of New European DP Rules
EU Justice Commissioner Viviane Reding, speaking at a parliamentary conference in Brussels, said that the new data protection rules, to be finalized this summer and put in front of Parliament, are to be based on four pillars: the right to be forgotten, transparency, privacy by default and data protection regardless of data location. Reding also emphasized that third parties that process EU citizens' data outside of the EU, such as a U.S.-based social networking company, must comply with European rules. The Commission was reported to have not yet decided whether the revised legal instrument should be in the form of a directive or turned into a regulation which would be directly binding on member states.
Germany Strengthens “Irredeemability” of Internal DPOs
The German Federal Court of Labor ruled in March that an internal data protection officer's appointment cannot be terminated simply because the employer wishes to outsource the position to an external data protection officer. Under the terms of the revised Federal Data Protection Act, internal DPOs can only be terminated with good cause, such as misconduct or incompetence. The ruling is expected to significantly increase the incentives companies have to appoint external data protection officers.
Implementing Rules for Mexico's Privacy Law Expected in July
Mexico's data protection oversight body, the Federal Transparency and Data Protection Institute, has indicated that it expects the draft implementing regulations that will bring into effect the new Mexican federal privacy statute to be ready in July of this year. A public consultation will be held on the draft regulations. Enforcement of the new comprehensive data protection law is not expected to occur until 2012.
NLRB Reaches Settlement in Facebook Firing Case
The National Labor Relations Board reached a settlement with American Medical Response of Connecticut over the firing of an employee who had posted negative comments about her supervisor on her Facebook page, calling him a mental patient. In a press release the NLRB stated that “Under the terms of the settlement,… the company agreed to revise its overly-broad rules to ensure that they do not improperly restrict employees from discussing their wages, hours and working conditions with co-workers and others while not at work, and that they would not discipline or discharge employees for engaging in such discussions.” The company settled allegations relating to the firing privately with the employee.
Companies Clamp Down on Facebook, Twitter at Work
According to a study commissioned by Robert Half Technology, more than half (54%) of American companies say they've banned workers from going to Facebook, LinkedIn, MySpace and Twitter while on the job. It also found that 19% of companies allow social networking use only for business purposes, and only 16% allow limited personal use. Only 10% of the 1,400 CIOs interviewed for the study said that their companies allow employees full access to social networks during work hours.
Ebb and Flow of HR Data Breaches Continues
The number of HR data breaches reported in February dropped to only five: Oregon Dept. of Corrections (at least 550 of 4,500 employees exposed to ID theft by the loss of a thumb drive); NYC Health & Hospitals Corp. (personal data of 1.7 million patients, hospital and contract employees and others lost when computer backup tapes were stolen from the unlocked truck of a data storage and transport vendor, GRM Management Information Services, that was subsequently sued by the corporation); Ohio Department of Job and Family Services (more than 8,000 state child-care providers receiving letters from the state’s payroll provider, Affiliated Computer Services, with their SSNs displayed on the outside of the letter); Loud Technologies (an undisclosed number of employees impacted by the theft of a computer from the company’s premises); and FirstGroup America (an unknown number of employees jeopardized by the loss of an unencrypted thumb drive on a bus in Cincinnati).
Art 29 WP Responds to European Commission Consultation
The Article 29 Working Party released a 6-page response to the European Commission’s request for input on its recently-released outline of a new data protection framework in the European Union. Amongst the key recommendations of the Working Party were the following: development of a mechanism for “collective redress,” under which DPAs and civil society organizations could bring actions in courts on behalf of data subjects; explicitly incorporating accountability requirements into the obligations of data controllers; extending “privacy by design” obligations from data controller to developers and manufacturers of new products and services; incorporating mutual recognition procedures for BCR approvals into the new framework; and strengthening the autonomy and independence of the Working Party, for example by giving it the ability to issue opinions of a more binding character.
Philippines Data Protection Bill Passes 2nd Reading
A comprehensive data protection bill, the Data Privacy Act, advanced in the Philippines by passing a second reading in the House of Representatives. The bill would protect and enforce fair practices in the collection and use of personal details kept in computer systems in the government and private sector, with oversight provided by a National Data Privacy Commission. Its sponsors said that “the measure would prevent the misuse of personal facts in computer systems, including identity theft; reinforce consumer confidence in electronic commerce; and build up the country's business process outsourcing (BPO) activities.” A counterpart bill is pending in the Senate.
Omnibus Data Protection Law Coming in Colombia
Colombia is close to enactment of a comprehensive data protection bill inspired by the 2009 Madrid Resolution, according to a report in a Privacy Laws & Business newsletter. Statutory bill 46 of the House of Representatives builds upon a 2008 law and creates general provisions for the protection of personal data. It was passed by the Colombian Congress last December and is pending a review by the Constitutional Court before being signed into law later this year. Call-centre business is regarded as a driving force behind the legislation.
Supreme Court Rules in NASA Background Investigation Case
Overturning a lower court decision, the Supreme Court ruled unanimously that background checks conducted on independent contractors at a NASA facility were carried out for a legitimate purpose in a reasonable manner, even though they did intrude on privacy to some degree. Justice Samuel Alito, writing for himself and five other justices, said the court was willing to assume, for the purposes of deciding the case, that the U.S. Constitution does in fact guarantee a right to informational privacy. Even so, he said, the federal law requiring background checks of private contract employees does not violate that privacy right. Justices Scalia and Thomas argued that there is no such right in the Constitution.
E-Verify Fray Continues, as Errors Persist
Two new state governors entered the fray over E-Verify, with Florida’s governor issuing an executive order requiring that the federal employment eligibility database be used to vet all current and prospective employees and Rhode Island’s governor rescinding his predecessor’s executive order requiring use of the system. Many observers believe that legislation mandating the use of E-Verify is likely to be introduced in Congress, even though a January 18 report by the Government Accountability Office found persistent and significant problems with the accuracy of the database and the ability of those wrongly found ineligible for employment to secure timely redress.
Eight HR Data Breaches in January
After a slowdown last month, the pace of HR data breaches picked up in January, with eight breaches reported: Pentagon Federal Credit Union (a hacked laptop, exposing personal and banking information of an undisclosed number of up to a million active-duty military personnel and others connected to the Pentagon); South Carolina Budget and Control Board (5,600 state workers in jeopardy of ID theft when an employee of the Board’s Employee Insurance Program opened an e-mail attachment containing malware); Ember Corporation (data of 50 current and former employees of the Boston-based company exposed when a package shipped via FedEx by Ceridian, its payroll provider, arrived in a manner suggesting tampering in transit); KBR (an undisclosed number of employees of the Houston-based firm impacted by the theft of a laptop); Omaha Public Schools (more than 4,300 current and former employees impacted by a computer attack on the Omaha School Employees Retirement System website); New Mexico National Guard (650 Guardsmen placed in jeopardy by the theft of a computer from the National Guard’s Santa Fe headquarters); Seabury & Smith (an undisclosed number of ITT workers impacted when sensitive personal information was exposed on the Internet due to a programming error by the company’s Marsh U.S. Consumer subsidiary); and the Washington State Employment Security Division (as many as 1,000 employees potentially victimized by a man, recently arrested, who stole HR paperwork last year from a car parked on the state Capitol campus).
European Commission Reaches Adequacy Determination for Israel
The European Commission published its decision, reached in October 2010, that Israel provides an adequate level of protection for personal information. The decision follows a recommendation to this effect by the Article 29 Working Party. It allows for simplified personal data transfers between EU countries and Israel. Israel is one of only a handful of countries to have obtained adequacy status.
German Regulators Challenge Google Over Analytics Program
German web companies could face hefty fines for using Google Analytics, its online metrics service, after data protection officials broke off talks with the U.S. internet giant this week and threatened to pursue a precedent-setting court case. Johannes Caspar, the Hamburg Data Protection Commissioner who brought the company’s Street View practices to light, had been negotiating with Google since November 2009 over its collection and processing of IP addresses, including their transfer to the United States. Also in January, the data protection authority for Rhineland-Palatinate issued a press release underscoring its position that Google Analytics is an illegal program. German companies with websites that use Google Analytics are likely to be the immediate target of enforcement actions.
Russia Again Delays Enforcement of Data Protection Law
Once again, President Dmitry Medvedev signed a bill into law amending the Federal Law Regarding Personal Data and postponing the implementation of certain requirements, according to a December 27 presidential press-service statement. The amendment moves the required compliance date for database operators from January 1, 2011, to July 1, 2011. The implementation date has been moved back several times from its original date of January 26, 2007, possibly reflecting the government’s uncertainty as to how to rewrite some strict provisions that many businesses regard as unworkable.