Privacy News
from HR Privacy Solutions
July 2010
FTC Raises Info Security Bar with Twitter Case
The consent order proposed by the Federal Trade Commission in June following its investigation of Twitter expands the agency’s enforcement of information security standards in two significant ways. In the first place, the order makes clear that the FTC will not restrict its oversight to only those cases in which sensitive personal data, such as SSNs and payment card numbers, are involved. Secondly, the order sets forth a number of measures relating to administrative access to systems that the FTC is likely to look for in future investigations. For example, (a) website administrator login pages should be maintained separately from general published login pages, with these pages made known only to authorized users; and (b) administrative access should be restricted to certain IP addresses or enhanced through multi-factor authentication.
HR Data Breached Seven Times in July
Seven breaches of HR data were reported in July, including American Airlines (79,000 current and former employees impacted by the theft of a computer hard drive from the pension department of the Fort Worth-based airline); Oregon State University (a computer virus compromised the personal data of 34,000 current and former employees); Connecticut Teachers’ Retirement Board (a missing flash drive exposed 58,000 retirees to ID theft); St. Luke’s Health Systems, Idaho Power and Saint Alphonsus Medical Center (thousands of employees of the three organizations affected when a computer server back-up tape containing their personal data went missing in the possession of consulting firm Mercer); Village of West Bend, IN (an undisclosed number of employees impacted by the theft of a laptop containing payroll information from a car in Milwaukee); Deere and Company (benefit plan summary statements from UnitedHealthcare were mailed to the wrong addresses of an undisclosed number of employees of Deere); and Alcoa (an undisclosed number of employees potentially affected when an electronic folder of global mobility data was inadvertently shared as a public folder within the company’s internal network).
U.S. Cloud Providers Lobbying EU on Privacy Rules
Cloud providers such as Google and Microsoft, which have spent billions of dollars building data centers in Europe, are pressuring the European Union to streamline its privacy rules so that they can offer more remote computing and data-storage services. Countering them, organizations like the French Association for a Digital Economy in Europe are lobbying to require storage of computer data in the country in which storage is being sold. The cloud providers are hopeful that the European Commission’s Digital Agenda initiative will lead to the creation of a single harmonized market for cloud services by 2012.
Art 29 WP Urges Adoption of Accountability Principle
In an opinion issued in July, the Article 29 Working Party fleshed out the details in its 2009 recommendation that the European Commission include a new principle on accountability in any revision of the Data Protection Directive. The 19-page opinion calls for the creation of a legal requirement that data controllers put in place concrete internal measures and practices that reflect data protection principles and obligations, in order to make data protection part of the shared values and practices of an organization. Data controllers would also be required to demonstrate the measures and practices to supervisory authorities upon request.
Schleswig-Holstein DPA Calls for End to Safe Harbor
A month after opining that use of cloud service providers is basically contrary to German data protection law, Thilo Weichert, Data Protection and Privacy Commissioner of the northern German state of Schleswig-Holstein, called for an immediate end to the U.S.-EU Safe Harbor program. Weichert, responding to an advance summary of a new critical study of the program that Australian privacy researcher Chris Connolly presented at the Privacy Laws & Business annual conference, said that the lack of enforcement by U.S. authorities made it necessary to either re-open negotiations to make the Safe Harbor principles effective or to terminate the program. Connolly’s new study is expected to be released in August.
Ukraine Enacts Comprehensive Data Protection Law
Ukraine became the third nation in as many months to pass omnibus privacy legislation modeled upon European precedents. The Law on Personal Data Protection will become effective as of January 1, 2011. The legislation includes a mandatory requirement to register databases of personal information with an independent state authority that has yet to be established.
June 2010
Supreme Court Allows Search of Work-Issued Pager
The Supreme Court unanimously overturned the Ninth Circuit Court of Appeals in City of Ontario, California v. Quon, ruling that the city’s police department did not violate Officer Quon’s Fourth Amendment rights when it reviewed text messages transmitted over a work-issued pager. However, the court, ruling strictly on narrow grounds closely tied to the facts in the case, did not resolve whether the officer had a reasonable expectation of privacy, instead basing its decision on a finding that the search in this particular set of circumstances was reasonable. The ruling also did not address the rights of private sector employers or employees with respect to electronic communications.
Worldwide Investigations of Google Wi-Fi Sniffing
Privacy regulators in multiple countries, as well as police in some, are investigating Google’s three-year collection of personal data from unsecured wi-fi networks. The countries involved include Australia, New Zealand, Hong Kong, Canada, Japan, Korea, Spain, Germany, Italy, the Czech Republic, Austria, Hungary, Switzerland, the UK and the United States. In the UK, both Scotland Yard and the London Metropolitan Police have begun criminal investigations. The question of intent or the subsequent use of data collected electronically is not relevant under laws in a number of jurisdictions. Meanwhile, in the U.S., Attorneys General from 30 states participated in a conference call organized by Connecticut Attorney General Richard Blumenthal to explore coordinating investigations into Google’s wi-fi sniffing. Google filed a motion with the U.S. Judicial Panel on Multidistrict Litigation to consolidate eight current class action lawsuits pertaining to the data collection into one mega-lawsuit.
German DPA Finds Cloud Computing Largely Illegal
The data protection authority of the German federal state of Schleswig-Holstein published a press release and legal opinion on cloud computing that found the use of clouds outside the EU to be largely unlawful, even if the European Commission has issued an adequacy decision in favor of the country in question. According to the DPA, a non-EU cloud provider would always be an independent third party rather than an agent, requiring the third party to be bound by standard contractual clauses. Under the finding, the cloud provider’s participation in Safe Harbor would provide an insufficient legal basis for data transfers to the cloud.
Half a Dozen HR Data Breaches in June
Missing laptops and CD/DVDs were at the heart of five of the six breaches of HR data reported during June, including the Oregon National Guard (personal data of 3,500 soldiers exposed when a laptop was stolen from a Guard member’s car in Portland); National Gypsum (an undisclosed number of employees impacted by the DVDs reported missing in transit by Towers Watson in February); Invois (an unspecified number of employees of the Georgia firm affected by a laptop stolen during the review of a merger with GSX); Quantum Corporation (an undisclosed number of employees impacted by the weekend theft of a laptop from an IT workshop; normal encryption had been temporarily disabled during a repair operation); the Department of the Interior (personal data of 7,500 employees compromised when an encrypted CD from a third party went missing after being received in the department’s Denver shared services center); and Roanoke City Schools (2,000 employees exposed to ID theft when the district failed to remove hard drives from eight computers when selling them).
Taiwan Passes Personal Data Protection Act
Taiwan became the latest nation to enact omnibus privacy legislation, with passage of the Personal Data Protection Act in April. The Act applies a core set of privacy principles reflecting European precedents on the collection, processing or use of personal data by any individual, organization or enterprise, with special protections for data that is particularly sensitive. It also imposes an obligation upon data controllers to inform data subjects of any loss, disclosure, theft or other infringement of their personal data. No registration requirements are included in the law; class action lawsuits are allowed. The effective date of the Act has yet to be announced.
May 2010
German DPAs Call for Safe Harbor Checks
The Düsseldorfer Kreis, an informal but influential group of Germany’s 17 private sector data protection regulators, advised companies to conduct due diligence checks upon US companies concerning their participation in Safe Harbor before passing personal data to them under the program, rather than simply accepting claims of Safe Harbor membership. At the very least, companies were instructed to check that the data importer’s Safe Harbor certification is valid and to determine how data subjects are being informed about the data transfers. The Düsseldorfer Kreis also called upon the FTC to step up its Safe Harbor enforcement activities.
EU Rights Agency: Stronger DPAs, Employment Laws Needed
The EU's Agency for Fundamental Rights (FRA) has found that data protection authorities (DPAs) suffer from insufficient funds, inadequate staffing levels and a lack of sanctions for violators. A 56-page FRA report notes that in several countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, "prosecutions and sanctions for violations of data protection law are limited or non-existing" and that DPAs often lack "full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings." The FRA calls for strengthening DPAs, as well as for the adoption of additional legislation to address data protection in the context of employment relationships. Included in the report are comparative charts on DPA capacities in each member state, along with liberal, if somewhat anecdotal, criticism of faults and deficiencies of the DPAs in specific states.
House Examines Use of Credit Info in Employment
The House Subcommittee on Financial Institutions and Consumer Credit held a hearing on the “Use of Credit Information Beyond Lending: Issues and Reform Proposals” on May 12. The subcommittee discussed H.R. 3149, introduced by Rep. Steve Cohen (D-TN), which would amend the Fair Credit Reporting Act to prohibit the use of consumer credit checks for prospective and current employees for the purposes of making adverse employment decisions. The Society for Human Resource Management opposes the sweeping prohibition contained in the bill, favoring instead a limitation in use of credit checks to jobs with fiduciary, financial and security responsibilities. In April the New York Times ran an article on the topic that quoted a Trans Union credit bureau lobbyist as saying under oath that “At this point, we don’t have any research to show any statistical correlation between what’s in somebody’s credit report and their job performance or their likelihood to commit fraud.” The use of credit checks in the employment context also caused a stir in Alberta.
Google Wi-Fi Sniffing Explodes as Major Privacy Violation
In response to persistent pressure from the data protection authority in Hamburg, Google was forced to admit that its Street View mapping cars deployed for the last three years have been gathering personal data from unsecured wi-fi networks, a claim it previously denied. The data gathered was said to include e-mail messages, websites being visited and other content available at the time the network was identified. However, the company later admitted that it had collected 600 gigabytes of data from unsecured wireless networks around the world. The company defended the need to gather information about the location of the networks, in order to improve its mobile products, but claimed that the acquisition of user content was an engineering error of which it had been unaware. Google announced cessation of all further mapping to address the problem.
Seven HR Data Breaches Reported in May
Seven breaches of employee data were reported in May, including the City of Charlotte and the Tennessee General Agencies Welfare Benefits Program (the second and third entities to acknowledge being impacted by the two missing Towers Watson DVDs first reported by Lorillard in April; 5,200 and 1,874 individuals were affected, respectively); J.M. Smucker (data of 6,000 employees and dependents compromised when an HR employee e-mailed a database he was having trouble with to a computer-savvy relative who had offered to help); US Army Reserve (207,000 reservists affected when a laptop and CD were stolen from Serco, a government contractor in Reston, VA); Veterans Affairs Department (two laptops reported missing in Texas, one from a contractor impacting 616 veterans and the other affecting “thousands”); and the LA Firemen’s Credit Union (data of 28,000 members exposed when the credit union failed to manage records properly when moving to a new location).
April 2010
Dept. of Commerce to Address Internet Privacy
Re-asserting the role of privacy advisor to the White House and government policymakers that it last exercised in the ‘90s, the Department of Commerce announced that it would study how privacy is impacted in the Internet economy. The department said it was organizing an Internet Privacy Task Force, would hold a public meeting on U.S. privacy policy in Washington DC on May 7, solicit public comments from all Internet stakeholders, and issue a report by early fall. The move opens the potential for a policy turf war with the FTC, which is also preparing a framework of guidance for Internet privacy.
Military Hit Hard by April Data Breaches
Ten breaches of HR data were reported in April, including two by the Navy and two by the Army: U.S. Navy (244 employees at the Naval Facilities Engineering Service Center in Port Hueneme, CA finally notified of a breach that occurred in 2008); U.S. Army (documents containing sensitive personal information of 1,272 patients at the Brooke Army Medical Center in San Antonio stolen from a parked car); U.S. Army Reserve (12,000 military and civilian personnel associated with a former reserve command at Fort Totten, NY notified that their paper files could not be located); Lorillard Tobacco (an undisclosed number of employees impacted by the failure of a benefits service provider, Towers Watson, to encrypt two DVDs before they went missing in overnight delivery); Strategic Workforce Solutions (an undisclosed number of employees affected by theft of an unencrypted portable device from a car in Atlanta); Lam Research (at least 3,000 employees impacted by the theft of a laptop from a car in Fremont); Navy Region Hawaii (242 employees of the Federal Fire Department notified that their personal data was compromised by a hacker); Atlanta Fire Rescue (1,000 firefighters notified of an exposure stemming from use of a file sharing program, which came to light when a security consultant used the data during a workshop as an example of what can be found on the Internet); Kern County Employees’ Retirement Association (37,000 county employees and retirees in California impacted by a part-time clerk’s malfeasance); and Famous Dave’s of America (laptop stolen from a car with personal data of an undisclosed number of the national restaurant chain’s employees).
Ten Privacy Commissioners Challenge Google
Led by Jennifer Stoddart, Canada’s Federal Privacy Commissioner, ten privacy commissioners sponsored a press conference in Washington DC to publicize their criticism of Google’s social networking and Street View programs, as well as new online products from other vendors. The nations involved are Canada, Israel, Spain, France, the Netherlands, Germany, Italy, Ireland, New Zealand and the UK. According to Stoddart, "We want to send a strong message that you can't go on using people's personal information without their consent in these kinds of ways to launch a new product….Do your testing before, and make sure you comply with privacy legislation." Jacob Kohnstamm, chairman of the Dutch data protection authority, said that internet-based firms ought to see the letter sent to the firms outlining privacy concerns as “a last warning to the online world” before enforcement actions are taken.
Mexico Passes Omnibus Data Protection Law
After nine years of legislative development, including close consultations with European privacy regulators, Mexico enacted a comprehensive data protection law, covering both private and public sectors. Implementation and enforcement of the law will be carried out by the Federal Institute for Access to Public Information and Data Protection. Maximum penalties for misuse of sensitive personal information are five years in prison and fines up to $2.9 million. The U.S. is now surrounded by countries to the north, south, east and west that provide stronger legal protections for personal information than we do.
NIST Issues Guide to Protecting PII
The National Institute of Standards and Technology (NIST) issued a "Guide to Protecting the Confidentiality of Personally Identifiable Information," designed to help agencies identify personally identifiable information (PII) and determine appropriate level of protection for it. Of particular note is the Guide’s expansive definition of PII to include any information that is linked or linkable to an individual, such as medical, educational, financial or employment data, as well as telephone numbers and IP addresses.
March 2010
Senators Propose National Worker ID Card
Senators Charles Schumer (D-NY) and Lindsey Graham (R-SC) have proposed that biometric national ID cards, which they called “high-tech, fraud-proof Social Security cards,” be required for all U.S. employees, as a means of combating illegal immigration. Information would be stored on the cards, rather than in a government database, and the cards would not contain private data, medical data or tracking devices. DHS recently extended the deadline for state compliance with the Real ID program, first launched in 2005, for another year. Privacy advocates criticized the proposal as inevitably leading to a national database and mission creep, while being based upon false claims of being fraud-proof.
FTC Requires Monitoring Outbound Internet Traffic
In reaching a settlement with Dave & Buster’s, a restaurant and entertainment chain, the FTC quietly and without fanfare introduced a new security standard, requiring the company to monitor and filter outbound Internet traffic to block the unauthorized export of sensitive information. The consent decree puts companies on notice that they may face FTC scrutiny and penalties if they fail to use data loss prevention software.
HR Data Breaches Moderate in March
March saw a decrease in the number of HR data breaches reported, with five data losses, including Yuma Proving Ground (700 employees at risk because of a compromise of an employee’s home computer); Arrow Electronics (4,004 employees impacted by the theft of a laptop from the firm’s Melville, NY office); Beecher Carlson (an undisclosed number of employees, including 1,012 in Massachusetts, affected when two laptops were stolen from the Atlanta-based insurance broker); Nuance Communications (information of 1,191 Massachusetts employees exposed on a laptop stolen from a car); and the Evergreen Public Schools (WA) (numerous incidents of ID theft reported after data on 5,000 employees in a payroll system was compromised by the “shoulder-surfing” of a password).
Top EU Privacy Regulator Calls for ‘Privacy by Design’
Data protection laws should be changed to force people creating new technologies to build privacy features into them, according to a 21-page recommendation to the European Commission by Peter Hustinx, the European Data Protection Supervisor. Hustinx called for applying ‘Privacy by Design’ obligations in particular to developers of social media, RFID and targeted advertising applications. Support for the ‘Privacy by Design’ approach, developed by Anne Cavoukian, Ontario’s Privacy Commissioner back in the 90’s, was also voiced in the November Madrid Resolution and the January Article 29 Working Party opinion on the future of privacy.
French Senate Approves Amendment to DP Law
DataGuidance News reports that on March 23 the French Senate approved an amendment to the national data protection law which will require French companies with more than 100 employees who access or process personal data to appoint an internal data protection officer. As noted in the Monthly Privacy Review in November 2009, the bill will also introduce data breach notification obligations into French law. The amendment now goes to the National Assembly for its consideration.
Japanese Cell Phone Tracks Employee Motions
KDDI Corporation, the Japanese phone giant, has developed a cell phone that uses advanced analysis of accelerometers that will allow bosses to track the physical movements of workers. For example, a boss could tell when a janitor is scrubbing, using a mop, emptying a waste bin, etc. The company said it prefers to think of its creation as “a caring, mothering system rather than a Big Brother,” but counsels potential users to get the consent of employees in advance.
February 2010
Massachusetts Data Security Law Now in Effect
After a number of extensive delays, most provisions of the new Massachusetts data security regulations came into effect on March 1, 2010. Entities that process personal information about state residents must develop, implement and maintain a written, risk-based information security program that includes numerous administrative, technical and physical safeguards, including encryption of laptops and other portable devices. By March 1, 2012, service providers must be contractually bound by the same requirements.
Checking Job Applicants Online Very Common in U.S.
According to a Microsoft survey of 2,400 employers and jobseekers in the U.S., UK, Germany and France, 70% of HR respondents in the U.S. rejected job applicants because of negative information found online, with smaller numbers of 41% in the UK, 16% in Germany and 14% in France. Furthermore, 75% of HR respondents in the U.S. reported that their companies had formal policies requiring them to conduct such online research, compared to 48% in the UK, 16% in Germany and 14% in France.
Google Runs into Privacy Buzz-Saw over Buzz
Google’s introduction of Buzz, a social networking program integrated with the company’s e-mail and chat services, met a firestorm of criticism when users discovered that the program automatically shared their contacts with all Buzz users. The company quickly revamped its privacy settings, but faces regulatory investigations after complaints were filed with the FTC and the Canadian Federal Privacy Commissioner. Buzz, offered as Google’s answer to Facebook and Twitter, also raises a host of new privacy concerns by virtue of its integration with location-mapping programs on mobile phones.
HR Data Continues Hemorrhaging in February
Nine HR data breaches were reported in February, including the West Memphis Police Dept. (an unknown number of employees impacted by a compromise of the department’s computer network, possibly by a detective); U.S. Dept. of Commerce (two new incidents affecting hundreds of employees, in addition to the two breaches reported earlier); State of Ohio (a spreadsheet of banking data of 6,000 state employees, including the Governor, inadvertently e-mailed to dozens of payroll officers of state agencies; this is the second breach in six months); Ceridian (banking data of 27,000 employees in 1,000 companies exposed by hacking of Ceridian’s Powerpay payroll system; some of the data was 10 years old and should have been deleted); Royal Dutch Shell (directory contact information for the company’s 170,000 employees published on the Internet by a group of 100 or so employees opposed to Shell’s policies in Nigeria and elsewhere); Equifax (an unknown number of current and former employees received W-2 forms in the mail with their SSNs exposed); Kansas City Art Institute (145 employees impacted by the theft of a laptop from the HR office); Highmark (a list including SSNs of 3,700 employees of Boscov's Department Store tampered with when mailed from the group health plan to the retailer); and the Arkansas National Guard (an unknown number of current and former soldiers affected by a missing hard drive).
European Commission Updates Model Contract for Processors
The European Commission has issued new standard contractual clauses that must be used going forward when companies decide to use model contracts as the legal basis for data transfers to data processors located outside the European Union. The revisions place new obligations upon such data processors, including the requirement that they obtain the written permission of the data exporter prior to subcontracting any processing of the data. They are also intended to ensure that the sub-processor is placed under the same legal obligations as the processor. The new model contract, while introducing some clarity in an area where there was little, does not go as far as advocated by industry groups such as the ICC.
More Requirements Emerging in Alberta PIPA Amendment
According to McCarthy Tetrault, additional details are emerging about the Personal Information Protection Amendment Act, 2009 (Bill 54), which has not yet come into effect. Bill 54 requires companies transferring personal data to a service provider or parent company outside of Canada to inform affected individuals about the transfer in advance, including the purposes involved, the identity and location of the recipient, how to obtain written information about the recipient’s privacy policies and practices, and a point of contact for questions. It also requires notification to data subjects and to the Privacy Commissioner of data breaches posing a real risk of harm. Furthermore, Bill 54 places a positive obligation upon companies to destroy personal information once it is no longer reasonably required; previously they were allowed to keep the information as long as reasonable for legal or business purposes.
January 2010
FTC Declines to Address Adequacy of Safe Harbor Policies
The FTC, in responding to a comment received on the proposed settlement reached with one of the six companies recently found to have let its Safe Harbor certification lapse, made it clear that it does not find deficiencies in a company’s published Safe Harbor privacy policy to constitute a “violation of the Safe Harbor framework.” Chris Connolly, a principal in Galexia, an Australian consultancy, and author of a 2008 critique of Safe Harbor, had pointed out that the policy issued by Directors Desk LLC did not include information on enforcement or complaints. The FTC decision to focus its enforcement activities only on a company’s “substantive practices” is the likely reason the Department of Commerce announced in November that it would begin reviewing the adequacy of Safe Harbor privacy policies when companies re-certify.
Federal Government to Keep SSNs as Employee IDs
The Office of Personnel Management announced that it was withdrawing a rule, proposed only two weeks earlier, that would have required all federal agencies to stop using SSNs as employee identifiers, on the grounds that it was impractical to create another primary identifier. Most private sector companies, both large and small, have already stopped using SSNs for this purpose.
Ten HR Data Breaches in January
After three lulls last year, a “more normal” number of HR data breaches were reported in the U.S. in January, ten to be specific, including: U.S. Dept. of Commerce (27,000 employees impacted by the unintended e-mailing of their unencrypted information to other employees; this was the second DOC breach in five months); Washington (WA) Department of Corrections (43 individuals jeopardized when a briefcase of personnel records was stolen from an HR staffer’s car); Eugene (OR) School District (an undisclosed number of employees jeopardized by hacking of a school server); Logan International Airport (the identity of 16 TSA employees stolen by a contract worker in the HR department); P.F. Chang’s China Bistro (an undisclosed number of employees impacted by theft of computing equipment); City of Oakridge (OR) (sensitive personal information of an unknown number of city employees accidentally sent out with monthly water bills to 1,400 households); Columbus Public Health (OH) (hundreds of city health workers jeopardized by an employee’s theft of their personal information); Humboldt State University (CA) (information of 3,500 employees hacked via a sophisticated log-in virus); Iowa Racing and Gaming Commission (80,000 records containing employee information hacked on a Commission server, via an attack believed to originate in China); and PricewaterhouseCoopers (77,000 current and former employees of the State of Alaska impacted by a breach of a 2003-4 retirement file in a Chicago PwC office).
Background Checks? There's an App for That
A new app from BeenVerified enables users to conduct background checks on anyone in a matter of seconds from their iPhone. Users can conduct up to three checks per week for free or unlimited checks for only $8 per month. According to BeenVerified, about 400,000 users have downloaded the app and conducted a million checks so far. Employment law firm Littler Mendelson rightly cautions that use of the app is likely to jeopardize an employer’s compliance with the Fair Credit Reporting Act.
UN Watchdog Calls for International Privacy Agreement
Martin Scheinin, Special Rapporteur to the UN Human Rights Council, delivered a report calling for a new international agreement on privacy in response to a worldwide increase in intrusiveness due to counter-terrorism measures. His 35-page global assessment of the state of privacy closely follows, although it does not mention, the call for a new international privacy convention issued by privacy commissioners in Madrid last November.
UK DPA Receives Power to Impose £500,000 Fines
Following a public consultation, the UK Ministry of Justice has concluded that the Information Commissioner should be given the power to impose fines of up to £500,000 (approximately $800,000) for serious breaches of the Data Protection Act 1998. The fining authority is expected to come into effect on April 6, 2010.
December 2009
Supreme Court to Hear City of Ontario vs. Quon
The U.S. Supreme Court announced that it would review a case, City of Ontario vs. Quon, that focuses upon the privacy of text messages sent by an employee using an employer-issued texting device. The employer, a police department, allowed personal use of the devices but accessed the messages in question when their volume seemed excessive. The U.S. 9th Circuit Court of Appeals ruled last year that police officers had a reasonable expectation of privacy in their text messages, particularly since a supervisor had led Officer Quon to believe that his personal messages would not be reviewed. Arguments in the case will be heard in the spring, with a ruling expected before the end of June.
Facebook Changes Privacy Controls, Provokes Critics
Facebook revised its privacy controls, requiring all 350 million users logging in to re-consider what information they wanted shared with whom. While the changes were promoted as giving users more granular control over their information, critics lambasted them, citing their opacity, the fact that the default setting was to share everything with everyone and the new mandatory publication of profile information. Facebook subsequently back-pedaled, allowing friends lists to be private, but not sufficiently to dampen the firestorm of criticism. The Electronic Privacy Information Center (EPIC) filed a complaint against Facebook with the FTC, asking the regulatory agency to enjoin the company’s unfair and deceptive business practices and to require it to protect users' privacy.
Online PHR Vendors Graded on Privacy Protections
Patient Privacy Rights, an advocacy group headed by Dr. Deborah Peel, issued a report card on the privacy protections described in the website policies of personal health record (PHR) vendors. The grades assigned were as follows: No More Clipboard – A; Microsoft HealthVault – B/F; WebMD – C; CapMed–icePHR – C; Google Health – D/F; and PHRs Offered by Employers and Insurers – F. Independently, a survey of 1,000 physicians in Massachusetts found that 71% were either concerned or very concerned about possible privacy breaches associated with the use of electronic health records.
Another Lull in HR Data Breaches
Following comparable lulls in September and October, only three breaches of HR data were reported by employers in December: Textron (an undisclosed number of the aerospace company’s 43,000 employees impacted by a misplaced USB hard drive); Notre Dame University (personal information, including names, SSNs, dates of birth and zip codes, of 24,000 employees accidentally exposed on the Internet); and the State of Minnesota (names and SSNs of 500 employees accessible on the website of Lookout Services, a third party vendor that carried out E-verify checks for the state).
Major Revamp of EU Data Protection Law Coming
Viviane Reding, previously the Commissioner for Information Society and Media, was nominated by the European Commission to the new post of Commissioner for Justice, Fundamental Rights and Citizenship. In this role she will oversee the significant revamp of EU data protection law that was initiated with the Commission’s consultation on this topic launched in July. The entry into force of the Lisbon Treaty, on December 1, created a more secure and stable legal basis for treating data protection as a fundamental right in the European Union, while also increasing the power of the European Parliament in data protection matters.
New Rules for Oversight of System Admins in Italy
The Italian Data Protection Authority issued a decision regulating system administrators in November 2008 that finally came into force on December 15. The decision requires companies and public entities to closely supervise the activity of their system administrators. According to DataGuidance News, data controllers need to maintain an internal record that identifies system administrators and their tasks, conduct annual assessments of their compliance with appropriate organizational, technical and security measures, and also maintain a record of any system administrators in charge of outsourced data.
November 2009
Commissioners Approve Draft Global Data Privacy Standard
A new draft global data privacy standard was unanimously approved by 80 Data Protection Authorities from 42 countries at the 31st annual privacy commissioners’ conference held early in November in Madrid. While not legally binding, the draft supplements the level of protection provided by the EU Data Protection Directive with the best components of privacy codes or laws in various regions of the world. For example, it includes provisions for data breach notifications and incorporates strong provisions relating to accountability and pro-active governance. The draft also dramatically expands the definition of sensitive data. While its development into a binding international instrument would require many years of effort, the draft is likely to be very influential and serve as a significant point of reference. Presentations from the annual conference in Madrid are available online.
Department of Commerce to Review Safe Harbor Privacy Policies
The U.S. Department of Commerce announced that it will review the privacy policies of participants in the Safe Harbor program to ensure that they clearly indicate adherence to the Safe Harbor Privacy Principles. However, the review will only occur as companies come up for their annual re-certification. This new effort to meet European criticism of the program, stemming in part from the study released last year by Galexia, an Australian consultancy, was announced by the DOC’s Damon Greer at the Conference on Cross Border Data Flows, Data Protection and Privacy held in Washington, DC on November 17-18.
The government of Alberta enacted significant amendments to the province’s Personal Information Protection Act in late November. According to a PrivacyScan newsletter, the new requirements include (a) mandatory notification of data breaches to the Privacy Commissioner’s office, where a decision will be made as to whether data subjects should also be notified; and (b) the provision of notice to data subjects whenever their information will be transferred to, or collected by, a service provider (including a parent or affiliate company) in a foreign jurisdiction.
Eight HR Data Breaches in November
Following lulls in September and October, a more typical number of data breaches were reported by U.S. employers in November, including those experienced by MassMutual (an unknown number of employees impacted by a hack into a database of benefits information maintained by a vendor); the Army Corps of Engineers (60,000 soldiers and civilian employees affected by an external hard drive missing in Dallas); the Nebraska Worker’s Compensation System (personal information of several thousand claimants compromised by a hacker); Notre Dame (24,000 employees jeopardized by the accidental posting of their personal information on the Internet over a three-year period); Sea Ray Boats (personal information of 341 employees inadvertently distributed via email); FCI USA (2,000 current and former employees impacted by a stolen laptop); Eisai Inc. (a laptop containing personal information of an undisclosed number of employees and applicants stolen from an HR employee’s car in New Jersey); and Vancouver (WA) Public Schools (a security breach in the schools’ payroll system impacting 3,000 employees and leading very quickly to reports of suspicious banking activity).
Massachusetts Finalizes Data Security Regulations
On November 4th the Massachusetts Office of Consumer Affairs and Business Regulation announced its final regulations (201 CMR 17.00) prescribing how entities owning or processing personal information of Massachusetts residents must protect such data. The most significant changes in the regulations, which come into effect on March 1, 2010, extend the coverage of the regulations to entities that merely store personal information on behalf of others and add two years to the date by which companies must apply specific rules to contracts with service providers. The core of the regulations is the mandate of having a comprehensive, written information security program, including the encryption of laptops and other portable devices.
October 2009
FTC Settles with Six Companies Claiming Participation in Safe Harbor
The FTC followed up on last month’s first public Safe Harbor enforcement action with tentative settlement agreements with six companies that claimed to be certified under the International Safe Harbor Program, while in fact they had let their certifications lapse. Details of the settlement are not yet available, but at a minimum will require the companies to either re-certify or withdraw claims that they are certified. The FTC action is more of a warning flare than the comprehensive enforcement action it could have been. For example, 13 of the first 29 companies on the current Safe Harbor list, some 45%, are shown as having a certification status that is not current. Some of these companies may have lawfully exited the program, but it would not be surprising if many had let their certifications lapse while still claiming to be participants.
EEOC Issues Guidance for Employers in Handling Pandemic Flu
The Equal Employment Opportunity Commission (EEOC) issued guidance for employers on how to respond to an H1N1 pandemic without violating the Americans with Disabilities Act (ADA), the Occupational Safety and Health Act (OSHA), the Family and Medical Leave Act (FMLA), prohibitions against discrimination based upon national origin, privacy laws, workers’ compensation, and disability benefits laws. The guidance follows by a month similar guidance issued on the same topic by the CNIL in France.
Employee Awarded $1.8 Million for Invasion of Privacy
A jury awarded a former employee of Illinois-based North American Corporation, a business services firm, $1.8 million after finding that the company had used a private investigator who employed pretexting techniques to obtain her phone records. However, the company prevailed in a separate counter-claim against the employee for anti-competitive conduct, which it claimed constituted the grounds for its investigation; the employee was ordered to return $630,000 of the $1.8 million to the company.
Microsoft to Seek ISO Certification for Its Cloud Services
At a time of broad and continuing doubts about the ability of cloud vendors in general to properly secure their services, Microsoft wants to get its suite of hosted messaging and collaboration products certified to the ISO 27001 international information security standard. The company believes that FISMA security standards, which Google has announced it is seeking certification to, are outdated and inadequate. A spokesman said that Microsoft wanted to “take it up a notch.”
Are US Employers Finally Protecting HR Data?
It was another relatively quiet month for HR data breaches, with only four reported in the US. The most serious breach involved two separate hacks into the online systems of New Jersey-based PayChoice, one of the nation’s largest providers of payroll services; PayChoice has a client list of 125,000 employers, potentially exposing financial information of millions of payees. Other breaches reported include Bullitt County Public Schools (KY) (names and SSNs of 676 employees accidentally sent by e-mail to all 1,800 employees); US Army Special Forces (Fort Bragg, NC) (names, SSNs, home phone numbers and addresses of 463 soldiers, found on the Internet in connection with a Congressional move to address data leaks on peer-to-peer networks); and the Bank of New York Mellon Corp. (computer technician who was a contractor to the bank charged with ID theft involving personal information of 150 employees).
DPA Finds Daimler Pre-Employment Blood Tests Illegal
The Data Protection Authority (DPA) for Schleswig-Holstein ruled that pre-employment blood tests carried out by German automaker Daimler are illegal and that the data must be deleted. Although the tests are voluntary and the company tests candidates only in the final stages of job selection, the DPA said the practice breaks "all existing data protection regulations." The ruling underscores the point that employers in many EU member states are on dangerous footing when collecting sensitive information, even with the consent of the employees involved and when other protections for the data are in place. Daimler, which invented and pioneered the use of binding corporate codes (BCRs), has long been a world-class leader on privacy issues.
September 2009
Shared Assessments Program Expands Membership
Shared Assessments, an international vendor risk management standards group founded in 2005 by the BITS Financial Services Roundtable, has opened its door to outsourcers in healthcare, retail, telecommunications, manufacturing, higher education, government and other sectors. In October, the program, which currently has 60 members, will publish tools mapping privacy controls to the AICPA/CICA framework, GLBA, HIPAA, HITECH Act and PIPEDA regulations as well as the EU Directive and other laws. The updated tools will be available for free download on the Shared Assessments website.
Dept. of Defense to Let Troops Use Social Media
The Defense Department (DOD) plans to allow troops to use social media for both official and unofficial purposes, according to a report in Nextgov. The new policy will reverse that of some military services and allow troops and their families to use Facebook, Twitter and other social software, as well as e-mail, instant messaging and discussion forums, running on DOD’s unclassified network.
September Lull in HR Data Breaches
Only three data breaches affecting employees were reported during September, by Naval Hospital Pensacola (38,000 servicemen and beneficiaries who use its pharmacy services notified that a laptop containing their personal information was missing), Eastern Kentucky University (names and SSNs of 5,045 faculty, staff and student workers inadvertently put on the Internet for a year) and Kraft Foods (an undisclosed number of employees impacted by the theft of a laptop and USB drive from the car of an accounting and payroll worker in the company’s shared services center).
Hustinx Expects UN, OECD to Adopt New Data Privacy Standard
Peter Hustinx, the European Data Protection Supervisor, stated that he expects the UN and the OECD to adopt the new international data protection standard that will be announced by the world’s data protection authorities at next month’s conference of privacy commissioners in Madrid. While the standard will need to be implemented in national laws, Hustinx believes it is on the path to becoming globally enforceable.
Hyatt Becomes First Company to Win Expedited BCR Approval
Hyatt Hotels and Resorts became the first company to win expedited approval of its corporate code of conduct (Binding Corporate Rules) through the office of the UK Information Commissioner. According to Privacy Laws & Business, while four other multi-nationals (Atmel, Accenture, Philips and GE) secured approval of their BCRs in the UK over the last four years, Hyatt’s use of the EU’s new mutual recognition procedure reduced the time required to 12 months. Seventeen EU member states currently participate in the procedure, which is expected to yield even faster approvals in the future.
CNIL Fines Company for Covert CCTV System
The French Data Protection Authority (CNIL) fined Jeanne Marc Philippe, a French clothing designer, €10,000 for installing a CCTV system that collected data about employees in an unlawful and disproportionate manner. According to a report in Data Guidance News, employees were monitored without their knowledge, even in places where there was no particular threat to security.
August 2009
Massachusetts Revises ID Theft Regs, Extends Deadline
The Massachusetts Office of Consumer Affairs and Business Regulation revised its new ID theft regulations to be less prescriptive than earlier versions and to provide greater flexibility for small businesses. Any business that processes or stores the personal information of Massachusetts employees or consumers will need to address the state’s requirements for a written, comprehensive information security program by the new deadline of March 1, 2010.
Facebook Will Meet Canadian Privacy Objections
The Privacy Commissioner of Canada announced that she is satisfied that the changes Facebook has agreed to make to its privacy practices and policies will bring it into compliance with Canadian privacy law. The changes, to be implemented over the next 12 months, will also be rolled out globally. The changes will address access by third-party developers to user information, de-activation of accounts, personal information on non-users and accounts of deceased users. Earlier in the month, Facebook tweaked its terms of service in a variety of areas relating to privacy.
Seven HR Data Breaches Reported in August
There was no summer holiday for HR data breaches, with seven breaches reported during August, including the US Dept. of Commerce (27,000 employees exposed to risk when an employee of the National Finance Center, which handles payroll and personnel matters for the DOC, sent their information to a co-worker via an un-encrypted e-mail); the Army National Guard (131,000 soldiers of the Guard warned after a contractor’s laptop was stolen); the Colorado Dept. of Corrections (personal financial records and family information of more than 1,000 staff accidentally sent by a payroll employee to 100 co-workers); New Hampshire Dept. of Corrections (records of 1,000 employees found under a prisoner’s mattress, due to poor document disposal practices); Lockheed Martin (an unidentified number of employees affected when researchers found their personal information on a hard drive for sale on eBay); Williams Company (personal data of over 4,400 of the Tulsa firm’s workers exposed when a laptop was stolen); and Chart Industries (1,600 employees placed in jeopardy when several laptops were stolen from the Ohio firm).
FTC Brings EHR Vendors Under Breach Notification Rule
The Federal Trade Commission issued a rule broadening the reach of data breach notification rules covered by HIPAA. The new rule applies to companies that provide an online repository of health information, such as vendors that offer web-based tools to track and maintain blood pressure readings and other health-related data. Vendors in this category, which include Microsoft’s HealthVault, Google Health and WebMD, are typically not covered by HIPAA requirements.
FTC Takes Enforcement Action over Safe Harbor
The Federal Trade Commission secured a temporary injunction against a California-based company, Balls of Kryptonite, for deceptively making a claim that it was a participant in the US/EU Safe Harbor Program. According to the FTC, the company copied Amazon.com’s privacy policy and posted it on its own website. While the FTC is known to investigate potential breaches of Safe Harbor commitments, this is the first time in the nine-year history of the program that such investigations have led to a public enforcement action. The case, which involved other issues as well, will be heard in federal court unless a settlement is reached.
South African Privacy Bill Approved by Cabinet
Nine years in the making, a comprehensive data protection bill, drafted by the South African Law Commission and modeled upon European legislation, has been approved by the Cabinet and referred to Parliament. Officials are hopeful that the law, not expected to be enacted at the earliest until the end of the first quarter of 2010, will secure an adequacy finding by the European Commission.
July 2009
Commissioner Finds Facebook Violates Canadian Privacy Law
Following an in-depth investigation of the practices of Facebook in response to a complaint filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC), Jennifer Stoddart, the Privacy Commissioner of Canada, issued her long-anticipated findings in a detailed 100-page report. While some of the twenty allegations in the CIPPIC complaint were found to be unfounded or resolved during the investigative process, the Commissioner found that Facebook violates Canadian privacy law in at least three significant respects: failure to limit the access of third-party application developers to user data; failure to allow users to easily delete their accounts and associated personal information; and requiring users to consent to keeping their profiles active for memorial purposes in the event of their death. Facebook has thirty days to come into compliance or announce a plan to do so, after which the Commissioner has indicated she will make an application to Federal Court to compel it to do so. The findings are a major blow to Facebook’s business model and will be extremely influential with privacy regulators in other countries. The Privacy Commissioner of Australia has already indicated in response to Commissioner Stoddart’s report that Facebook may be breaching Australian privacy laws; European regulators announced their concerns about social networking sites in June.
DHS to Push Ahead with E-Verify but Drop “No-Match Rule”
In spite of opposition from the US Chamber of Commerce, SHRM and other business groups, DHS Secretary Janet Napolitano voiced the administration’s support for the E-Verify system as the means of verifying eligibility for employment by federal contractors. At the same time, DHS is rescinding the 2007 No-Match Rule, which has been blocked by court order. The Senate also passed a number of amendments bearing upon the E-Verify requirement, which is slated to come into effect September 8.
Cloud Computing Standards Group Formed, but Feds May Not Wait
Industry groups and standards bodies have formed the Cloud Standards Coordination Working Group, to develop a strategy for cloud computing standardization that will include standards for data security, along with ones for interfaces, management frameworks, data exchange formats and other topics. However, federal CIO Vivek Kundra says the government may create its own set of cloud security standards and certify those services that meet them, so that federal agencies can move into cloud computing more quickly.
Big Companies, School Districts and Laptops Dominate July Breaches
Eight breaches of employment-related data were reported during July, including losses by Northrop Grumman (a stolen back-up hard drive containing personal data of an unspecified number of employees in West Virginia); Procter & Gamble (a laptop used by its employee benefits administrator, IBM, was stolen); Tyco Flow Control Americas (the payroll manager’s laptop stolen during a weekend break-in at his Houston office); AT&T (a temp indicted for stealing personal information of 2,100 Chicago-area employees in an ID theft scheme); school districts in suburban St. Louis (a stolen laptop with personal data of 1,700 employees), Fayetteville AK (39 teachers registered with the same benefits provider victimized in an ID theft scheme), and Salt Lake City (information relating to 6,000 employees exposed on a missing USB drive); and city employees in Brighton CO (an unspecified number of employees placed in jeopardy when a laptop was stolen from an IT engineer’s pickup truck while he was playing golf). Six of the eight breaches (75%) involved stolen laptops or storage media, while two (25%) involved benefits administrators.
DP Law Amended, Employee Privacy Act Coming in Germany
On July 3 the German Parliament passed comprehensive amendments to the Federal Data Protection Act, subsequently confirmed by the Federal Council, covering marketing, security breach notification, service provider contracts and new protections for employee data. The new amendments, which come into effect September 1, also provide stronger protections for internal data protection officers, enhance the authority of data protection authorities, and increase fines and sanctions for violations. In addition, a new Employee Privacy Act is expected to be enacted after Germany’s elections this fall, according to an article by Flemming Moos in IAPP’s Privacy Advisor.
CNIL Drops Prior Authorization for Safe Harbor Transfers
Following the recent successful passage of a legislative amendment streamlining the operations of the CNIL, the French data protection authority, the authority has dropped the requirement that transfers of non-sensitive data under the Safe Harbor program require prior approval. The change in policy was reflected in new documents posted on the CNIL website.
June 2009
Court Rules MySpace Comments Off-Limits to Boss
A federal jury in the U.S. District Court in Newark ruled in favor of two employees of Houston’s Restaurant in Hackensack, NJ, after they were fired on the basis of negative comments they made on their password-protected MySpace group website. Their boss gained access to the comments by pressuring a co-worker to reveal her password. The jury, finding that the company had violated state and federal communications laws and acted maliciously, awarded the employees $17,000 in back pay and damages.
Nine breaches of HR-related data were reported in June: Tyco Flow Control Americas (an undisclosed number of employees impacted when burglars in Houston stole the payroll manager’s laptop and also breached locked rooms containing HR and payroll records); Maine Office of Information Technology (597 recipients of unemployment insurance had their SSNs and other personal information mailed to another individual because of a printing error); Vocus (an undisclosed number of employees jeopardized by mis-delivery of a box containing HR data); Beam Global Spirits & Wine (unauthorized access of an HR/Payroll database by a former employee); CS Stars (the maker of risk management software had an unencrypted portable hard drive stolen, impacting 28,000 claimants for workers compensation); Florida Department of Revenue (a stolen flash drive containing personal data on 2,826 employees of a variety of businesses); Battle Creek City, MI (65 city employees impacted when the mayor posted SSNs and other confidential information on a public website linked to his Twitter account); Sutter Health (6,000 former and current employees jeopardized when a computer repair shop found their records on an old laptop that had been resold); and AARP (personal information of an undisclosed number of employees unaccounted for when a laptop was stolen from the home of an employee).
Growing Role of Organized Crime in Data Breaches
Verizon’s 2009 Data Breach Investigations Report, which analyzed some 90 data breaches reported in 2008 involving some 285 million records, concluded that malicious or careless company insiders are no longer the prime cause of data breaches. Instead, organized criminal groups now appear to be the major threat companies face in trying to secure sensitive personal information, with 91% of the records breached traceable to such groups. The survey also found that 94% of breaches (and 99.9% of pilfered records) are attributed to online assets, including servers and applications, as opposed to user systems, offline storage or data in transit. In a major disconnect with these Ponemon findings, another survey by NetWitness found that only 18% of Chief Information Security Officers view external threats as their major concern, instead focusing upon risks posed by insiders.
Social Networking Sites Subject to EU Data Protection Law
The Article 29 Working Party, an advisory body to the European Commission, has issued a 13-page opinion on social networking sites that says the operators of the sites, as data controllers, are subject to European data protection laws no matter where their headquarters are located and are responsible for the privacy of their users. Users of such sites are also data controllers if they are acting on behalf of a company or association, or in pursuit of commercial, political or charitable goals. The opinion puts to rest the argument that those offering social networking sites are merely data processors and therefore not subject to the Data Protection Directive.
British Standard on Data Protection Published
The British Standards Institute (BSI) issued a standard, BS 10012:2009, whose objective is to enable organisations to put in place a personal information management system (PIMS) that conforms to best practice and aids compliance with data protection law. The standard requires issuance of a policy listing commitments in 15 areas, with an emphasis upon shaping the organizational culture, audits and continuous improvement.
Federal Data Protection Law Progresses in Mexico
Representatives of the Mexican government, speaking at the Ottawa meeting of the Tri-Lateral Committee on Transborder Data Flows, described amendments to the Mexican Constitution that recognize a fundamental right of personal data protection and give the Federal Congress powers to enact a federal law that would apply to the private sector. A new bill was agreed upon by private sector and public sector representatives and is expected to be passed in the new session of the Chamber of Deputies, which begins in September.
May 2009
NIST Backs Overhaul of 1974 Privacy Act
The Information Security and Privacy Advisory Board of the National Institute of Standards and Technology (NIST) issued a report calling upon Congress to amend and update the 35-year-old federal privacy law governing the public sector. The 40-page report cited the need to improve federal privacy notices; clearly cover commercial data sources; expand the definition of "system of records" to encompass relational and distributed systems based on government use of records, not just its possession of them; and create a federal Chief Privacy Officer within OMB.
Breaches of HR data were reported in May by the following ten organizations: Godwin Pumps of America (stolen laptop with data on 180 employees); Catalent Pharma Solutions (personal data of 2,656 employees exposed when a laptop was stolen from a vehicle in New Jersey); United Food and Commercial Workers Union (at least 19,000 members of Oregon’s largest private-sector union, and 28,000 members in Alberta, jeopardized by a laptop stolen in the union’s New York office); Continental Airlines (a second laptop stolen this year, impacting an undisclosed number of employees); Pfizer (once again in the news when an undisclosed number of individuals were impacted by a backup hard drive being thrown into the trash); Toledo Naval Recruiting Office (thousands of records relating to recruits discarded in a dumpster without proper shredding); New Jersey Department of Labor and Workforce Development (28,00 unemployed residents notified that their personal data was sent to the wrong employer because of a clerical error); Indiana Department of Workforce Development (SSNs of 4,500 unemployed residents sent to the wrong companies because of a printing error by Pitney Bowes Management Services); Boston-based Health Dialog Services Corporation (an undisclosed number of employees impacted by hacking of the corporate network); and Aetna (65,000 employees notified of a breach of a website that also contained contact information for 450,000 job applicants).
Proposal for New International Standard Moves Forward
Progress was reported on the development of a new international standard for the protection of personal information. The standard, developed over the last year under the auspices of the Spanish Data Protection Agency, is expected to be approved at the November Conference of Data Protection and Privacy Commissioners in Madrid and then submitted to the United Nations as the basis for a treaty.
French Pass Law to Speed Data Transfer Approvals
According to DataGuidance News, a law was enacted in France to simplify the procedures of the French Data Protection Authority (CNIL) by giving the power to approve international data transfers to the President of the CNIL. Previously, the CNIL Assembly as a whole had to approve each transfer application, a process typically requiring two to four months of waiting time. France is one of the few EU member states to require such advance authorizations.
Online Personal Health Records to Remain in Canada
Within the next 8-12 months Canadians will be able to keep their health records and manage doctor's appointments and prescriptions online, through a partnership between Telus Health Solutions and Microsoft. Microsoft has promised that the records will be stored on Canadian computers and remain within the country. Canada Health Infoway, a government-funded organization pushing for an electronic health record system, and Ann Cavoukian, the Privacy Commissioner of Ontario, expressed support for the offering, which will be known as the Telus Health Service. Telus plans to make the service available to governments, health regions, hospitals, insurers and employers.
Forrester and Chambers Urge Heightened Scrutiny of Cloud Security
Forrester issued a report entitled “How secure is your cloud?”, pointing out that, unlike in traditional outsourcing relationships, companies using cloud computing applications share servers with other customers and may not know where their data is stored or how it is replicated. According to the report, the lack of visibility and control needs to be compensated for by increased scrutiny of how the vendor protects data at rest and in motion; the vendor's documentation available to auditors; authentication and access control procedures; and whether the vendor has proper data segregation and data leak prevention measures. Separately, John Chambers, the Chairman of Cisco and a big supporter of cloud computing, conceded that it currently was a “security nightmare”.
April 2009
FTC Issues Draft Breach Notification Regulations
The FTC released proposed data breach notification regulations for electronic health records, as called for in the HITECH Act. The regulations, open for public comment until June 1, 2009, are the first set of breach notification requirements at the federal level in the US. Furthermore, they will greatly expand the number of companies that would be subject to notification requirements. The extent to which any health-related records that an employer may maintain in an electronic form will fall under the coverage of the regulations remains to be determined. The FTC’s hard-line approach to enforcement is likely to come as a shock to the healthcare industry, according to Pam Dixon of the World Privacy Forum.
Eight HR Data Breaches in April
HR data breaches blossomed in April, with data losses reported by the University of Washington (SSNs of 6,000 employees exposed through a security lapse in two parking-management servers); State of Maryland (8,000 employees impacted when information about their participation in health savings accounts was lost in the mail); State of Illinois (170 employees notified that their SSNs and names were exposed through inappropriate use of P2P software to download music by a staff member of the Department on Aging); Irving TX School District (3,400 employees exposed and some victimized when confidential records were placed in a dumpster); New Orleans public schools (personnel records left in an abandoned unlocked warehouse owned by the school system); Fujitsu Consulting (data of over 3,000 employees of Travelers and other clients lost by an overnight courier service); Fox Entertainment (data of an undisclosed number of employees misappropriated by a benefits department employee who was arrested and fired); and FairPoint Communications (portable storage device with personal data of 4,200 employees reported missing).
DHS Privacy Office in Forefront on Use of Social Media
The Homeland Security Department’s privacy office will hold a conference to explore privacy and security issues in the use of social media by government agencies. The “Government 2.0: Privacy and Best Practices” conference, to be held June 22-23 in Washington DC, is open to the public.
Corporate Spying Scandals Continue to Mount in Germany
Scandals over corporate spying on employees continue to roil public opinion in Germany. The head of Lidl, the German-based discount chain that operates in every EU member state as well as in the US and Canada, was fired and the company fined some $2 million, following revelations in March that it used private detectives to spy on its employees. Compounding the privacy law violations, documents found in a dumpster contributed to the unearthing of the covert surveillance scheme. Another major German company, Airbus, also admitted spying on its own workers between 2005 and 2007, without the awareness of its works council, in an effort to prevent corruption. Along with recent similar privacy abuses by Deutsche Telekom and Deutsche Bahn, pressure continues to ratchet up for new employee privacy legislation at the national level. According to Privacy Laws & Business, a new bill or set of guidelines is expected to be promulgated before Parliamentary elections this fall.
NIST Issues Password Management Guidance
The National Institute of Standards and Technology (NIST) announced the publication of a draft Guide to Enterprise Password Management, released for public comment until May 29, 2009. The guide, SP 800-118, is intended to help organizations understand and mitigate common threats against character-based passwords, focusing on topics such as defining password policy requirements and selecting centralized and local password management solutions.
Privacy-information Services: The Free, the Cheap and the Pricey
Computerworld published a valuable summary of privacy information services, designed to help track and explain the expanding universe of privacy news, developments, regulations and laws. The survey, prepared by Jay Cline, covers free websites, newsletters and news feeds; fee-based periodicals; and fee-based databases.
March 2009
Behavioral Targeting Moves to Center Stage
Behavioral targeting, the practice of tailoring ads to web users by tracking their online activities, made headlines around the world in March. As Google began serving up what it called “interest-based ads”, privacy advocates in the US called upon the FTC to stop the practice, several congressmen promised legislation that would require opt-in consent and the head of consumer affairs for the European Union threatened a crack-down on what she termed the “World Wild West.” Technical responses also emerged: a Harvard University fellow released a browser plug-in called TACO that will block the targeting; Microsoft released Internet Explorer 8, which facilitates opt-outs on a per-session basis; and a University of Pennsylvania professor urged creation of a tracking icon that would accompany targeted ads.
Most March HR Data Breaches in Public Sector
Seven breaches of HR data in the public sector, as well as two in the private sector, were reported in March: New York Police Department (80,000 active and retired officers impacted by the theft of a backup tape by the department’s civilian telecommunications director); Sonoma County Sheriff’s Department (1,000 employees at risk when thieves stole four laptops from police cars in Santa Rosa, CA); Idaho National Laboratory (a disc containing records of 59,000 current and former employees of the Dept. of Energy facility went astray during shipping by UPS); Penn State Office of Physical Plant (SSNs of 1,000 employees exposed by a virus that infiltrated an administrative computer); Central Ohio Transit Authority (personal data of 900 current and former employees accidentally sent to dozens of insurance companies who were bidding for work with the agency); Elk Grove Unified School District (a paper document with SSNs of more than 500 employees lost by an employee); Kentucky Retirement Systems (personal data of 28,000 state retirees e-mailed without encryption by Walgreens Health Initiative, the state’s pharmacy benefits manager); Kaiser Permanente (29,500 workers impacted by the theft of a computer from the offices of a union); and Xcel Energy (an e-mail containing SSNs of an undisclosed number of employees distributed internally to parties not needing them).
PHR Vendors Slow to Embrace ARRA Requirements
Although David Blumenthal, President Obama’s choice to be the national coordinator for health information technology, believes that Congress intended the 2009 stimulus bill to subject personal health-record (PHR) systems developed by Microsoft and Google to federal privacy and security laws, the vendors themselves do not agree. Google stated that the American Recovery and Reinvestment Act (ARRA) will not bring its PHR services under HIPAA, while Microsoft, the Mayo Clinic and the Cleveland Clinic said they were still studying the issue.
The security of Google Docs came under fire in March as the company admitted that a glitch in its software caused some documents to be accessible without proper permission and a security analyst subsequently said he found three flaws that could expose private data in other ways. The Electronic Privacy Information Center (EPIC) urged the FTC to investigate the security of all of Google’s cloud computing apps and to enjoin Google from offering them until they have been found to protect data in a satisfactory manner.
Worker Blacklist Scandal in UK
A major privacy scandal affecting the private sector broke in the UK, where the Information Commissioner launched an investigation into, and then shut down, a secret database that blacklisted construction industry workers who raised safety concerns or had links to unions. Forty of the top construction firms in the UK were reported to be paid subscribers to the database.
EC Issues Guide to Data Protection Compliance
The European Commission published a useful 54-page set of questions and answers, including a flowchart, to help companies understand their obligations when sending personal data abroad and the means they may use to meet these obligations.
February 2009
Major Changes Coming in HIPAA Requirements
Congress passed an economic stimulus bill containing significantly expanded federal protections for health information and electronic medical records. The new law, which imposes more stringent HIPAA requirements on health plans, received across-the-board praise from privacy advocates.
Massachusetts Delays Data Security Regs Until 2010
For the second time, the Massachusetts Office of Consumer Affairs and Business Regulation delayed the implementation deadline for its comprehensive information security requirements, this time from May 1, 2009 to January 1, 2010. In addition, a revised version of the regulations was issued which softened the requirements relating to third party vendors and eliminated the need to obtain written certifications of compliance from them.
Report Explores Privacy Issues in Cloud Computing
The World Privacy Forum, a San Diego-based privacy think tank, released a 26-page report prepared by Robert Gellman entitled “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing”. While privacy issues involved in software as a service (SaaS), cloud computing and other Web 2.0 applications are increasingly discussed at conferences and in the media, this is the first in-depth examination of privacy and security questions that need to be addressed before embracing externally-run Internet applications. Separately, the National Institute of Standards and Technology (NIST) is preparing guidelines for federal agencies concerning the use of cloud computing applications; the guidelines are expected later this year.
HR Data Breaches Keep on Coming
Seven HR data breaches were reported in February, including the FAA (a hacker was able to locate two files that had been used in system testing and then forgotten about, containing personal data of 45,000 employees); federal agencies such as the Dept. of Defense, the Dept. of Homeland Security and the National Guard, where employees were caught up in the breach reported last month at SRA International; Kaiser Permanente (29,500 employees impacted by the theft of a laptop from the office of an employee union); Parkland Memorial Hospital (personal data of 9,300 employees of the Dallas hospital exposed on a stolen laptop); Arkansas Department of Information Services (data from 12 years of criminal background checks, on 807,000 individuals, unaccounted for by virtue of a missing backup tape); JetAviation Direct (2,227 employees at risk because of a stolen laptop); and Steamboat Springs School District (SSNs and other data on 1,300 employees of the Colorado school district exposed when a laptop was stolen).
Germany Rocked by Spying on Employees Scandal
In response to a major scandal relating to spying on employees by Deutsche Bahn, the national railroad, the German government convened a meeting of top government, union and industry representatives to discuss the need for new workplace privacy legislation. The CEO of Deutsche Bahn is under intense pressure to resign, following revelations that the company utilized private investigators to covertly examine the bank accounts of nearly all its 220,000 employees over an eight year period in an attempt to root out corruption. The snooping scandal follows others at Deutsche Telekom and several supermarket chains. The government was previously reported to be also advancing a new data breach notification law.
Canada Launches Certification Service for EHR Vendors
Infoway, a Toronto-based non-profit organization funded by the Canadian government to accelerate the adoption of electronic health records, has launched a new certification service for vendors who create consumer e-health applications, such as Microsoft HealthVault and Google Health. When applying for certification, a vendor will need to fill out a self-assessment form on how well their product meets Infoway’s standards, provide an overview of their privacy policy and demonstrate very specific test scripts through their applications. The certification effort parallels one in the US by the Certification Commission for Healthcare Information Technology (CCHIT).
January 2009
2009 Begins with Ten Breaches of HR Data
The job site Monster announced its third major breach in as many years, with millions of job seekers impacted as hackers stole user names, passwords, telephone numbers, e-mail addresses, demographic data, birth dates, gender and ethnicity data. Other breaches included the City of Madison (WI) (data on 300-500 city employees lost on a laptop stolen from a city office, but later recovered); Merrill Lynch (an undisclosed number of employees and applicants impacted by a burglary experienced by a third party consulting service); Pepsi Bottling Group (payroll data of US employees lost after being downloaded to a portable storage device during an audit); State of Indiana (SSNs of 8,775 current and former state employees accidentally posted on the Internet); Continental Airlines (background check information on 230 employees, vendors and applicants exposed when a laptop was stolen from a company office in Newark); SRA International (hacking of SRA network exposed the personal data of all current and former employees, customers, and dependents of employees); the World Bank (names and bank account numbers of an unknown number of employees accidentally posted on the Internet); Occidental Petroleum (spreadsheet of personal data of an undisclosed number of former employees e-mailed to the personal e-mail account of a former employee); and Beaumont City (TX) (personal data of 500 current and former employees accidentally posted online).
NIST Issues New Draft Standard on Protecting PII
The National Institute of Standards and Technology (NIST) announced the release of a draft “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)” for public comment. The 58-page guide provides many insights into how to determine confidentiality impact levels and craft protective measures appropriate to those levels.
BSI Publishes Draft Data Protection Standard
BSI British Standards published a draft data protection standard which it hopes will become a national standard for how public and private sector organizations can manage personal information in a manner compliant with the Data Protection Act 1998. The standard, BS 10012, describes how an organization can create and manage a Personal Information Management System (PIMS) to achieve this end. Public comment on the draft standard is invited until March 31, 2009; comments already submitted can be viewed online.
Canadian Privacy Commissioner Issues Transborder Guidelines
The Office of the Privacy Commissioner of Canada published “Guidelines for Processing Personal Data Across Borders”, explaining how federal privacy law (PIPEDA) applies to transfers of personal information to third parties, some of whom may be operating outside of Canada. The 10-page guidelines stress that organizations remain accountable for data transferred out of Canada and must use contractual or other means to “provide a comparable level of protection while the information is being processed by the third party.”
Personality Tests Undermined by Availability of Cheat Sheets
As candidates compete for a dwindling supply of retail jobs, those facing employers who use personality assessments in the screening process are finding ways to identify the answers that will get them in the door. According to the Wall Street Journal, applicants for jobs with companies such as Best Buy, CVS Caremark, and Blockbuster can find the “right” answer through help from friends or by Internet searches. For example, those taking a popular Unicru test provided by Kronos can find job-winning answers in a “Workers and Employers Against Unicru" group on Facebook; a page on correct Unicru answers also was posted on Wikipedia until removed by editors.
December 2008
HHS Issues New Privacy Guidelines for EHRs
The Department of Health and Human Services released new privacy guidelines designed to establish a single, consistent approach to defining the roles of individuals and the responsibilities of those who hold and exchange electronic health records (EHRs), regardless of the legal framework that may apply to a particular organization. The eight privacy principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information include patient access; correction of records; openness and transparency; patient choice; limitations to the collection, use, and disclosure of personal health information; data integrity; safeguards; and accountability. HHS also published a privacy and security toolkit and an extremely innovative facts-at-a-glance sample privacy notice.
Employers Face Challenges with Social Networking
During an interview on the need to include privacy as one component of a larger information governance strategy, GE’s CPO, Nuala O'Connor Kelly, noted that some 13,000 GE employees have self-identified on Facebook as GE employees, sometimes using their GE e-mail address and putting up GE logos to create discussion groups. The legal and organizational challenges posed by such activities were underscored by three separate reports, the first being that Salesforce.com has found a novel way to help companies recruit using Facebook. With an employee’s permission, companies can run Salesforce.com software that scans the profiles of an employee’s Facebook friends in search of the right candidate for an open position. The second source of concern relates to Facebook’s newly announced Connect feature, which raises questions as to what user information will be shared with other websites as a result of Connect’s single sign-on functionality. The third relates to potential violations of HIPAA by an OB/GYN nurse in Pennsylvania who complained about patients on her MySpace page.
Cobbler’s Children Once Again Go without Shoes
Two firms that offer data security products, HP and Symantec, each reported breaches of employee data in December, along with six other organizations: HP (at least several thousand employee records exposed on a laptop stolen from an HP employee in the Houston area); Symantec (100 or fewer employees impacted by the theft of a laptop from an employee’s home); the Library of Congress (at least 10 employees victimized by the theft and misuse of their identities by a staff member of the Library’s HR department); the DC public schools (65 job applicants and employees similarly victimized by a program support specialist employed by the school system); Florida Agency for Workforce Innovation (sensitive information of 250,000 job seekers who sought state help exposed to Internet searchers by a breach in computer security); the University of North Carolina at Greensboro (2,700 employees jeopardized by use of a virus-infected computer to process payroll); North Pacific Group (information on 2,249 employees exposed by the theft of several laptops and other computer equipment); and Lehigh Hanson (payroll files on an undisclosed number of employees accidentally placed on the Internet).
FTC to Co-Sponsor International Data Security Conference
The FTC, in conjunction with the Asia-Pacific Economic Cooperation (APEC) forum and the Organisation for Economic Co-operation and Development (OECD), will host a two-day international conference: “Securing Personal Data in the Global Economy.” The conference, which will address how companies can manage personal data security issues in a global information environment where data can be stored and accessed from multiple jurisdictions, will be held in Washington DC on March 16-17, 2009. As with recent government-sponsored privacy conferences in Europe, the conference will be webcast.
Switzerland Accepts US-EU Safe Harbor Framework
Switzerland’s Federal Data Protection Commissioner signed an agreement with the US establishing a US-Swiss Safe Harbor Framework. Benefits for companies in Switzerland are that they no longer need to prepare model contracts for transferring personal data to the US nor submit the contracts to the Federal Data Protection Commissioner for review. According to a report in Privacy Laws & Business, it is uncertain when the framework will enter into effect.
November 2008
Massachusetts's Data Security Law Delayed
The deadline for compliance with Massachusetts’s comprehensive information security requirements, originally scheduled for January 1, 2009, has been postponed until May 1, 2009; the requirement for obtaining written certifications of compliance from third-party vendors has been put off to January 1, 2010. According to a press release issued by the state, the implementation deadline was extended “in light of intervening economic circumstances… to provide flexibility to businesses that may be experiencing financial challenges brought on by national and international economic conditions.”
Employee Snooping Back in News
Employee snooping was back in the news in November, with reports that Verizon fired a number of workers for inappropriately accessing the cell phone records of President-Elect Obama. Earlier in the year State Department workers and contractors were sacked for looking at Obama’s passport records. Separately, a hospital in Little Rock fired six employees for snooping into the medical records of a local TV station anchorwoman, following a routine patient-privacy audit. A common theme in all the snooping cases is employees enjoying greater access to information than called for by their responsibilities.
Starbucks Not the Only Employer Spilling the Beans
Seven HR data breaches were reported in November, including Starbucks (97,000 employees put at risk because of a stolen laptop); Lenscrafters (information on 59,000 employees exposed through a mainframe breach); the Veterans Administration (sensitive data of 1,600 veterans inadvertently posted on the Internet); the University of Missouri (41,000 employees and retirees in jeopardy in connection with an extortion threat made against Express Scripts, a company that manages prescription benefits for millions of employees); Maryland Department of the Environment (data on 1,367 former employees exposed when two laptops were stolen); Sinclair Community College (Ohio) (names and SSNs of 1,000 employees accidentally posted for a year on the Internet); and the Seattle School District (personal information of 5,000 employees unintentionally released to a local union representing some workers).
Bermuda Preparing EU-Style Privacy Law
The government of Bermuda announced that it was preparing legislation that would bring it into conformance with European standards for protecting personal information. Bermuda would become the second Caribbean nation, after The Bahamas, to enact EU-style data protection legislation.
Employee Firing for Blog Comments Upheld
An arbitrator upheld the firing of a public service employee in Alberta over inappropriate comments about her supervisor and co-workers in a blog. In upholding the dismissal in Alberta v. Alberta Union of Provincial Employees the arbitrator noted “that a blog is a form of public expression is, or ought to be, self-evident” and held that the employee, by “expressing contempt for her managers, ridiculing her co-workers, and denigrating administrative processes, engaged in serious misconduct that irreparably severed the employment relationship.”
October 2008
Six HR Data Breaches, Six Different Causes
A half-dozen HR data breaches were reported in October, each illustrative of a different way in which sensitive personal information can be compromised: the City of Fresno (5,700 employees impacted by a break-in and theft of computer equipment from a vendor processing workers compensation claims); City of Charleston (information on 535 Administration Department employees exposed when a laptop was stolen from an auditor’s vehicle); Shell Oil (an undisclosed number of employees jeopardized by an IT contractor who used stolen data to file fake unemployment claims); Medical Mutual of Ohio (11 computer disks with information on 36,000 employees and retirees missing in the mail); NYS Labor Department (personal data of 400 applicants for unemployment insurance mistakenly mailed to other applicants); and PSS World Medical (an undisclosed number of job applicants impacted by unauthorized access to private information associated with an online job board).
Mutual Recognition Pact May Speed BCR Approvals
The data protection authorities of nine EU member states have agreed to give mutual recognition to the approval any one of them gives to Binding Corporate Rules submitted by a company. The countries involved are France, Germany, Ireland, Italy, Latvia, Luxembourg, the Netherlands, Spain and the UK. The step is designed to speed the process of securing approvals from multiple DPAs, which currently takes years to achieve. An early test may come in the next few months, with Sanofi-Aventis's BCR application to the CNIL.
European Privacy Conferences Available Online
Streaming webcasts of the complete programs of two major privacy conferences held in Europe in October are available online, including the 30th International Conference of Data Protection and Privacy Commissioners, held in Strasbourg, and the European Commission’s Workshop on International Transfers of Personal Data, held in Brussels.
More Funding, Powers for UK DPA
The Office of the Information Commissioner of the UK will get an extra £6-million and added powers, including the power to conduct data security spot checks and to fine companies for violations of the Data Protection Act. The strengthening of oversight powers, expected before the end of 2008, comes amidst a steady and ongoing drumbeat of well-publicized public and private sector data breaches (277 within the past year).
Uruguay Enacts Comprehensive Data Protection Law
A comprehensive data protection law, modeled upon those in Europe, went into effect in Uruguay in August. According to a report in a Privacy Laws and Business newsletter, the law contains a full set of data protection principles including consent, notices, special provisions for sensitive data, limitations on certain transfers of personal data and a provision banning the transfer of personal data to destinations lacking adequacy. The law also calls for establishment of a Regulatory and Personal Data Control Unit, expected to come into existence in 2010.
September 2008
Massachusetts Mandates Rigorous Data Security Program
The Massachusetts Office of Consumer Affairs and Business Regulation issued regulations, effective January 1, 2009, that require businesses to develop and implement a comprehensive, written information security program for handling ID theft-related personal information in either paper or electronic form. The security program must contain more than a dozen components that collectively are more rigorous than those normally imposed by the FTC in its enforcement actions, including: designation of responsible individuals; risk assessments; security policies; employee training; disciplinary sanctions; personal information inventories; passage of security program requirements on to vendors; documentation of breach-related activities and responses; and encryption of personal information on portable devices and in transmission. The regulations, promulgated on September 22, were authorized by a data breach law passed in August 2007.
Financial Crisis May Spur More Regulation of Privacy
The disastrous failure of government oversight of Wall Street companies and mortgage lenders may mark the end of a 30-year period of belief in limited government intervention in the marketplace. Should the pendulum of public opinion swing back towards greater regulation, stronger laws for protecting privacy, as opposed to the prevailing emphasis on industry self-regulation, may be one outcome.
Google Remains in Art 29 WP Crosshairs
The Article 29 Working Party announced that it will hold hearings with Google over the company’s claim that European data protection laws do not apply to it, even though it has offices and servers in Europe and collects personal data from Europeans. The Working Party, while praising Google’s decision to reduce the time it stores results of web searches from 18 to 9 months as a step in the right direction, pressed for a six month period and criticized what it said were inadequate anonymization routines. Google also came under fire in South Korea for exposing sensitive ID numbers of thousands of Koreans and in the US for privacy lapses in Chrome, its new Internet browser.
HR Data Breaches Slow in September
September was a relatively quiet month for HR data breaches, with losses reported by Intuit (22,000 employees impacted by a previously reported break-in at an HR outsourcing vendor, Colt Express, that also affected 19 other companies); Orbitz Worldwide (loss of an undisclosed number of employees’ information on a laptop stolen from a car); and U.S. Foodservice (a significant but undisclosed expansion in the number of employees impacted by a previously reported laptop theft).
Who is Guarding the Guardians?
A new Cyber-Ark Software survey of 300 IT security professionals reveals that 88 percent of IT administrators, if laid off tomorrow, would take valuable and sensitive company information with them, including the CEO's passwords, customer databases, R&D plans, financial reports, M&A plans, and the company's list of privileged passwords.
August 2008
DOJ Backtracks on Attorney-Client Privilege
In a major advance in corporate privacy, the Justice Department announced it would no longer pressure companies to waive attorney-client privilege or to withhold payment of the legal fees of employees accused of crimes. The announcement came on the same day as a federal court ruling dismissing charges against 13 employees in the KPMG tax fraud case, in which the government used these tactics. Under the new policy, the Department will evaluate corporate cooperation based upon information provided by a company, rather than whether it was willing to waive attorney-client privilege.
Laptop Seizures Gaining Attention of Lawmakers
Pressure mounted against seizures of laptops at border crossings following the Dept. of Homeland Security’s release of policy guidelines governing such actions. The government is claiming expansive powers to randomly search laptops, decrypt and translate any information on the machine, and even retain the laptop for an indeterminate amount of time. Several legislators have said they will introduce bills prohibiting such open-ended, suspicion-less searches when Congress returns after its summer recess. The Canada Border Services Agency was reported to be following a similar policy at its border crossings.
Only Four HR Data Breaches in August
Following the record-setting 11 data breaches reported by employers in July, only four were noted in August, by Charter Communications (a dozen laptops containing detailed personal information on 9,000 current and former workers nationwide stolen from a South Carolina office); Delphi (a flash drive with SSNs and other personal data about 2,600 former Dayton-area workers removed from the unattended laptop of a state employee); Ohio Police & Fire Pension Fund (data of 13,000 retirees improperly taken by a former fund employee); and the US Army (data of 50,000 noncommissioned officers on promotion lists compromised by inadvertent posting on the Internet).
Russia Establishes DPA, Website and Registration
Two years after enacting a comprehensive data protection law, implementation efforts are finally reported to be underway in Russia. The Federal Service for Oversight of Mass Media, Communications and Protection of Cultural Heritage, the agency emerging as responsible for overseeing compliance with the law, has launched a website and begun registering data controllers. Although there are a number of exemptions to the registration requirement, more than 11,500 businesses have registered to date, with 300 signing up during the last week of July alone.
ALRC Issues Massive Report on Privacy Law Changes
The Australian Law Reform Commission released its final report on its multi-year review of Australian privacy laws. The 2,700 page report contains some 295 recommendations, including removal of exemptions for employee records and small businesses, institution of a statutory cause of action for privacy invasions, a mandatory data breach notification requirement and tighter controls on cross-border data transfers. Observers expect a year or more to pass before any of the recommendations are adopted and enacted into law.
July 2008
Privacy Certification Coming for Personal Health Records
The Certification Commission for Healthcare Information Technology (CCHIT) launched an industry working group in June that will create a certification plan to protect the privacy of consumers who use personal health record (PHR) technologies. CCHIT, which hopes to begin certifying personal health record providers and services in July 2009, has adopted a “big tent” definition of PHRs as any product or service that performs either or both of the following activities: (1) collecting, receiving, storing, or using personal health information (PHI) as part of a consumer data stream or PHR services; and (2) transmitting or disclosing to a third party any PHI gathered through or derived from a consumer data stream or PHR services.
Eleven HR Data Breaches in July
July was a banner month for HR data breaches, with reports of data losses from 11 employers: Google (all pre-2006 employees exposed to ID theft when thieves stole computer equipment from the offices of a former vendor, Colt Express Outsourcing Services); Bristol-Myers (an undisclosed number of employees impacted by a stolen back-up tape); Baxter International (personal data of 6,900 employees exposed when an HR staff member’s laptop was stolen from a Chicago hotel room); Computer Associates (973 employees and dependents also affected by the Colt Express break-in); Huron Consulting Group (an undisclosed number of employees warned of the theft of payroll information by a fired employee); US Army - Fort Lewis, WA (personal information of 700 soldiers lost when a laptop was stolen from an Army employee’s truck); Washington DC Transit Authority (accidental publishing of SSNs of 4,700 employees on a website); Missouri National Guard (personal data of 2,000 soldiers at risk from a breach of an undisclosed nature); Anheuser-Busch (theft of laptops during the burglary of a company office in St. Louis); California Dept. of Consumer Affairs (5,000 employees jeopardized by the unauthorized download of their data by a personnel specialist on her last day of work); and Hillsborough Community College, FL (sensitive information of 2,000 employees exposed when a programmer’s laptop was stolen).
CNIL Audits HR Functions of 50 French Companies
CNIL, the French data protection authority, announced in late June that it had carried out audits of the human resources function of 50 unnamed French companies, with the audits leading in several cases to enforcement actions. The most frequent problems the CNIL encountered were failure to inform employees about their data protection rights; failure to adequately protect employee personal data, particularly in cross-border data transfers; and the absence of policies for the disposal of data. CNIL also reported that anonymous whistleblower hotlines required by SOX are rarely used by French employees, and that many employers failed to notify the CNIL before putting them in place. Over the past several years the CNIL, under the leadership of Alex Türk, who also chairs the influential Article 29 Working Party, has emerged as one of the most vigorous data protection regulators in Europe.
Top Canadian Court: Attorney-Client Privilege Trumps Privacy
The Supreme Court of Canada issued a unanimous ruling in the Blood Tribe case that attorney-client privilege supersedes the power of the Federal Privacy Commissioner to compel the disclosure of personal information when investigating possible breaches of PIPEDA.
DOC Issues Safe Harbor Certification Mark
The Commerce Department has developed a certification mark for use by participants in the US-EU Safe Harbor program. The mark, now illustrated on the Safe Harbor website, may be used by companies to signify that they have self-certified compliance with the provisions of the Safe Harbor Framework. Suitable locations in which to use the mark include a corporate website’s online privacy policy, the main page of HR portals used by both US and European employees, and an online applicant privacy policy.
June 2008
Outsourcing of Communications Creates Right to Privacy
In a major decision, the Ninth Circuit Court of Appeals ruled that employers need either a court warrant or consent to read the e-mail or text messages of employees when they contract with outside entities to provide such services. The ruling stemmed from a lawsuit by Ontario, CA Police Sgt. Jeff Quon and three others against the city's service provider and the city and Police Department for violating the 4th Amendment prohibition against unreasonable search and seizure. An estimated 28% of employers use outside vendors to host e-mail and text-messaging services.
Tech and Health Care Firms Announce PHR Privacy Guidelines
Google, Microsoft, Cisco Systems, Intuit, Aetna, Blue Cross Blue Shield and 25 other organizations announced support for a privacy guideline framework for protecting the data people keep in their online personal health records (PHRs). The privacy framework, hundreds of pages in length, is the outcome of a Markle Foundation initiative that supported an industry working group over the past 18 months. The guidelines, known as the Common Framework, are based upon the idea that information in a PHR should be under the control of the individual. They consist of a set of 17 mutually-reinforcing technical documents and specifications, testing interfaces, code, privacy and security policies, and model contract language. About 9 in 10 Americans call privacy-related factors essential or significant to their use of an online PHR, according to a recent Markle survey.
Connecticut Mandates Employee Data Protection Policy
In response to a series of massive security breaches, Connecticut became the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee SSNs. The new law, An Act Concerning the Confidentiality of Social Security Numbers, effective October 1, 2008, also imposes a statutory obligation to safeguard, and properly dispose of, personal information. For purposes of the law, personal information is defined broadly as any "information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number."
Six HR Data Breaches in June
The familiar drumbeat of HR data breaches continued in June, with reports of losses by six employers: AT&T (a laptop containing unencrypted payroll data for an undisclosed number of managers was stolen from an employee’s car); Stanford University (a stolen laptop impacting 72,000 current and former employees); CNET (more than 6,500 employees and relatives exposed to ID theft after burglars stole computer systems from the offices of a vendor, Colt Express Outsourcing Services); California State Department of Consumer Affairs (5,000 employees, contractors and board members warned of a security breach when a Word document was improperly transmitted); Dickson County (TN) Board of Education (sensitive personal data of 850 employees lost when a laptop computer was stolen from the office of the district school superintendent); and the New Mexico Department of Workforce Solutions (four boxes of manila folders with documents containing names and SSNs found in a trash bin behind the Roswell office).
Article 29 WP Encourages Use of BCRs
The Article 29 Working Party continued its effort to support and encourage corporate use of binding corporate rules at its June plenary session, announcing creation of a BCR toolkit and working to streamline the approval process. During a special meeting on BCRs convened earlier in the month in Paris by Alex Türk, who heads up both the CNIL and the Working Party, data protection authorities in attendance agreed that although Safe Harbor and model contracts are also available, BCRs are the best compliance option available to global companies.
May 2008
New Genetic Information Law Poses Challenges
President Bush signed House Bill 493, the Genetic Information Nondiscrimination Act, into law on May 21. The bill, which prohibits employers and insurers from discrimination on the basis of genetic information, contains some surprises and challenges for employers. Genetic information is defined broadly, to include not only the results of genetic testing but also information about "the manifestation of a disease or disorder in family members", such as that found in family medical histories of the employee or of the employee’s spouse or dependents. The law does not become effective until November 21, 2009.
Facebook: Coming Soon to an Employee Portal Near You?
As some corporations, such as Dell, begin to utilize Facebook’s social networking software, privacy advocates and regulators continue to pressure the company to improve its privacy policies and practices. In Canada, Federal Privacy Commissioner Jennifer Stoddart said in a speech at Queen’s University that websites such as Facebook and MySpace were “the single biggest threat to the security of Canadians' personal information.” A few weeks later CIPPIC, a Canadian public policy group, filed a complaint with Commissioner Stoddart charging Facebook with 22 separate violations of a Canadian personal information protection law. In the US, Facebook reached an agreement with Attorneys General from 49 states and the District of Columbia to strengthen privacy protections for minors and teenagers using the site.
Google Launches Health Service in Beta Mode
Google began giving users a central place online to store their health records and then share them with health-care providers, with the beta launch of Google Health. Individuals can go to www.google.com/health and create profiles that include information such as existing medical conditions, allergies and any medicines being taken. They can also import medical records from US pharmacies and medical facilities that have signed on as partners, although few have so far. With the service still a work-in-progress, concerns about privacy and security remain a big hurdle.
Sixth Pfizer Data Breach in a Year
Pfizer set an unwanted record when it experienced its sixth loss of employee data in a year, when a laptop and flash drive containing information on 13,000 employees were reported stolen from an employee’s car. Other HR data breaches reported during the month included the Marine Corps Reserve Center in San Antonio (a former contractor pled guilty to unauthorized access to a computer and aggravated ID theft after being accused of selling names and SSNs of 17,000 military employees); Bearing Point Management & Technology Consultants (a laptop stolen from an employee's vehicle containing records of an undisclosed number of employees); LPL Financial (personal data on 2,800 employees lost when a laptop was stolen from an employee's car); Las Cruces Public Schools, NM (a part-time computer analyst inadvertently posted personal data of 1,750 district employees on the Internet); University of Iowa (946 current and former employees impacted by improper access of a computer application); and BB&T Insurance (a laptop containing personnel data of an unknown number of Harrisonburg City (VA) Schools employees stolen from an agent’s car).
UK DPA Gains Power to Fine Data Breachers
Passage of the Criminal Justice and Immigration Act has given the UK Information Commissioner’s Office the power to impose substantial fines on public and private sector organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. Observers believe the new powers, comparable to those of the Financial Services Authority, will cause the ICO to be taken far more seriously. One legal expert, Dr. Chris Pounder, finds the authority given to the ICO to be so substantial that security breach notification legislation is no longer necessary.
April 2008
Congress Passes Genetic Non-Discrimination Act
After a decade of debate, both houses of Congress passed a bill designed to bar discrimination by employers and insurance companies on the basis of information obtained from genetic tests. The bill, the Genetic Information Non-Discrimination Act (GINA), was sent on to the President, who previously indicated he would sign it into law. Thirty-one states already have laws related to genetic discrimination by employers. The employment provisions of the bill will not apply until 18 months after enactment. Critics of the bill, including Deborah Peel and Sue Blevins, say the law doesn’t go far enough, for example by not prohibiting disclosure of genetic information without consent.
No Spring Break for Employee Data Breaches
Seven breaches of employee data were reported in April: Pfizer, in its fifth breach in 15 months, disclosed that a laptop containing records of 800 employees was stolen from the home of a contractor providing travel services; the West Seneca School District (NY) reported that information on 1,800 employees was exposed by hacking by two teenage students; the University of Toledo, which suffered a breach last month, disclosed that payroll information of 6,488 employees was accidentally posted on the university’s intranet; the Baltimore Highway Administration announced a breach of 1,800 employee records due to an inappropriate use of a shared network drive; Siemens disclosed that information on 3,542 employees was exposed when a laptop was stolen from the home of an employee; Stryker reported that its VPN had been repeatedly penetrated by an unauthorized user using an administrative password, exposing personal information of an undisclosed number of employees; and SPX disclosed that information of 403 employees was missing on a laptop stolen from a vendor, USinternetworking.
European Commission to Study Privacy Law Changes
The European Commission issued a contract notice in March seeking bidders for a “study on different approaches to tackle the new privacy challenges in particular in the light of development of new technologies and security issues.” Among the objectives of the study are the identification of privacy challenges created by “globalization and ubiquity of personal data,” and a comparative analysis of the ways in which different legal systems and self-regulatory systems deal with these challenges. The legal basis for transborder data flows is likely to receive particular attention.
CNIL Fines Direct Marketing Company over Personnel Files
CNIL, the French data protection authority, reported that it had imposed a 40,000 euro fine on the Service Innovation Group (SIG) France, a direct marketing company, after the company was found to have included irrelevant subjective information about both permanent and temporary employees in its personnel files. SIG was also found to have failed to comply with the subject access requirements of French data protection law.
JAL Employees Reject $473,000 Settlement Offer
The Japanese media reported that 194 employees of Japan Air Lines (JAL) rejected an offer of 48 million yen (about $473,000) to settle a lawsuit filed in Tokyo District Court alleging that their personal information had been collected and disclosed unlawfully without their consent. The employees claimed that some 150 items of personal information, including names, addresses, physical descriptions, medical records, and notes of “character traits” were shared with their workplace union without their consent, in violation of the 2003 Personal Information Protection Act.
Japan Issues Guidelines for Working with Data Processors
The Japanese Ministry of Economy, Trade and Industry (METI) released new guidelines at the end of February requiring tighter oversight of data processors and restricting the kind of data they may receive. The guidelines have four major points: (1) the data processor may only receive data necessary to fulfill its designated duties; (2) the data processor must employ adequate data protection measures; (3) the data processing contract must state the measures the data processor will take to protect the data; and (4) the data controller must inspect the operations of the data processor from time to time.
March 2008
HR Groups Support New Federal Work Eligibility Bill
A group of HR organizations, led by the Society for Human Resource Management, is backing a federal bill that would replace the E-Verify program with one based on existing state systems used to locate non-child-support-paying parents. The New Employee Verification Act (H.R. 5515), introduced by Reps. Sam Johnson, R-Texas, Kevin Brady, R-Texas, and Paul Ryan, R-Wis., would expand the use of databases currently used by 90% of US employers and eliminate the paper-based I-9 process. Supporters claim the new approach would help prevent ID theft and be more reliable than the E-Verify program.
Patriot Act Chills Acceptance of Software-as-a-Service
Companies seeking to adopt web-based Software-as-a-Service (SaaS) applications are facing opposition from abroad over government access to information in the applications via the US Patriot Act. For example, employees at Lakehead University in Thunder Bay, Ontario have filed a grievance against the introduction of Google Gmail and other applications. Companies with European employees will need a legal basis to transfer personal information from Europe to servers located elsewhere, before they can begin using SaaS applications.
Breaches of HR Data Reach Peak Levels
Nine employers reported data breaches in March: Kraft Foods (20,000 employees impacted when a laptop was stolen from an employee who was migrating information from one computer to another as part of a systems project); MTV Networks (5,000 employees affected after an Internet connection in an employee's computer was compromised by someone outside the company); Nestle Waters North America (8,245 employees impacted by a theft of computer equipment from Systematic Automation Inc., a vendor of employee benefits statements); Presbyterian Intercommunity Hospital (CA) (5,000 employees also affected by the Systematic Automation breach); Nevada Dept of Public Safety (109 job applicants affected by the loss of a thumb drive by Crown, Stanley and Silverman, a vendor carrying out background checks); Rhode Island Dept of Administration (1,400 employees impacted by a computer disk that was missing after the relocation of an office); Broward School District (FL) (38,000 employees exposed to ID theft because of hacking by a high school senior); Agilent Technologies (51,000 employees affected when a laptop was stolen in San Francisco from a car of a vendor, Stock & Options Solutions); and Georgia Dept of Human Resources (information on an undisclosed number of current and former employees exposed when an external hard drive went missing).
Consultation on Use of RFID Chips in Workplace
The Privacy Commissioner of Canada opened a period of public consultation on uses of RFID technology in the workplace and issued a very informative and worthwhile 38-page consultation paper. The paper includes a list of questions that employers are invited to provide their opinions and feedback on. The deadline for submissions is April 30, 2008.
Research Shows Weak Wireless Security at Airports
Research conducted at 14 airports around the world by AirTight Networks found that fewer than 3% of users were protecting data on their laptops by using virtual private networks (VPNs). Most of the networks detected at airports used by the remaining 97% of users were completely unsecured, and many of those with some protection used easily-defeated security protocols such as WEP.
February 2008
Electronic Health Records Taking Center Stage
Google announced a pilot project involving the creation of electronic health records (EHRs) of up to 10,000 patients of the Cleveland Clinic. Last year Microsoft introduced a similar service called HealthVault, and AOL co-founder Steve Case is backing one called Revolution Health. Like the other services, Google’s will allow individuals to create and manage a password-protected health profile, including information about prescriptions, allergies and medical histories. Separately, the World Privacy Forum warned of the potential pitfalls of using these services offered by companies not subject to federal regulations on privacy and security, such as HIPAA. These concerns were detailed in a 17-page legal and policy analysis entitled Personal Health Records: Why Many PHRs Threaten Privacy. The Privacy Commissioner of Austria also called for public debate about EHRs, questioning whether they are really needed for most people, and arguing that current European data protection law does not provide adequate protections for EHRs.
Laptops Subject to Search and Seizure at US Borders
Employers may want to inform employees traveling outside the US that their laptops and other electronic devices are subject to warrantless search and seizure by customs officers when they return to the US and also develop a policy to address the issue. This long-standing US practice gained renewed prominence in early February with the filing of a lawsuit against the Dept. of Homeland Security by the Electronic Frontier Foundation and the Asian Law Caucus, two California-based civil rights groups. The Association of Corporate Travel Executives (ACTE), which filed an amicus brief in a related case last June, expressed concerns about potential lack of access to business records, possible significant damage to a traveler’s professional standing, and uncertainty over whether providing customs officials with an encryption key was required.
Stolen Computers, Vendors Dominate February Breaches
February easily qualified as Watch Out for Stolen Computers and Vendors Month, with at least six employers reporting thefts of laptops and desktops: Towers Perrin reported the theft of five laptops from its offices in Manhattan, affecting a potentially huge but undisclosed number of its own and its clients’ employees; ADC Telecommunications notified authorities that 2,600 of its employees and retirees were impacted by the theft of a laptop owned by its benefits administrator; 4,000 marines and others stationed on Okinawa and Iwakuni were jeopardized by the theft of a laptop of a federal contractor; the Diocese of Providence (RI) reported the theft of four desktop computers containing information on 5,000 school employees; a laptop lost while an employee of Memorial Hospital in South Bend (IN) was traveling had SSNs and other information on 4,300 employees; and in California, a hard drive holding the names, addresses, birth dates and SSNs of 3,500 Modesto City Schools’ employees was reported stolen from a benefits vendor. Finally, the inadvertent posting of personal information on a company file sharing site affected an undisclosed number of employees of Lexmark International.
Swedish DPA Blocks Processing by Standard & Poor’s
The Swedish data protection authority refused to authorize a subsidiary of Standard & Poor’s to process employee criminal records. The subsidiary had been asked to obtain employees’ past criminal records by its US parent company so that the parent could become a member of a “Nationally Recognized Statistical Rating Organisation” (NRSRO) in the US. The Swedish DPA rejected the request on the grounds that it was not directly connected or relevant to the company’s undertaking.
Disk Encryption Not Always Effective
Nine computer researchers, in a paper entitled "Lest We Remember: Cold Boot Attacks on Encryption Keys", argue that encryption keys can be extracted directly from a laptop’s RAM if the device has been locked with a screen saver, left in sleep mode or just recently been turned off. Subjecting RAM chips to simple cooling techniques can lead to their retaining data for hours or even days.
January 2008
Ninth Circuit Court Hands JPL Employees a Victory
A federal appeals court ruled that NASA should be blocked from conducting intensive background checks on low-risk employees at its Jet Propulsion Laboratory, saying the practice threatens workers' constitutional rights. The government had demanded that the workers, who include scientists involved with the Mars Rover mission, fill out questionnaires on their personal lives, waive the privacy of their financial, medical and psychiatric records and permit open-ended interviews with third parties about them. As a result of the decision, NASA will be enjoined from proceeding with the investigations while a suit brought by the workers proceeds.
New York Law Restricts Use of Truncated SSNs
With the passage of a new law that became effective on January 1, New York became the fifth state to restrict even the use of truncated Social Security Numbers by companies. A total of 29 states now have laws prohibiting certain common uses of SSNs. The New York law also requires companies to take “reasonable measures” to ensure that access to SSNs is strictly for “a legitimate or necessary purpose” and that “necessary or appropriate” safeguards are in place to protect the confidentiality of SSNs.
Microsoft Seeks Patent on Worker-Monitoring System
Microsoft has filed a patent application for a computer system that links workers to their computers via wireless sensors allowing managers to monitor employees’ performance by measuring their heart rate, body temperature, movement, facial expression and blood pressure. Such systems have been used for astronauts, pilots and firefighters, but never for office workers. While described as a tool to alert managers to the need to intervene when a worker experiences excessive stress or frustration, revelation of the patent application drew strong criticism from unions, civil rights lawyers and privacy advocates. A separate patent application from Microsoft presents a method of collecting offline information from users' cell phones, geolocation systems, credit-card information and other data sources to build individual profiles that can facilitate "targeted advertising" when the users go online.
HR Data Breaches Continue in January
There was no lessening of breaches of employee data in January, with losses reported by the Workers Compensation Fund in Utah (a laptop containing information on 2,800 individuals stolen from the garage of a staff auditor); Health Net in Connecticut (5,000 employees affected by a laptop stolen from a vendor); University of Wisconsin-Madison (information of 200 employees exposed on the Internet); the Navy Surface Warfare Center (up to 10,000 employees at risk when four ID thieves were apprehended with employment verification reports); and two breaches of workers compensation systems in Newfoundland and Labrador (exposing the information of at least 1,420 claimants on the Internet via a file-sharing program).
Spain Issues New Data Protection Regulation
On January 19 the Spanish Data Protection Agency published a new Regulation on Data Protection (Royal Decree 1720/2007, of December 21, 2007, currently available only in Spanish). The Regulation establishes new rules on the relationship between data controllers and data processors, on security measures and on paper files. It also authorizes the Data Protection Agency to declare that a non-European country has an adequate level of protection for purposes of data transfers, even if that country has not been approved by the European Union. A provision that calls for getting consent from family members could affect conflict of interest and benefits practices of employers.
FTC Releases Data Security Resources
The FTC has published “Protecting Personal Information: A Guide for Business”. The 28-page high-level guide, which may be most valuable to small and medium-sized businesses, promotes a data security plan built upon five key principles: Take Stock; Scale Down; Lock It; Pitch It; and Plan Ahead. The FTC website makes the basic content of the guide available in an online multi-media tutorial (mistakenly called “interactive”), as well as in a set of PowerPoint slides.
December 2007
Top Federal Panel Calls HIPAA Woefully Inadequate
A top advisory board to the US federal government on health care privacy has concluded that current laws and rules are woefully inadequate and is recommending passage of new legislation to strengthen and expand protections far beyond those provided by HIPAA. The 40-page report by the National Committee on Vital and Health Statistics (NCVHS) could become the basis for new national policy following the 2008 election, with profound implications for employers handling medical information in any context.
Moody's to Rate Vendors on Information Risk
Moody's Investors Service is preparing to launch a new service providing risk/quality ratings of vendors who process information for financial services firms in 11 areas: information security policy; organization; information classification; physical security; communications and operations management; access control; application security; incident management; business continuity; data security; and privacy. According to an interview in the December issue of the IAPP’s Privacy Advisor, Moody’s plans to build on the experience in the financial arena to expand the rating service to vendors serving clients in other industries.
HR Data Breaches Resume Normal Pace
Breaches of employee data resumed their normal pace in December, with embarrassing losses by two firms that provide data security advice: Forrester Research (a laptop stolen from a staff member’s home, affecting an undisclosed number of employees) and Deloitte & Touche (a laptop stolen from a pension advisor, affecting an unknown number of partners, principals and employees). Other breaches were reported by the New York State Dormitory Authority (back-up tapes missing in transit, affecting 800 employees); the Greenville County (SC) School District (computer hacking, affecting hundreds of employees; DHS is investigating, as a rash of government computers have been hacked in the state); and the US Air Force (a laptop missing from Bolling Air Force Base (WA), affecting 10,500 airmen).
UK: Breach Firestorm and PIA Handbook
The firestorm surrounding the November HMRC data breach affecting 25 million UK citizens continues to grow, with reports of hundreds of past losses by government agencies; new breaches of the data of those applying for passports and drivers licenses; Parliamentary hearings; and mounting pressure for tougher data protection laws and C-level accountability. Independently of this, the UK Information Commissioner released a Privacy Impact Assessment Handbook, the first by a European regulator, and Pinsent Masons, a prominent legal firm, called into question the data protection practices of Santa Claus.
November 2007
Mandatory Wellness Programs Probe Off-Duty Life
More employers are not just rewarding workers who are healthy, but penalizing those whose off-duty habits and environments contribute to increased health care costs. For example, starting in January the Tribune Company plans to require its employees to pay $100 a month more in insurance premiums if they or any of their covered family members smoke. Amongst employers refusing to hire smokers are The Cleveland Clinic, Meritain Health, and Scotts Miracle-Gro. Other employers, such as the Principal Financial Group, are requiring employees to complete health risk assessments that can lead to higher insurance deductibles and co-pays for failure to curb risky habits and behaviors. Such mandatory wellness programs, welcomed by some, are frequently viewed as intrusive and challenged by unions or through legal action.
Another Lull in Employee Data Breaches
Data breaches affecting employees dropped to a two-year low in November, with only the Veterans Administration in the news again, this time with a report that three computers containing information on 12,000 veterans had been stolen from a VA medical center in Indianapolis. The VA also reported that 185,000 SSNs judged to be at risk were found on the home computer of an ex-VA auditor arrested for ID theft; interestingly, the auditor had quit his job at the VA when he learned that a background check was going to be required. Separately, mediation between opposing sides began after a federal judge ruled that lawsuits can go forward over the data theft last year affecting 26.5 million veterans.
A massive data breach in the UK by HM Revenue and Customs has exposed sensitive financial records of 25 million adults, representing half of the population. The breach, caused when computer disks being sent to auditors went missing, prompted a firestorm of criticism and a public apology by PM Gordon Brown, the launching of data security reviews in all Cabinet agencies, the initiation of a high-profile investigation and review of current data protection laws, reports of additional government breaches, and calls for increased powers for the Information Commissioner to conduct independent audits and to levy fines. Rubbing more salt in a very public wound, HM Revenue and Customs then mailed millions of apology letters containing the sensitive information that had been exposed, thereby creating further exposures for those whose mail goes astray.
Confusion over Controller/Processor Distinction
European regulators are increasingly criticizing the data controller – data processor distinction that underlies European data protection laws. The latest evidence of confusion over the distinction can be found in Charles Millard’s report in a Privacy Laws & Business newsletter that the Spanish Data Protection Agency, in an unpublished decision, has concluded that SWIFT, the international financial transactions body, “acted, at all times, as the data processor” including when it made the “crucial decision” to transfer data to the US Treasury Department. Some ten months earlier the Article 29 Working Party issued an opinion which held that SWIFT was a “joint data controller” with the financial institutions it services. The Article 29 WP ruling has been criticized for threatening to disrupt many established controller/processor relationships, including a wide range of conventional service provider and outsourcing arrangements.
Changes Called for in Alberta PIPA
As part of a mandatory review, the Select Special Committee of the Alberta Legislature has issued a 65-page report on how to improve the province’s Personal Information Protection Act. Amongst some 48 recommendations are the following: requiring notification of individuals when personal data will be transferred to a third-party service provider outside Canada; requiring notifications when data breaches occur; allowing organizations to assume that consent has been obtained for those enrolled by others in insurance or benefit plans; not amending the Act to include a “work product” exemption; requiring organizations to destroy or anonymize records no longer needed; and restricting the need to maintain data accurately and completely to what is reasonable for the purposes involved.
August 2008
DOJ Backtracks on Attorney-Client Privilege
In a major advance in corporate privacy, the Justice Department announced it would no longer pressure companies to waive attorney-client privilege and not pay the legal fees of employees accused of crimes. The announcement came on the same day as a federal court ruling dismissing charges against 13 employees in the KPMG tax fraud case, in which the government used these tactics. Under the new policy, the Department will evaluate corporate cooperation based upon information provided by a company, rather than whether it was willing to waive attorney-client privilege.
Laptop Seizures Gaining Attention of Lawmakers
Pressure mounted against seizures of laptops at border crossings following the Dept. of Homeland Security’s release of policy guidelines governing such actions. The government is claiming expansive powers to randomly search laptops, decrypt and translate any information on the machine, and even retain the laptop for an indeterminate amount of time. Several legislators have said they will introduce bills prohibiting such open-ended, suspicion-less searches when Congress returns after its summer recess. The Canada Border Services Agency was reported to be following a similar policy at its border crossings.
Only Four HR Data Breaches in August
Following the record-setting 11 data breaches reported by employers in July, only four were noted in August, by Charter Communications (a dozen laptops containing detailed personal information on 9,000 current and former workers nationwide stolen from a South Carolina office); Delphi (a flash drive with SSNs and other personal data about 2,600 former Dayton-area workers removed from the unattended laptop of a state employee); Ohio Police & Fire Pension Fund (data of 13,000 retirees improperly taken by a former fund employee); and the US Army (data of 50,000 noncommissioned officers on promotion lists compromised by inadvertent posting on the Internet).
Russia Establishes DPA, Website and Registration
Two years after enacting a comprehensive data protection law, implementation efforts are finally reported to be underway in Russia. The Federal Service for Oversight of Mass Media, Communications and Protection of Cultural Heritage, the agency emerging as responsible for overseeing compliance with the law, has launched a website and begun registering data controllers. Although there are a number of exemptions to the registration requirement, more than 11,500 businesses have registered to date, with 300 signing up during the last week of July alone.
ALRC Issues Massive Report on Privacy Law Changes
The Australian Law Reform Commission released its final report on its multi-year review of Australian privacy laws. The 2,700 page report contains some 295 recommendations, including removal of exemptions for employee records and small businesses, institution of a statutory cause of action for privacy invasions, a mandatory data breach notification requirement and tighter controls on cross-border data transfers. Observers expect a year or more to pass before any of the recommendations are adopted and enacted into law.
July 2008
Privacy Certification Coming for Personal Health Records
The Certification Commission for Healthcare Information Technology (CCHIT) launched an industry working group in June that will create a certification plan to protect the privacy of consumers who use personal health record (PHR) technologies. CCHIT, which hopes to begin certifying personal health record providers and services in July 2009, has adopted a “big tent” definition of PHRs as any product or service that performs either or both of the following activities: (1) collecting, receiving, storing, or using personal health information (PHI) as part of a consumer data stream or PHR services; and (2) transmitting or disclosing to a third party any PHI gathered through or derived from a consumer data stream or PHR services.
Eleven HR Data Breaches in July
July was a banner month for HR data breaches, with reports of data losses from 11 employers: Google (all pre-2006 employees exposed to ID theft when thieves stole computer equipment from the offices of a former vendor, Colt Express Outsourcing Services); Bristol-Myers (an undisclosed number of employees impacted by a stolen back-up tape); Baxter International (personal data of 6,900 employees exposed when an HR staff member’s laptop was stolen from a Chicago hotel room); Computer Associates (973 employees and dependents also affected by the Colt Express break-in); Huron Consulting Group (an undisclosed number of employees warned of the theft of payroll information by a fired employee); US Army - Fort Lewis, WA (personal information of 700 soldiers lost when a laptop was stolen from an Army employee’s truck); Washington DC Transit Authority (accidental publishing of SSNs of 4,700 employees on a website); Missouri National Guard (personal data of 2,000 soldiers at risk from a breach of an undisclosed nature); Anheuser-Busch (theft of laptops during the burglary of a company office in St. Louis); California Dept. of Consumer Affairs (5,000 employees jeopardized by the unauthorized download of their data by a personnel specialist on her last day of work); and Hillsborough Community College, FL (sensitive information of 2,000 employees exposed when a programmer’s laptop was stolen).
CNIL, the French data protection authority, announced in late June that it had carried out audits of the human resources function of 50 unnamed French companies, with the audits leading in several cases to enforcement actions. The most frequent problems the CNIL encountered were failure to inform employees about their data protection rights; failure to adequately protect employee personal data, particularly in cross-border data transfers; and the absence of policies for the disposal of data. CNIL also reported that anonymous whistleblower hotlines required by SOX are rarely used by French employees, and that many employers failed to notify the CNIL before putting them in place. Over the past several years the CNIL, under the leadership of Alex Türk, who also chairs the influential Article 29 Working Party, has emerged as one of the most vigorous data protection regulators in Europe.
Top Canadian Court: Attorney-Client Privilege Trumps Privacy
The Supreme Court of Canada issued a unanimous ruling in the Blood Tribe case that attorney-client privilege supersedes the power of the Federal Privacy Commissioner to compel the disclosure of personal information when investigating possible breaches of PIPEDA.
DOC Issues Safe Harbor Certification Mark
The Commerce Department has developed a certification mark for use by participants in the US-EU Safe Harbor program. The mark, now illustrated on the Safe Harbor website, may be used by companies to signify that they have self-certified compliance with the provisions of the Safe Harbor Framework. Suitable locations in which to use the mark include a corporate website’s online privacy policy, the main page of HR portals used by both US and European employees, and an online applicant privacy policy.
June 2008
Outsourcing of Communications Creates Right to Privacy
In a major decision, the Ninth Circuit Court of Appeals ruled that employers need either a court warrant or consent to read the e-mail or text messages of employees when they contract with outside entities to provide such services. The ruling stemmed from a lawsuit by Ontario, CA Police Sgt. Jeff Quon and three others against the city's service provider and the city and Police Department for violating the 4th Amendment prohibition against unreasonable search and seizure. An estimated 28% of employers use outside vendors to host e-mail and text-messaging services.
Tech and Health Care Firms Announce PHR Privacy Guidelines
Google, Microsoft, Cisco Systems, Intuit, Aetna, Blue Cross Blue Shield and 25 other organizations announced support for a privacy guideline framework for protecting the data people keep in their online personal health records (PHRs). The privacy framework, hundreds of pages in length, is the outcome of a Markle Foundation initiative that supported an industry working group over the past 18 months. The guidelines, known as the Common Framework, are based upon the idea that information in a PHR should be under the control of the individual. They consist of a set of 17 mutually-reinforcing technical documents and specifications, testing interfaces, code, privacy and security policies, and model contract language. About 9 in 10 Americans call privacy-related factors essential or significant to their use of an online PHR, according to a recent Markle survey.
Connecticut Mandates Employee Data Protection Policy
In response to a series of massive security breaches, Connecticut became the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee SSNs. The new law, An Act Concerning the Confidentiality of Social Security Numbers, effective October 1, 2008, also imposes a statutory obligation to safeguard, and properly dispose of, personal information. For purposes of the law, personal information is defined broadly as any "information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number."
The familiar drumbeat of HR data breaches continued in June, with reports of losses by six employers: AT&T (a laptop containing unencrypted payroll data for an undisclosed number of managers was stolen from an employee’s car); Stanford University (a stolen laptop impacting 72,000 current and former employees); CNET (more than 6,500 employees and relatives exposed to ID theft after burglars stole computer systems from the offices of a vendor, Colt Express Outsourcing Services); California State Department of Consumer Affairs (5,000 employees, contractors and board members warned of a security breach when a Word document was improperly transmitted); Dickson County (TN) Board of Education (sensitive personal data of 850 employees lost when a laptop computer was stolen from the office of the district school superintendent); and the New Mexico Department of Workforce Solutions (four boxes of manila folders with documents containing names and SSNs found in a trash bin behind the Roswell office).
Article 29 WP Encourages Use of BCRs
The Article 29 Working Party continued its effort to support and encourage corporate use of binding corporate rules at its June plenary session, announcing creation of a BCR toolkit and working to streamline the approval process. During a special meeting on BCRs convened earlier in the month in Paris by Alex Türk, who heads up both the CNIL and the Working Party, data protection authorities in attendance agreed that although Safe Harbor and model contracts are also available, BCRs are the best compliance option available to global companies.
May 2008
New Genetic Information Law Poses Challenges
President Bush signed House Bill 493, the Genetic Information Nondiscrimination Act, into law on May 21. The bill, which prohibits employers and insurers from discrimination on the basis of genetic information, contains some surprises and challenges for employers. Genetic information is defined broadly, to include not only the results of genetic testing but also information about "the manifestation of a disease or disorder in family members”, such as that found in family medical histories of the employee or of the employee’s spouse or dependents. The law does not become effective until November 21, 2009.
Facebook: Coming Soon to an Employee Portal Near You?
As some corporations, such as Dell, begin to utilize Facebook’s social networking software, privacy advocates and regulators continue to pressure the company to improve its privacy policies and practices. In Canada, Federal Privacy Commissioner Jennifer Stoddart said in a speech at Queen’s University that websites such as Facebook and MySpace were “the single biggest threat to the security of Canadians' personal information.” A few weeks later CIPPIC, a Canadian public policy group, filed a complaint with Commissioner Stoddart charging Facebook with 22 separate violations of a Canadian personal information protection law. In the US, Facebook reached an agreement with Attorneys General from 49 states and the District of Columbia to strengthen privacy protections for minors and teenagers using the site.
Google Launches Health Service in Beta Mode
Google began giving users a central place online to store their health records and then share them with health-care providers, with the beta launch of Google Health. Individuals can go to www.google.com/health and create profiles that include information such as existing medical conditions, allergies and any medicines being taken. They can also import medical records from US pharmacies and medical facilities that have signed on as partners, although few have so far. With the service still a work-in-progress, concerns about privacy and security remain a big hurdle.
Sixth Pfizer Data Breach in a Year
Pfizer set an unwanted record when it experienced its sixth loss of employee data in a year, when a laptop and flash drive containing information on 13,000 employees were reported stolen from an employee’s car. Other HR data breaches reported during the month included the Marine Corps Reserve Center in San Antonio (a former contractor pled guilty to unauthorized access to a computer and aggravated ID theft after being accused of selling names and SSNs of 17,000 military employees); Bearing Point Management & Technology Consultants (a laptop stolen from an employee's vehicle containing records of an undisclosed number of employees); LPL Financial (personal data on 2,800 employees lost when a laptop was stolen from an employee's car); Las Cruces Public Schools, NM (a part-time computer analyst inadvertently posted personal data of 1,750 district employees on the Internet); University of Iowa (946 current and former employees impacted by improper access of a computer application); and BB&T Insurance (a laptop containing personnel data of an unknown number of Harrisonburg City (VA) Schools employees stolen from an agent’s car).
UK DPA Gains Power to Fine Data Breachers
Passage of the Criminal Justice and Immigration Act has given the UK Information Commissioner’s Office the power to impose substantial fines on public and private sector organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. Observers believe the new powers, comparable to those of the Financial Services Authority, will cause the ICO to be taken far more seriously. One legal expert, Dr. Chris Pounder, finds the authority given to the ICO to be so substantial that security breach notification legislation is no longer necessary.
April 2008
Congress Passes Genetic Non-Discrimination Act
After a decade of debate, both houses of Congress passed a bill designed to bar discrimination by employers and insurance companies on the basis of information obtained from genetic tests. The bill, the Genetic Information Non-Discrimination Act (GINA), was sent on to the President, who previously indicated he would sign it into law. 31 states already have laws related to genetic discrimination by employers. The employment provisions of the bill will not apply until 18 months after enactment. Critics of the bill, including Deborah Peel and Sue Blevins, say the law doesn’t go far enough, for example by not prohibiting disclosure of genetic information without consent.
No Spring Break for Employee Data Breaches
Seven breaches of employee data were reported in April: Pfizer, in its fifth breach in 15 months, disclosed that a laptop containing records of 800 employees was stolen from the home of a contractor providing travel services; the West Seneca School District (NY) reported that information on 1,800 employees was exposed by hacking by two teenage students; the University of Toledo, which suffered a breach last month, disclosed that payroll information of 6,488 employees was accidentally posted on the university’s intranet; the Baltimore Highway Administration announced a breach of 1,800 employee records due to an inappropriate use of a shared network drive; Siemens disclosed that information on 3,542 employees was exposed when a laptop was stolen from the home of an employee; Stryker reported that its VPN had been repeatedly penetrated by an unauthorized user using an administrative password, exposing personal information of an undisclosed number of employees; and SPX disclosed that information of 403 employees was missing on a laptop stolen from a vendor, USinternetworking.
European Commission to Study Privacy Law Changes
The European Commission issued a contract notice in March seeking bidders for a “study on different approaches to tackle the new privacy challenges in particular in the light of development of new technologies and security issues.” Among the objectives of the study are the identification of privacy challenges created by “globalization and ubiquity of personal data,” and a comparative analysis of the ways in which different legal systems and self-regulatory systems deal with these challenges. The legal basis for transborder data flows is likely to receive particular attention.
CNIL, the French data protection authority, reported that it had imposed a 40,000 Euro fine on the Service Innovation Group (SIG) France, a direct marketing company, after the company was found to have included irrelevant subjective information about both permanent and temporary employees in its personnel files. SIG was also found to have failed to comply with the subject access requirements of French data protection law.
JAL Employees Reject $473,000 Settlement Offer
The Japanese media reported that 194 employees of Japan Air Lines (JAL) rejected an offer of 48 million Yen (about $473,000) to settle a lawsuit filed in Tokyo District Court alleging that their personal information had been collected and disclosed unlawfully without their consent. The employees claimed that some 150 items of personal information, including names, addresses, physical descriptions, medical records, and notes of “character traits” were shared with their workplace union without their consent, in violation of the 2003 Personal Information Protection Act.
Japan Issues Guidelines for Working with Data Processors
The Japanese Ministry of Economy, Trade and Industry (METI) released new guidelines at the end of February requiring tighter oversight of data processors and restricting the kind of data they may receive. The guidelines have four major points: (1) the data processor may only receive data necessary to fulfill their designated duties; (2) the data processor must employ adequate data protection measures; (3) the data processing contract must state the measures the data processor will take to protect the data; and (4) the data controller must inspect the operations of the data processor from time to time.
March 2008
HR Groups Support New Federal Work Eligibility Bill
A group of HR organizations, led by the Society for Human Resource Management, is backing a federal bill that would replace the E-Verify program with one based on existing state systems used to locate non-child-support-paying parents. The New Employee Verification Act (H.R. 5515), introduced by Reps. Sam Johnson, R-Texas, Kevin Brady, R-Texas, and Paul Ryan, R-Wis, would expand the use of databases currently used by 90% of US employers and eliminate the paper-based I-9 process. Supporters claim the new approach would help prevent ID theft and be more reliable than the E-Verify program.
Patriot Act Chills Acceptance of Software-as-a-Service
Companies seeking to adopt web-based Software-as-a-Service (SaaS) applications are facing opposition from abroad over government access to information in the applications via the US Patriot Act. For example, employees at Lakehead University in Thunder Bay, Ontario have filed a grievance against the introduction of Google Gmail and other applications. Companies with European employees will need a legal basis to transfer personal information from Europe to servers located elsewhere, before they can begin using SaaS applications.
Breaches of HR Data Reach Peak Levels
Nine employers reported data breaches in March: Kraft Foods (20,000 employees impacted when a laptop was stolen from an employee who was migrating information from one computer to another as part of a systems project); MTV Networks (5,000 employees affected after an Internet connection in an employee's computer was compromised by someone outside the company); Nestle Waters North America (8,245 employees impacted by a theft of computer equipment from Systematic Automation Inc., a vendor of employee benefits statements); Presbyterian Intercommunity Hospital (CA) (5,000 employees also affected by the Systematic Automation breach); Nevada Dept of Public Safety (109 job applicants affected by the loss of a thumb drive by Crown, Stanley and Silverman, a vendor carrying out background checks); Rhode Island Dept of Administration (1,400 employees impacted by a computer disk that was missing after the relocation of an office); Broward School District (FL) (38,000 employees exposed to ID theft because of hacking by a high school senior); Agilent Technologies (51,000 employees affected when a laptop was stolen in San Francisco from a car of a vendor, Stock & Options Solutions); and Georgia Dept of Human Resources (information on an undisclosed number of current and former employees exposed when an external hard drive went missing).
Consultation on Use of RFID Chips in Workplace
The Privacy Commissioner of Canada opened a period of public consultation on uses of RFID technology in the workplace and issued a very informative and worthwhile 38-page consultation paper. The paper includes a list of questions that employers are invited to provide their opinions and feedback on. The deadline for submissions is April 30, 2008.
Research Shows Weak Wireless Security at Airports
Research conducted at 14 airports around the world by AirTight Networks found that less than 3% of users were protecting data on their laptops by using virtual private networks (VPNs). Most of the networks detected at airports used by the remaining 97% of users were completely unsecured, and many of those with some protection used easily-defeated security protocols such as WEP.