Privacy News

from HR Privacy Solutions

 

December 2011

Draft EU Reforms Would Have Significant Impact on Employers

Amongst the many changes proposed in the draft EU General Regulation released to the press, a number are of particular significance to multi-national employers:  (a) companies with operations in multiple EU member states would be subject to the jurisdiction of a single data protection authority, based on their main place of establishment in the EU; (b) requirements to notify DPAs about data processing activities would be eliminated; (c) use of consent as a legal basis for data processing would be outlawed in certain areas, such as the employment context; (d) requirements to provide individuals with information about data processing would be enhanced; (e) privacy by design and by default would be mandatory, as would privacy impact assessments in certain cases; (f) DPAs and affected individuals would have to be notified of data security breaches within 24 hours; (g) internal data protection officers would be mandatory for companies with more than 250 employees; (h) BCRs would be streamlined and their scope extended to include third party agents of data controllers; and (i) enforcement powers of DPAs would be strengthened, including the power to impose fines of up to 5% of a company’s annual worldwide turnover (i.e., revenue).

 

EFF Releases Guide for Safeguarding Data at U.S. Border

The Electronic Frontier Foundation issued an extensive report, "Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices," that outlines potential ways to protect private information, including data minimization and encryption.  The guide was prompted by the federal government’s claim that privacy protections guaranteed by the U.S. Constitution do not apply to electronic devices taken across borders, thereby allowing agents to search and seize such devices without any suspicion of wrong-doing, let alone a court warrant.

 

German DPAs Determined to Rein in Facebook

The Düsseldorfer Kreis, an informal body of all German Data Protection Authorities, published a decision broadening the application of German data protection rules to foreign social networks and setting very strict conditions for companies using fan pages and/or “like-buttons” on their websites. According to the German Data Protection Authorities, such companies are themselves responsible if the operator of a social network collects user data in a non-compliant way.  The Düsseldorfer Kreis in essence has adopted the view of the DPA in Schleswig-Holstein that the use of social plug-ins and “like-buttons” violates German data protection law.  While Facebook is the primary target of the DPAs, other social networks operating in Germany are also affected by the decision.

 

Quiet Month for HR Data Breaches

December was a quiet month for HR data breaches, with only three reported:  State of Tennessee (2,000 employees offered credit protection after a mailing related to cancellation of health or dental insurance was sent to the wrong addresses); Pulaski County Special School District (an undisclosed number of the Arkansas school system’s employees placed in jeopardy by the theft of a laptop from the home of a former employee); and G2 Secure (a database of personal information of over 8,500 employees of the Irving, Texas-based provider of aviation staffing and security services exposed by a hacker).

 

Canada Fails to Meet Mandatory PIPEDA Review Requirements

As noted by Michael Geist, a leading Canadian privacy academic, the House of Commons ended the year without completing the review of the Personal Information Protection and Electronic Documents Act (PIPEDA) mandated in the Act, which came into effect in 2001 and requires a Parliamentary review every five years.  The first review started in 2006 and led (after considerable delay) to the reforms found in Bill C-12, which is currently languishing in the House of Commons.  A second review should have started in 2011.  The consequences of the government’s failure to carry out the reviews are not clear, although privacy advocates will doubtlessly seize upon it as underscoring what they see as the Harper administration’s lack of interest in protecting privacy.

 

November 2011

Chinese Province Passes Comprehensive Data Protection Regulation

On September 23 the Standing Committee of the Jiangsu Provincial People’s Congress issued the Regulation of Information Technology, which will take effect on January 1, 2012. The Regulation includes comprehensive provisions on the collection and use of personal information and significant legal liabilities for violations.  Jiangsu Province is the first to implement a local rule on the protection of personal information that is not limited to a particular industry sector, but applies more broadly.  It contains requirements for notification, consent, collection only by legal means and purpose limitation, while banning unlawful disclosure to third parties.  Fines and possibly criminal sanctions may be levied against those violating the Regulation.

 

European Court of Justice Finds Spain in Breach of Directive

On November 24 the European Court of Justice ruled that Spain had not correctly transposed the balance of interests provisions found in Article 7(f) of the Data Protection Directive.  Article 7(f) allows personal data to be processed without consent if it is “necessary for the purposes of the legitimate interests pursued by the controller…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection.”  Spanish law, however, improperly restricted the scope of the balance of interest provisions to those involving processing of data that appears in public sources.  According to Ariane Mole, a Partner with Bird & Bird, such ruling should have a strong impact in a number of EU member states that, like Spain, have not correctly transposed Article 7(f), thereby leaving data controllers with little choice but to obtain consent.

 

Data Protection Laws Pending in Two More Caribbean Nations

The government of the Cayman Islands is currently reviewing draft legislation for a robust data protection framework, according to a report in the IAPP Daily Dashboard.  The Data Protection Law, modeled upon both the EU Data Protection Directive and the UK Data Protection Act 1998 and designed to secure an adequacy finding from the European Commission, is expected to be available for public comment shortly.  In Trinidad & Tobago the Data Protection Act passed by both houses of Parliament earlier this year and assented to on June 22 has yet to be proclaimed by the President.  A former High Court judge has stated that the act was not passed in a constitutional manner and may be largely unenforceable as a result.  The absence of provisions in the Act to protect the freedom of the press also appears to be an issue.

 

HR Data Breaches Dip in November

Five breaches of HR-related data were reported in November, two in the private sector: Monster Worldwide (a spreadsheet containing the names, job titles, dates of birth and SSNs of an undisclosed number of its employees exposed on the Internet since 2003) and LivingSocial (personal data of hundreds of current and former employees of the online social-buying company compromised by the theft of a laptop), and three in schools and colleges: MassBay Community College (personal information of all employees since 2002 exposed internally when a security function in the PeopleSoft database was not activated when the system was launched); Pennsylvania Public School Employees’ Retirement System (2,000 retirees impacted when an employee inadvertently posted an unencrypted file on a public website); and Brownsville Independent School District (personal data of an undisclosed number of employees of the Texas school district inadvertently posted on a public website).

 

Privacy Certification for Cloud-based Applications Expands

TRUSTe, an online privacy services provider, announced that it was partnering with GetApp.com, a business software marketplace, to make TRUSTe’s TRUSTed Cloud online privacy certification available to its more than 1,500 B2B SaaS application providers.  This service will enable application providers to reassure customers with transparent and easy-to-understand information about their privacy practices and handling of corporate data.  GetApp.com currently lists some 4,568 applications and tools in its business software directory.

 

October 2011

European Commission Says Safe Harbor Program Will Continue

The pending revision of the EU Directive (now expected in early 2012) has raised questions about the viability of the Safe Harbor Program under the revised data protection framework.  According to a report in Europolitics, a European Affairs daily, a Dept. of Commerce official said that "we have been assured by the European Commission that Safe Harbor will not be affected by changes in the Data Protection Directive".  While the program is expected to continue to provide a legal basis for importing personal data from Europe, participants with European operations are likely to face the need to make other adjustments in their privacy compliance programs when the new framework is announced.

 

Mandatory Privacy Training for Gov't Contractors Proposed

On October 14 the Department of Defense, the General Services Administration and the National Aeronautics and Space Administration published a proposed rule that would amend the Federal Acquisition Regulation (FAR) to require employees of federal government contractors who work with government records containing personally identifiable information to undergo privacy training on an annual basis. The rule also specifies seven elements that must be addressed in the training.

 

German DPAs Issue Rules for Cloud Computing Use

Late in September the German data protection authorities, meeting in Munich, issued an “Orientation Guide to Cloud Computing” that highlights the cloud customer's responsibility for full compliance with German data protection requirements.  The customer needs to know the identity of all sub-processors involved in the cloud computing services, and the agreement with the service provider must contain certain core elements of compliance, such as technical and organizational security measures, audit and control rights vis-à-vis any sub-processors, and all locations of data processing.  Customers also need to verify the validity and applicability of a provider’s Safe Harbor certification.

 

Modest Number of HR Data Breaches in October

Only five breaches of HR data were reported during October, including:  Securities and Exchange Commission (information about employee brokerage accounts, stored through the agency’s Ethics Program System, inappropriately disclosed to a sub-contractor of an SEC vendor, Financial Tracking Technologies); Idalex (an undisclosed number of employee personnel records left behind in an abandoned California plant near Modesto); PSE&G (a laptop stolen from the New Jersey utility exposed the names and SSNs of an undisclosed number of employees); AdvancePierre Foods (employee 401k data, including names, SSNs, dates of birth, and compensation amounts, exposed when an unencrypted flash drive went missing in the mail); Nemours (an undisclosed number of employees of the company’s Delaware, Pennsylvania, New Jersey and Florida health care facilities impacted by a missing filing cabinet containing 2004 back-up payroll tapes); and the University of Georgia (personal data of 19,000 employees left exposed on a university website since at least 2008).

 

Council of Europe Considers Amending Convention 108

On October 10-12 the Council of Europe’s Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (known as the “T-PD-Bureau”) met in Strasbourg to discuss amending the Council of Europe’s Convention 108 and Additional Protocol. These instruments constitute the only legally-binding international convention addressing data protection and their amendment is closely linked to the current review of the EU data protection framework.  One of the main topics was regulation of transborder data flows, including a proposal prepared by Hunton & Williams attorney Christopher Kuner on behalf of the International Chamber of Commerce.  Further discussion of the amendments will occur at a plenary meeting at the end of November.  Separately, the Council of Europe announced that it would push for adoption of Convention 108 as a global standard during the 33rd International Conference on Data Protection and Privacy Commissioners in Mexico City in early November.

 

Court of Appeals Rejects Whistleblowing System Approved by CNIL

A French Court of Appeals in Caen confirmed a lower court's order for the suspension of a whistleblowing system implemented by French company Benoist Girard, a subsidiary of American group Stryker.  The decision came as a surprise since it rejects the approval of the system by the French data protection authority (CNIL).  Benoist Girard had taken advantage of the CNIL’s General Authorization for whistleblowing schemes that fit within certain parameters, but then exceeded those limits, particularly with regard to allowing anonymous denunciations.  The CNIL was reported to have inspected the system and found it to be compliant.

 

September 2011

Irish DP Commissioner to Audit Facebook

Billy Hawkes, Ireland’s Data Protection Commissioner, announced he will conduct a privacy audit of Facebook’s activities.  Since Facebook’s international headquarters is in Dublin, all users outside the US and Canada could be affected by his findings.  His office decided to audit Facebook after an Austrian group, Europe v. Facebook, filed 22 complaints with his office over various practices of the social networking giant.

 

NLRB Issues Report on 14 Social Media Cases

The National Labor Relations Board released a report on 14 cases involving employers' policies that restrict employees' postings on social media sites. Many of the cases turn on distinguishing individual gripes from collective or concerted activities, the latter being protected under the National Labor Relations Act (NLRA).  Subsequently, an Administrative Law Judge ruled that Hispanics United of Buffalo had to rehire and provide back pay to five workers fired after posting comments about a co-worker and their employment with the company on Facebook.  The judge found that the Facebook communications were a "protected concerted activity" under the NLRA.

 

Interest in Local Clouds Grows in Europe

Concerns about U.S. government access to cloud data under the Patriot Act continued to grow in Europe, with Deutsche Telekom promoting a “German Cloud” to store and shield local data and pressing regulators to introduce a certification system for German and European cloud providers that could be used for competitive advantage.  In the Netherlands, the government was preparing to ban its own use of U.S. cloud services, such as Google Docs and Dropbox, on similar grounds, but then stayed the decision pending further inter-governmental efforts to resolve the conflict.

 

Nine HR Data Breaches in September

Apart from the massive SAIC breach (4.9 million members of the military and their families at risk following the theft of a back-up tape from a SAIC employee's car), there were eight other breaches of employee data reported in September:  Veterans Affairs (518 veterans impacted by a breach at a VA facility in Danville, IL and 1,814 by a breach at a VA facility in Biloxi, MS); U.S. Army (25,000 retirees affected by the loss in the mail of a CD containing their sensitive benefits information); El Paso Independent School District (names, addresses, SSNs and dates of birth of 9,000 employees compromised by a network hack); US Steel Mining (4,000 retirees and dependents impacted when a CD with their information was lost in the mail); Penn Foster (500 employees of the Pennsylvania firm affected by the theft of a home computer and sensitive papers); Intelligence and National Security Alliance (names and e-mail addresses of hundreds and possibly thousands of U.S. intelligence officials, government executives and defense industry contractors posted on the Internet by hackers); and the Legislative Data Center, Sacramento (50 employees participating in a flexible-benefits program warned that their personal information had been obtained by a hacker).

 

Directive Reform Likely to be Delayed

The European Commission's publication of its reforms to the Data Protection Directive will likely be delayed beyond the expected November deadline.  Matthew Newman, a spokesperson for European Commission Vice President Viviane Reding, told the IAPP Europe Data Protection Digest on September 29 that “this is a comprehensive reform” and the timing for publication is “within 20 weeks.”  It was not clear from the report whether the 20-week extension would begin at the time of the spokesperson’s remarks or at the end of November. The former would extend the release of the Commission’s proposals until the end of February 2012; the latter would extend the release until the end of April 2012.

 

Costa Rica Enacts Data Protection Law

The Costa Rican Law on Personal Data Protection No. 8968 came into force on September 5. The law, modeled upon European precedents, regulates manual and automatic data processing and applies to both public institutions and private companies.  It establishes a Data Protection Agency (Prodhab) and includes a mandatory registration requirement.  Costa Rica becomes the seventh nation in Latin America to enact comprehensive data protection legislation, after Argentina, Chile, Colombia, Mexico, Peru and Uruguay.

 

August 2011

Data Protection Laws Now in 76 National Jurisdictions

In a special report for Privacy Laws & Business, Australian Professor Graham Greenleaf has identified comprehensive data protection legislation in 76 national jurisdictions around the world as of July 30, 2011.  His findings are summarized in a table listing the jurisdiction, the name of the law, its dates of enactment and latest amendment, the region, information about European findings of adequacy, status as a Council of Europe member and a ratifier of Convention 108 and its optional protocol, and other international commitments.  Countries of some prominence that have flown under the radar of HR Privacy Solutions include Albania, Angola, Bosnia & Herzegovina, Croatia, Kyrgyz Republic, Mauritius, Montenegro, Senegal, and Serbia.  India was notably included in the list, by virtue of its new rules under Section 43A of the Information Technology Act 2008.  Accompanying the table was a detailed and insightful analysis of trends and timelines revealed by the data set.  Professor Greenleaf indicated his intent to make a periodically updated version of the table available on his website.

 

Massachusetts Data Security Regs Require More Than a WISP

In its first settlement over allegations of violations of the state’s rigorous data security regulations, the Massachusetts Attorney General’s Office found that the Belmont Savings Bank’s written information security plan (WISP), while necessary, was insufficient to demonstrate compliance with the regulations.  Specifically, the Bank failed to encrypt personal information on laptops and mobile devices, failed to store and secure back-up tapes properly, and failed to train its employees in data security policies and procedures.  The Bank agreed to pay a $7,500 fine and follow the provisions of its own WISP.

 

NLRB Issues Guidance on Social Media Policies in Workplace

After bringing a number of enforcement actions against employers for over-reaching social media policies, the National Labor Relations Board (NLRB) issued three advice memoranda that clarified its position on acceptable policies.  According to the NLRB, an employer's social media policy or practice only violates the National Labor Relations Act when the policy or practice is used to stop or specifically target concerted organizing activity.  Employers do not have to tolerate disparaging remarks about their company, managers, employees or customers simply because an employee makes that remark on Facebook or another social media site.  Separately, the U.S. Chamber of Commerce issued a comprehensive report entitled “Survey of Social Media Issues Before the NLRB” providing a wealth of information about NLRB decisions in this area.

 

Seven HR Data Breaches in August

Breaches of employment-related data slowed a little in August, with only seven organizations announcing losses:  Fort Dodge Correctional Facility (names, SSNs and other personal information of an undisclosed number of the Iowa prison’s employees left in an unsecured location accessible to inmates); Allianceforbiz.com (20,000 government employees and contractors impacted by the hacking of an events management company); Bay Area Rapid Transit (personal information of over 2,400 BART employees deliberately posted on the Internet as retaliation by the hacker group #Anonymous, following protests over fatal shootings by BART police); Reznick Group (an undisclosed number of employees of the top 20 national CPA firm affected by a computer security breach experienced by AssureCare Risk Management, a former service provider for the firm’s employee benefits plan); City of Pittsburgh (at least 29 police officers, public safety employees and others victimized by ID theft, with the source of the breach not known); and Lexington VA Medical Center (1,900 veterans warned that their personal details were made vulnerable when an employee took patient files home in violation of the Kentucky hospital’s policy).

 

Indian Gov't Exempts Outsourcers from Consent Requirements

On August 25, in response to pressure from the $14 billion Indian BPO industry, the government clarified the new rules under Section 43A of the Information Technology Act to exempt outsourcers from the need to obtain the written consent of data subjects of information received from clients outside India.  As predicted, this requirement applies only to “bodies corporate” operating within India.  Both IT lobby NASSCOM and the Data Security Council of India (DSCI) welcomed the statement issued by the Ministry of Communications & Information Technology (MCIT).

 

Details Emerge about New DP Law in Peru

An English translation of Peru’s Law for Personal Data Protection, signed into law in July, shows that a data protection authority, the National Authority for Personal Data Protection, will be established and given the ability to levy fines for violations of the law.  In addition, a National Register of Personal Data Protection will be developed to record, for a fee, publicly or privately administered databases of personal information, as well as authorizations issued by the Authority pursuant to the law.

 

July 2011

NIST Issues Privacy Controls for Federal Information Systems

The National Institute of Standards and Technology proposed adding privacy controls to its catalog of security controls for federal information systems, by releasing a draft 34-page Privacy Appendix for public comment through September 2, 2011.  The 23 controls specified in the draft provide a structured way of assessing and ensuring that privacy requirements, deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance, as well as from international standards and best practices, are satisfied in federal information systems.  Examples of the controls include transparency, data minimization, use limitation, data quality, and individual access and redress.

 

Article 29 WP Issues Opinion on Consent

On July 13, the Article 29 Working Party, an independent advisory body to the European Commission, issued a 38-page opinion on the definition of consent.  The opinion elaborates the meaning of key terms used in describing the conditions for valid consent, such as indication, freely given, specific, unambiguous, explicit and informed, and addresses the proper timing of consent.  Numerous examples of valid and invalid consent are provided in this extended analysis, which also affirms the importance of using the appropriate legal grounds for processing personal data. The opinion paper concludes with a few recommendations relating to consent that the Working Party believes should be considered during the current review of the Data Protection Directive.

 

No Summer Holiday for HR Data Breaches

Nine breaches of HR data were reported in July:  Washington Post (user IDs and e-mail addresses of 1.3 million users of the newspaper’s online job section compromised by hacking); Nyack Hospital (NY) (1,400 current and former employees exposed to ID theft by the theft of a computer); Estée Lauder (an undisclosed number of employees and contractors impacted by the theft of a laptop); Swedish Medical Center (WA) (personal information, including SSNs, of 20,000 current and former employees made accessible on the Internet unintentionally); TSA (dozens of TSA employees at Sky Harbor International Airport suffering loss of banking information and deposits possibly via credit card skimming); Meridian Health System (an undisclosed number of employees jeopardized by the overnight theft of computer equipment from the home of an employee in Asbury, NJ); Lumberton Independent School District (TX) (theft of a laptop from a car impacting an undisclosed number of employees); JetBlue (an undisclosed number of employees impacted by the placement of malware on a corporate system); and Pfizer (a laptop stolen from an employee’s car potentially revealing personal information of an undisclosed number of employees).

 

Russia Amends Federal Data Protection Law

In early July the upper house of Russia's federal legislature approved amendments to the country's federal data protection law which were subsequently approved by President Medvedev on July 26. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute's data subject consent provisions. The amendments, to be followed by interpretive regulations, will come into force when they are published in the official newsletter.  Russia’s underlying federal data protection law finally came into effect on July 1, after five years of delays.  The new rules allow personal data to be transferred outside of Russia to EU member states or to nations that are approved by a Russian federal agency authorized to designate countries that can guarantee adequate protection for personal data. In addition, personal data may be transferred with the prior written consent of data subjects, or if required by Russian federal legislation or international treaties.

 

Privacy Law Reform Revived in Australia

According to Malcolm Crompton, former Federal Privacy Commissioner, the process of reviewing and reforming the Privacy Act 1988, the main law protecting privacy in Australia, was all but stalled in recent years but now has been revived by the Minister for Privacy, Brendan O’Connor.  His July 21 call for a consultation on whether to introduce a statutory cause of action for serious invasions of privacy rapidly led to a renewal of interest in reforming other portions of the Act.  The revival was also spurred by the late June release of a 292-page report on the exposure draft of the Australian Privacy Principles and privacy legislation by the Senate Finance and Public Administration Committee.

 

June 2011

FTC OKs Company that Scours Internet for Employers

The Federal Trade Commission dropped its investigation of Social Intelligence Corporation, finding no reason to conclude that the start-up, which provides an Internet and social media screening service to employers, did not comply with the Fair Credit Reporting Act.  The decision means that the company can locate and sell adverse information it finds about applicants and employees and may legally retain the information for seven years.  The service also searches for evidence of employees’ disclosure of confidential or proprietary information, professional misconduct, or illegal activity.

 

Facebook Facial Recognition Provokes New Privacy Firestorm

Facebook’s roll-out of facial recognition functionality on a default rather than opt-in basis raised the hackles of privacy advocates, legislators and European regulators, prompting a next-day apology from the company.  The new feature automatically recognizes the identity of individuals in photos posted on a user’s pages and suggests approving the tagging of those photos with the names, whether the individuals depicted have agreed to such tagging or not.  The Article 29 Working Party and privacy commissioners in Ireland, Germany and the UK said they will investigate the matter.  In the U.S., EPIC filed a complaint with the FTC about the practice, calling it a “biometric data collection” scheme that violates privacy and adversely impacts consumers.  Connecticut AG George Jepsen requested a meeting with company officials about the privacy risks involved.

 

State Employees Bear Brunt of Month's HR Data Breaches

Following April’s massive data breach impacting 3.5 million employees, Texas state employees were again placed in jeopardy by two breaches reported in June, one by the Texas Department of Assistive and Rehabilitative Services (4,900 employees impacted by a breach of an undisclosed nature) and the other by the Teachers Retirement System of Texas – Austin (personal information of an undisclosed number of retirees exposed through the window of TRS envelopes mailed to banks).  In Arizona, the hacking group LulzSec breached the website of the Arizona Department of Public Safety and posted the names, addresses, phone numbers and passwords of Arizona law enforcement members and their spouses on the Internet.  The breach may be the first time that a hacking group has intentionally exposed employee information for political purposes, in this case opposition to the state’s immigration policies.  In California, 9,000 current and former employees of the California Department of Public Health were informed that their personal information had been inappropriately copied to a private hard drive and removed from state offices; the employee copying the data was later identified and placed on leave pending completion of an investigation.  The CDPH experienced another breach back in December.  In the only breach reported by a private employer in June, Automatic Data Processing (ADP), the world’s largest payroll company, said it had become the latest big financial company attacked by cyber criminals.  The breach it reported was limited to a single client and occurred at Workscape, a benefits administrator ADP recently bought.  The number of employees impacted was not disclosed.

 

Peru Enacts Comprehensive Data Protection Law

Peru became the latest Latin American nation to enact omnibus privacy legislation, with Congress passing the Personal Data Protection Law on June 7 and outgoing President Alan Garcia signing the bill into law on July 2.  The legislation, which follows European precedents and includes database registration requirements, is expected to improve the development of technology and related industries such as call centers.

 

Colombia and Senegal Poised to Enact DP Laws

According to news surfacing in June, data protection laws are expected to be put in place shortly in both Colombia and Senegal.  A report in IAPP’s Privacy Advisor on the recent Iberoamerican Data Protection Conference held in Colombia described the country as being “on the verge” of enacting its comprehensive data privacy law.  According to a brief note in the Privacy Journal, Senegal will soon enact its new data protection law, with an 11-member watchdog commission headed by the legal advisor to the President.

 

May 2011

India Adopts Comprehensive Privacy Regulations

On April 13, following a brief public consultation, India’s Dept. of Information Technology quietly issued final regulations implementing those parts of the Information Technology (Amendment) Act, 2008 that deal with protecting personal information.  The regulations are comprehensive in scope, applying to all organizations that collect and use personal data in India and imposing obligations typically found in omnibus data protection laws. Organizations are required to provide notice to individuals, create privacy policies, grant access and correction rights, and establish dispute resolution processes.  With a few narrow exceptions, sensitive personal data (defined broadly to include passwords; financial information; data about physical, physiological and mental health conditions; sexual orientation; medical records and history; and biometric information) may be collected, processed and disclosed only with prior written consent.  Reasonable security measures, as described in a comprehensive written security program and policies, must be followed, modeled upon ISO 27001 or other recognized standards, with independent audits carried out at least once a year.  Penalties for violations include up to three years’ imprisonment, small fines or both, with company directors subject to liability claims.

 

FTC Settles Data Breach Charges against Ceridian

The Federal Trade Commission reached a settlement agreement with Ceridian, a major provider of payroll and HR services, stemming from a breach of payroll data in 1,000 small client companies that was reported in February 2010.  According to the FTC, Ceridian did not adequately protect its network from reasonably foreseeable attacks and stored sensitive personal information in clear, readable text on its network.  The settlement requires the company to establish a comprehensive information security program and to undergo 20 years of independent security audits.

 

Disney Employees Sue over Exposure of SSNs

Employees of two California hotels run by Walt Disney have filed a class action lawsuit on behalf of 20,000 workers, charging that the company compromised workers’ personal information and privacy by embedding SSNs in their ID cards.  Mobile phone barcode scanners can read and interpret the unsecured data on the ID cards, the lawsuit alleges.  The plaintiffs also charge that Disney stores former employees’ cards in an unsecured location, making them susceptible to theft or misuse.

 

Three Sets of Cloud Computing Guidelines Issued

Cloud computing guidelines were issued in May in Washington, Germany and Australia.  The National Institute of Standards and Technology (NIST) released Draft Special Publication 800-146, NIST Cloud Computing Synopsis and Recommendations, for public comment.  According to NIST, this document explains cloud computing technology in plain terms and provides practical information for information technology decision makers interested in moving into the cloud.  The German Federal Office for Information Security (BSI) issued the final framework paper describing the minimum requirements for information security for cloud computing services. According to the BSI, the paper provides “Best Practices” and serves as a basis for discussion between cloud computing service providers and cloud users.  The Office of the Victorian Privacy Commissioner published Cloud Computing guidelines for public sector organizations that show how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies.

 

Five HR Data Breaches in May

Continuing the ebbs and flows of HR data breaches over the last year, only five employment-related data breaches were reported in May.  The largest involved the Massachusetts Executive Office of Labor and Workforce Development, which reported that a virus had corrupted computers at the state unemployment agency, exposing sensitive personal information of 210,000 out-of-work residents to criminal hackers.  Other breaches included the U.S. Securities and Exchange Commission (SSNs and other payroll information for about 4,000 workers included in an unencrypted e-mail that slipped through monitoring software); San Juan Unified School District, CA (personal data of 4,000 employees compromised when a staff member copied sensitive data onto a flash drive to work at home, but accidentally uploaded it to a church website); Domino’s Pizza (copies of SSN cards, driver’s licenses and other documents from hundreds of employee personnel files found in a dumpster in Fisher, IN); and Fox Broadcasting (a database containing e-mail addresses and passwords of 300 employees stolen by a hacking group called Lulz Security).

 

Italy Reduces Regulatory Burden of DP Code

On May 5 the Italian Government's Council of Ministers passed a decree aimed at reducing red tape obligations for Italian data controllers and saving them €600 million. The decree amends the Italian Data Protection Code by eliminating the applicability of data protection laws to legal persons such as companies, if the processing is only for administrative or accounting purposes. It also simplifies the notification obligations under many circumstances for companies that process personal data of their own employees and contractors, as well as their spouses or relatives, allowing such companies to self-certify, as opposed to notifying the Garante.  Finally, the new decree also simplifies requirements relating to giving privacy notices to job applicants.

 

April 2011

Maryland Restricts Employer Use of Credit Information

With enactment of its Job Applicant Fairness Act, Maryland joined Hawaii, Illinois, Oregon, and Washington in prohibiting employers from using an applicant's or employee's credit report or credit history in making employment decisions in the absence of “substantially job-related” or legal requirements.  Similar legislation is pending in California, Florida, New Jersey, New York and Pennsylvania.

 

Firestorm Erupts over Secret iPhone Tracking

UK researchers found that Apple iPhones and iPads using iOS 4 track users' locations and store the data in an unencrypted file on the devices and their owners’ syncing computers.  The FCC and Congress were reported to be looking into the tracking, which may violate federal communications law as well as Apple’s own privacy policy; privacy regulators in Germany, Italy, France and Korea also began investigations.  In Florida and New York, class action lawsuits were filed against Apple over the location tracking.  New research reported in the Wall Street Journal shows that Google also collects vast amounts of location data through its Android cell phones. Within a week of the revelations about iPhone tracking, Congress broadened its investigation of location tracking to include Google, Microsoft, HP, Nokia and Research in Motion.  A week after the tracking was publicized, Apple issued a statement denying that it was tracking iPhone users but admitting that the devices were storing more location information than necessary because of a software bug that it intended to correct.

 

Massive HR Data Breach in Texas, Plus 10 Others

In what is believed to be the largest breach ever of personal information in Texas, the State Comptroller’s Office revealed that the names, SSNs, dates of birth, driver’s license numbers and other data of 3.5 million current and former state employees were inadvertently left exposed on a publicly accessible state computer server site for a year or longer. Ten other breaches of HR data were reported in April, including:  U.S. Airways (personal information of 3,000 pilots exposed by an inappropriate sharing of an Excel file by a management employee); Hartford Financial Services Group (300 employees and contractors impacted by installation of password-stealing Trojans on a number of the company's servers); Peace Officers Research Association of California (personal information of 2,000 retired public safety officers exposed through hacking); Schield Family Brands (87 of the Wisconsin firm’s 12,000 employees victimized by ID theft arising from an undetermined breach); GM Lansing assembly plant (50 workers reporting fraudulent use of their credit cards, with the means by which the card numbers were obtained not known); ABM Industries (an undisclosed number of employees jeopardized by the theft of computer equipment from an Atlanta office); UMass Memorial Healthcare (an undisclosed number of employees impacted by exposure of their personal information on misconfigured HRConnect self-service kiosks); VA Medical Center in Aiken, SC (paper records of over 2,500 veterans discovered in the trash); Town of Barton, VT (personal information of 150 employees compromised by spyware on a payroll computer); and Applied Micro Circuits (an undisclosed number of employees impacted by the theft of an unencrypted laptop from a car).

 

Article 29 WP Backs Adequacy Finding for New Zealand

The Article 29 Working Party issued an opinion finding that New Zealand’s newly-amended privacy laws provide an adequate level of protection for personal data received from Europe.  Concerns about weaknesses in various aspects of the New Zealand law, such as in onward transfers of European data to third countries, were offset, according to the Working Party, by the low probability that European data would be involved, given New Zealand’s small footprint and great distance from Europe.

 

Mexican DPA Expects Company Compliance to Begin in July

Mexico's data protection authority will not rush to carry out compliance inspections or take enforcement actions when rules implementing the country's new data protection law begin taking effect in July, according to the Instituto Federal de Acceso a la Información Pública (IFAI).  However, as soon as the implementing rules are published, the government expects businesses and other covered entities to begin following the basic requirements that they appoint an individual to be in charge of data protection and establish written data security and privacy policies.  Full enforcement will begin in January 2012.

 

South Korea Enacts Comprehensive Privacy Law

On March 29 South Korea’s President signed the Act on the Protection of Personal Data, based upon a comprehensive set of data protection principles governing the collection, use, sharing and disposal of personal data.  The rules, which will apply to 3.5 million public and private sector businesses and organizations, will come into effect on September 30, 2011.  They include data breach notification requirements and a new right to file class action lawsuits over alleged violations of the Act.  The omnibus law will establish a centralized data protection planning and enforcement system in the form of a new presidential committee.  The need for the new law was underscored in April as a survey revealed that 50% of Korean Internet users have had their personal data leaked online and a massive data breach was reported by Hyundai Capital.

 

March 2011

FTC Announces Landmark Settlement with Google

On March 30 the Federal Trade Commission announced a proposed settlement with Google over the company’s 2010 rollout of its Buzz social network, a rollout that spawned thousands of complaints about the involuntary disclosure of users’ e-mail address lists.  Under the precedent-setting terms of the settlement, Google will be required to establish a comprehensive privacy program monitored biennially by an independent auditor for the next 20 years, and prohibited from making future privacy misrepresentations.  The settlement also alleges that Google had substantively violated its Safe Harbor commitments, this being the first time the FTC has leveled such charges against a participating company.  Google will be required to obtain users’ explicit affirmative consent before sharing their information with third parties if its products or services are changed in a way that results in information sharing contrary to any privacy promises made when the user’s information was collected.  The agreement containing a consent order will be open for public comment through May 2.

 

What Location Tracking Looks Like

Malte Spitz, a German politician and privacy advocate, used the access provisions of German privacy law to force his cell phone company to reveal what it knew about him.  The results were 35,831 different facts about his cell phone use over the course of six months, which were then published in an online interactive map that traces his movements, moment by moment, over the course of half a year. The New York Times, which described the released data as “astounding,” said it was rebuffed by major U.S. cell phone carriers when it tried to find out if they have similar data about their subscribers.  Following the New York Times article, a bipartisan group of legislators gave the four major carriers 15 days to clarify their practices with respect to tracking data.

 

Employers May be Getting the Message on Breaches

The number of HR data breaches reported in March fell to a near-record low, with only one corporate employer and three educational organizations admitting losses:  Lone Star Business Solutions (the third party payroll and HR provider to Lone Star Restaurants exposed an unknown number of employees and applicants to ID theft by disposing of thousands of documents in an unsecured dumpster in Wichita); Bloomfield Hills School District (names and SSNs of 321 employees inadvertently distributed in an Excel spreadsheet to parents in the Michigan school district); Walnut Township School District (an undisclosed number of employees impacted by someone hacking into the Ohio school district’s payroll system); and Midlands Technical College (personal information of 500 employees of the South Carolina college exposed when a flash drive disappeared from the HR office).  Note: Losses at educational organizations – which are legion – typically mention students, applicants, faculty, staff, etc. and are only included in this monthly summary when they are either restricted to employees or mention an explicit number of employees.

 

Reding Outlines Four Pillars of New European DP Rules

EU Justice Commissioner Viviane Reding, speaking at a parliamentary conference in Brussels, said that the new data protection rules, to be finalized this summer and put in front of Parliament, are to be based on four pillars: the right to be forgotten, transparency, privacy by default and data protection regardless of data location.  Reding also emphasized that third parties that process EU citizens' data outside of the EU, such as a U.S.-based social networking company, must comply with European rules.  The Commission was reported to have not yet decided whether the revised legal instrument should be in the form of a directive or turned into a regulation which would be directly binding on member states.

 

Germany Strengthens “Irredeemability” of Internal DPOs

The German Federal Court of Labor ruled in March that an internal data protection officer's appointment cannot be terminated simply because the employer wishes to outsource the position to an external data protection officer.  Under the terms of the revised Federal Data Protection Act, internal DPOs can only be terminated with good cause, such as misconduct or incompetence.  The ruling is expected to significantly increase the incentives companies have to appoint external data protection officers.

 

Implementing Rules for Mexico's Privacy Law Expected in July

Mexico's data protection oversight body, the Federal Transparency and Data Protection Institute, has indicated that it expects the draft implementing regulations that will bring into effect the new Mexican federal privacy statute to be ready in July of this year.  A public consultation will be held on the draft regulations.  Enforcement of the new comprehensive data protection law is not expected to occur until 2012.

 

February 2011

NLRB Reaches Settlement in Facebook Firing Case

The National Labor Relations Board reached a settlement with American Medical Response of Connecticut over the firing of an employee who had posted negative comments about her supervisor on her Facebook page, calling him a mental patient.  In a press release the NLRB stated that “Under the terms of the settlement,… the company agreed to revise its overly-broad rules to ensure that they do not improperly restrict employees from discussing their wages, hours and working conditions with co-workers and others while not at work, and that they would not discipline or discharge employees for engaging in such discussions.”  The company settled allegations relating to the firing privately with the employee.

 

Companies Clamp Down on Facebook, Twitter at Work

According to a study commissioned by Robert Half Technology, more than half (54%) of American companies say they've banned workers from going to Facebook, LinkedIn, MySpace and Twitter while on the job.  It also found that 19% of companies allow social networking use only for business purposes, and only 16% allow limited personal use.  Only 10% of the 1,400 CIOs interviewed for the study said that their companies allow employees full access to social networks during work hours.

 

Ebb and Flow of HR Data Breaches Continues

The number of HR data breaches reported in February dropped to only five:  Oregon Dept. of Corrections (at least 550 of 4,500 employees exposed to ID theft by the loss of a thumb drive); NYC Health & Hospitals Corp. (personal data of 1.7 million patients, hospital and contract employees and others lost when computer backup tapes were stolen from the unlocked truck of a data storage and transport vendor, GRM Management Information Services, that was subsequently sued by the corporation); Ohio Department of Job and Family Services (more than 8,000 state child-care providers receiving letters from the state’s payroll provider, Affiliated Computer Services, with their SSNs displayed on the outside of the letter); Loud Technologies (an undisclosed number of employees impacted by the theft of a computer from the company’s premises); and FirstGroup America (an unknown number of employees jeopardized by the loss of an unencrypted thumb drive on a bus in Cincinnati).

 

Art 29 WP Responds to European Commission Consultation

The Article 29 Working Party released a 6-page response to the European Commission’s request for input on its recently-released outline of a new data protection framework in the European Union.  Amongst the key recommendations of the Working Party were the following:  development of a mechanism for “collective redress,” under which DPAs and civil society organizations could bring actions in courts on behalf of data subjects; explicitly incorporating accountability requirements into the obligations of data controllers; extending “privacy by design” obligations from data controllers to developers and manufacturers of new products and services; incorporating mutual recognition procedures for BCR approvals into the new framework; and strengthening the autonomy and independence of the Working Party, for example by giving it the ability to issue opinions of a more binding character.

 

Philippines Data Protection Bill Passes 2nd Reading

A comprehensive data protection bill, the Data Privacy Act, advanced in the Philippines by passing a second reading in the House of Representatives.  The bill would protect and enforce fair practices in the collection and use of personal details kept in computer systems in the government and private sector, with oversight provided by a National Data Privacy Commission.  Its sponsors said that “the measure would prevent the misuse of personal facts in computer systems, including identity theft; reinforce consumer confidence in electronic commerce; and build up the country's business process outsourcing (BPO) activities.”  A counterpart bill is pending in the Senate.

 

Omnibus Data Protection Law Coming in Colombia

Colombia is close to enactment of a comprehensive data protection bill inspired by the 2009 Madrid Resolution, according to a report in a Privacy Laws & Business newsletter.  Statutory bill 46 of the House of Representatives builds upon a 2008 law and creates general provisions for the protection of personal data.  It was passed by the Colombian Congress last December and is pending a review by the Constitutional Court before being signed into law later this year.  Call-centre business is regarded as a driving force behind the legislation.

 

January 2011

Supreme Court Rules in NASA Background Investigation Case

Overturning a lower court decision, the Supreme Court ruled unanimously that background checks conducted on independent contractors at a NASA facility were carried out for a legitimate purpose in a reasonable manner, even though they did intrude on privacy to some degree.  Justice Samuel Alito, writing for himself and five other justices, said the court was willing to assume, for the purposes of deciding the case, that the U.S. Constitution does in fact guarantee a right to informational privacy.  Even so, he said, the federal law requiring background checks of private contract employees does not violate that privacy right. Justices Scalia and Thomas argued that there is no such right in the Constitution.

 

E-Verify Fray Continues, as Errors Persist

Two new state governors entered the fray over E-Verify, with Florida’s governor issuing an executive order requiring that the federal employment eligibility database be used to vet all current and prospective employees and Rhode Island’s governor rescinding his predecessor’s executive order requiring use of the system.  Many observers believe that legislation mandating the use of E-Verify is likely to be introduced in Congress, even though a January 18 report by the Government Accountability Office found persistent and significant problems with the accuracy of the database and the ability of those wrongly found ineligible for employment to secure timely redress.

 

Eight HR Data Breaches in January

After slowing last month, the pace of HR data breaches picked up in January, with eight breaches reported:  Pentagon Federal Credit Union (a hacked laptop, exposing personal and banking information of an undisclosed number of up to a million active-duty military personnel and others connected to the Pentagon); South Carolina Budget and Control Board (5,600 state workers in jeopardy of ID theft when an employee of the Board’s Employee Insurance Program opened an e-mail attachment containing malware); Ember Corporation (data of 50 current and former employees of the Boston-based company exposed when a package shipped via FedEx by Ceridian, its payroll provider, arrived in a manner suggesting tampering in transit); KBR (an undisclosed number of employees of the Houston-based firm impacted by the theft of a laptop); Omaha Public Schools (more than 4,300 current and former employees impacted by a computer attack on the Omaha School Employees Retirement System website); New Mexico National Guard (650 Guardsmen placed in jeopardy by the theft of a computer from the National Guard’s Santa Fe headquarters); Seabury & Smith (an undisclosed number of ITT workers impacted when sensitive personal information was exposed on the Internet due to a programming error by the company’s Marsh U.S. Consumer subsidiary); and the Washington State Employment Security Division (as many as 1,000 employees potentially victimized by a man, recently arrested, who stole HR paperwork last year from a car parked on the state Capitol campus).

 

European Commission Reaches Adequacy Determination for Israel

The European Commission published its decision, reached in October 2010, that Israel provides an adequate level of protection for personal information.  The decision follows a recommendation to this effect by the Article 29 Working Party.  It allows for simplified personal data transfers between EU countries and Israel. Israel is one of only a handful of countries to have obtained adequacy status.

 

German Regulators Challenge Google Over Analytics Program

German web companies could face hefty fines for using Google Analytics, its online metrics service, after data protection officials broke off talks with the U.S. internet giant this week and threatened to pursue a precedent-setting court case.  Johannes Caspar, the Hamburg Data Protection Commissioner who brought the company’s Street View practices to light, had been negotiating with Google since November 2009 over its collection and processing of IP addresses, including their transfer to the United States.  Also in January, the data protection authority for Rhineland-Palatinate issued a press release underscoring its position that Google Analytics is an illegal program.  German companies with websites that use Google Analytics are likely to be the immediate target of enforcement actions.

 

Russia Again Delays Enforcement of Data Protection Law

Once again, President Dmitry Medvedev signed a bill into law amending the Federal Law Regarding Personal Data and postponing the implementation of certain requirements, according to a December 27 presidential press-service statement.  The amendment moves the required compliance date for database operators from January 1, 2011, to July 1, 2011. The implementation date has been moved back several times from its original date of January 26, 2007, possibly reflecting the government’s uncertainty as to how to rewrite some strict provisions that many businesses regard as unworkable.

 

December 2010

FTC Proposes New Privacy Framework

On December 1 the Federal Trade Commission issued its long-anticipated position paper outlining a new approach to privacy protection for consumers, businesses and policymakers.  Contending that online companies have failed to protect the privacy of Internet users, the 79-page preliminary staff report proposes a framework calling upon companies to abide by three principles: privacy by design, simplified choice, and greater transparency about data practices. Notable features of the report include support for the creation of a “Do Not Track” mechanism; the designation of certain data usage activities, such as order fulfillment, as “commonly accepted practices” that do not require notice and consent; and recognition that technological advances have made the distinction between personally-identifiable information and non-personally identifiable information irrelevant.  The FTC’s interest in protecting employee data is also mentioned at several points in the report.  The new framework is said to build upon the FTC’s notice-and-choice and harm-based privacy models, while also addressing some of their limitations.  The possibility of recommending new legislation is mentioned only in connection with the creation of the “Do Not Track” mechanism.  Public comments on the report were requested by January 31, 2011.

 

Commerce Releases Privacy Policy Report

Two weeks after the FTC released its new privacy framework, the Dept. of Commerce unveiled its own green paper on privacy. The 69-page DOC report, developed by the agency’s Internet Policy Task Force, recommends the development of what it calls “a privacy bill of rights” based upon an expanded set of fair information privacy principles, creation of a privacy office within the agency and consideration of a national data security breach notification law. Among the issues the DOC is seeking further comment on during January, besides whether “baseline” privacy legislation should be enacted, are how the privacy principles should be enforced, whether the FTC should be given expanded rule-making authority and whether privacy legislation should include a private right of action for consumers.

 

Firing Data Security Whistleblowers Not a Good Idea

Ruling in Cutler v. Dike, a California state appellate court upheld a jury finding that an employer illegally fired an employee because he objected to the manner in which his employer maintained its confidential patient information. This decision, along with a similar New Jersey federal court decision in Zungoli v. UPS, reinforces the need for employers to take all employee complaints of data security seriously and to avoid taking any retaliatory action against employees who voice these complaints.

 

HR Data Breaches Slow in December

Only four breaches of HR data were reported in December:  Saint Louis University (a breach of the university’s computer system impacting an unknown number of employees); Wackenhut Services (a hard drive lost in transit from Iraq to the U.S. containing personal information of an undisclosed number of employees of the security firm); Concur Technologies (1,017 employees exposed to ID theft when thieves broke in and stole computer equipment and software from a Washington office over the Thanksgiving weekend); and Kmax Systems (job applications with personal information of an unknown number of candidates found in a dumpster in Orlando, annotated with inappropriate comments of interviewers).

 

Garante Halts GPS Tracking of Employees

The Italian data protection authority, the Garante, ordered a company to stop processing personal data of its employees collected by means of the installation of GPS systems on company vehicles. The Garante found that according to the Workers Statute (Law No. 300/70) it is possible to install employee localization systems only on the basis of an ad hoc union agreement or permission of the local labor office, which was not done.  Companies wishing to install GPS tracking systems need to get authorization from the local labor office and also inform the Garante about the processing of the data and who will be authorized to access the information.

 

Brazil Launches Consultation on Data Protection Bill

The Brazilian Ministry of Justice published a draft data protection bill on November 20, 2010, with a public consultation on the bill running through January 31.  According to a DataGuidance report, the Bill would introduce for the first time a general law on data protection in Brazil, which has so far relied on the Constitution and Consumer Code to protect the privacy of its citizens. Judging from the description of key principles in the bill, namely the proportionality, necessity and purpose principles, the creation of a National Data Protection Board, the definitions of personal information and sensitive personal information, and restrictions of cross-border data transfers contained in the bill, Brazil is preparing to adopt a comprehensive data protection bill on the European model.  The draft legislation also includes data breach notification requirements.

 

November 2010

Groups File Complaint with FTC over Online Health Sites

The Center for Digital Democracy, U.S. Public Interest Research Group, Consumer Watchdog and the World Privacy Forum asked the Federal Trade Commission to investigate the use of sensitive personal information for marketing purposes by a number of health websites, such as WebMD. The 144-page complaint charges that some sites are not transparent enough about how they track people through online health searches, create user profiles and market to users' conditions. The main concern, said Ed Mierzwinski of U.S. PIRG, is that employers or health insurers could get hold of the profiles. "You could be searching for health information about your cat or your neighbor and it could end up harming your healthcare in terms of denial or increased cost," said Mierzwinski.

 

Labor Board Opposes Employee Termination for Facebook Post

The National Labor Relations Board accused an ambulance service company, American Medical Response of Connecticut, of illegally firing an employee after she criticized her supervisor on her Facebook page.  The case is groundbreaking in that it is the first time the labor board has stepped in to argue that workers' criticisms of their bosses or companies on a social networking site are protected activities that cannot be limited by Internet or social media policies.  Morgan, Lewis & Bockius, a law firm with a large labor and employment practice, issued a flash advisory to its clients, saying, “All private sector employers should take note,” regardless “of whether their work force is represented by a union.”

 

Seven HR Data Breaches Reported in November

Stolen laptops and errant e-mails were prominent in the seven breaches of employee data reported in November:  U.S. General Services Administration (12,000 GSA workers alerted after an employee sent the names and SSNs of the agency’s entire staff to a private e-mail address six weeks earlier); Hanger Orthopedic Group (an undisclosed number of employees impacted by the theft of an HR staff member’s laptop); EOD Technology (an unknown number of employees learning, through new information developed by the FBI, that their personal data had been compromised by a hacker two years ago); Kayser-Roth (an undisclosed number of employees jeopardized by the theft of a laptop from the corporate payroll department in Greensboro, NC); Richmond VA School System (personal data of more than a hundred employees accidentally e-mailed to all Richmond staff); Bare Escentuals (stolen laptop impacting an unknown number of employees); and the Bronx NY Dept. of Veterans Affairs (names and SSNs of 146 employees of the Education Department who took a CPR test left exposed in an unsecured box).

 

European Commission Releases Outline of DP Reforms

The European Commission issued a 20-page position paper outlining changes needed in data protection law to keep up with rapid technological and business developments in the 15 years since the EU Data Protection Directive was enacted.  While the paper affirms the core principles enshrined in the Directive, it sees a number of challenges giving rise to the need to strengthen individual rights when dealing with new technologies, which it proposes to accomplish by increasing transparency for data subjects, including with respect to data breaches; enhancing control over one’s own data, including greater reliance upon data minimization and clarification of the ‘right to be forgotten’; raising public awareness; and clarifying and strengthening rules on consent and sensitive data.  The Commission also sees the need to address the internal market perspective, through further harmonization of DP rules amongst the member states, including simplified notification rules; the introduction of greater legal certainty with respect to applicable law; enhancing the responsibility of data controllers, possibly by making appointment of internal DP officers mandatory, by creating an obligation to use privacy impact assessments and by promoting ‘privacy by design’; encouraging self-regulatory initiatives and certification schemes; and extending DP rules to cover police and judicial involvement in criminal matters.  Finally, the Commission recognizes a need to clarify and simplify the rules for international data transfers and to strengthen and harmonize the powers of Data Protection Authorities.  Public comments on the position paper were invited until January 15, 2011, with new legislation to be proposed before the end of the year.

 

German Federal Council Calls for Changes in Employee DP Bill

The Federal Council (Bundesrat), a legislative body representing the 16 German Länder, submitted 46 pages of recommendations for substantial changes to the legislation on employee data protection drafted by the administration of Chancellor Merkel.  Along with its many recommendations for specific changes, the Council expressed its preference for an independent piece of legislation, rather than the government’s approach of including employment-related provisions as amendments to a subsection of the existing federal data privacy law.

 

Indian Government Launches Consultation on Privacy Law

The Indian Department of Personnel and Training (DoPT) launched a public consultation on October 13 on a discussion paper according to which clear privacy legislation “that spells out the nature of the rights available to individuals and the consequences that an organisation will suffer if it breaches these rights” is “imperative” in India.  The paper recommends a “hybrid approach” between framework legislation and industry self-regulation.  According to the paper, "the legislation should really be in the form of a framework rather than detailed prescriptions.  It should highlight the basic principles that any data [controller] will need to [abide by]...Sector-specific or industry specific detailed guidelines will [then] be prepared and approved by the regulator…responsible for enforcing the legislation.”  The paper also highlights the importance of developing the concept of accountability.

 

October 2010

EEOC Public Meeting Explores Employers’ Use of Credit History

On October 20 the EEOC held a rare public meeting to explore employers’ use of credit history in the selection process.  Four states (Hawaii, Illinois, Oregon, and Washington) have already enacted laws restricting the use of credit history and similar legislation is pending before fifteen other states and Congress.  None of the participants in the meeting were able to cite a single study showing a link between any particular credit profile and poor job performance or a propensity to engage in dishonest or criminal conduct.  The EEOC is also concerned about the disparate impact of employer use of credit histories on protected classes.

 

State AGs, Other Countries Continue Street View Investigations

Attorneys General in 35 states pressed ahead with their Street View investigation during October, led by Connecticut AG Richard Blumenthal, who stated that Google’s new admissions and changing story only heightened the need for sustained scrutiny.  Meanwhile, in Spain, the Data Protection Authority (AEPD) announced that it had initiated a criminal sanction procedure and decided to impose a large fine, possibly over €2.4 million, against Google for five serious infringements of the Spanish Data Protection Act.  In Italy, the privacy regulator ordered Google to make sure its Street View cars were clearly marked and their itinerary made public three days in advance through the company’s website, local newspapers and radio.  In addition, a judicial source confirmed that prosecutors in Rome are investigating possible violations of privacy laws.  In the UK, the Information Commissioner announced that he was launching a new investigation into Street View, with substantial fines one possible outcome; his office subsequently announced that it was hiring a technology specialist, suggesting that its initial scrutiny of Google lacked sufficient technical expertise.  In Canada, the federal Privacy Commissioner stated that an investigation by her office showed that because of a “careless and easily avoidable error,” Google had contravened Canadian privacy law through its Street View wi-fi sniffing.  According to the Commissioner, the investigation will remain open until Google confirms, by February 1, 2011, that it has improved its privacy governance, expanded privacy training, designated a privacy leader and deleted the payload data it collected.

 

HR Data Breaches Swell in October

Ten breaches of HR-related data were reported in October, including the Mississippi National Guard (sensitive personal data of 3,000 members accidentally posted for a month on the brigade’s website); Veterans Affairs Department (SSNs and other personal data of 4,000 vets mailed to the wrong address in a benefits summary mailing from the Boston regional office); Johns Hopkins University (personal data of 692 dependents of employees of the Applied Physics Laboratory inadvertently attached to an e-mail sent internally within the Lab); Milwaukee County, WI (at least 30 county employees impacted by ID theft believed to have been carried out by a temporary worker in the HR department); Jackson Hewitt (personnel records of an undisclosed number of the tax company’s employees found in the trash outside a Jacksonville office); Trade Center Management Associates (personal data of an unknown number of employees working in the Ronald Reagan Building and International Trade Center in Washington, DC stolen during a burglary); GEICO (personal data of an undisclosed number of Field Representatives accidentally disclosed internally by e-mail); Louisiana Dept. of Health and Hospitals (personal data of 56,000 emergency medical technicians and EMT students compromised by a hacker); Darden Restaurants (an unknown number of employees placed in jeopardy because of the theft of a laptop); and Airgas (an undisclosed number of employees warned that their data may have been compromised when an internal security scan showed a company computer to have been infected by malicious software).

 

Commission Reaches Adequacy Determination for Israel

Following a four-month delay caused by opposition from Ireland, the European Commission issued a decision formally recognizing Israel as providing an adequate level of protection for personal data.  The Article 29 Working Party had recommended an adequacy determination for Israel last December.  Israel joins Switzerland, Argentina, Guernsey, Isle of Man, Jersey, Faroe Islands, Canada and U.S. Safe Harbor companies in meeting the test of adequacy.

 

French Appeals Court Rejects Use of Geo-location Data

A French Appeals Court in Dijon upheld a decision against an employer who terminated an employee who used a company car for personal reasons and also committed serious traffic violations in the process.  The Court rejected evidence collected using a GPS device in the company’s vehicle on the grounds that the employer had failed to register this data processing activity with the CNIL and had not given proper notice to employees regarding the use of GPS devices in company cars.

 

Accountability Paper Released, Helping Define Rules to Come

On October 26 the Centre for Information Policy Leadership, with support provided by Hunton & Williams, released a 14-page report entitled “Demonstrating and Measuring Accountability, Accountability Phase II – The Paris Project.” This document, which is the result of deliberations of an international working group that included 60 representatives of business, civil society, government, and data protection and privacy enforcement agencies, is likely to be very influential with respect to upcoming revisions to privacy frameworks on both sides of the Atlantic.  Participants in the project identified nine fundamentals for accountable organizations in the privacy arena:  policies; executive oversight; staffing and delegation; education and awareness; ongoing risk assessment and mitigation; program risk assessment oversight and validation; event management and complaint handling; internal enforcement; and redress.

 

September 2010

Supreme Court Hears Arguments in NASA Case

The Supreme Court heard arguments from government contractors at the NASA Jet Propulsion Laboratory in California, who are fighting the government's request to have them submit to what they call intrusive background checks as a condition of continued employment.  Neal Katyal, the acting Solicitor General, contended that when it came to the employment context, broad questions are unavoidable and must be answered by employees, unless they infringe upon constitutional rights.  A ruling in the case is likely to have significant implications for both government and private employers.

 

Only Six HR Data Breaches in September

Reported breaches of employment-related data subsided in September, with only six employers revealing data losses:  Kinetic Concepts (names, addresses, dates of birth, SSNs and salaries of 4,000 employees of the health care company accidentally exposed in a misdirected internal e-mail); Cooper University Hospital (all staff of the New Jersey hospital placed in jeopardy when an extensive database of their information on a flash drive went missing); Benefit Concepts (an undisclosed number of employees impacted by the loss of a FedEx package of payroll checks and data shipped by the company’s payroll vendor, CompuPay); Cardinal Health (data relating to an undisclosed number of employees exposed when the Ohio-based health care company discovered that an HR laptop had been sold without personal information being removed); SeaChange Int’l (employees in 26 states notified that a temporary administrative assistant with access to their data was discovered to have a prior conviction for a $350,000 insurance fraud); and Eastern Michigan University (compromise of login information responsible for exposing employees' direct deposit banking details and other personal information).

 

Security Industry Association Releases Privacy Framework

The Security Industry Association (SIA) released a 12-point Privacy Framework to address privacy concerns related to the recording of video, the collection of personally identifiable information and the use of biometrics, RFID and other electronic physical security technologies.  The guidelines include such recommendations as conducting privacy impact assessments, implementing privacy by design principles, adopting a breach notification plan, establishing a retention policy and limiting access to personally identifiable information to those who "need to know."

 

One Facebook Probe Ends in Canada, Another Begins

Canadian Federal Privacy Commissioner Jennifer Stoddart closed out a complaint about Facebook’s privacy practices dating back to 2008, saying that over the last year the company had addressed the concerns raised in a satisfactory manner through modifications to its policies and practices.  However, she also announced that her office was launching a new investigation, in light of new Facebook features, such as the “Like” button and the invitation capability that suggests new friends to users. 

 

ECJ Bars Legal Privilege for In-house Counsel

Ruling in Akzo Nobel Chemicals Ltd. v Commission, the European Court of Justice (ECJ) found that communications between the management and employees of a company and its in-house lawyers are not protected from search and disclosure in EU investigations and proceedings.  The court reasoned that, despite enrollment with a Bar or Law Society and the ensuing professional legal obligations, an in-house counsel does not enjoy the same degree of independence from his employer as a lawyer working in an external law firm does.  The ruling, although focused upon an anti-trust matter, may cause European companies to think twice before requesting internal counsel to formally assess compliance with data protection laws.

 

Swiss Supreme Court: IP Addresses are Personal Data

The Supreme Court of Switzerland ruled that IP addresses constitute personal data in a case involving a company, Logistep AG, which had collected, without consent, the IP addresses of internet users who were illegally downloading copyrighted materials using peer-to-peer software.  Although the court recognized the reduction of copyright infringement as a valid objective, it found that it did not override or justify the intrusion into personal privacy.

 

August 2010

Malaysia Enacts the Latest in a Wave of DP Laws

The Personal Data Protection Act, passed by the lower house of the Malaysian Parliament in April 2010, was passed without changes by the upper house on May 6, 2010.  It received Royal Assent on June 2, 2010 and came into effect with its official gazetting on June 10, 2010.  Malaysia becomes the first of the ten countries in the ASEAN region to implement omnibus privacy legislation, although the Act deviates in certain respects from its European precedents.  Malaysia became the sixth nation to enact comprehensive data protection legislation in the first six months of this year, following Mexico, Morocco, Belarus, Taiwan, and the Ukraine.

 

HR Data Breaches at All-time High in August

More breaches of HR data were reported in August than in any month since 2006, when HR Privacy Solutions began tracking them.  The following twelve employers reported losses of employment-related data:  State of Delaware (22,000 retirees impacted when their personal information was inadvertently posted on the Internet by the state’s benefits consultant, Aon Consulting); First Advantage (a laptop lost during an airport layover affected more than 32,000 candidates for jobs with the tax consulting firm’s clients); HMS Host (an undisclosed number of job applicants at the Cleveland airport Starbucks jeopardized by an HR employee of HMS Host, who was indicted for access device fraud and aggravated identity theft); Baton Rouge Police Dept. (30 current and retired officers victimized by credit card fraud after an insider sold a computer printout to an ID thief); Centric Software (an undisclosed number of the California firm’s employees impacted by the theft of a laptop from an employee’s car); Town of Rockland, MA (canceled checks with SSNs of hundreds of town employees missing after wind knocked them from a loaded recycling truck); NBC Universal (an undisclosed number of employees affected by the theft of a laptop); Brookings Institute (a CD with W-2 statement information of an undisclosed number of the Washington DC think tank’s employees lost in transit); Jones Lang LaSalle (theft of a laptop from an employee’s car impacting an undisclosed number of the commercial real estate firm’s employees); Ross (hundreds of the Houston-based department store chain’s employees exposed to ID theft when applications and resumes were placed in a public dumpster); Town of Hingham, MA (1,300 employees notified that their personal information had been accidentally e-mailed to dozens of people); and Boise City (personal information of 300 employees included in the back-up tape lost in transit by Mercer).

 

Illinois Restricts Use of Credit History in Hiring

Illinois enacted a law, the Employee Credit Privacy Act, effective January 1, 2011, that significantly restricts employers from checking an applicant’s or current employee’s credit status or history.  The act permits credit inquiries when a satisfactory credit history is a bona fide occupational requirement or is legally required.  Illinois becomes the fourth state, after Oregon, Hawaii and Washington, to limit the use of an individual's credit history in hiring decisions.

 

European Commission Delays DP Reforms

The European Commission announced that, because of the need for more time to integrate third pillar (i.e., law enforcement and justice) matters into a single data protection framework and to consider the 160 submissions received during the public consultation, it was pushing back plans to overhaul the Data Protection Directive by up to a year.  The Commission also cited business concerns about variations in national laws, which it said were prominent in the consultation, as needing to be addressed.  While it intends to announce its plans for the review this year, the Commission now expects that a proposed new framework instrument will not be available until late in 2011.  CNIL, the French DPA, had a somewhat different take on the delay, stating that it came about because of push-back from the Article 29 Working Party about an unrealistic timetable.

 

Street View Investigations Continue to Unfold

Google faces 28 legal or criminal investigations around the world, in every continent except Antarctica, over the wi-fi sniffing it conducted as a part of data collection for Street View, according to an analysis by The Guardian.  While the UK Information Commissioner gave the company a conditional pass in July and the New Zealand police found that no crime had been committed, investigations of the company continued in other countries.  In South Korea, police searched the company’s offices; in Spain, a Madrid judge ordered a Google representative to appear in court in October; and in France, a camera car used by the company was stopped and inspected by the CNIL.  Meanwhile, in the U.S., a panel of federal judges is deciding whether and where to consolidate lawsuits against Google that allege the company violated wiretapping laws; at least nine lawsuits are seeking class action status.

 

Germany to Bar Employers from Checking Facebook

As part of the draft of a new law governing workplace privacy, the German government has proposed prohibiting employers from using Facebook or other purely social networking profiles when reviewing the qualifications of job candidates.  However, the bill would allow employers to search for publicly accessible information about candidates on the Web and to view their pages on job networking sites, such as LinkedIn.  The bill now goes to Parliament for discussion and possible passage later this year.

 

July 2010

FTC Raises Info Security Bar with Twitter Case

The consent order proposed by the Federal Trade Commission in June following its investigation of Twitter expands the agency’s enforcement of information security standards in two significant ways.  In the first place, the order makes clear that the FTC will not restrict its oversight to only those cases in which sensitive personal data, such as SSNs and payment card numbers, are involved.  Secondly, the order sets forth a number of measures relating to administrative access to systems that the FTC is likely to look for in future investigations.  For example, (a) website administrator login pages should be maintained separately from general published login pages, with these pages made known only to authorized users; and (b) administrative access should be restricted to certain IP addresses or enhanced through multi-factor authentication.

 

HR Data Breached Seven Times in July

Seven breaches of HR data were reported in July, including American Airlines (79,000 current and former employees impacted by the theft of a computer hard drive from the pension department of the Fort Worth-based airline); Oregon State University (a computer virus compromised the personal data of 34,000 current and former employees); Connecticut Teachers’ Retirement Board (a missing flash drive exposed 58,000 retirees to ID theft); St. Luke’s Health Systems, Idaho Power and Saint Alphonsus Medical Center (thousands of employees of the three organizations affected when a computer server back-up tape containing their personal data went missing while in the possession of consulting firm Mercer); Village of West Bend, IN (an undisclosed number of employees impacted by the theft of a laptop containing payroll information from a car in Milwaukee); Deere and Company (benefit plan summary statements from UnitedHealthcare mailed to the wrong addresses for an undisclosed number of Deere employees); and Alcoa (an undisclosed number of employees potentially affected when an electronic folder of global mobility data was inadvertently shared as a public folder within the company’s internal network).

 

U.S. Cloud Providers Lobbying EU on Privacy Rules

Cloud providers such as Google and Microsoft, which have spent billions of dollars building data centers in Europe, are pressuring the European Union to streamline its privacy rules so that they can offer more remote computing and data-storage services.  Countering them, organizations like the French Association for a Digital Economy in Europe are lobbying to require storage of computer data in the country in which storage is being sold.  The cloud providers are hopeful that the European Commission’s Digital Agenda initiative will lead to the creation of a single harmonized market for cloud services by 2012.

 

Art 29 WP Urges Adoption of Accountability Principle

In an opinion issued in July, the Article 29 Working Party fleshed out the details in its 2009 recommendation that the European Commission include a new principle on accountability in any revision of the Data Protection Directive.  The 19-page opinion calls for the creation of a legal requirement that data controllers put in place concrete internal measures and practices that reflect data protection principles and obligations, in order to make data protection part of the shared values and practices of an organization.  Data controllers would also be required to demonstrate the measures and practices to supervisory authorities upon request.

 

Schleswig-Holstein DPA Calls for End to Safe Harbor

A month after opining that use of cloud service providers is basically contrary to German data protection law, Thilo Weichert, Data Protection and Privacy Commissioner of the northern German state of Schleswig-Holstein, called for an immediate end to the U.S.-EU Safe Harbor program.  Weichert, responding to an advance summary of a new critical study of the program that Australian privacy researcher Chris Connolly presented at the Privacy Laws & Business annual conference, said that the lack of enforcement by U.S. authorities made it necessary to either re-open negotiations to make the Safe Harbor principles effective or to terminate the program.  Connolly’s new study is expected to be released in August.

 

Ukraine Enacts Comprehensive Data Protection Law

Ukraine became the third nation in as many months to pass omnibus privacy legislation modeled upon European precedents.  The Law on Personal Data Protection will become effective as of January 1, 2011.  The legislation includes a mandatory requirement to register databases of personal information with an independent state authority that has yet to be established.

 

June 2010

Supreme Court Allows Search of Work-Issued Pager

The Supreme Court unanimously overturned the Ninth Circuit Court of Appeals in City of Ontario, California v. Quon, ruling that the city’s police department did not violate Officer Quon’s Fourth Amendment rights when it reviewed text messages transmitted over a work-issued pager.  However, the court, ruling strictly on narrow grounds closely tied to the facts in the case, did not resolve whether the officer had a reasonable expectation of privacy, instead basing its decision on a finding that the search in this particular set of circumstances was reasonable.  The ruling also did not address the rights of private sector employers or employees with respect to electronic communications.

 

Worldwide Investigations of Google Wi-Fi Sniffing

Privacy regulators in multiple countries, as well as police in some, are investigating Google’s three-year collection of personal data from unsecured wi-fi networks.  The countries involved include Australia, New Zealand, Hong Kong, Canada, Japan, Korea, Spain, Germany, Italy, the Czech Republic, Austria, Hungary, Switzerland, the UK and the United States.  In the UK, both Scotland Yard and the London Metropolitan Police have begun criminal investigations.  The question of intent, or of the subsequent use of data collected electronically, is not relevant under the laws of a number of jurisdictions.  Meanwhile, in the U.S., Attorneys General from 30 states participated in a conference call organized by Connecticut Attorney General Richard Blumenthal to explore coordinating investigations into Google’s wi-fi sniffing.  Google filed a motion with the U.S. Judicial Panel on Multidistrict Litigation to consolidate eight current class action lawsuits pertaining to the data collection into one mega-lawsuit.

 

German DPA Finds Cloud Computing Largely Illegal

The data protection authority of the German federal state of Schleswig-Holstein published a press release and legal opinion on cloud computing that found the use of clouds outside the EU to be largely unlawful, even if the European Commission has issued an adequacy decision in favor of the country in question.  According to the DPA, a non-EU cloud provider would always be an independent third party rather than an agent, requiring the third party to be bound by standard contractual clauses.  Under the finding, the cloud provider’s participation in Safe Harbor would provide an insufficient legal basis for data transfers to the cloud.

 

Half a Dozen HR Data Breaches in June

Missing laptops and CD/DVDs were at the heart of five of the six breaches of HR data reported during June, including the Oregon National Guard (personal data of 3,500 soldiers exposed when a laptop was stolen from a Guard member’s car in Portland); National Gypsum (an undisclosed number of employees impacted by the DVDs reported missing in transit by Towers Watson in February); Invois (an unspecified number of employees of the Georgia firm affected by a laptop stolen during the review of a merger with GSX); Quantum Corporation (an undisclosed number of employees impacted by the weekend theft of a laptop from an IT workshop; normal encryption had been temporarily disabled during a repair operation); the Department of the Interior (personal data of 7,500 employees compromised when an encrypted CD from a third party went missing after being received in the department’s Denver shared services center); and Roanoke City Schools (2,000 employees exposed to ID theft when the district failed to remove hard drives from eight computers when selling them).

 

Taiwan Passes Personal Data Protection Act

Taiwan became the latest nation to enact omnibus privacy legislation, with passage of the Personal Data Protection Act in April.  The Act applies a core set of privacy principles reflecting European precedents on the collection, processing or use of personal data by any individual, organization or enterprise, with special protections for data that is particularly sensitive.  It also imposes an obligation upon data controllers to inform data subjects of any loss, disclosure, theft or other infringement of their personal data.  No registration requirements are included in the law; class action lawsuits are allowed.  The effective date of the Act has yet to be announced.

 

May 2010

German DPAs Call for Safe Harbor Checks

The Düsseldorfer Kreis, an informal but influential group of Germany’s 17 private sector data protection regulators, advised companies to conduct due diligence checks upon US companies concerning their participation in Safe Harbor before passing personal data to them under the program, rather than simply accepting claims of Safe Harbor membership.  At the very least, companies were instructed to check that the data importer’s Safe Harbor certification is valid and to determine how data subjects are being informed about the data transfers.  The Düsseldorfer Kreis also called upon the FTC to step up its Safe Harbor enforcement activities.

 

EU Rights Agency:  Stronger DPAs, Employment Laws Needed

The EU's Agency for Fundamental Rights (FRA) has found that data protection authorities (DPAs) suffer from insufficient funds, inadequate staffing levels and a lack of sanctions for violators.  A 56-page FRA report notes that in several countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, "prosecutions and sanctions for violations of data protection law are limited or non-existing" and that DPAs often lack "full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings."  The FRA calls for strengthening DPAs, as well as for the adoption of additional legislation to address data protection in the context of employment relationships.  Included in the report are comparative charts on DPA capacities in each member state, along with liberal, if somewhat anecdotal, criticism of faults and deficiencies of the DPAs in specific states.

 

House Examines Use of Credit Info in Employment

The House Subcommittee on Financial Institutions and Consumer Credit held a hearing on the “Use of Credit Information Beyond Lending: Issues and Reform Proposals” on May 12.  The subcommittee discussed H.R. 3149, introduced by Rep. Steve Cohen (D-TN), which would amend the Fair Credit Reporting Act to prohibit the use of consumer credit checks for prospective and current employees for the purposes of making adverse employment decisions.  The Society for Human Resource Management opposes the sweeping prohibition contained in the bill, favoring instead a limitation in use of credit checks to jobs with fiduciary, financial and security responsibilities.  In April the New York Times ran an article on the topic that quoted a Trans Union credit bureau lobbyist as saying under oath that “At this point, we don’t have any research to show any statistical correlation between what’s in somebody’s credit report and their job performance or their likelihood to commit fraud.”  The use of credit checks in the employment context also caused a stir in Alberta.


Google Wi-Fi Sniffing Explodes as Major Privacy Violation

In response to persistent pressure from the data protection authority in Hamburg, Google was forced to admit that the Street View mapping cars it has deployed for the last three years have been gathering personal data from unsecured wi-fi networks, a claim it had previously denied.  The data gathered was said to include e-mail messages, websites being visited and other content available at the time the network was identified.  The company later admitted that it had collected 600 gigabytes of data from unsecured wireless networks around the world. The company defended the need to gather information about the location of the networks in order to improve its mobile products, but claimed that the acquisition of user content was an engineering error of which it had been unaware.  Google announced the cessation of all further mapping to address the problem.


Seven HR Data Breaches Reported in May

Seven breaches of employee data were reported in May: City of Charlotte and the Tennessee General Agencies Welfare Benefits Program (the second and third entities to acknowledge being impacted by the two missing Towers Watson DVDs first reported by Lorillard in April; 5,200 and 1,874 individuals were affected, respectively); J.M. Smucker (data of 6,000 employees and dependents compromised when an HR employee e-mailed a database he was having trouble with to a computer-savvy relative who had offered to help); US Army Reserve (207,000 reservists affected when a laptop and CD were stolen from Serco, a government contractor in Reston, VA); Veterans Affairs Department (two laptops reported missing in Texas, one from a contractor impacting 616 veterans and the other affecting “thousands”); and the LA Firemen’s Credit Union (data of 28,000 members exposed when the credit union failed to manage records properly when moving to a new location).


April 2010

Dept. of Commerce to Address Internet Privacy

Re-asserting the role of privacy advisor to the White House and government policymakers that it last exercised in the ‘90s, the Department of Commerce announced that it would study how privacy is impacted in the Internet economy.  The department said it was organizing an Internet Privacy Task Force, would hold a public meeting on U.S. privacy policy in Washington DC on May 7, solicit public comments from all Internet stakeholders, and issue a report by early fall.  The move opens the potential for a policy turf war with the FTC, which is also preparing a framework of guidance for Internet privacy.


Military Hit Hard by April Data Breaches

Ten breaches of HR data were reported in April, including two by the Navy and two by the Army:  U.S. Navy (244 employees at the Naval Facilities Engineering Service Center in Port Hueneme, CA finally notified of a breach that occurred in 2008); U.S. Army (documents containing sensitive personal information of 1,272 patients at the Brooke Army Medical Center in San Antonio stolen from a parked car); U.S. Army Reserve (12,000 military and civilian personnel associated with a former reserve command at Fort Totten, NY notified that their paper files could not be located); Lorillard Tobacco (an undisclosed number of employees impacted by the failure of a benefits service provider, Towers Watson, to encrypt two DVDs before they went missing in overnight delivery); Strategic Workforce Solutions (an undisclosed number of employees affected by theft of an unencrypted portable device from a car in Atlanta); Lam Research (at least 3,000 employees impacted by the theft of a laptop from a car in Fremont); Navy Region Hawaii (242 employees of the Federal Fire Department notified that their personal data was compromised by a hacker); Atlanta Fire Rescue (1,000 firefighters notified of an exposure stemming from use of a file sharing program, which came to light when a security consultant used the data during a workshop as an example of what can be found on the Internet); Kern County Employees’ Retirement Association (37,000 county employees and retirees in California impacted by a part-time clerk’s malfeasance); and Famous Dave’s of America (laptop stolen from a car with personal data of an undisclosed number of the national restaurant chain’s employees).


Ten Privacy Commissioners Challenge Google

Led by Jennifer Stoddart, Canada’s Federal Privacy Commissioner, ten privacy commissioners sponsored a press conference in Washington DC to publicize their criticism of Google’s social networking and Street View programs, as well as new online products from other vendors.  The nations involved are Canada, Israel, Spain, France, the Netherlands, Germany, Italy, Ireland, New Zealand and the UK.  According to Stoddart, "We want to send a strong message that you can't go on using people's personal information without their consent in these kinds of ways to launch a new product…. Do your testing before, and make sure you comply with privacy legislation."  Jacob Kohnstamm, chairman of the Dutch data protection authority, said that internet-based firms ought to see the letter sent to the firms outlining privacy concerns as “a last warning to the online world” before enforcement actions are taken.


Mexico Passes Omnibus Data Protection Law

After nine years of legislative development, including close consultations with European privacy regulators, Mexico enacted a comprehensive data protection law, covering both private and public sectors.  Implementation and enforcement of the law will be carried out by the Federal Institute for Access to Public Information and Data Protection.  Maximum penalties for misuse of sensitive personal information are five years in prison and fines up to $2.9 million.  The U.S. is now surrounded by countries to the north, south, east and west that provide stronger legal protections for personal information than we do.


NIST Issues Guide to Protecting PII

The National Institute of Standards and Technology (NIST) issued a "Guide to Protecting the Confidentiality of Personally Identifiable Information," designed to help agencies identify personally identifiable information (PII) and determine the appropriate level of protection for it.  Of particular note is the Guide’s expansive definition of PII, which includes any information that is linked or linkable to an individual, such as medical, educational, financial or employment data, as well as telephone numbers and IP addresses.


March 2010

Senators Propose National Worker ID Card

Senators Charles Schumer (D-NY) and Lindsey Graham (R-SC) have proposed that biometric national ID cards, which they called “high-tech, fraud-proof Social Security cards,” be required for all U.S. employees, as a means of combating illegal immigration.  Information would be stored on the cards, rather than in a government database, and the cards would not contain private data, medical data or tracking devices.  DHS recently extended the deadline for state compliance with the Real ID program, first launched in 2005, for another year.  Privacy advocates criticized the proposal as inevitably leading to a national database and mission creep, while being based upon false claims of being fraud-proof.


FTC Requires Monitoring Outbound Internet Traffic

In reaching a settlement with Dave & Buster’s, a restaurant and entertainment chain, the FTC quietly and without fanfare introduced a new security standard, requiring the company to monitor and filter outbound Internet traffic to block the unauthorized export of sensitive information.  The consent decree puts companies on notice that they may face FTC scrutiny and penalties if they fail to use data loss prevention software.


HR Data Breaches Moderate in March

March saw a decrease in the number of HR data breaches reported, with five data losses, including Yuma Proving Ground (700 employees at risk because of a compromise of an employee’s home computer); Arrow Electronics (4,004 employees impacted by the theft of a laptop from the firm’s Melville, NY office); Beecher Carlson (an undisclosed number of employees, including 1,012 in Massachusetts, affected when two laptops were stolen from the Atlanta-based insurance broker); Nuance Communications (information of 1,191 Massachusetts employees exposed on a laptop stolen from a car); and the Evergreen Public Schools (WA) (numerous incidents of ID theft reported after data on 5,000 employees in a payroll system was compromised by the “shoulder-surfing” of a password).


Top EU Privacy Regulator Calls for ‘Privacy by Design’

Data protection laws should be changed to force people creating new technologies to build privacy features into them, according to a 21-page recommendation to the European Commission by Peter Hustinx, the European Data Protection Supervisor.  Hustinx called for applying ‘Privacy by Design’ obligations in particular to developers of social media, RFID and targeted advertising applications.  Support for the ‘Privacy by Design’ approach, developed by Anne Cavoukian, Ontario’s Privacy Commissioner, back in the ’90s, was also voiced in the November Madrid Resolution and the January Article 29 Working Party opinion on the future of privacy.


French Senate Approves Amendment to DP Law

DataGuidance News reports that on March 23 the French Senate approved an amendment to the national data protection law which will require French companies with more than 100 employees who access or process personal data to appoint an internal data protection officer.  As noted in the Monthly Privacy Review in November 2009, the bill will also introduce data breach notification obligations into French law.  The amendment now goes to the National Assembly for its consideration.


Japanese Cell Phone Tracks Employee Motions

KDDI Corporation, the Japanese phone giant, has developed a cell phone that uses advanced analysis of accelerometer data to allow bosses to track the physical movements of workers.  For example, a boss could tell when a janitor is scrubbing, using a mop, emptying a waste bin, etc.  The company said it prefers to think of its creation as “a caring, mothering system rather than a Big Brother,” but counsels potential users to get the consent of employees in advance.


February 2010

Massachusetts Data Security Law Now in Effect

After a number of extensive delays, most provisions of the new Massachusetts data security regulations came into effect on March 1, 2010.  Entities that process personal information about state residents must develop, implement and maintain a written, risk-based information security program that includes numerous administrative, technical and physical safeguards, including encryption of laptops and other portable devices.  By March 1, 2012, service providers must be contractually bound by the same requirements.


Checking Job Applicants Online Very Common in U.S.

According to a Microsoft survey of 2,400 employers and jobseekers in the U.S., UK, Germany and France, 70% of HR respondents in the U.S. rejected job applicants because of negative information found online, with smaller numbers of 41% in the UK, 16% in Germany and 14% in France.  Furthermore, 75% of HR respondents in the U.S. reported that their companies had formal policies requiring them to conduct such online research, compared to 48% in the UK, 16% in Germany and 14% in France.


Google Runs into Privacy Buzz-Saw over Buzz

Google’s introduction of Buzz, a social networking program integrated with the company’s e-mail and chat services, met a firestorm of criticism when users discovered that the program automatically shared their contacts with all Buzz users.  The company quickly revamped its privacy settings, but faces regulatory investigations after complaints were filed with the FTC and the Canadian Federal Privacy Commissioner.  Buzz, offered as Google’s answer to Facebook and Twitter, also raises a host of new privacy concerns by virtue of its integration with location-mapping programs on mobile phones.


HR Data Continues Hemorrhaging in February

Nine HR data breaches were reported in February, including the West Memphis Police Dept. (an unknown number of employees impacted by a compromise of the department’s computer network, possibly by a detective); U.S. Dept. of Commerce (two new incidents affecting hundreds of employees, in addition to the two breaches reported earlier); State of Ohio (a spreadsheet of banking data of 6,000 state employees, including the Governor, inadvertently e-mailed to dozens of payroll officers of state agencies; this is the second breach in six months); Ceridian (banking data of 27,000 employees in 1,000 companies exposed by hacking of Ceridian’s Powerpay payroll system; some of the data was 10 years old and should have been deleted); Royal Dutch Shell (directory contact information for the company’s 170,000 employees published on the Internet by a group of 100 or so employees opposed to Shell’s policies in Nigeria and elsewhere); Equifax (an unknown number of current and former employees received W-2 forms in the mail with their SSNs exposed); Kansas City Art Institute (145 employees impacted by the theft of a laptop from the HR office); Highmark (a list including the SSNs of 3,700 employees of Boscov's Department Stores tampered with when mailed from the group health plan to the retailer); and the Arkansas National Guard (an unknown number of current and former soldiers affected by a missing hard drive).


European Commission Updates Model Contract for Processors

The European Commission has issued new standard contractual clauses that must be used going forward when companies decide to use model contracts as the legal basis for data transfers to data processors located outside the European Union.  The revisions place new obligations upon such data processors, including the requirement that they obtain the written permission of the data exporter prior to subcontracting any processing of the data. They are also intended to ensure that the sub-processor is placed under the same legal obligations as the processor.  The new model contract, while introducing some clarity in an area where there was little, does not go as far as advocated by industry groups such as the ICC.


More Requirements Emerging in Alberta PIPA Amendment

According to McCarthy Tetrault, additional details are emerging about the Personal Information Protection Amendment Act, 2009 (Bill 54), which has not yet come into effect.  Bill 54 requires companies transferring personal data to a service provider or parent company outside of Canada to inform affected individuals about the transfer in advance, including the purposes involved, the identity and location of the recipient, how to obtain written information about the recipient’s privacy policies and practices, and a point of contact for questions.  It also requires notification to data subjects and to the Privacy Commissioner of data breaches posing a real risk of harm.  Furthermore, Bill 54 places a positive obligation upon companies to destroy personal information once it is no longer reasonably required; previously they were allowed to keep the information as long as reasonable for legal or business purposes.


January 2010

FTC Declines to Address Adequacy of Safe Harbor Policies

The FTC, in responding to a comment received on the proposed settlement reached with one of the six companies recently found to have let its Safe Harbor certification lapse, made it clear that it does not find deficiencies in a company’s published Safe Harbor privacy policy to constitute a “violation of the Safe Harbor framework.”  Chris Connolly, a principal in Galexia, an Australian consultancy, and author of a 2008 critique of Safe Harbor, had pointed out that the policy issued by Directors Desk LLC did not include information on enforcement or complaints.  The FTC decision to focus its enforcement activities only on a company’s “substantive practices” is the likely reason the Department of Commerce announced in November that it would begin reviewing the adequacy of Safe Harbor privacy policies when companies re-certify.


Federal Government to Keep SSNs as Employee IDs

The Office of Personnel Management announced that it was withdrawing a rule, proposed only two weeks earlier, that would have required all federal agencies to stop using SSNs as employee identifiers, on the grounds that it was impractical to create another primary identifier.  Most private sector companies, both large and small, have already stopped using SSNs for this purpose.


Ten HR Data Breaches in January

After three lulls last year, a “more normal” number of HR data breaches were reported in the U.S. in January, ten to be specific, including:  U.S. Dept. of Commerce (27,000 employees impacted by the unintended e-mailing of their unencrypted information to other employees; this was the second DOC breach in five months); Washington (WA) Department of Corrections (43 individuals jeopardized when a briefcase of personnel records was stolen from an HR staffer’s car); Eugene (OR) School District (an undisclosed number of employees jeopardized by hacking of a school server); Logan International Airport (the identities of 16 TSA employees stolen by a contract worker in the HR department); P.F. Chang’s China Bistro (an undisclosed number of employees impacted by theft of computing equipment); City of Oakridge (OR) (sensitive personal information of an unknown number of city employees accidentally sent out with monthly water bills to 1,400 households); Columbus Public Health (OH) (hundreds of city health workers jeopardized by an employee’s theft of their personal information); Humboldt State University (CA) (information of 3,500 employees hacked via a sophisticated log-in virus); Iowa Racing and Gaming Commission (80,000 records containing employee information hacked on a Commission server, via an attack believed to originate in China); and PricewaterhouseCoopers (77,000 current and former employees of the State of Alaska impacted by a breach of a 2003-4 retirement file in a Chicago PwC office).


Background Checks? There's an App for That

A new app from BeenVerified enables users to conduct background checks on anyone in a matter of seconds from their iPhone.  Users can conduct up to three checks per week for free or unlimited checks for only $8 per month.  According to BeenVerified, about 400,000 users have downloaded the app and conducted a million checks so far.  Employment law firm Littler Mendelson rightly cautions that use of the app is likely to jeopardize an employer’s compliance with the Fair Credit Reporting Act.


UN Watchdog Calls for International Privacy Agreement

Martin Scheinin, Special Rapporteur to the UN Human Rights Council, delivered a report calling for a new international agreement on privacy in response to a worldwide increase in intrusiveness due to counter-terrorism measures.  His 35-page global assessment of the state of privacy closely follows, although it does not mention, the call for a new international privacy convention issued by privacy commissioners in Madrid last November.


UK DPA Receives Power to Impose £500,000 Fines

Following a public consultation, the UK Ministry of Justice has concluded that the Information Commissioner should be given the power to impose fines of up to £500,000 (approximately $800,000) for serious breaches of the Data Protection Act 1998.  The fining authority is expected to come into effect on April 6, 2010.


December 2009

Supreme Court to Hear City of Ontario vs. Quon

The U.S. Supreme Court announced that it would review a case, City of Ontario vs. Quon, that focuses upon the privacy of text messages sent by an employee using an employer-issued texting device.  The employer, a police department, allowed personal use of the devices but accessed the messages in question when their volume seemed excessive.  The U.S. 9th Circuit Court of Appeals ruled last year that police officers had a reasonable expectation of privacy in their text messages, particularly since a supervisor had led Officer Quon to believe that his personal messages would not be reviewed.  Arguments in the case will be heard in the spring, with a ruling expected before the end of June.


Facebook Changes Privacy Controls, Provokes Critics

Facebook revised its privacy controls, requiring all 350 million users logging in to re-consider what information they wanted shared with whom.  While the changes were promoted as giving users more granular control over their information, critics lambasted them, citing their opacity, the fact that the default setting was to share everything with everyone and the new mandatory publication of profile information.  Facebook subsequently back-pedaled, allowing friends lists to be private, but not sufficiently to dampen the firestorm of criticism.  The Electronic Privacy Information Center (EPIC) filed a complaint against Facebook with the FTC, asking the regulatory agency to enjoin the company’s unfair and deceptive business practices and to require it to protect users' privacy.


Online PHR Vendors Graded on Privacy Protections

Patient Privacy Rights, an advocacy group headed by Dr. Deborah Peel, issued a report card on the privacy protections described in the website policies of personal health record (PHR) vendors.  The grades assigned were as follows: No More Clipboard – A; Microsoft HealthVault – B/F; WebMD – C; CapMed–icePHR – C; Google Health – D/F; and PHRs Offered by Employers and Insurers – F.  Independently, a survey of 1,000 physicians in Massachusetts found that 71% were either concerned or very concerned about possible privacy breaches associated with the use of electronic health records.


Another Lull in HR Data Breaches

Following comparable lulls in September and October, only three breaches of HR data were reported by employers in December:  Textron (an undisclosed number of the aerospace company’s 43,000 employees impacted by a misplaced USB hard drive); Notre Dame University (personal information, including names, SSNs, dates of birth and zip codes, of 24,000 employees accidentally exposed on the Internet); and the State of Minnesota (names and SSNs of 500 employees accessible on the website of Lookout Services, a third party vendor that carried out E-verify checks for the state).


Major Revamp of EU Data Protection Law Coming

Viviane Reding, previously the Commissioner for Information Society and Media, was nominated by the European Commission to the new post of Commissioner for Justice, Fundamental Rights and Citizenship.  In this role she will oversee the significant revamp of EU data protection law that was initiated with the Commission’s consultation on this topic launched in July.  The entry into force of the Lisbon Treaty, on December 1, created a more secure and stable legal basis for treating data protection as a fundamental right in the European Union, while also increasing the power of the European Parliament in data protection matters.


New Rules for Oversight of System Admins in Italy

The Italian Data Protection Authority issued a decision regulating system administrators in November 2008 that finally came into force on December 15.  The decision requires companies and public entities to closely supervise the activity of their system administrators.  According to DataGuidance News, data controllers need to maintain an internal record that identifies system administrators and their tasks, conduct annual assessments of their compliance with appropriate organizational, technical and security measures, and also maintain a record of any system administrators in charge of outsourced data.


November 2009

Commissioners Approve Draft Global Data Privacy Standard

A new draft global data privacy standard was unanimously approved by 80 Data Protection Authorities from 42 countries at the 31st annual privacy commissioners’ conference held early in November in Madrid.  While not legally binding, the draft supplements the level of protection provided by the EU Data Protection Directive with the best components of privacy codes or laws in various regions of the world.  For example, it includes provisions for data breach notifications and incorporates strong provisions relating to accountability and pro-active governance.  The draft also dramatically expands the definition of sensitive data.  While its development into a binding international instrument would require many years of effort, the draft is likely to be very influential and serve as a significant point of reference.  Presentations from the annual conference in Madrid are available online.


Department of Commerce to Review Safe Harbor Privacy Policies

The U.S. Department of Commerce announced that it will review the privacy policies of participants in the Safe Harbor program to ensure that they clearly indicate adherence to the Safe Harbor Privacy Principles. However, the review will only occur as companies come up for their annual re-certification. This new effort to meet European criticism of the program, stemming in part from the study released last year by Galexia, an Australian consultancy, was announced by the DOC’s Damon Greer at the Conference on Cross Border Data Flows, Data Protection and Privacy held in Washington, DC on November 17-18.


Alberta Revises Privacy Law

The government of Alberta enacted significant amendments to the province’s Personal Information Protection Act in late November. According to a PrivacyScan newsletter, the new requirements include (a) mandatory notification of data breaches to the Privacy Commissioner’s office, where a decision will be made as to whether data subjects should also be notified; and (b) the provision of notice to data subjects whenever their information will be transferred to, or collected by, a service provider (including a parent or affiliate company) in a foreign jurisdiction.


Eight HR Data Breaches in November

Following lulls in September and October, a more typical number of data breaches were reported by U.S. employers in November, including those experienced by MassMutual (an unknown number of employees impacted by a hack into a database of benefits information maintained by a vendor); the Army Corps of Engineers (60,000 soldiers and civilian employees affected by an external hard drive missing in Dallas); the Nebraska Worker’s Compensation System (personal information of several thousand claimants compromised by a hacker); Notre Dame (24,000 employees jeopardized by the accidental posting of their personal information on the Internet over a three year period); Sea Ray Boats (personal information of 341 employees inadvertently distributed via email); FCI USA (2,000 current and former employees impacted by a stolen laptop); Eisai Inc. (a laptop containing personal information of an undisclosed number of employees and applicants stolen from an HR employee’s car in New Jersey); and Vancouver (WA) Public Schools (a security breach in the schools’ payroll system impacting 3,000 employees and leading very quickly to reports of suspicious banking activity).


Massachusetts Finalizes Data Security Regulations

On November 4th the Massachusetts Office of Consumer Affairs and Business Regulation announced its final regulations (201 CMR 17.00) prescribing how entities owning or processing personal information of Massachusetts residents must protect such data.  The most significant changes in the regulations, which come into effect on March 1, 2010, extend the coverage of the regulations to entities that merely store personal information on behalf of others and add two years to the date by which companies must apply specific rules to contracts with service providers.  The core of the regulations is the mandate of having a comprehensive, written information security program, including the encryption of laptops and other portable devices.


October 2009

FTC Settles with Six Companies Claiming Participation in Safe Harbor

The FTC followed up on last month’s first public Safe Harbor enforcement action with tentative settlement agreements with six companies that claimed to be certified under the International Safe Harbor Program, while in fact they had let their certifications lapse. Details of the settlement are not yet available, but at a minimum will require the companies to either re-certify or withdraw claims that they are certified.  The FTC action is more of a warning flare than the comprehensive enforcement action it could have been.  For example, 13 of the first 29 companies on the current Safe Harbor list, some 45%, are shown as having a certification status that is not current.  Some of these companies may have lawfully exited the program, but it would not be surprising if many had let their certifications lapse while still claiming to be participants.


EEOC Issues Guidance for Employers in Handling Pandemic Flu

The Equal Employment Opportunity Commission (EEOC) issued guidance for employers on how to respond to an H1N1 pandemic without violating the Americans with Disabilities Act (ADA), the Occupational Safety and Health Act (OSHA), the Family and Medical Leave Act (FMLA), prohibitions against discrimination based upon national origin, privacy laws, workers’ compensation, and disability benefits laws.  The guidance follows by a month that issued on the same topic by the CNIL in France.


Employee Awarded $1.8 Million for Invasion of Privacy

A jury awarded a former employee of Illinois-based North American Corporation, a business services firm, $1.8 million after finding that the company had used a private investigator who employed pretexting techniques to obtain her phone records.  However, the company prevailed in a separate counter-claim against the employee for anti-competitive conduct, which it claimed constituted the grounds for its investigation; the employee was ordered to return $630,000 of the $1.8 million to the company.


Microsoft to Seek ISO Certification for Its Cloud Services

At a time of broad and continuing doubts about the ability of cloud vendors in general to properly secure their services, Microsoft wants to get its suite of hosted messaging and collaboration products certified to the ISO 27001 international information security standard.  The company believes that the FISMA security standards, to which Google has announced it is seeking certification, are outdated and inadequate.  A spokesman said that Microsoft wanted to “take it up a notch.”


Are US Employers Finally Protecting HR Data?

It was another relatively quiet month for HR data breaches, with only four reported in the US.  The most serious breach involved two separate hacks into the online systems of New Jersey-based PayChoice, one of the nation’s largest providers of payroll services; PayChoice has a client list of 125,000 employers, potentially exposing financial information of millions of payees.  Other breaches reported include Bullitt County Public Schools (KY) (names and SSNs of 676 employees accidentally sent by e-mail to all 1,800 employees); US Army Special Forces (Fort Bragg, NC) (names, SSNs, home phone numbers and addresses of 463 soldiers, found on the Internet in connection with a Congressional move to address data leaks on peer-to-peer networks); and the Bank of New York Mellon Corp. (computer technician who was a contractor to the bank charged with ID theft involving personal information of 150 employees).


DPA Finds Daimler Pre-Employment Blood Tests Illegal

The Data Protection Authority (DPA) for Schleswig-Holstein ruled that pre-employment blood tests carried out by German automaker Daimler are illegal and that the data must be deleted.  Although the tests are voluntary and the company tests candidates only in the final stages of job selection, the DPA said the practice breaks "all existing data protection regulations." The ruling underscores the point that employers in many EU member states are on dangerous footing when collecting sensitive information, even with the consent of the employees involved and when other protections for the data are in place. Daimler, which invented and pioneered the use of binding corporate rules (BCRs), has long been a world-class leader on privacy issues.

 

September 2009

Shared Assessments Program Expands Membership

Shared Assessments, an international vendor risk management standards group founded in 2005 by the BITS Financial Services Roundtable, has opened its doors to outsourcers in healthcare, retail, telecommunications, manufacturing, higher education, government and other sectors.  In October, the program, which currently has 60 members, will publish tools mapping privacy controls to the AICPA/CICA framework, GLBA, HIPAA, the HITECH Act and PIPEDA, as well as to the EU Directive and other laws.  The updated tools will be available for free download on the Shared Assessments website.

 

Dept. of Defense to Let Troops Use Social Media

The Defense Department (DOD) plans to allow troops to use social media for both official and unofficial purposes, according to a report in Nextgov. The new policy will reverse that of some military services and allow troops and their families to use Facebook, Twitter and other social software, as well as e-mail, instant messaging and discussion forums, running on DOD’s unclassified network.

 

September Lull in HR Data Breaches

Only three data breaches affecting employees were reported during September, by Naval Hospital Pensacola (38,000 servicemen and beneficiaries who use its pharmacy services notified that a laptop containing their personal information was missing), Eastern Kentucky University (names and SSNs of 5,045 faculty, staff and student workers inadvertently left on the Internet for a year) and Kraft Foods (an undisclosed number of employees impacted by the theft of a laptop and USB drive from the car of an accounting and payroll worker in the company's shared services center).

 

Hustinx Expects UN, OECD to Adopt New Data Privacy Standard

Peter Hustinx, the European Data Protection Supervisor, stated that he expects the UN and the OECD to adopt the new international data protection standard that will be announced by the world’s data protection authorities at next month’s conference of privacy commissioners in Madrid.  While the standard will need to be implemented in national laws, Hustinx believes it is on the path to becoming globally enforceable.

 

Hyatt Becomes First Company to Win Expedited BCR Approval

Hyatt Hotels and Resorts became the first company to win expedited approval of its corporate code of conduct (Binding Corporate Rules) through the office of the UK Information Commissioner.  According to Privacy Laws & Business, while four other multi-nationals (Atmel, Accenture, Philips and GE) secured approval of their BCRs in the UK over the last four years, Hyatt's use of the EU's new mutual recognition procedure reduced the time required to 12 months.  Seventeen EU member states currently participate in the procedure, which is expected to yield even faster approvals in the future.

 

CNIL Fines Company for Covert CCTV System

The French Data Protection Authority (CNIL) fined Jean Marc Philippe, a French clothing designer, €10,000 for installing a CCTV system that collected data about employees in an unlawful and disproportionate manner.  According to a report in Data Guidance News, employees were monitored without their knowledge, even in places where there was no particular threat to security.

 

August 2009

Massachusetts Revises ID Theft Regs, Extends Deadline

The Massachusetts Office of Consumer Affairs and Business Regulation revised its new ID theft regulations to be less prescriptive than earlier versions and to provide greater flexibility for small businesses.  Any business that processes or stores the personal information of Massachusetts employees or consumers will need to address the state’s requirements for a written, comprehensive information security program by the new deadline of March 1, 2010.

 

Facebook Will Meet Canadian Privacy Objections

The Privacy Commissioner of Canada announced that she is satisfied that the changes Facebook has agreed to make to its privacy practices and policies will bring it into compliance with Canadian privacy law.  The changes, to be implemented over the next 12 months, will also be rolled out globally.  The changes will address access by third-party developers to user information, de-activation of accounts, personal information on non-users and accounts of deceased users.  Earlier in the month, Facebook tweaked its terms of service in a variety of areas relating to privacy.

 

Seven HR Data Breaches Reported in August

There was no summer holiday for HR data breaches, with seven breaches reported during August, including the US Dept. of Commerce (27,000 employees exposed to risk when an employee of the National Finance Center, which handles payroll and personnel matters for the DOC, sent their information to a co-worker via an unencrypted e-mail); the Army National Guard (131,000 soldiers of the Guard warned after a contractor's laptop was stolen); the Colorado Dept. of Corrections (personal financial records and family information of more than 1,000 staff accidentally sent by a payroll employee to 100 co-workers); the New Hampshire Dept. of Corrections (records of 1,000 employees found under a prisoner's mattress, due to poor document disposal practices); Lockheed Martin (an unidentified number of employees affected when researchers found their personal information on a hard drive for sale on eBay); Williams Company (personal data of over 4,400 of the Tulsa firm's workers exposed when a laptop was stolen); and Chart Industries (1,600 employees placed in jeopardy when several laptops were stolen from the Ohio firm).

 

FTC Brings PHR Vendors Under Breach Notification Rule

The Federal Trade Commission issued a rule extending data breach notification requirements beyond the entities covered by HIPAA.  The new rule applies to companies that provide an online repository of personal health information, such as vendors that offer web-based tools to track and maintain blood pressure readings and other health-related data.  Vendors in this category, which include Microsoft's HealthVault, Google Health and WebMD, are typically not covered by HIPAA requirements.

 

FTC Takes Enforcement Action over Safe Harbor

The Federal Trade Commission secured a temporary injunction against a California-based company, Balls of Kryptonite, for deceptively claiming that it was a participant in the US/EU Safe Harbor Program.  According to the FTC, the company copied Amazon.com's privacy policy and posted it on its own website.  While the FTC is known to investigate potential breaches of Safe Harbor commitments, this is the first time in the nine-year history of the program that such an investigation has led to a public enforcement action.  The case, which involves other issues as well, will be heard in federal court unless a settlement is reached.

 

South African Privacy Bill Approved by Cabinet

Nine years in the making, a comprehensive data protection bill, drafted by the South African Law Commission and modeled upon European legislation, has been approved by the Cabinet and referred to Parliament.  Officials are hopeful that the law, which is not expected to be enacted before the end of the first quarter of 2010 at the earliest, will secure an adequacy finding by the European Commission.

 

July 2009

Commissioner Finds Facebook Violates Canadian Privacy Law

Following an in-depth investigation of the practices of Facebook in response to a complaint filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC), Jennifer Stoddart, the Privacy Commissioner of Canada, issued her long-anticipated findings in a detailed 100-page report.  While some of the twenty allegations in the CIPPIC complaint were found to be unfounded or were resolved during the investigative process, the Commissioner found that Facebook violates Canadian privacy law in at least three significant respects:  failure to limit the access of third party application developers to user data; failure to allow users to easily delete their accounts and associated personal information; and requiring users to consent to keeping their profiles active for memorial purposes in the event of their death.  Facebook has thirty days to come into compliance or announce a plan to do so, after which the Commissioner has indicated she will apply to the Federal Court to compel it to do so.  The findings are a major blow to Facebook's business model and will be extremely influential with privacy regulators in other countries.  The Privacy Commissioner of Australia has already indicated, in response to Commissioner Stoddart's report, that Facebook may be breaching Australian privacy laws; European regulators announced their concerns about social networking sites in June.

 

DHS to Push Ahead with E-Verify but Drop “No-Match Rule”

In spite of opposition from the US Chamber of Commerce, SHRM and other business groups, DHS Secretary Janet Napolitano voiced the administration’s support for the E-Verify system as the means of verifying eligibility for employment by federal contractors.  At the same time, DHS is rescinding the 2007 No-Match Rule, which has been blocked by court order.  The Senate also passed a number of amendments bearing upon the E-Verify requirement, which is slated to come into effect September 8.

 

Cloud Computing Standards Group Formed, but Feds May Not Wait

Industry groups and standards bodies have formed the Cloud Standards Coordination Working Group, to develop a strategy for cloud computing standardization that will include standards for data security, along with ones for interfaces, management frameworks, data exchange formats and other topics.  However, federal CIO Vivek Kundra says the government may create its own set of cloud security standards and certify those services that meet them, so that federal agencies can move into cloud computing more quickly.

 

Big Companies, School Districts and Laptops Dominate July Breaches

Eight breaches of employment-related data were reported during July, including losses by Northrop Grumman (a stolen back-up hard drive containing personal data of an unspecified number of employees in West Virginia); Procter & Gamble (a laptop used by its employee benefits administrator, IBM, was stolen); Tyco Flow Control Americas (the payroll manager's laptop stolen during a weekend break-in at his Houston office); AT&T (a temp indicted for stealing personal information of 2,100 Chicago-area employees in an ID theft scheme); school districts in suburban St. Louis (a stolen laptop with personal data of 1,700 employees), Fayetteville AR (39 teachers registered with the same benefits provider victimized in an ID theft scheme), and Salt Lake City (information relating to 6,000 employees exposed on a missing USB drive); and city employees in Brighton CO (an unspecified number of employees placed in jeopardy when a laptop was stolen from an IT engineer's pickup truck while he was playing golf).  Six of the eight breaches (75%) involved stolen laptops or storage media, while two (25%) involved benefits administrators.

 

DP Law Amended, Employee Privacy Act Coming in Germany

On July 3 the German Parliament passed comprehensive amendments to the Federal Data Protection Act, subsequently confirmed by the Federal Council, covering marketing, security breach notification, service provider contracts and new protections for employee data.  The amendments, which come into effect September 1, also provide stronger protections for internal data protection officers, enhance the authority of data protection authorities, and increase fines and sanctions for violations.  In addition, a new Employee Privacy Act is expected to be enacted after Germany's elections this fall, according to an article by Flemming Moos in IAPP's Privacy Advisor.

 

CNIL Drops Prior Authorization for Safe Harbor Transfers

Following the recent passage of a legislative amendment streamlining the operations of the CNIL, the French data protection authority has dropped the requirement that transfers of non-sensitive data under the Safe Harbor program receive its prior approval.  The change in policy is reflected in new documents posted on the CNIL website.

 

June 2009

Court Rules MySpace Comments Off-Limits to Boss

A federal jury in the U.S. District Court in Newark found in favor of two employees of Houston's Restaurant in Hackensack, NJ, who had been fired on the basis of negative comments they made on their password-protected MySpace group website.  Their boss gained access to the comments by pressuring a co-worker to reveal her password.  The jury, finding that the company had violated state and federal communications laws and acted maliciously, awarded the employees $17,000 in back pay and damages.

 

Nine HR Data Breaches in June

Nine breaches of HR-related data were reported in June:  Tyco Flow Control Americas (an undisclosed number of employees impacted when burglars in Houston stole the payroll manager's laptop and also breached locked rooms containing HR and payroll records); Maine Office of Information Technology (597 recipients of unemployment insurance had their SSNs and other personal information mailed to another individual because of a printing error); Vocus (an undisclosed number of employees jeopardized by mis-delivery of a box containing HR data); Beam Global Spirits & Wine (unauthorized access to an HR/payroll database by a former employee); CS Stars (the maker of risk management software had an unencrypted portable hard drive stolen, impacting 28,000 claimants for workers' compensation); Florida Department of Revenue (a stolen flash drive containing personal data on 2,826 employees of a variety of businesses); the City of Battle Creek, MI (65 city employees impacted when the mayor posted SSNs and other confidential information on a public website linked to his Twitter account); Sutter Health (6,000 former and current employees jeopardized when a computer repair shop found their records on an old laptop that had been resold); and AARP (personal information of an undisclosed number of employees unaccounted for when a laptop was stolen from the home of an employee).

 

Growing Role of Organized Crime in Data Breaches

Verizon's 2009 Data Breach Investigations Report, which analyzed some 90 data breaches reported in 2008 involving roughly 285 million records, concluded that malicious or careless company insiders are no longer the prime cause of data breaches.  Instead, organized criminal groups now appear to be the major threat companies face in trying to secure sensitive personal information, with 91% of the records breached traceable to such groups.  The report also found that 94% of breaches (and 99.9% of pilfered records) were attributed to online assets, including servers and applications, as opposed to user systems, offline storage or data in transit.  In a major disconnect with these Verizon findings, a separate survey by NetWitness found that only 18% of Chief Information Security Officers view external threats as their major concern, focusing instead upon risks posed by insiders.

 

Social Networking Sites Subject to EU Data Protection Law

The Article 29 Working Party, an advisory body to the European Commission, has issued a 13-page opinion on social networking sites that says the operators of the sites, as data controllers, are subject to European data protection laws no matter where their headquarters are located and are responsible for the privacy of their users.  Users of such sites are also data controllers if they are acting on behalf of a company or association, or in pursuit of commercial, political or charitable goals.  The opinion puts to rest the argument that those offering social networking sites are merely data processors and therefore not subject to the Data Protection Directive.

 

British Standard on Data Protection Published

The British Standards Institution (BSI) issued a standard, BS 10012:2009, whose objective is to enable organisations to put in place a personal information management system (PIMS) that conforms to best practice and aids compliance with data protection law.  The standard requires issuance of a policy listing commitments in 15 areas, with an emphasis upon shaping the organizational culture, audits and continuous improvement.

 

Federal Data Protection Law Progresses in Mexico

Representatives of the Mexican government, speaking at the Ottawa meeting of the Tri-Lateral Committee on Transborder Data Flows, described amendments to the Mexican Constitution that recognize a fundamental right of personal data protection and give the Federal Congress the power to enact a federal law that would apply to the private sector.  A new bill was agreed upon by private sector and public sector representatives and is expected to be passed in the new session of the Chamber of Deputies, which begins in September.

 

May 2009

NIST Backs Overhaul of 1974 Privacy Act

The Information Security and Privacy Advisory Board of the National Institute of Standards and Technology (NIST) issued a report calling upon Congress to amend and update the 35-year-old federal privacy law governing the public sector.  The 40-page report cited the need to improve federal privacy notices; clearly cover commercial data sources; expand the definition of "system of records" to encompass relational and distributed systems based on the government's use of records, not just its possession of them; and create a federal Chief Privacy Officer within OMB.

 

Ten More HR Data Breaches

Breaches of HR data were reported in May by the following ten organizations:  Godwin Pumps of America (stolen laptop with data on 180 employees); Catalent Pharma Solutions (personal data of 2,656 employees exposed when a laptop was stolen from a vehicle in New Jersey); United Food and Commercial Workers Union (at least 19,000 members of Oregon's largest private-sector union, and 28,000 members in Alberta, jeopardized by a laptop stolen from the union's New York office); Continental Airlines (a second laptop stolen this year, impacting an undisclosed number of employees); Pfizer (once again in the news when an undisclosed number of individuals were impacted by a backup hard drive being thrown into the trash); Toledo Naval Recruiting Office (thousands of records relating to recruits discarded in a dumpster without proper shredding); New Jersey Department of Labor and Workforce Development (28,000 unemployed residents notified that their personal data was sent to the wrong employer because of a clerical error); Indiana Department of Workforce Development (SSNs of 4,500 unemployed residents sent to the wrong companies because of a printing error by Pitney Bowes Management Services); Boston-based Health Dialog Services Corporation (an undisclosed number of employees impacted by hacking of the corporate network); and Aetna (65,000 employees notified of a breach of a website that also contained contact information for 450,000 job applicants).

 

Proposal for New International Standard Moves Forward

Progress was reported on the development of a new international standard for the protection of personal information.  The standard, developed over the last year under the auspices of the Spanish Data Protection Agency, is expected to be approved at the November Conference of Data Protection and Privacy Commissioners in Madrid and then submitted to the United Nations as the basis for a treaty.

 

French Pass Law to Speed Data Transfer Approvals

According to DataGuidance News, a law was enacted in France to simplify the procedures of the French Data Protection Authority (CNIL) by giving the power to approve international data transfers to the President of the CNIL.  Previously, the CNIL Assembly as a whole had to approve each transfer application, a process typically requiring two to four months of waiting time.  France is one of the few EU member states to require such advance authorizations.

 

Online Personal Health Records to Remain in Canada

Within the next 8-12 months Canadians will be able to keep their health records and manage doctor's appointments and prescriptions online, through a partnership between Telus Health Solutions and Microsoft.  Microsoft has promised that the records will be stored on Canadian computers and remain within the country.  Canada Health Infoway, a government-funded organization pushing for an electronic health record system, and Ann Cavoukian, the Privacy Commissioner of Ontario, expressed support for the offering, which will be known as the Telus Health Service.  Telus plans to make the service available to governments, health regions, hospitals, insurers and employers.

 

Forrester and Chambers Urge Heightened Scrutiny of Cloud Security

Forrester issued a report entitled "How secure is your cloud?", pointing out that, unlike in traditional outsourcing relationships, companies using cloud computing applications share servers with other customers and may not know where their data is stored or how it is replicated.  According to the report, the lack of visibility and control needs to be compensated for by increased scrutiny of how the vendor protects data at rest and in motion; the vendor's documentation available to auditors; authentication and access control procedures; and whether the vendor has proper data segregation and data leak prevention measures.  Separately, John Chambers, the Chairman of Cisco and a big supporter of cloud computing, conceded that it currently is a "security nightmare."

 

April 2009

FTC Issues Draft Breach Notification Regulations

The FTC released proposed data breach notification regulations for personal health records, as called for in the HITECH Act.  The regulations, open for public comment until June 1, 2009, are the first set of breach notification requirements at the federal level in the US.  Furthermore, they will greatly expand the number of companies subject to notification requirements.  The extent to which any health-related records that an employer may maintain in electronic form will fall under the coverage of the regulations remains to be determined.  The FTC's hard-line approach to enforcement is likely to come as a shock to the healthcare industry, according to Pam Dixon of the World Privacy Forum.

 

Eight HR Data Breaches in April

HR data breaches blossomed in April, with data losses reported by the University of Washington (SSNs of 6,000 employees exposed through a security lapse in two parking-management servers); the State of Maryland (8,000 employees impacted when information about their participation in health savings accounts was lost in the mail); the State of Illinois (170 employees notified that their SSNs and names were exposed through inappropriate use of P2P software to download music by a staff member of the Department on Aging); Irving TX School District (3,400 employees exposed, and some victimized, when confidential records were placed in a dumpster); New Orleans public schools (personnel records left in an abandoned, unlocked warehouse owned by the school system); Fujitsu Consulting (data of over 3,000 employees of Travelers and other clients lost by an overnight courier service); Fox Entertainment (data of an undisclosed number of employees misappropriated by a benefits department employee who was arrested and fired); and FairPoint Communications (a portable storage device with personal data of 4,200 employees reported missing).

 

DHS Privacy Office in Forefront on Use of Social Media

The Homeland Security Department’s privacy office will hold a conference to explore privacy and security issues in the use of social media by government agencies. The “Government 2.0: Privacy and Best Practices” conference, to be held June 22-23 in Washington DC, is open to the public.

 

Corporate Spying Scandals Continue to Mount in Germany

Scandals over corporate spying on employees continue to roil public opinion in Germany.  The head of Lidl, the German-based discount chain that operates in every EU member state as well as in the US and Canada, was fired and the company fined some $2 million, following revelations in March that it used private detectives to spy on its employees.  Compounding the privacy law violations, documents found in a dumpster contributed to the unearthing of the covert surveillance scheme.  Another major German company, Airbus, also admitted spying on its own workers between 2005 and 2007, without the knowledge of its works council, in an effort to prevent corruption.  Along with recent similar privacy abuses by Deutsche Telekom and Deutsche Bahn, pressure continues to ratchet up for new employee privacy legislation at the national level.  According to Privacy Laws & Business, a new bill or set of guidelines is expected to be promulgated before the Parliamentary elections this fall.

 

NIST Issues Password Management Guidance

The National Institute of Standards and Technology (NIST) announced the publication of a draft Guide to Enterprise Password Management, released for public comment until May 29, 2009. The guide, SP 800-118, is intended to help organizations understand and mitigate common threats against character-based passwords, focusing on topics such as defining password policy requirements and selecting centralized and local password management solutions.

 

Privacy-information Services: The Free, the Cheap and the Pricey

Computerworld published a valuable summary of privacy information services, designed to help track and explain the expanding universe of privacy news, developments, regulations and laws.  The survey, prepared by Jay Cline, covers free websites, newsletters and news feeds; fee-based periodicals; and fee-based databases.

 

March 2009

Behavioral Targeting Moves to Center Stage

Behavioral targeting, the practice of tailoring ads to web users by tracking their online activities, made headlines around the world in March.  As Google began serving up what it called “interest-based ads”, privacy advocates in the US called upon the FTC to stop the practice, several congressmen promised legislation that would require opt-in consent and the head of consumer affairs for the European Union threatened a crack-down on what she termed the “World Wild West.”  Technical responses also emerged:  a Harvard University fellow released a browser plug-in called TACO that will block the targeting; Microsoft released Internet Explorer 8, which facilitates opt-outs on a per-session basis; and a University of Pennsylvania professor urged creation of a tracking icon that would accompany targeted ads. 

 

Most March HR Data Breaches in Public Sector

Seven breaches of HR data in the public sector, as well as two in the private sector, were reported in March:  New York Police Department (80,000 active and retired officers impacted by the theft of a backup tape by the department's civilian telecommunications director); Sonoma County Sheriff's Department (1,000 employees at risk when thieves stole four laptops from police cars in Santa Rosa, CA); Idaho National Laboratory (a disc containing records of 59,000 current and former employees of the Dept. of Energy facility went astray during shipping by UPS); Penn State Office of Physical Plant (SSNs of 1,000 employees exposed by a virus that infiltrated an administrative computer); Central Ohio Transit Authority (personal data of 900 current and former employees accidentally sent to dozens of insurance companies that were bidding for work with the agency); Elk Grove Unified School District (a paper document with SSNs of more than 500 employees lost by an employee); Kentucky Retirement Systems (personal data of 28,000 state retirees e-mailed without encryption by Walgreens Health Initiatives, the state's pharmacy benefits manager); Kaiser Permanente (29,500 workers impacted by the theft of a computer from the offices of a union); and Xcel Energy (an e-mail containing SSNs of an undisclosed number of employees distributed internally to parties not needing them).

 

PHR Vendors Slow to Embrace ARRA Requirements

Although David Blumenthal, President Obama’s choice to be the national coordinator for health information technology, believes that Congress intended the 2009 stimulus bill to subject personal health-record (PHR) systems developed by Microsoft and Google to federal privacy and security laws, the vendors themselves do not agree.  Google stated that the American Recovery and Reinvestment Act (ARRA) will not bring its PHR services under HIPAA, while Microsoft, the Mayo Clinic and the Cleveland Clinic said they were still studying the issue.  

 

Google Security Questioned

The security of Google Docs came under fire in March as the company admitted that a glitch in its software caused some documents to be accessible without proper permission and a security analyst subsequently said he found three flaws that could expose private data in other ways.  The Electronic Privacy Information Center (EPIC) urged the FTC to investigate the security of all of Google’s cloud computing apps and to enjoin Google from offering them until they have been found to protect data in a satisfactory manner.

 

Worker Blacklist Scandal in UK

A major privacy scandal affecting the private sector broke in the UK, where the Information Commissioner launched an investigation into, and then shut down, a secret database that blacklisted construction industry workers who raised safety concerns or had links to unions.  Forty of the top construction firms in the UK were reported to be paid subscribers to the database.

 

EC Issues Guide to Data Protection Compliance

The European Commission published a useful 54-page set of questions and answers, including a flowchart, to help companies understand their obligations when sending personal data abroad and the means they may use to meet these obligations.

 

February 2009

Major Changes Coming in HIPAA Requirements

Congress passed an economic stimulus bill containing significantly expanded federal protections for health information and electronic medical records.  The new law, which imposes more stringent HIPAA requirements on health plans, received across-the-board praise from privacy advocates.

 

Massachusetts Delays Data Security Regs Until 2010

For the second time, the Massachusetts Office of Consumer Affairs and Business Regulation delayed the implementation deadline for its comprehensive information security requirements, this time from May 1, 2009 to January 1, 2010.  In addition, a revised version of the regulations was issued which softened the requirements relating to third party vendors and eliminated the need to obtain written certifications of compliance from them.

 

Report Explores Privacy Issues in Cloud Computing

The World Privacy Forum, a San Diego-based privacy think tank, released a 26-page report prepared by Robert Gellman entitled "Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing".  While the privacy issues involved in software as a service (SaaS), cloud computing and other Web 2.0 applications are increasingly discussed at conferences and in the media, this is the first in-depth examination of the privacy and security questions that need to be addressed before embracing externally-run Internet applications.  Separately, the National Institute of Standards and Technology (NIST) is preparing guidelines for federal agencies concerning the use of cloud computing applications; the guidelines are expected later this year.

 

HR Data Breaches Keep on Coming

Seven HR data breaches were reported in February, including the FAA (a hacker was able to locate two files that had been used in system testing and then forgotten about, containing personal data of 45,000 employees); federal agencies such as the Dept. of Defense, the Dept. of Homeland Security and the National Guard, where employees were caught up in the breach reported last month at SRA International; Kaiser Permanente (29,500 employees impacted by the theft of a laptop from the office of an employee union); Parkland Memorial Hospital (personal data of 9,300 employees of the Dallas hospital exposed on a stolen laptop); Arkansas Department of Information Services (data from 12 years of criminal background checks, on 807,000 individuals, unaccounted for by virtue of a missing backup tape); JetAviation Direct (2,227 employees at risk because of a stolen laptop); and Steamboat Springs School District (SSNs and other data on 1,300 employees of the Colorado school district exposed when a laptop was stolen).

 

Germany Rocked by Spying on Employees Scandal

In response to a major scandal relating to spying on employees by Deutsche Bahn, the national railroad, the German government convened a meeting of top government, union and industry representatives to discuss the need for new workplace privacy legislation.  The CEO of Deutsche Bahn is under intense pressure to resign, following revelations that the company utilized private investigators to covertly examine the bank accounts of nearly all its 220,000 employees over an eight-year period in an attempt to root out corruption.  The snooping scandal follows others at Deutsche Telekom and several supermarket chains.  The government was previously reported to be advancing a new data breach notification law as well.

 

Canada Launches Certification Service for EHR Vendors

Infoway, a Toronto-based non-profit organization funded by the Canadian government to accelerate the adoption of electronic health records, has launched a new certification service for vendors who create consumer e-health applications, such as Microsoft HealthVault and Google Health.  When applying for certification, a vendor will need to fill out a self-assessment form on how well their product meets Infoway’s standards, provide an overview of their privacy policy and demonstrate very specific test scripts through their applications.  The certification effort parallels one in the US by the Certification Commission for Healthcare Information Technology (CCHIT).

 

January 2009

2009 Begins with Ten Breaches of HR Data

The job site Monster announced its third major breach in as many years, with millions of job seekers impacted as hackers stole user names, passwords, telephone numbers, e-mail addresses, demographic data, birth dates, gender and ethnicity data.  Other breaches included the City of Madison (WI) (data on 300-500 city employees lost on a laptop stolen from a city office, but later recovered); Merrill Lynch (an undisclosed number of employees and applicants impacted by a burglary experienced by a third party consulting service); Pepsi Bottling Group (payroll data of US employees lost after being downloaded to a portable storage device during an audit); State of Indiana (SSNs of 8,775 current and former state employees accidentally posted on the Internet); Continental Airlines (background check information on 230 employees, vendors and applicants exposed when a laptop was stolen from a company office in Newark); SRA International (hacking of SRA network exposed the personal data of all current and former employees, customers, and dependents of employees); the World Bank (names and bank account numbers of an unknown number of employees accidentally posted on the Internet); Occidental Petroleum (spreadsheet of personal data of an undisclosed number of former employees e-mailed to the personal e-mail account of a former employee); and Beaumont City (TX) (personal data of 500 current and former employees accidentally posted online).

 

NIST Issues New Draft Standard on Protecting PII

The National Institute of Standards and Technology (NIST) announced the release of a draft “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)” for public comment.  The 58-page guide provides many insights into how to determine confidentiality impact levels and craft protective measures appropriate to those levels.

 

BSI Publishes Draft Data Protection Standard

BSI British Standards published a draft data protection standard which it hopes will become a national standard for how public and private sector organizations can manage personal information in a manner compliant with the Data Protection Act 1998.  The standard, BS 10012, describes how an organization can create and manage a Personal Information Management System (PIMS) to achieve this end.  Public comment on the draft standard is invited until March 31, 2009; comments already submitted can be viewed online.

 

Canadian Privacy Commissioner Issues Transborder Guidelines

The Office of the Privacy Commissioner of Canada published “Guidelines for Processing Personal Data Across Borders”, explaining how federal privacy law (PIPEDA) applies to transfers of personal information to third parties, some of whom may be operating outside of Canada.  The 10-page guidelines stress that organizations remain accountable for data transferred out of Canada and must use contractual or other means to “provide a comparable level of protection while the information is being processed by the third party.”

 

Personality Tests Undermined by Availability of Cheat Sheets

As candidates compete for a dwindling supply of retail jobs, those facing employers who use personality assessments in the screening process are finding ways to identify the answers that will get them in the door.  According to the Wall Street Journal, applicants for jobs with companies such as Best Buy, CVS Caremark, and Blockbuster can find the “right” answer through help from friends or by Internet searches. For example, those taking a popular Unicru test provided by Kronos can find job-winning answers in a “Workers and Employers Against Unicru” group on Facebook; a page on correct Unicru answers also was posted on Wikipedia until removed by editors.

 

December 2008

HHS Issues New Privacy Guidelines for EHRs

The Department of Health and Human Services released new privacy guidelines designed to establish a single, consistent approach to defining the roles of individuals and the responsibilities of those who hold and exchange electronic health records (EHRs), regardless of the legal framework that may apply to a particular organization.  The eight privacy principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information include patient access; correction of records; openness and transparency; patient choice; limitations to the collection, use, and disclosure of personal health information; data integrity; safeguards; and accountability.  HHS also published a privacy and security toolkit and an extremely innovative facts-at-a-glance sample privacy notice.

 

Employers Face Challenges with Social Networking

During an interview on the need to include privacy as one component of a larger information governance strategy, GE’s CPO, Nuala O'Connor Kelly, noted that some 13,000 GE employees have self-identified on Facebook as GE employees, sometimes using their GE e-mail address and putting up GE logos to create discussion groups.  The legal and organizational challenges posed by such activities were underscored by three separate reports, the first being that Salesforce.com has found a novel way to help companies recruit using Facebook.  With an employee’s permission, companies can run Salesforce.com software that scans the profiles of an employee’s Facebook friends in search of the right candidate for an open position.  The second source of concern relates to Facebook’s newly announced Connect feature, which raises questions as to what user information will be shared with other websites as a result of Connect’s single sign-on functionality.  The third relates to potential violations of HIPAA by an OB/GYN nurse in Pennsylvania who complained about patients on her MySpace page.

 

Cobbler’s Children Once Again Go without Shoes

Two firms that offer data security products, HP and Symantec, each reported breaches of employee data in December, along with six other organizations:  HP (at least several thousand employee records exposed on a laptop stolen from an HP employee in the Houston area); Symantec (100 employees or fewer impacted by the theft of a laptop from an employee’s home); the Library of Congress (at least 10 employees victimized by the theft and misuse of their identities by a staff member of the Library’s HR department); the DC public schools (65 job applicants and employees similarly victimized by a program support specialist employed by the school system); Florida Agency for Workforce Innovation (sensitive information of 250,000 job seekers who sought state help exposed to Internet searchers by a breach in computer security); the University of North Carolina at Greensboro (2,700 employees jeopardized by use of a virus-infected computer to process payroll); North Pacific Group (information on 2,249 employees exposed by the theft of several laptops and other computer equipment); and Lehigh Hanson (payroll files on an undisclosed number of employees accidentally placed on the Internet).

 

FTC to Co-Sponsor International Data Security Conference

The FTC, in conjunction with the Asia-Pacific Economic Cooperation (APEC) forum and the Organisation for Economic Co-operation and Development (OECD), will host a two-day international conference: “Securing Personal Data in the Global Economy.” The conference, which will address how companies can manage personal data security issues in a global information environment where data can be stored and accessed from multiple jurisdictions, will be held in Washington DC on March 16-17, 2009.  As with recent government-sponsored privacy conferences in Europe, the conference will be webcast.

 

Switzerland Accepts US-EU Safe Harbor Framework

Switzerland’s Federal Data Protection Commissioner signed an agreement with the US establishing a US-Swiss Safe Harbor Framework.  Benefits for companies in Switzerland are that they no longer need to prepare model contracts for transferring personal data to the US nor submit the contracts to the Federal Data Protection Commissioner for review.  According to a report in Privacy Laws & Business, it is uncertain when the framework will enter into effect.

 

November 2008

Massachusetts's Data Security Law Delayed

The deadline for compliance with Massachusetts’s comprehensive information security requirements, originally scheduled for January 1, 2009, has been postponed until May 1, 2009; the requirement for obtaining written certifications of compliance from third-party vendors has been put off to January 1, 2010.  According to a press release issued by the state, the implementation deadline was extended “in light of intervening economic circumstances… to provide flexibility to businesses that may be experiencing financial challenges brought on by national and international economic conditions.”

 

Employee Snooping Back in News

Employee snooping was back in the news in November, with reports that Verizon fired a number of workers for inappropriately accessing the cell phone records of President-Elect Obama.  Earlier in the year State Department workers and contractors were sacked for looking at Obama’s passport records.  Separately, a hospital in Little Rock fired six employees for snooping into the medical records of a local TV station anchorwoman, following a routine patient-privacy audit.  A common theme in all the snooping cases is employees enjoying greater access to information than called for by their responsibilities.

 

Starbucks Not the Only Employer Spilling the Beans

Seven HR data breaches were reported in November, including Starbucks (97,000 employees put at risk because of a stolen laptop); Lenscrafters (information on 59,000 employees exposed through a mainframe breach); the Veterans Administration (sensitive data of 1,600 veterans inadvertently posted on the Internet); the University of Missouri (41,000 employees and retirees in jeopardy in connection with an extortion threat made against Express Scripts, a company that manages prescription benefits for millions of employees); Maryland Department of the Environment (data on 1,367 former employees exposed when two laptops were stolen); Sinclair Community College (Ohio) (names and SSNs of 1,000 employees accidentally posted for a year on the Internet); and the Seattle School District (personal information of 5,000 employees unintentionally released to a local union representing some workers).

 

Bermuda Preparing EU-Style Privacy Law

The government of Bermuda announced that it was preparing legislation that would bring it into conformance with European standards for protecting personal information.  Bermuda would become the second Caribbean nation, after The Bahamas, to enact EU-style data protection legislation.

 

Employee Firing for Blog Comments Upheld

An arbitrator upheld the firing of a public service employee in Alberta over inappropriate comments about her supervisor and co-workers in a blog.  In upholding the dismissal in Alberta v. Alberta Union of Provincial Employees the arbitrator noted “that a blog is a form of public expression is, or ought to be, self-evident” and held that the employee, by “expressing contempt for her managers, ridiculing her co-workers, and denigrating administrative processes, engaged in serious misconduct that irreparably severed the employment relationship.”

 

October 2008

Six HR Data Breaches, Six Different Causes

A half-dozen HR data breaches were reported in October, each illustrative of a different way in which sensitive personal information can be compromised:  the City of Fresno (5,700 employees impacted by a break-in and theft of computer equipment from a vendor processing workers compensation claims); City of Charleston (information on 535 Administration Department employees exposed when a laptop was stolen from an auditor’s vehicle); Shell Oil (an undisclosed number of employees jeopardized by an IT contractor who used stolen data to file fake unemployment claims); Medical Mutual of Ohio (11 computer disks with information on 36,000 employees and retirees missing in the mail); NYS Labor Department (personal data of 400 applicants for unemployment insurance mistakenly mailed to other applicants); and PSS World Medical (an undisclosed number of job applicants impacted by unauthorized access to private information associated with an online job board).

 

Mutual Recognition Pact May Speed BCR Approvals

The data protection authorities of nine EU member states have agreed to give mutual recognition to the approval any one of them gives to Binding Corporate Rules submitted by a company.  The countries involved are France, Germany, Ireland, Italy, Latvia, Luxembourg, the Netherlands, Spain and the UK.  The step is designed to speed the process of securing approvals from multiple DPAs, which currently takes years to achieve.  An early test may come in the next few months, with Sanofi-Aventis's BCR application to the CNIL.

 

European Privacy Conferences Available Online

Streaming webcasts of the complete programs of two major privacy conferences held in Europe in October are available online, including the 30th International Conference of Data Protection and Privacy Commissioners, held in Strasbourg, and the European Commission’s Workshop on International Transfers of Personal Data, held in Brussels.

 

More Funding, Powers for UK DPA

The Office of the Information Commissioner of the UK will get an extra £6 million and added powers, including the power to conduct data security spot checks and to fine companies for violations of the Data Protection Act.  The strengthening of oversight powers, expected before the end of 2008, comes amidst a steady and ongoing drumbeat of well-publicized public and private sector data breaches (277 within the past year).

 

Uruguay Enacts Comprehensive Data Protection Law

A comprehensive data protection law, modeled upon those in Europe, went into effect in Uruguay in August.  According to a report in a Privacy Laws and Business newsletter, the law contains a full set of data protection principles including consent, notices, special provisions for sensitive data, limitations on certain transfers of personal data and a provision banning the transfer of personal data to destinations lacking adequacy. The law also calls for establishment of a Regulatory and Personal Data Control Unit, expected to come into existence in 2010.

 

September 2008

Massachusetts Mandates Rigorous Data Security Program

The Massachusetts Office of Consumer Affairs and Business Regulation issued regulations, effective January 1, 2009, that require businesses to develop and implement a comprehensive, written information security program for handling ID theft-related personal information in either paper or electronic form.  The security program must contain more than a dozen components that collectively are more rigorous than those normally imposed by the FTC in its enforcement actions, including:  designation of responsible individuals; risk assessments; security policies; employee training; disciplinary sanctions; personal information inventories; passage of security program requirements on to vendors; documentation of breach-related activities and responses; and encryption of personal information on portable devices and in transmission.  The regulations, promulgated on September 22, were authorized by a data breach law passed in August 2007.

 

Financial Crisis May Spur More Regulation of Privacy

The disastrous failure of government oversight of Wall Street companies and mortgage lenders may mark the end of a 30-year period of belief in limited government intervention in the marketplace.  Should the pendulum of public opinion swing back towards greater regulation, stronger laws for protecting privacy, as opposed to the prevailing emphasis on industry self-regulation, may be one outcome.

 

Google Remains in Art 29 WP Crosshairs

The Article 29 Working Party announced that it will hold hearings with Google over the company’s claim that European data protection laws do not apply to it, even though it has offices and servers in Europe and collects personal data from Europeans.  The Working Party, while praising Google’s decision to reduce the time it stores results of web searches from 18 to 9 months as a step in the right direction, pressed for a six-month period and criticized what it said were inadequate anonymization routines.  Google also came under fire in South Korea for exposing sensitive ID numbers of thousands of Koreans and in the US for privacy lapses in Chrome, its new Internet browser.

 

HR Data Breaches Slow in September

September was a relatively quiet month for HR data breaches, with losses reported by Intuit (22,000 employees impacted by a previously reported break-in at an HR outsourcing vendor, Colt Express, that also affected 19 other companies); Orbitz Worldwide (loss of an undisclosed number of employees’ information on a laptop stolen from a car); and U.S. Foodservice (a significant but undisclosed expansion in the number of employees impacted by a previously reported laptop theft).

 

Who is Guarding the Guardians?

A new Cyber-Ark Software survey of 300 IT security professionals reveals that 88 percent of IT administrators, if laid off tomorrow, would take valuable and sensitive company information with them, including the CEO's passwords, customer databases, R&D plans, financial reports, M&A plans, and the company's list of privileged passwords.

 

August 2008

DOJ Backtracks on Attorney-Client Privilege

In a major advance in corporate privacy, the Justice Department announced it would no longer pressure companies to waive attorney-client privilege and not pay the legal fees of employees accused of crimes.  The announcement came on the same day as a federal court ruling dismissing charges against 13 employees in the KPMG tax fraud case, in which the government used these tactics.  Under the new policy, the Department will evaluate corporate cooperation based upon information provided by a company, rather than whether it was willing to waive attorney-client privilege.

 

Laptop Seizures Gaining Attention of Lawmakers

Pressure mounted against seizures of laptops at border crossings following the Dept. of Homeland Security’s release of policy guidelines governing such actions.  The government is claiming expansive powers to randomly search laptops, decrypt and translate any information on the machine, and even retain the laptop for an indeterminate amount of time. Several legislators have said they will introduce bills prohibiting such open-ended, suspicion-less searches when Congress returns after its summer recess.  The Canada Border Services Agency was reported to be following a similar policy at its border crossings.

 

Only Four HR Data Breaches in August

Following the record-setting 11 data breaches reported by employers in July, only four were noted in August, by Charter Communications (a dozen laptops containing detailed personal information on 9,000 current and former workers nationwide stolen from a South Carolina office); Delphi (a flash drive with SSNs and other personal data about 2,600 former Dayton-area workers removed from the unattended laptop of a state employee); Ohio Police & Fire Pension Fund (data of 13,000 retirees improperly taken by a former fund employee); and the US Army (data of 50,000 noncommissioned officers on promotion lists compromised by inadvertent posting on the Internet).

 

Russia Establishes DPA, Website and Registration

Two years after Russia enacted a comprehensive data protection law, implementation efforts are finally reported to be underway.  The Federal Service for Oversight of Mass Media, Communications and Protection of Cultural Heritage, the agency emerging as responsible for overseeing compliance with the law, has launched a website and begun registering data controllers.  Although there are a number of exemptions to the registration requirement, more than 11,500 businesses have registered to date, with 300 signing up during the last week of July alone.

 

ALRC Issues Massive Report on Privacy Law Changes

The Australian Law Reform Commission released its final report on its multi-year review of Australian privacy laws.  The 2,700-page report contains some 295 recommendations, including removal of exemptions for employee records and small businesses, institution of a statutory cause of action for privacy invasions, a mandatory data breach notification requirement and tighter controls on cross-border data transfers.  Observers expect a year or more to pass before any of the recommendations are adopted and enacted into law.

 

July 2008

Privacy Certification Coming for Personal Health Records

The Certification Commission for Healthcare Information Technology (CCHIT) launched an industry working group in June that will create a certification plan to protect the privacy of consumers who use personal health record (PHR) technologies.  CCHIT, which hopes to begin certifying personal health record providers and services in July 2009, has adopted a “big tent” definition of PHRs as any product or service that performs either or both of the following activities: (1) collecting, receiving, storing, or using personal health information (PHI) as part of a consumer data stream or PHR services; and (2) transmitting or disclosing to a third party any PHI gathered through or derived from a consumer data stream or PHR services.

 

Eleven HR Data Breaches in July

July was a banner month for HR data breaches, with reports of data losses from 11 employers: Google (all pre-2006 employees exposed to ID theft when thieves stole computer equipment from the offices of a former vendor, Colt Express Outsourcing Services); Bristol-Myers (an undisclosed number of employees impacted by a stolen back-up tape); Baxter International (personal data of 6,900 employees exposed when an HR staff member’s laptop was stolen from a Chicago hotel room); Computer Associates (973 employees and dependents also affected by the Colt Express break-in); Huron Consulting Group (an undisclosed number of employees warned of the theft of payroll information by a fired employee); US Army - Fort Lewis, WA (personal information of 700 soldiers lost when a laptop was stolen from an Army employee’s truck); Washington DC Transit Authority (accidental publishing of SSNs of 4,700 employees on a website); Missouri National Guard (personal data of 2,000 soldiers at risk from a breach of an undisclosed nature); Anheuser-Busch (theft of laptops during the burglary of a company office in St. Louis); California Dept. of Consumer Affairs (5,000 employees jeopardized by the unauthorized download of their data by a personnel specialist on her last day of work); and Hillsborough Community College, FL (sensitive information of 2,000 employees exposed when a programmer’s laptop was stolen).

 

CNIL Audits Employment Sector

CNIL, the French data protection authority, announced in late June that it had carried out audits of the human resources function of 50 unnamed French companies, with the audits leading in several cases to enforcement actions. The most frequent problems the CNIL encountered were failure to inform employees about their data protection rights; failure to adequately protect employee personal data, particularly in cross-border data transfers; and the absence of policies for the disposal of data.  CNIL also reported that anonymous whistleblower hotlines required by SOX are rarely used by French employees, and that many employers failed to notify the CNIL before putting them in place.  Over the past several years the CNIL, under the leadership of Alex Türk, who also chairs the influential Article 29 Working Party, has emerged as one of the most vigorous data protection regulators in Europe.

 

Top Canadian Court:  Attorney-Client Privilege Trumps Privacy

The Supreme Court of Canada issued a unanimous ruling in the Blood Tribe case that attorney-client privilege supersedes the power of the Federal Privacy Commissioner to compel the disclosure of personal information when investigating possible breaches of PIPEDA.

 

DOC Issues Safe Harbor Certification Mark

The Commerce Department has developed a certification mark for use by participants in the US-EU Safe Harbor program. The mark, now illustrated on the Safe Harbor website, may be used by companies to signify that they have self-certified compliance with the provisions of the Safe Harbor Framework.  Suitable locations in which to use the mark include a corporate website’s online privacy policy, the main page of HR portals used by both US and European employees, and an online applicant privacy policy.

 

June 2008

Outsourcing of Communications Creates Right to Privacy

In a major decision, the Ninth Circuit Court of Appeals ruled that employers need either a court warrant or consent to read the e-mail or text messages of employees when they contract with outside entities to provide such services.  The ruling stemmed from a lawsuit by Ontario, CA Police Sgt. Jeff Quon and three others against the city's service provider and the city and Police Department for violating the 4th Amendment prohibition against unreasonable search and seizure.  An estimated 28% of employers use outside vendors to host e-mail and text-messaging services.

 

Tech and Health Care Firms Announce PHR Privacy Guidelines

Google, Microsoft, Cisco Systems, Intuit, Aetna, Blue Cross Blue Shield and 25 other organizations announced support for a privacy guideline framework for protecting the data people keep in their online personal health records (PHRs).  The privacy framework, hundreds of pages in length, is the outcome of a Markle Foundation initiative that supported an industry working group over the past 18 months.  The guidelines, known as the Common Framework, are based upon the idea that information in a PHR should be under the control of the individual.  They consist of a set of 17 mutually reinforcing technical documents and specifications, testing interfaces, code, privacy and security policies, and model contract language. About 9 in 10 Americans call privacy-related factors essential or significant to their use of an online PHR, according to a recent Markle survey.

 

Connecticut Mandates Employee Data Protection Policy

In response to a series of massive security breaches, Connecticut became the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee SSNs. The new law, An Act Concerning the Confidentiality of Social Security Numbers, effective October 1, 2008, also imposes a statutory obligation to safeguard, and properly dispose of, personal information.  For purposes of the law, personal information is defined broadly as any "information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number."

 

And the Beat Goes On

The familiar drumbeat of HR data breaches continued in June, with reports of losses by six employers:  AT&T (a laptop containing unencrypted payroll data for an undisclosed number of managers was stolen from an employee’s car); Stanford University (a stolen laptop impacting 72,000 current and former employees); CNET (more than 6,500 employees and relatives exposed to ID theft after burglars stole computer systems from the offices of a vendor, Colt Express Outsourcing Services); California State Department of Consumer Affairs (5,000 employees, contractors and board members warned of a security breach when a Word document was improperly transmitted); Dickson County (TN) Board of Education (sensitive personal data of 850 employees lost when a laptop computer was stolen from the office of the district school superintendent); and the New Mexico Department of Workforce Solutions (four boxes of manila folders with documents containing names and SSNs found in a trash bin behind the Roswell office).

 

Article 29 WP Encourages Use of BCRs

The Article 29 Working Party continued its effort to support and encourage corporate use of binding corporate rules at its June plenary session, announcing creation of a BCR toolkit and working to streamline the approval process.  During a special meeting on BCRs convened earlier in the month in Paris by Alex Türk, who heads up both the CNIL and the Working Party, data protection authorities in attendance agreed that although Safe Harbor and model contracts are also available, BCRs are the best compliance option available to global companies.

 

May 2008

New Genetic Information Law Poses Challenges

President Bush signed House Bill 493, the Genetic Information Nondiscrimination Act, into law on May 21. The bill, which prohibits employers and insurers from discrimination on the basis of genetic information, contains some surprises and challenges for employers.  Genetic information is defined broadly, to include not only the results of genetic testing but also information about “the manifestation of a disease or disorder in family members”, such as that found in family medical histories of the employee or of the employee’s spouse or dependents.  The law does not become effective until November 21, 2009.

 

Facebook: Coming Soon to an Employee Portal Near You?

As some corporations, such as Dell, begin to utilize Facebook’s social networking software, privacy advocates and regulators continue to pressure the company to improve its privacy policies and practices. In Canada, Federal Privacy Commissioner Jennifer Stoddart said in a speech at Queen’s University that websites such as Facebook and MySpace were “the single biggest threat to the security of Canadians' personal information.” A few weeks later CIPPIC, a Canadian public policy group, filed a complaint with Commissioner Stoddart charging Facebook with 22 separate violations of a Canadian personal information protection law. In the US, Facebook reached an agreement with Attorneys General from 49 states and the District of Columbia to strengthen privacy protections for minors and teenagers using the site.

 

Google Launches Health Service in Beta Mode

Google began giving users a central place online to store their health records and then share them with health-care providers, with the beta launch of Google Health.  Individuals can go to www.google.com/health and create profiles that include information such as existing medical conditions, allergies and any medicines being taken.  They can also import medical records from US pharmacies and medical facilities that have signed on as partners, although few have so far.  With the service still a work-in-progress, concerns about privacy and security remain a big hurdle.

 

Sixth Pfizer Data Breach in a Year

Pfizer set an unwanted record when it experienced its sixth loss of employee data in a year, when a laptop and flash drive containing information on 13,000 employees were reported stolen from an employee’s car.  Other HR data breaches reported during the month included the Marine Corps Reserve Center in San Antonio (a former contractor pled guilty to unauthorized access to a computer and aggravated ID theft after being accused of selling names and SSNs of 17,000 military employees); Bearing Point Management & Technology Consultants (a laptop stolen from an employee's vehicle containing records of an undisclosed number of employees); LPL Financial (personal data on 2800 employees lost when a laptop was stolen from an employee's car); Las Cruces Public Schools, NM (a part-time computer analyst inadvertently posted personal data of 1,750 district employees on the Internet); University of Iowa (946 current and former employees impacted by improper access of a computer application); and BB&T Insurance (a laptop containing personnel data of an unknown number of Harrisonburg City (VA) Schools employees stolen from an agent’s car).

 

UK DPA Gains Power to Fine Data Breachers

Passage of the Criminal Justice and Immigration Act has given the UK Information Commissioner’s Office the power to impose substantial fines on public and private sector organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.  Observers believe the new powers, comparable to those of the Financial Services Authority, will cause the ICO to be taken far more seriously.  One legal expert, Dr. Chris Pounder, finds the authority given to the ICO to be so substantial that security breach notification legislation is no longer necessary.

 

April 2008

Congress Passes Genetic Non-Discrimination Act

After a decade of debate, both houses of Congress passed a bill designed to bar discrimination by employers and insurance companies on the basis of information obtained from genetic tests. The bill, the Genetic Information Non-Discrimination Act (GINA), was sent on to the President, who previously indicated he would sign it into law.  31 states already have laws related to genetic discrimination by employers.  The employment provisions of the bill will not apply until 18 months after enactment.  Critics of the bill, including Deborah Peel and Sue Blevins, say the law doesn’t go far enough, for example by not prohibiting disclosure of genetic information without consent.

 

No Spring Break for Employee Data Breaches

Seven breaches of employee data were reported in April:  Pfizer, in its fifth breach in 15 months, disclosed that a laptop containing records of 800 employees was stolen from the home of a contractor providing travel services; the West Seneca School District (NY) reported that information on 1,800 employees was exposed by hacking by two teenage students; the University of Toledo, which suffered a breach last month, disclosed that payroll information of 6,488 employees was accidentally posted on the university’s intranet; the Baltimore Highway Administration announced a breach of 1,800 employee records due to an inappropriate use of a shared network drive; Siemens disclosed that information on 3,542 employees was exposed when a laptop was stolen from the home of an employee; Stryker reported that its VPN had been repeatedly penetrated by an unauthorized user using an administrative password, exposing personal information of an undisclosed number of employees; and SPX disclosed that information of 403 employees was missing on a laptop stolen from a vendor, USinternetworking.

 

European Commission to Study Privacy Law Changes

The European Commission issued a contract notice in March seeking bidders for a “study on different approaches to tackle the new privacy challenges in particular in the light of development of new technologies and security issues.”  Among the objectives of the study are the identification of privacy challenges created by “globalization and ubiquity of personal data,” and a comparative analysis of the ways in which different legal systems and self-regulatory systems deal with these challenges.  The legal basis for transborder data flows is likely to receive particular attention. 

 

CNIL Fines Another Employer

CNIL, the French data protection authority, reported that it had imposed a 40,000 Euro fine on the Service Innovation Group (SIG) France, a direct marketing company, after the company was found to have included irrelevant subjective information about both permanent and temporary employees in its personnel files. SIG was also found to have failed to comply with the subject access requirements of French data protection law.

 

JAL Employees Reject $473,000 Settlement Offer

The Japanese media reported that 194 employees of Japan Air Lines (JAL) rejected an offer of 48 million Yen (about $473,000) to settle a lawsuit filed in Tokyo District Court alleging that their personal information had been collected and disclosed unlawfully without their consent. The employees claimed that some 150 items of personal information, including names, addresses, physical descriptions, medical records, and notes of “character traits” were shared with their workplace union without their consent, in violation of the 2003 Personal Information Protection Act.

 

Japan Issues Guidelines for Working with Data Processors

The Japanese Ministry of Economy, Trade and Industry (METI) released new guidelines at the end of February requiring tighter oversight of data processors and restricting the kind of data they may receive.  The guidelines have four major points:  (1) the data processor may only receive data necessary to fulfill their designated duties; (2) the data processor must employ adequate data protection measures; (3) the data processing contract must state the measures the data processor will take to protect the data; and (4) the data controller must inspect the operations of the data processor from time to time.

 

March 2008

HR Groups Support New Federal Work Eligibility Bill

A group of HR organizations, led by the Society for Human Resource Management, is backing a federal bill that would replace the E-Verify program with one based on existing state systems used to locate non-child-support-paying parents.  The New Employee Verification Act (H.R. 5515), introduced by Reps. Sam Johnson, R-Texas, Kevin Brady, R-Texas, and Paul Ryan, R-Wis, would expand the use of databases currently used by 90% of US employers and eliminate the paper-based I-9 process.  Supporters claim the new approach would help prevent ID theft and be more reliable than the E-Verify program.

 

Patriot Act Chills Acceptance of Software-as-a-Service

Companies seeking to adopt web-based Software-as-a-Service (SaaS) applications are facing opposition from abroad over government access to information in the applications via the US Patriot Act.  For example, employees at Lakehead University in Thunder Bay, Ontario have filed a grievance against the introduction of Google Gmail and other applications.  Companies with European employees will need a legal basis to transfer personal information from Europe to servers located elsewhere, before they can begin using SaaS applications.

 

Breaches of HR Data Reach Peak Levels

Nine employers reported data breaches in March:  Kraft Foods (20,000 employees impacted when a laptop was stolen from an employee who was migrating information from one computer to another as part of a systems project); MTV Networks (5,000 employees affected after an Internet connection in an employee's computer was compromised by someone outside the company); Nestle Waters North America (8,245 employees impacted by a theft of computer equipment from Systematic Automation Inc., a vendor of employee benefits statements); Presbyterian Intercommunity Hospital (CA) (5,000 employees also affected by the Systematic Automation breach); Nevada Dept of Public Safety (109 job applicants affected by the loss of a thumb drive by Crown, Stanley and Silverman, a vendor carrying out background checks); Rhode Island Dept of Administration (1,400 employees impacted by a computer disk that was missing after the relocation of an office); Broward School District (FL) (38,000 employees exposed to ID theft because of hacking by a high school senior); Agilent Technologies (51,000 employees affected when a laptop was stolen in San Francisco from a car of a vendor, Stock & Options Solutions); and Georgia Dept of Human Resources (information on an undisclosed number of current and former employees exposed when an external hard drive went missing).

 

Consultation on Use of RFID Chips in Workplace

The Privacy Commissioner of Canada opened a period of public consultation on uses of RFID technology in the workplace and issued a very informative and worthwhile 38-page consultation paper.  The paper includes a list of questions that employers are invited to provide their opinions and feedback on.  The deadline for submissions is April 30, 2008.

 

Research Shows Weak Wireless Security at Airports

Research conducted at 14 airports around the world by AirTight Networks found that less than 3% of users were protecting data on their laptops by using virtual private networks (VPNs).  Most of the networks detected at airports used by the remaining 97% of users were completely unsecured, and many of those with some protection used easily-defeated security protocols such as WEP.

 

February 2008

Electronic Health Records Taking Center Stage

Google announced a pilot project involving the creation of electronic health records (EHRs) of up to 10,000 patients of the Cleveland Clinic.  Last year Microsoft introduced a similar service called HealthVault, and AOL co-founder Steve Case is backing one called Revolution Health.  Like the other services, Google’s will allow individuals to create and manage a password-protected health profile, including information about prescriptions, allergies and medical histories.  Separately, the World Privacy Forum warned of the potential pitfalls of using these services offered by companies not subject to federal regulations on privacy and security, such as HIPAA.  These concerns were detailed in a 17-page legal and policy analysis entitled Personal Health Records: Why Many PHRs Threaten Privacy.  The Privacy Commissioner of Austria also called for public debate about EHRs, questioning whether they are really needed for most people, and arguing that current European data protection law does not provide adequate protections for EHRs.

 

Laptops Subject to Search and Seizure at US Borders

Employers may want to inform employees traveling outside the US that their laptops and other electronic devices are subject to warrantless search and seizure by customs officers when they return to the US and also develop a policy to address the issue.  This long-standing US practice gained renewed prominence in early February with the filing of a lawsuit against the Dept. of Homeland Security by the Electronic Frontier Foundation and the Asian Law Caucus, two California-based civil rights groups.  The Association of Corporate Travel Executives (ACTE), which filed an amicus brief in a related case last June, expressed concerns about potential lack of access to business records, possible significant damage to a traveler’s professional standing, and uncertainty over whether providing customs officials with an encryption key was required.

 

Stolen Computers, Vendors Dominate February Breaches

February easily qualified as Watch Out for Stolen Computers and Vendors Month, with at least six employers reporting thefts of laptops and desktops:  Towers Perrin reported the theft of five laptops from its offices in Manhattan, affecting a potentially huge but undisclosed number of its own and its clients’ employees; ADC Telecommunications notified authorities that 2,600 of its employees and retirees were impacted by the theft of a laptop owned by its benefits administrator; 4,000 marines and others stationed on Okinawa and Iwakuni were jeopardized by the theft of a laptop of a federal contractor; the Diocese of Providence (RI) reported the theft of four desktop computers containing information on 5,000 school employees; a laptop lost while an employee of Memorial Hospital in South Bend (IN) was traveling had SSNs and other information on 4,300 employees; and in California, a hard drive holding the names, addresses, birth dates and SSNs of 3,500 Modesto City Schools’ employees was reported stolen from a benefits vendor. Finally, the inadvertent posting of personal information on a company file sharing site affected an undisclosed number of employees of Lexmark International.

 

Swedish DPA Blocks Processing by Standard & Poor’s

The Swedish data protection authority refused to authorize a subsidiary of Standard & Poor’s to process employee criminal records. The subsidiary had been asked to obtain employees’ past criminal records by its US parent company so that the parent could become a member of a “Nationally Recognized Statistical Rating Organisation” (NRSRO) in the US. The Swedish DPA rejected the request on the grounds that it was not directly connected or relevant to the company’s undertaking.

 

Disk Encryption Not Always Effective

Nine computer researchers, in a paper entitled "Lest We Remember: Cold Boot Attacks on Encryption Keys", argue that encryption keys can be extracted directly from a laptop’s RAM if the device has been locked with a screen saver, left in sleep mode or just recently been turned off.  Subjecting RAM chips to simple cooling techniques can lead to their retaining data for hours or even days.

 

January 2008

Ninth Circuit Court Hands JPL Employees a Victory

A federal appeals court ruled that NASA should be blocked from conducting intensive background checks on low-risk employees at its Jet Propulsion Laboratory, saying the practice threatens workers' constitutional rights.  The government had demanded that the workers, who include scientists involved with the Mars Rover mission, fill out questionnaires on their personal lives, waive the privacy of their financial, medical and psychiatric records and permit open-ended interviews with third parties about them.  As a result of the decision, NASA will be enjoined from proceeding with the investigations while a suit brought by the workers proceeds.

 

New York Law Restricts Use of Truncated SSNs

With the passage of a new law that became effective on January 1, New York became the fifth state to restrict even the use of truncated Social Security Numbers by companies.  A total of 29 states now have laws prohibiting certain common uses of SSNs.  The New York law also requires companies to take “reasonable measures” to ensure that access to SSNs is strictly for “a legitimate or necessary purpose” and that “necessary or appropriate” safeguards are in place to protect the confidentiality of SSNs.

 

Microsoft Seeks Patent on Worker-Monitoring System

Microsoft has filed a patent application for a computer system that links workers to their computers via wireless sensors allowing managers to monitor employees’ performance by measuring their heart rate, body temperature, movement, facial expression and blood pressure.  Such systems have been used for astronauts, pilots and firefighters, but never for office workers.  While described as a tool to alert managers to the need to intervene when a worker experiences excessive stress or frustration, revelation of the patent application drew strong criticism from unions, civil rights lawyers and privacy advocates.  A separate patent application from Microsoft presents a method of collecting offline information from users' cell phones, geolocation systems, credit-card information and other data sources to build individual profiles that can facilitate "targeted advertising" when the users go online.

 

HR Data Breaches Continue in January

There was no lessening of breaches of employee data in January, with losses reported by the Workers Compensation Fund in Utah (a laptop containing information on 2,800 individuals stolen from the garage of a staff auditor); Health Net in Connecticut (5,000 employees affected by a laptop stolen from a vendor); University of Wisconsin-Madison (information of 200 employees exposed on the Internet); the Navy Surface Warfare Center (up to 10,000 employees at risk when four ID thieves were apprehended with employment verification reports); and two breaches of workers compensation systems in Newfoundland and Labrador (exposing the information of at least 1,420 claimants on the Internet via a file-sharing program).

 

Spain Issues New Data Protection Regulation

On January 19 the Spanish Data Protection Agency published a new Regulation on Data Protection (Royal Decree 1720/2007, of December 21, 2007, currently available only in Spanish).  The Regulation establishes new rules on the relationship between data controllers and data processors, on security measures and on paper files.  It also authorizes the Data Protection Agency to declare that a non-European country has an adequate level of protection for purposes of data transfers, even if that country has not been approved by the European Union.  A provision that calls for getting consent from family members could affect conflict of interest and benefits practices of employers.

 

FTC Releases Data Security Resources

The FTC has published “Protecting Personal Information: A Guide for Business”. The 28-page high-level guide, which may be most valuable to small and medium-sized businesses, promotes a data security plan built upon five key principles:  Take Stock; Scale Down; Lock It; Pitch It; and Plan Ahead.  The FTC website makes the basic content of the guide available in an online multi-media tutorial (mistakenly called “interactive”), as well as in a set of PowerPoint slides.

 

December 2007

Top Federal Panel Calls HIPAA Woefully Inadequate

A top advisory board to the US federal government on health care privacy has concluded that current laws and rules are woefully inadequate and is recommending passage of new legislation to strengthen and expand protections far beyond those provided by HIPAA.  The 40-page report by the National Committee on Vital and Health Statistics (NCVHS) could become the basis for new national policy following the 2008 election, with profound implications for employers handling medical information in any context.

 

Moody's to Rate Vendors on Information Risk

Moody's Investors Services is preparing to launch a new service providing risk/quality ratings of vendors who process information for financial services firms in 11 areas:  information security policy; organization; information classification; physical security; communications and operations management; access control; application security; incident management; business continuity; data security; and privacy.  According to an interview in the December issue of the IAPP’s Privacy Advisor, Moody’s plans to build on the experience in the financial arena to expand the rating service to vendors serving clients in other industries.

 

HR Data Breaches Resume Normal Pace

Breaches of employee data resumed their normal pace in December, with embarrassing losses by two firms that provide data security advice:  Forrester Research (a laptop stolen from a staff member’s home, affecting an undisclosed number of employees) and Deloitte & Touche (a laptop stolen from a pension advisor, affecting an unknown number of partners, principals and employees).  Other breaches were reported by the New York State Dormitory Authority (back-up tapes missing in transit, affecting 800 employees); the Greenville County (SC) School District (computer hacking, affecting hundreds of employees; DHS is investigating, as a rash of government computers have been hacked in the state); and the US Air Force (a laptop missing from Bolling Air Force Base (WA), affecting 10,500 airmen).

 

UK: Breach Firestorm and PIA Handbook

The firestorm surrounding the November HMRC data breach affecting 25 million UK citizens continues to grow, with reports of hundreds of past losses by government agencies; new breaches of the data of those applying for passports and drivers licenses; Parliamentary hearings; and mounting pressure for tougher data protection laws and C-level accountability.  Independently of this, the UK Information Commissioner released a Privacy Impact Assessment Handbook, the first by a European regulator, and Pinsent Masons, a prominent legal firm, called into question the data protection practices of Santa Claus.

 

November 2007

Mandatory Wellness Programs Probe Off-Duty Life

More employers are not just rewarding workers who are healthy, but penalizing those whose off-duty habits and environments contribute to increased health care costs.  For example, starting in January the Tribune Company plans to require its employees to pay $100 a month more in insurance premiums if they or any of their covered family members smoke.  Amongst employers refusing to hire smokers are The Cleveland Clinic, Meritain Health, and Scotts Miracle-Gro.  Other employers, such as the Principal Financial Group, are requiring employees to complete health risk assessments that can lead to higher insurance deductibles and co-pays for failure to curb risky habits and behaviors.  Such mandatory wellness programs, welcomed by some, are frequently viewed as intrusive and challenged by unions or through legal action.

 

Another Lull in Employee Data Breaches

Data breaches affecting employees dropped to a two-year low in November, with only the Veteran’s Administration in the news again, this time with a report that three computers containing information on 12,000 veterans had been stolen from a VA medical center in Indianapolis.  The VA also reported that 185,000 SSNs judged to be at risk were found on the home computer of an ex-VA auditor arrested for ID theft; interestingly, the auditor had quit his job at the VA when he learned that a background check was going to be required.  Separately, mediation between opposing sides began after a federal judge ruled that lawsuits can go forward over the data theft last year affecting 26.5 million veterans. 

 

Firestorm over UK Data Breach

A massive data breach in the UK by HM Revenue and Customs has exposed sensitive financial records of 25 million adults, representing half of the population.  The breach, caused when computer disks being sent to auditors went missing, prompted a firestorm of criticism and a public apology by PM Gordon Brown, the launching of data security reviews in all Cabinet agencies, the initiation of a high-profile investigation and review of current data protection laws, reports of additional government breaches, and calls for increased powers for the Information Commissioner to conduct independent audits and to levy fines.  Rubbing more salt in a very public wound, HM Revenue and Customs then mailed millions of apology letters containing the sensitive information that had been exposed, thereby creating further exposures for those whose mail goes astray.

 

Confusion over Controller/Processor Distinction

European regulators are increasingly criticizing the data controller – data processor distinction that underlies European data protection laws.  The latest evidence of confusion over the distinction can be found in Charles Millard’s report in a Privacy Laws & Business newsletter that the Spanish Data Protection Agency, in an unpublished decision, has concluded that SWIFT, the international financial transactions body, “acted, at all times, as the data processor” including when it made the “crucial decision” to transfer data to the US Treasury Department.  Some ten months earlier the Article 29 Working Party issued an opinion which held that SWIFT was a “joint data controller” with the financial institutions it services.   The Article 29 WP ruling has been criticized for threatening to disrupt many established controller/processor relationships, including a wide range of conventional service provider and outsourcing arrangements. 

 

Changes Called for in Alberta PIPA

As part of a mandatory review, the Select Special Committee of the Alberta Legislature has issued a 65-page report on how to improve the province’s Personal Information Protection Act.  Amongst some 48 recommendations are the following:  requiring notification of individuals when personal data will be transferred to a third-party service provider outside Canada; requiring notifications when data breaches occur; allowing organizations to assume that consent has been obtained for those enrolled by others in insurance or benefit plans; not amending the Act to include a “work product” exemption; requiring organizations to destroy or anonymize records no longer needed; and restricting the need to maintain data accurately and completely to what is reasonable for the purposes involved.

 

 

August 2008

DOJ Backtracks on Attorney-Client Privilege

In a major advance in corporate privacy, the Justice Department announced it would no longer pressure companies to waive attorney-client privilege and not pay the legal fees of employees accused of crimes.  The announcement came on the same day as a federal court ruling dismissing charges against 13 employees in the KPMG tax fraud case, in which the government used these tactics.  Under the new policy, the Department will evaluate corporate cooperation based upon information provided by a company, rather than whether it was willing to waive attorney-client privilege.

 

Laptop Seizures Gaining Attention of Lawmakers

Pressure mounted against seizures of laptops at border crossings following the Dept. of Homeland Security’s release of policy guidelines governing such actions.  The government is claiming expansive powers to randomly search laptops, decrypt and translate any information on the machine, and even retain the laptop for an indeterminate amount of time. Several legislators have said they will introduce bills prohibiting such open-ended, suspicion-less searches when Congress returns after its summer recess.  The Canada Border Services Agency was reported to be following a similar policy at its border crossings.

 

Only Four HR Data Breaches in August

Following the record-setting 11 data breaches reported by employers in July, only four were noted in August, by Charter Communications (a dozen laptops containing detailed personal information on 9,000 current and former workers nationwide stolen from a South Carolina office); Delphi (a flash drive with SSNs and other personal data about 2,600 former Dayton-area workers removed from the unattended laptop of a state employee); Ohio Police & Fire Pension Fund (data of 13,000 retirees improperly taken by a former fund employee); and the US Army (data of 50,000 noncommissioned officers on promotion lists compromised by inadvertent posting on the Internet).

 

Russia Establishes DPA, Website and Registration

Two years after enacting a comprehensive data protection law, implementation efforts are finally reported to be underway in Russia.  The Federal Service for Oversight of Mass Media, Communications and Protection of Cultural Heritage, the agency emerging as responsible for overseeing compliance with the law, has launched a website and begun registering data controllers.  Although there are a number of exemptions to the registration requirement, more than 11,500 businesses have registered to date, with 300 signing up during the last week of July alone. 

 

ALRC Issues Massive Report on Privacy Law Changes

The Australian Law Reform Commission released its final report on its multi-year review of Australian privacy laws.  The 2,700 page report contains some 295 recommendations, including removal of exemptions for employee records and small businesses, institution of a statutory cause of action for privacy invasions, a mandatory data breach notification requirement and tighter controls on cross-border data transfers.  Observers expect a year or more to pass before any of the recommendations are adopted and enacted into law.

 

July 2008

Privacy Certification Coming for Personal Health Records

The Certification Commission for Healthcare Information Technology (CCHIT) launched an industry working group in June that will create a certification plan to protect the privacy of consumers who use personal health record (PHR) technologies.  CCHIT, which hopes to begin certifying personal health record providers and services in July 2009, has adopted a “big tent” definition of PHRs as any product or service that performs either or both of the following activities: (1) collecting, receiving, storing, or using personal health information (PHI) as part of a consumer data stream or PHR services; and (2) transmitting or disclosing to a third party any PHI gathered through or derived from a consumer data stream or PHR services. 

 

Eleven HR Data Breaches in July

July was a banner month for HR data breaches, with reports of data losses from 11 employers: Google (all pre-2006 employees exposed to ID theft when thieves stole computer equipment from the offices of a former vendor, Colt Express Outsourcing Services); Bristol-Myers (an undisclosed number of employees impacted by a stolen back-up tape); Baxter International (personal data of 6,900 employees exposed when an HR staff member’s laptop was stolen from a Chicago hotel room); Computer Associates (973 employees and dependents also affected by the Colt Express break-in); Huron Consulting Group (an undisclosed number of employees warned of the theft of payroll information by a fired employee); US Army - Fort Lewis, WA (personal information of 700 soldiers lost when a laptop was stolen from an Army employee’s truck); Washington DC Transit Authority (accidental publishing of SSNs of 4,700 employees on a website); Missouri National Guard (personal data of 2,000 soldiers at risk from a breach of an undisclosed nature); Anheuser-Busch (theft of laptops during the burglary of a company office in St. Louis); California Dept. of Consumer Affairs (5,000 employees jeopardized by the unauthorized download of their data by a personnel specialist on her last day of work); and Hillsborough Community College, FL (sensitive information of 2,000 employees exposed when a programmer’s laptop was stolen).

 

CNIL Audits Employment Sector

CNIL, the French data protection authority, announced in late June that it had carried out audits of the human resources function of 50 unnamed French companies, with the audits leading in several cases to enforcement actions. The most frequent problems the CNIL encountered were failure to inform employees about their data protection rights; failure to adequately protect employee personal data, particularly in cross-border data transfers; and the absence of policies for the disposal of data.  CNIL also reported that anonymous whistleblower hotlines required by SOX are rarely used by French employees, and that many employers failed to notify the CNIL before putting them in place.  Over the past several years the CNIL, under the leadership of Alex Türk, who also chairs the influential Article 29 Working Party, has emerged as one of the most vigorous data protection regulators in Europe.

 

Top Canadian Court:  Attorney-Client Privilege Trumps Privacy

The Supreme Court of Canada issued a unanimous ruling in the Blood Tribe case that attorney-client privilege supersedes the power of the Federal Privacy Commissioner to compel the disclosure of personal information when investigating possible breaches of PIPEDA.

 

DOC Issues Safe Harbor Certification Mark

The Commerce Department has developed a certification mark for use by participants in the US-EU Safe Harbor program. The mark, now illustrated on the Safe Harbor website, may be used by companies to signify that they have self-certified compliance with the provisions of the Safe Harbor Framework.  Suitable locations in which to use the mark include a corporate website’s online privacy policy, the main page of HR portals used by both US and European employees, and an online applicant privacy policy.

 

June 2008

Outsourcing of Communications Creates Right to Privacy

In a major decision, the Ninth Circuit Court of Appeals ruled that employers need either a court warrant or consent to read the e-mail or text messages of employees when they contract with outside entities to provide such services.  The ruling stemmed from a lawsuit by Ontario, CA Police Sgt. Jeff Quon and three others against the city's service provider, the city and the Police Department for violating the 4th Amendment prohibition against unreasonable search and seizure.  An estimated 28% of employers use outside vendors to host e-mail and text-messaging services.

 

Tech and Health Care Firms Announce PHR Privacy Guidelines

Google, Microsoft, Cisco Systems, Intuit, Aetna, Blue Cross Blue Shield and 25 other organizations announced support for a privacy guideline framework for protecting the data people keep in their online personal health records (PHRs).  The privacy framework, hundreds of pages in length, is the outcome of a Markle Foundation initiative that supported an industry working group over the past 18 months.  The guidelines, known as the Common Framework, are based upon the idea that information in a PHR should be under the control of the individual.  They consist of a set of 17 mutually-reinforcing technical documents and specifications, testing interfaces, code, privacy and security policies, and model contract language. About 9 in 10 Americans call privacy-related factors essential or significant to their use of an online PHR, according to a recent Markle survey. 

 

Connecticut Mandates Employee Data Protection Policy

In response to a series of massive security breaches, Connecticut became the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee SSNs. The new law, An Act Concerning the Confidentiality of Social Security Numbers, effective October 1, 2008, also imposes a statutory obligation to safeguard, and properly dispose of, personal information.  For purposes of the law, personal information is defined broadly as any "information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number." 

 

And the Beat Goes On

The familiar drumbeat of HR data breaches continued in June, with reports of losses by six employers:  AT&T (a laptop containing unencrypted payroll data for an undisclosed number of managers was stolen from an employee’s car); Stanford University (a stolen laptop impacting 72,000 current and former employees); CNET (more than 6,500 employees and relatives exposed to ID theft after burglars stole computer systems from the offices of a vendor, Colt Express Outsourcing Services); California State Department of Consumer Affairs (5,000 employees, contractors and board members warned of a security breach when a Word document was improperly transmitted);  Dickson County (TN) Board of Education (sensitive personal data of 850 employees lost when a laptop computer was stolen from the office of the district school superintendent); and the New Mexico Department of Workforce Solutions (four boxes of manila folders with documents containing names and SSNs found in a trash bin behind the Roswell office). 

 

Article 29 WP Encourages Use of BCRs

The Article 29 Working Party continued its effort to support and encourage corporate use of binding corporate rules at its June plenary session, announcing creation of a BCR toolkit and working to streamline the approval process.  During a special meeting on BCRs convened earlier in the month in Paris by Alex Türk, who heads up both the CNIL and the Working Party, data protection authorities in attendance agreed that although Safe Harbor and model contracts are also available, BCRs are the best compliance option available to global companies.

 

May 2008

New Genetic Information Law Poses Challenges

President Bush signed H.R. 493, the Genetic Information Nondiscrimination Act, into law on May 21. The bill, which prohibits employers and insurers from discrimination on the basis of genetic information, contains some surprises and challenges for employers.  Genetic information is defined broadly, to include not only the results of genetic testing but also information about "the manifestation of a disease or disorder in family members", such as that found in family medical histories of the employee or of the employee’s spouse or dependents.  The law does not become effective until November 21, 2009.

 

Facebook: Coming Soon to an Employee Portal Near You?

As some corporations, such as Dell, begin to utilize Facebook’s social networking software, privacy advocates and regulators continue to pressure the company to improve its privacy policies and practices. In Canada, Federal Privacy Commissioner Jennifer Stoddart said in a speech at Queen’s University that websites such as Facebook and MySpace were “the single biggest threat to the security of Canadians' personal information.” A few weeks later CIPPIC, a Canadian public policy group, filed a complaint with Commissioner Stoddart charging Facebook with 22 separate violations of a Canadian personal information protection law. In the US, Facebook reached an agreement with Attorneys General from 49 states and the District of Columbia to strengthen privacy protections for minors and teenagers using the site.

 

Google Launches Health Service in Beta Mode

Google began giving users a central place online to store their health records and then share them with health-care providers, with the beta launch of Google Health.  Individuals can go to www.google.com/health and create profiles that include information such as existing medical conditions, allergies and any medicines being taken.  They can also import medical records from US pharmacies and medical facilities that have signed on as partners, although few have so far.  With the service still a work-in-progress, concerns about privacy and security remain a big hurdle.

 

Sixth Pfizer Data Breach in a Year

Pfizer set an unwanted record when it experienced its sixth loss of employee data in a year, when a laptop and flash drive containing information on 13,000 employees were reported stolen from an employee’s car.  Other HR data breaches reported during the month included the Marine Corps Reserve Center in San Antonio (a former contractor pled guilty to unauthorized access to a computer and aggravated ID theft after being accused of selling names and SSNs of 17,000 military employees); BearingPoint Management & Technology Consultants (a laptop stolen from an employee's vehicle containing records of an undisclosed number of employees); LPL Financial (personal data on 2,800 employees lost when a laptop was stolen from an employee's car); Las Cruces Public Schools, NM (a part-time computer analyst inadvertently posted personal data of 1,750 district employees on the Internet); University of Iowa (946 current and former employees impacted by improper access of a computer application); and BB&T Insurance (a laptop containing personnel data of an unknown number of Harrisonburg City (VA) Schools employees stolen from an agent’s car).

 

UK DPA Gains Power to Fine Data Breachers

Passage of the Criminal Justice and Immigration Act has given the UK Information Commissioner’s Office the power to impose substantial fines on public and private sector organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.  Observers believe the new powers, comparable to those of the Financial Services Authority, will cause the ICO to be taken far more seriously.  One legal expert, Dr. Chris Pounder, finds the authority given to the ICO to be so substantial that security breach notification legislation is no longer necessary.

 

April 2008

Congress Passes Genetic Non-Discrimination Act

After a decade of debate, both houses of Congress passed a bill designed to bar discrimination by employers and insurance companies on the basis of information obtained from genetic tests. The bill, the Genetic Information Nondiscrimination Act (GINA), was sent on to the President, who previously indicated he would sign it into law.  31 states already have laws related to genetic discrimination by employers.  The employment provisions of the bill will not apply until 18 months after enactment.  Critics of the bill, including Deborah Peel and Sue Blevins, say the law doesn’t go far enough, for example by not prohibiting disclosure of genetic information without consent.

 

No Spring Break for Employee Data Breaches

Seven breaches of employee data were reported in April:  Pfizer, in its fifth breach in 15 months, disclosed that a laptop containing records of 800 employees was stolen from the home of a contractor providing travel services; the West Seneca School District (NY) reported that information on 1,800 employees was exposed by hacking by t