01-15 January 2014

Biometrics

UK – More Than One Million Students Fingerprinted

Big Brother Watch, a UK-based privacy advocacy group, estimates that 1.28 million students have been fingerprinted at their secondary schools, nearly one-third without parental consent. Based on a Freedom of Information request, data shows that four out of 10 schools employ biometric technology to identify students. Big Brother Watch has said the development is concerning because students will grow up thinking “it is normal to be tracked like this all the time.” Big Brother Watch Director Nick Pickles said, “Going to school should not mean kids are taught that they have no privacy, especially at a time when we are sharing more data about ourselves than ever before.” [The Independent] See also: [New facial recognition app ‘creepy’, says kids entertainer Raffi]

US – At CES, Company Announces New Open Standards

Hoyos Labs announced at the Consumer Electronics Show the formalization of its Biometric Open Standards Protocols. The document sets up rules for secure communications between devices and the server “managing the acquisition and manipulation of biometric data captured by those devices,” according to a press release. CEO Hector Hoyos said the company “created a rule-based system by building upon the U.S. Department of Defense’s core infrastructures” that “is available to any company that wants to implement it” upon request. The document addresses identity assertion, role gathering, access controls, auditing and assurance. [DarkReading] [Consumer Electronics Show will highlight new ways to collect biometric data]

Canada

CA – OPC: Google Health Ads Violated Privacy Law

After an investigation, the Office of the Privacy Commissioner (OPC) said that Google violated a Canadian citizen’s privacy rights when he was targeted with health-related advertisements. After a man searched the Internet for information on sleep apnea, he began receiving advertisements for devices related to the health disorder. In response to the OPC’s order, Google has said it will take steps to stop the privacy-intrusive advertisements. “We are pleased Google is acting to address this problem,” said Interim Privacy Commissioner Chantal Bernier in a press release, adding, “It is inappropriate for this type of information to be used in online behavioral advertising.” Bernier, whose office received support from the U.S. Federal Trade Commission, also said, “We will be contacting various advertising stakeholders in the near future to share these investigation results and remind them of their privacy obligations.” Online behavioural advertising guidelines issued by the Office of the Privacy Commissioner of Canada two years ago make clear that advertisers should avoid collecting sensitive personal information, such as individuals’ health information, for the purpose of delivering tailored ads. [OPC News Release] SEE ALSO: [Canada: Conservatives deny request to view full guest list for speech from the throne] and [Spy agency admits it spies on Canadians ‘incidentally’]

CA – Sudden Resignation from Sask. Privacy Commissioner

Saskatchewan’s information and privacy commissioner Gary Dickson has resigned, citing personal reasons. Dickson said in a news release he would step down at the end of the month. First appointed to the position in 2003, Dickson was reappointed to another five-year term in April, 2009. During his time in the post, Dickson has been a strong advocate for more rigorous protection of personal medical data, and critical of lapses in the public sector. He has also said the government needs to extend its privacy legislation to cover that sector. Dickson said his resignation was “solely for personal reasons.” He did not provide any details. [Source]

Consumer

US – Facebook Users File Suit Over Data-Mining

Two Facebook users are suing the social network for allegedly intercepting the “content of the users’ communications” to “mine user data and profit from those data by sharing them with third parties—namely, advertisers, marketers and other data aggregators.” In their December 30 class-action, the plaintiffs allege “Facebook’s use of the word ‘private’ in relation to its messaging system is misleading, given the way the company treats the info contained within those messages,” the report states. Facebook has denied the allegations, calling them “without merit.” The class-action is seeking $100 for each day of violation or $10,000 per class member and “statutory damages of either $5,000 per class member or three times the amount of actual damages, whichever is greater,” the report states. [Ars Technica] See also: [IRE: The privacy of a billion people on the Internet is controlled by one Irishman]

US – Consumers Trusting Fewer and Fewer With Their Data

“People are becoming more aware of the data being collected about them online. And that’s eroding the trust they have with collecting companies.” The statement is based on research by McCann Truth Central shared at the Consumer Electronics Show (CES). The McCann Truth Central survey examines which companies consumers see as “the greatest threat to the future of privacy” while also highlighting which they trust with their data. The Ad Age report also highlights comments by FTC Commissioner Julie Brill at CES that “we need legislation around privacy … We actually need specific data-broker legislation.” Meanwhile, amidst privacy concerns, anonymous search engine DuckDuckGo has announced 2013 saw more than one billion searches made—its biggest year to date. [Ad Age]

US – Ford CEO Calls for Driver Privacy Provisions

Ford Motor Company CEO Alan Mulally says drivers’ privacy must be protected by law as vehicles increasingly use data for location tracking. The company is “supportive and participating” in talks with regulators considering such legislation, the report states. “It’s just really important that we have boundaries and guidelines to operate,” Mulally said. Sen. Al Franken (D-MN) recently questioned Mulally on what kind of data the company collects via vehicles’ GPS systems and how driver consent is obtained. Franken’s questioning comes after a company executive said last week the company can infer a person’s driving habits via the navigation systems in Ford vehicles, as referenced in this recent Privacy Perspectives post. [Bloomberg] [Franken presses Ford on location data collection practices]

E-Government

NZ – Agencies Too Slow In Destroying Shared Data

Kiwis’ private information is being mishandled by government agencies, which break their own rules when sharing people’s details. Reports from the Office of the Privacy Commissioner reveal agreements between Government agencies to share personal information have been “non-compliant” and have had “substantial issues”. Several agencies have been caught holding on to the information of hundreds of thousands of people after they had previously agreed to destroy it. In another report, the Ministry of Social Development was caught tracking people using their tax numbers, which is illegal under the Privacy Act. Privacy Commissioner Marie Shroff said the breaches were disturbing. “This is a highly complex environment with huge amounts of citizens’ data, and you do need a watchdog carefully checking what is going on to keep them honest.” [Source] [CA – Government departments consider banning portable data devices in wake of security breaches in 2013] and [New Ideas for Mitigating Insider Threat: Presidential Panel Suggests Series of Steps, Government Information Security]

E-Mail

CA – CASL: What You Need to Know and When

Shaun Brown of nNovation offers a detailed breakdown of the newly published regulations under Canada’s Anti-Spam Legislation (CASL). Implementation of CASL will come in three waves, the first of which, rules that apply to computer programs, is already in force. While many of the regulations mirror those pre-published in the draft released at this time last year, there are some changes, including new exceptions for closed platforms, limited-access accounts where organizations communicate directly with recipients, messages targeted at foreign persons and fundraising by charities and political parties. [IAPP Privacy Tracker]

Electronic Records

US – Experts Say HealthCare.gov Still Has Numerous Security Issues

Experts testifying before Congress said that the government’s healthcare exchange website still contains many security problems. One of the security issues identified last year has been partially addressed, but the other 17 remain, and 20 new issues have been detected. According to a statement from the Centers for Medicare and Medicaid Services (CMS), “There have been no successful security attacks on HealthCare.gov and … [no one] has maliciously accessed personally identifiable information from the site.” [CNET] [Ars Technica] [NBC News] [TrustedSec] See also: [Centers for Medicare and Medicaid Services Official Says Site is Now Secure] and [ghg and OptimizeRx join forces on electronic health records]

UK – Patients Asked To Opt Out Or Be Included In Database

NHS England has begun sending leaflets out to every household in England to inform residents that information from their patient records will be used in a national database unless they actively opt out. The ambitious care.data programme aims to join up anonymised patient data from a number of care settings into one data collection kept by the Health and Social Care Information Centre. This will be available to clinicians and researchers. The leaflet, entitled “Better information means better care”, is part of a £2m publicity campaign launched in the wake of concern being raised by GPs and privacy campaigners that patients were not being well enough informed about the new database. [Source]

Encryption

US – Yahoo Implements Default Encryption

Yahoo has begun automatically encrypting Yahoo Mail users’ connections. Automatic HTTPS is now the default. The move is in response to concerns about government surveillance. Google recently made a similar change, and Microsoft and Facebook have announced stronger encryption keys will be coming in the future. Meanwhile, following allegations that a major security firm accepted $10 million from the NSA to implement an “intentional cryptographic flaw” in one of its encryption tools, several high-profile security experts have begun canceling their appearance at the firm’s annual conference [CNET]. [Yahoo users exposed to malware attack]

WW – Quantum Computer Could Crack Most Encryption

The U.S. NSA is allegedly building “a cryptologically useful computer” that could break virtually all encryption on the Internet, including banking, medical, business and government records. Documents provided by former contractor Edward Snowden reveal the plans are part of a $79.7 million research program going by the name “Penetrating Hard Targets.” Unlike classical computers, which run on binary bits—ones or zeroes—quantum computers seek to use bits that are simultaneously ones and zeroes, making it exponentially quicker and more efficient. Some experts, however, are skeptical that such a full-scale system would be ready in the near term. [The Washington Post]

EU Developments

EU – No Successor Yet for EDPS Hustinx

In his last speech of his mandate as European Data Protection Supervisor (EDPS), Peter Hustinx urged Germany to take the lead in reform of the EU data protection framework. And now, after 10 years of service, Hustinx is retiring from “what is in essence the EU’s top data protection authority.” But the future leadership of the office is in question. Earlier this month, news came out that a “selection board” found that none of the successor candidates were “sufficiently qualified” for the position, thereby delaying the selection, possibly by months. “After working in Brussels for the last 15 years,” writes Wilson, Sonsini, Goodrich & Rosati Senior of Counsel Christopher Kuner, “I have become accustomed to the byzantine machinations of European politics.” [IAPP]

EU – Is the EU’s “Anti-FISA” Clause Practical?

The Snowden revelations have helped reintroduce into the EU’s proposed General Data Protection Regulation a provision that would limit and control personal data transfers to third countries. Often referred to as the “anti-FISA” clause, the provision gives rise to a number of concerns regarding practicality and legality, writes Danish Ministry of Finance Senior Policy Advisor Christian Wiese Svanberg, who notes, “the issues raised by the proposal are numerous,” adding, “does the word ‘judgment’ also cover court orders, subpoenas, letters of request … And what constitutes an ‘international agreement’ for the purposes of the provision?” [Full Story] See also: [US: Spy court judge slams proposed privacy advocate]

EU – LIBE Publishes NIS Directive Draft Amendments

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) has published “a list of draft amendments MEPs in the group would like to see made to the European Commission’s proposed Network and Information Security (NIS) Directive.” The proposed NIS Directive, first published last year, “aims to ensure that banks, energy companies and other businesses involved in the operation of critical infrastructure maintain sufficiently secure systems,” the report states. MEP Marie-Christine Vergiat has suggested the standard of protection should differ by organisation, while other proposals include recommending the NIS Directive’s implementation be postponed until after the introduction of EU data protection reforms. [Full Story]

EU – Shutting Down EU Is Not the Way to Defend Privacy

In reaction to the release of the European Parliament’s LIBE Committee draft report on U.S. National Security Agency (NSA) mass surveillance, Field Fisher Waterhouse Partner Eduardo Ustaran writes, “Shutting down pretty much all transatlantic data flows in order to prevent unreasonable access to data by the U.S. intelligence services would not only be disproportionate, but it would be hugely damaging to the information society we all rely on.” Ustaran looks at several specific provisions of the draft report, noting that though it’s extreme, there is no need to panic. Meanwhile, TechCrunch reports that the LIBE Committee has invited former NSA contractor Edward Snowden to testify on U.S. surveillance. [Out-Law.com]

EU – Court of Human Rights Supports Finnish Court Decision

A European Court of Human Rights ruling supports an earlier Finnish court decision to fine author Susan Ruusunen for writing “a tell-all book” in 2007 about then-Prime Minister Matti Vanhanen. “The judgment is the latest example of the Strasbourg-based court having to toe the line between upholding the European Convention on Human Rights articles of freedom of expression and the privacy rights of people, even those in the spotlight,” the report states. Finland’s Supreme Court found against Ruusunen and her publisher back in 2010. [The Wall Street Journal]

Facts & Stats

WW – Snapchat Assures Users Spam Is Unrelated to Breach

Following reports from some Snapchat users that they’ve received an excessive amount of spam, the company has apologized but assured users the messages are unrelated to a recent breach that exposed millions of usernames and phone numbers. “While we expect to minimize spam, it is the consequence of a quickly growing service,” Snapchat said in a blog post. [Los Angeles Times]

Finance

US – E-Receipts Come With Privacy Concerns

Stores are increasingly offering to send customers email receipts, which are convenient and save paper. But if you choose an e-receipt, experts warn that convenience comes with a price: your privacy. “Once you’ve given up your email address, that retailer can use it for any purpose,” said consumer advocate Richard Holober. Holober said that includes sending you more emails, using it for targeted marketing and even selling your information to a third party. “The question that the consumer should be asking the retailer is, ‘What are you doing with my information?’” he said. “Sometimes, if it’s online with the terms and conditions, you’ll clearly see that whoever you’re signing up with is clearly saying that they are going to be giving that information to third parties.” [New York News]

US – Regulators Have Concerns About Lenders’ Use of Facebook, Other Sites

More lending companies are mining Facebook, Twitter and other social-media data to help determine a borrower’s creditworthiness or identity, a trend that is raising concerns among consumer groups and regulators. Lending companies—some of which are backed with venture funding from Google Ventures, the venture-capital arm of Google Inc., and Accel Partners, an early Facebook Inc. investor—are looking at potential problems such as whether applicants put the same job information on their loan application as they posted on LinkedIn, or if they shared on Facebook that they had been let go by an employer. A small business that draws negative reviews on eBay also could undermine its chances of getting more credit, lending companies say. Consumer advocates say the trend increases the chance borrowers, including small businesses, will be unfairly denied credit or saddled with higher interest rates based purely on their social-media presence. They say federal laws haven’t kept up with the trend, leaving borrowers exposed. “The data we have on customers via social networks says more about them than their FICO,” Mr. Sion said, referring to the three-digit credit score widely used to estimate risk. “You can make credit decisions based not on a faceless score, but on who you know.” Companies are tapping into other sources of data, including PayPal and eBay accounts, to determine not just whether a borrower should get a loan but whether their credit line should be increased. [The Wall Street Journal]

CA – Bitcoin ATM Arrives in Toronto

Toronto has its first Bitcoin machine, located at King Street West and Spadina Avenue. Bitcoin, which allows people to convert their money to digital coins or bitcoins, is the first decentralized digital currency.

The only other Canadian Bitcoin ATM is located in Vancouver and it has seen massive success since it was unveiled in late October of 2013. While some view it as a passing fad and have questioned its validity, others see it as the replacement for the current monetary system. The volatility of the emerging digital currency has been a focus of attention for market regulators, with its stock price rising from 30 cents in 2012 to a peak of about $1,200 in 2013. Today it is closer to $900. In 2013, a U.S. judge ruled that Bitcoin is a real currency. [Source] See also: [Canada Revenue Agency reviewing issue of taxpayers wrongfully declared dead]

FOI

IN – E-records to Have Longer Archival Life

Computerized records of birth and death certificates, land, passport, Aadhaar and ration cards among others should now have a longer archival life. The city-based Centre for Development of Advanced Computing (C-DAC) has developed a national digital repository that will preserve all important government documents in the electronic format. Termed the ‘trusted digital repository’, the system is capable of saving electronic data generated by all state governments for a longer period of time. [Source]

Google

WW – Google Acquires Nest for $3.2 Billion

Google announced it will acquire Nest Labs—maker of smart home thermostats and smoke alarms—for $3.2 billion. Nest CEO Tony Fadell said, “We’re thrilled to join Google. With their support, Nest will be even better placed to build simple, thoughtful devices that make life easier at home and that have a positive impact on the world.” According to The New York Times, Nest’s products use software, hardware, sensors and algorithms to learn the behavior of home dwellers in order to program a home’s system and allow users to remotely access and control it. Fadell said Google has agreed that Nest’s privacy policy will remain unchanged. “That was a major concern or question we had,” he said, “and they have done an amazing job convincing us that our privacy policies are going to be well-respected in their organization.” [Google Investor Relations blog]

US – Google Privacy Lawsuit Revised, Says Execs Made “Conscious Decision”

A privacy lawsuit against Google has been revised. The suit alleges the company commingled data across its services and products in a Google project called Emerald Sea. U.S. Magistrate Judge Paul Grewal ruled in December that the plaintiffs failed to demonstrate harm caused by Google’s actions, and for the case to proceed, the plaintiffs must show how the commingling of data deprived them of the “economic value” of their data, the report states. The revised complaint alleges Google executives in 2010 “made a conscious decision to withhold from the public information pertaining to the Emerald Sea plan, including Google’s intention to violate all existing privacy policies that placed any limitations on Google’s ability to combine information across platforms by doing precisely that once Emerald Sea became a reality.” [Bloomberg]

US – Court of Appeals Denies Google’s Wiretap Act Argument

The U.S. Court of Appeals for the Ninth Circuit has ruled against an appeal by Google, holding that payload data transmitted over a WiFi network is not considered “radio communications” as defined under the federal Wiretap Act. In the case, Google defended its collection of data transmitted over open WiFi networks during its Street View mapping project, saying the data it collected was unencrypted and available to the general public. [Business Standard]

WW – Privacy Advocates Concerned About New Google Feature

In its Official Gmail Blog, Google updates users on a new feature for those using Gmail and Google+, in which “Gmail will suggest your Google+ connections as recipients when you are composing a new e-mail.” The blog notes “your e-mail address is only shared with the people you want … You control whether people can reach you this way with a new setting in Gmail.” However, the Los Angeles Times reports, privacy advocates believe the feature should have been opt-in. The Electronic Privacy Information Center’s Marc Rotenberg alleges the new feature is “eerily similar” to Google Buzz, which resulted in a settlement with the FTC. [Source]

WW – Google’s Public Policy Vet Moves to LinkedIn

LinkedIn has hired Google veteran Pablo Chavez as its vice president of public policy, Silicon Valley Business Journal reports. Chavez has worked at Google since 2006 and was responsible for engineering the company’s political strategy, the report states. Chavez’s LinkedIn profile notes his political advocacy efforts for Google on issues including privacy, security and online free expression. [Syrian Electronic Army hacks into Xbox Twitter accounts too]

EU – CNIL Issues Its Largest-Ever Fine to Google

French privacy regulator the CNIL has fined Google $204,000 for breaking the law with its unified privacy policy—its biggest fine to date. The CNIL said the company implemented its shift to one privacy policy across all its services without properly informing users of the ways in which their data would be combined and for what purposes. That’s similar to The Netherlands’ data protection authority assertion in November, while Spain’s data protection authority fined the company $1.2 million last month. The fines are the latest in European displays of dissatisfaction with online tracking, which may impact EU-U.S. business relations, The Wall Street Journal reports. [GigaOm] [Google appeals French fine as data privacy row continues]

WW – Google Announces Alliance to Support Android-Connected Cars

Google has created an alliance of car manufacturers that are working to make their products Android-connected. The initiative is known as the Open Automotive Alliance (OAA). It is “committed to bringing the Android platform to cars starting in 2014 … in a safe and seamless way.” Google is developing an Android platform “that will enable the car itself to become a connected Android device.” Questions about the alliance’s plans for addressing security issues were not answered directly. Charlie Miller, a Twitter security engineer who has given presentations about cars’ vulnerability to hacking, said he believes “these automotive efforts need to have security experts brought in from the beginning.” [SC Magazine] See also: [US: Feds May Require Cars to Talk to Each Other to Avoid Crashes]

Health / Medical

US – House Passes HealthCare.gov Security Bill

The US House of Representatives has passed a bill that would impose strict new security requirements on the HealthCare.gov website. The legislation would require the Department of Health and Human Services (HHS) to notify people within two days if their personal information is compromised. HHS officials say that the website meets the government’s information security standards and that no personal information has been compromised. The bill is unlikely to pass in the Senate. [NextGov] [Political Ticker]

US – FDA Seeks Electronic Records for Drug Safety Data

As part of the FDA’s ongoing efforts to evaluate the safety of drugs and biological products, the agency quietly began a search for access to electronic health records (EHRs) in December. The agency plans to use the information gleaned from EHR data to augment its MedWatch reporting system and other actions taken by the FDA’s Office of Surveillance and Epidemiology. In a notice posted to Federal Business Opportunities, a website used by government agencies looking to contract outside vendors, the FDA wrote that it is seeking direct and continued access to EHR data. The FDA emphasized that the identities of all patients would be obscured. The data provided by the contractor will allow reviewers to “evaluate drug-related safety issues of high regulatory priority in a timely manner” and assess several risk factors. In the notice, the FDA said it sees benefit from access to longitudinal information regarding the patient population. The agency is looking for real-time access to a database that includes demographic and diagnostic information; laboratory test orders and results; drug and biological agent use; the National Death Index; and health history, including visits to hospitals and specialists. On Jan. 8, the response date for the EHR notice had passed, and three contractors had posted to the website expressing their interest. In a separate notice, the FDA also sought database access to demographic information regarding over-the-counter drug purchases. [Source]

US – Survey: Privacy Officers Need More Staff, Anticipate Greater Enforcement

A recent survey indicates healthcare privacy, information security and compliance officers most desire increased budget, compliance software, more staff, training and audit help. In the ID Experts survey, respondents said an increased budget would help with investing in audit software and increasing training and proper staffing in an effort to meet regulations, among other needs. Asked to make predictions for 2014, respondents expected increased enforcement on privacy and security by the government and intensified auditing. [HealthITSecurity]

WW – Social Media Posts Risk Patient, Public Mistrust

Violations of patients’ privacy are increasingly common when medical practitioners take photos of patients on their personal devices and share them on social media. Approximately 30% of state medical boards have reported receiving complaints of “online violations of patient confidentiality,” according to a recent survey published in the Journal of the American Medical Association. The violations have the potential to “undermine a proper physician-patient relationship and the public trust,” says the Federation of State Medical Boards. [Full Story] [NZ – Privacy Questions Raised Over Medical Record Database]

US – IMS Health Goes Public; When Docs Google Patients

IMS Health plans to go public. According to the report, the company has assembled “85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.” IMS Health then sells the data and reports to the top 100 global pharmaceutical and biotechnology companies, advertisers, consulting firms and other government and financial organizations. In a recent filing with the Securities and Exchange Commission, IMS Health said it processes data from 45 billion health records per year. Meanwhile, an All Voices article looks into the fine line between marketing and health privacy, and according to The California Report, health kiosks pose several privacy risks. In a column for The New York Times, one doctor opines on the pros and cons of “Googling” his patients. “I am tempted to prescribe that physicians should never look online for information about their patients, though I think the practice will become only more common,” he writes. [Forbes] [HealthITSecurity]

US – OCR to Get New Director

Personnel changes at the Office for Civil Rights (OCR) would have a “major impact on healthcare IT security in 2014.” President Barack Obama reportedly intends to nominate OCR Director Leon Rodriguez to fulfill a role in immigration services, leaving questions as to who would replace Rodriguez, especially during such a critical time as the OCR prepares for its 2014 HIPAA audits. In other healthcare-related headlines, a breach lasting four years was discovered at a Virginia health system during a random company audit in November, and patients affected by the data breach at Kaiser Foundation Hospital Orange County have filed a class-action lawsuit in California.

Horror Stories

US – Target Says Malware Found on Point-of-Sale Terminals

Target is now acknowledging that there was malware on its point-of-sale terminals. In addition, the breach, already one of the largest known breaches of payment card data to date, affected as many as 110 million Target customers, nearly three times the initial estimate. Target CEO Gregg Steinhafel says the company is planning “significant changes” in response to the breach, but did not elaborate. [SC Magazine] [CNET] [Krebs Security] [ComputerWorld] [Yahoo] [Target Data Breach Larger than Estimated, 70 Million More Affected]

US – Neiman Marcus Investigating Payment Card Data Breach

Neiman Marcus says that it was also targeted in a data breach over the past few months. The retailer says its database was infiltrated in December. As in the Target breach, the attack affects people who shopped in physical stores but not online shoppers. Neiman Marcus is working with the Secret Service to investigate the breach. [CNET] [Krebs on Security] [US – More retailers reportedly victims of holiday data breaches: At least three more US retailers suffered unpublicized attacks similar to the one on Target, Reuters reports]

US – Lawmakers Want Update from Target; Investigating Neiman Marcus Incident

Lawmakers are seeking answers from Target’s chief executive on the company’s response to its recent breach. Sens. John Rockefeller (D-WV) and Claire McCaskill (D-MO) have asked that the company’s information security officials brief committee staff on its latest internal findings. A Target spokeswoman said, “We have received the chairmen’s letter and are continuing to work with them and other elected officials to keep them informed and updated as our investigation continues.” The heads of the Senate Banking and Judiciary committees are also responding to the breach. Meanwhile, three states have begun investigating a breach at Neiman Marcus. [Source]

US – Data Protection & Breach Notification Legislation Reintroduced in Senate

US Senator Patrick Leahy (D-Vermont) has reintroduced legislation aimed at protecting people’s privacy. This time, the bill includes provisions calling for the establishment of a federal standard for data breach disclosure, and data protection standards for businesses retaining sensitive information. The bill would also impose criminal penalties for people convicted of attempted computer hacking and conspiracy to commit computer hacking. [LOHUD] [RT.COM]


Identity Issues

WW – FIDO’s 2014 Authentication Agenda

To help reduce reliance on passwords, the FIDO Alliance of 70 member companies is developing standard technical specifications for advanced authentication. Michael Barrett and Daniel Almenara of FIDO describe the impact the effort could have in 2014. “The thing to remember is that the whole FIDO methodology is rethinking how authentication is handled from the ground up,” says Barrett, president of the alliance. FIDO plans to publish in the first quarter of this year its first official draft of authentication specifications. The alliance hopes to eventually help launch a certification program to verify that hardware and software is “FIDO enabled” and uses the group’s specifications. The FIDO authentication model will support any device, including a wide variety of mobile hardware – as well as a wide variety of authentication methods. That’s because it’s common for end-users to use multiple devices to access systems. [Source] SEE ALSO: [Canada: Researchers develop ‘narrative authentication’ system]

MY – Malaysia to Introduce High-Tech ID Cards for Foreign Workers

In a bid to check the influx of illegal foreign workers, Malaysia will soon issue new biometric identity cards to nearly 2.3 million foreigners in the country. Malaysia relies heavily on foreign workers to support its tourism and infrastructure industries. There are 2.25 million documented foreign workers in the country right now. Labourers from countries like India, Indonesia, Bangladesh and Cambodia also work in its rubber and palm plantations. Officials said the new ID cards, embedded with high-tech chips, would ensure only legal foreign workers were in the country. The cards were originally planned to be introduced late last year. [indiatimes.com] [Editorial: We need a new jurisprudence of anonymity] See also: [IN — India: The Aadhaar trap: Why you should be really, really worried]


Internet / WWW

US – U.S. Commerce Secretary: New Rules Needed for Potential $19T Market?

At the Consumer Electronics Show in Las Vegas, privacy was a hot topic. In particular, the Internet of Things is getting close attention, as wearables and micro computers are among the most common new products. Cisco Systems CEO John Chambers made headlines with his keynote, predicting the Internet of Things market could be as large as $19 trillion by 2020. This and other news led U.S. Commerce Secretary Penny Pritzker to say, “I think we need to … have a real look at the issue of privacy and where you draw the lines and what are the rules … I don’t think there is consistency or clarity right now … in terms of what companies are collecting and what they can do with that data.” [Full Story]

WW – IAPP and CSA Announce New Strategic Alliance

The IAPP announced that it has created a new strategic alliance with the Cloud Security Alliance, a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. The alliance’s most tangible result will be the joining of the IAPP Privacy Academy and CSA Congress into a single event to be held September 17 to 19 at the San Jose Convention Center in San Jose, CA. “Cloud security and privacy matters continue to twist and turn, especially given events of late, with the industry in constant pursuit for the best knowledge and practices to stay ahead of what’s next in securing all forms of computing,” said CSA CEO Jim Reavis. “Through this union, this event is now the center of gravity for information governance and management professionals to navigate the continually evolving challenges of the digital economy,” said IAPP President and CEO Trevor Hughes. [IAPP] See also: [NSA Snooping Triggers Foreign Business Flight From US Cloud Services]

WW – How Algorithms Can Probe and Influence Consumer Behavior

Pandora’s Internet radio service has begun mining user preferences to better determine the types of ads that will be most engaging. Pandora’s chief scientist said, “It’s becoming quite apparent to us that the world of playing the perfect music to people and the world of playing perfect advertising to them are strikingly similar.” According to the report, some businesses are attempting to differentiate themselves by creating algorithms that not only understand their consumers’ behavior but also try to influence their behavior. One computer science professor said, “I would guess, looking at music choices, you could probably predict with high accuracy a person’s worldview,” including “people’s stance on issues like gun control or the environment” or, in some cases, political party affiliation. [The New York Times]


Law Enforcement

US – Study Finds NSA Phone Metadata Collection Not Effective Against Terrorism

A study from the New America Foundation finds that the NSA’s bulk collection of phone metadata “has had no discernible impact on preventing acts of terrorism.” The NAF analyzed the cases of “225 individuals … charged in the United States with an act of terrorism since 9/11.” In the majority of instances, conventional investigative methods provided the impetus to open the case. The study found that just one case had been initiated due to information obtained through the wholesale data collection. [Washington Post] [Ars Technica] [Study] See also: [Hong Kong Bar Association opposes planned drug testing scheme]


Location

CA – Making a Business on Phones’ Continuous Broadcasting

Turnstyle Solutions is a start-up in Toronto using small sensors placed throughout downtown to track the movements of individual consumers. The firm then sells that data, showing businesses where else their customers frequent, in the name of customizing offerings. One restaurant emblazoned its logo on tank tops when it became clear that customers also frequented a local gym. Turnstyle’s success, the report says, along with that of other startups like Euclid Analytics, “speaks to the growing value of location data … but Turnstyle is among the few that have begun using the technology more broadly to follow people where they live, work and shop.” [The Wall Street Journal]

US – YP Acquires Sense Networks

Search and advertising company YP has confirmed its acquisition of Sense Networks. YP’s David Lebow confirmed that “acquiring Sense’s technology, with its ability to create custom consumer profiles for use in mobile ad targeting, will give YP a real competitive advantage,” the report states. Lebow has suggested the deal is part of YP’s shift from more traditional publishing models to “placing a premium on technology.” [Tech Crunch]

WW – Tracking Device Lets Mom and Dad Track Junior

A new tracking device allows parents to track their children’s movements. FiLIP is a phone for children allowing parents to install a free app on their mobile devices to link to FiLIP to follow its location. It allows parents to set a “safe zone,” which sounds an alarm if a child wearing a FiLIP device travels beyond it. [The New York Times]


Offshore

SG – Companies Can Send Certain Messages Without Checking DNC Registry

The Personal Data Protection Commission (PDPC) of Singapore has determined companies are allowed to “send marketing messages to customers that have registered to be listed on a new Do-Not-Call (DNC) Registry under certain circumstances.” While businesses are required to consult the DNC Registry before sending messages—and face fines in certain circumstances—”a new exemption allows businesses to send either text or fax messages to promote ‘related products and services’ to individuals they have an ‘ongoing relationship’ with,” the report states, noting in such instances, companies are not required to consult the registry first. “As the exemption order does not apply to voice calls, organizations are still required to check against the DNC Registry before making telemarketing calls,” the PDPC said. [Out-Law]


Online Privacy

WW – Privacy-Enhancing Phone, Dating App Unveiled

The creators of Silent Circle announced they will unveil a privacy-enhancing smartphone called Blackphone. The device, which will be available for preordering on February 24, uses a secure version of Android called PrivatOS and will have the capability to transmit secure phone calls, texts, file exchanges and storage, and video chat, and anonymizes use via a virtual private network. Creator Phil Zimmermann said the phone “provides users with everything they need to ensure privacy and control of their communications, along with all the other high-end smartphone features they have come to expect.” Meanwhile, the makers of SinglesAroundMe have announced a patent-pending technology that allows users to change their locations to preserve their privacy. The “Position-Shift” algorithm gives users control over their location and who knows it. Fujitsu Laboratories has announced an encrypted search technique that keeps data encrypted to maintain privacy, and Twitter has announced it is enforcing SSL encryption for apps connected to its API. [GigaOM] SEE ALSO: [Engineers and Lawyers in Privacy Protection: Can We All Just Get Along?]

WW – Twitter Scores Points for Privacy; Messaging Apps Compete

An Electronic Frontier Foundation (EFF) report on how companies respond to government data requests has given Twitter its highest rating for protecting privacy. The EFF examined companies on criteria including transparency, whether they require warrants and if they fight for users’ privacy in courts. Twitter and Internet access company Sonic.net alone “earned a ‘star’ for all six categories,” the report states. Meanwhile, in the wake of a recent breach, Snapchat has reportedly “at times, given law enforcement unopened snaps.” New iOS application Confide is responding with its own message service, and one investigative report finds that “Confide’s encrypted storage of message contents are indeed a step above Snapchat’s plain text storage … But totally self-destructing, these messages are not.” Separately, The Exchange reports on concerns over a new tracking feature on Apple’s iPhone. [Business Insider]


Other Jurisdictions

AU – Australian DPA Issues Further Guidelines on Australian Privacy Principles

The Australian data protection authority, the Office of the Australian Information Commissioner (OAIC), has issued two sets of guidelines on the Australian Privacy Principles (APPs), which will provide the framework for Australia’s Privacy Amendment (Enhancing Privacy Protection) Act 2012, scheduled to take effect beginning 12 March 2014. The most recent sets of guidelines relate to the rights of data subjects under APP 12 ‘access to personal information’ and APP 13 ‘correction of personal information’.

Key points to note from APP 12:

  • APP entities that hold personal information about individuals must give individuals access to that personal information on request (whether in writing or otherwise informally).
  • Applications for access requests must be free of charge, and any charges relating to providing the information must not be excessive.
  • The right to access information under APP 12 operates alongside other legal procedures, e.g., the Freedom of Information Act (FOI Act).
  • APP entities can refuse to grant access to information by providing the individual written notice justifying the circumstances for refusal. These circumstances include the grounds for refusing consent under the FOI Act, as well as the following:
      • Reasonable belief that giving access would pose a serious threat to the life, health or safety of an individual
      • Access would have an unreasonable impact on the privacy of other individuals
      • The request is frivolous or vexatious
      • The information relates to anticipated or existing legal proceedings and would not be disclosable under discovery
      • Access would reveal the intentions of negotiations with the individual or would prejudice enforcement activities for misconduct
      • Access would reveal information in connection with a commercially sensitive decision-making process
      • Giving access would be unlawful
  • APP entities must respond to access requests within 30 calendar days by either providing a notice of refusal or granting access in the manner requested by individual.

The key points to note from APP 13:

  • APP entities must take reasonable steps to correct personal information to ensure information held is accurate, up-to-date, relevant and not misleading.
  • Privacy policies must provide a mechanism for individuals to make a request to an APP entity for correction of their personal data.
  • Reasonable steps must be taken to notify other APP entities of the correction.
  • Individuals who request that their information be corrected but are refused must be provided with a complaint mechanism and written notice of the grounds for the refusal to correct the information.
  • It is not permissible to impose any charge on individuals for requesting the correction of their personal information.
  • APP entities must respond to requests for correction within 30 calendar days by either correcting the information or notifying the individual of the grounds for refusing the correction. [mondaq.com]

AU – Australian Privacy Act Changes to Introduce Risky Uncertainties

Changes to the Australian Privacy Act are bound to trigger the same uncertainties introduced by the USA’s Sarbanes-Oxley (SOX) legislation, with organisations at risk of financial and reputational damage if they are unable to adjust to the challenges, according to Centrify APAC regional director Matt Ramsey. “SOX compliance costs and complexity have run out of control in the US during the past decade. The SOX legislation is prescriptive without being descriptive; it tells you to jump, but not how high. As a result, US corporations need to jump a very high bar to avoid the threat of non-compliance.” From March, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 will implement a new set of harmonised privacy principles to regulate the handling of personal information by both Australian businesses and government agencies. Ramsey attributes the revisions to Cloud services and mobility. Ramsey claims these changes risk repeating the cost and compliance challenges of the SOX legislation, as the Act will require organisations to “take reasonable steps” to demonstrate compliance without specifying exact obligations. [Source]

AU – Australia: Will Entities Use Privacy Act “Get Out of Gaol Free” Cards?

In a series of blogs, Brett Winterford explores “the improbability of Privacy Act compliance,” noting that as the 12 March deadline looms, “Australia’s new Privacy Act will come into effect during a period of tremendous turbulence in the technology sector, owing to a surge in subscriptions to cloud computing services.” Winterford advises organisations that use or plan to use “public cloud computing services that are hosted offshore … consider Australia’s amended Privacy Act in detail.” Winterford also details the Office of the Australian Information Commissioner’s “two ‘get out of gaol’ cards”—commensurate contract and consent—that “corporate Australia will make use of.” [IT News]

AU – Australian Orgs Should Set Responsible Disclosure Expectations

Highlighting cases where organisations were informed—sometimes by researchers or “white hat” hackers—of vulnerabilities but did not take appropriate action, Bugcrowd’s Jonathan Cran is quoted as saying, “It really comes down to ‘don’t be a jerk’—on both sides. But that’s not legally scalable … Unless the organization defines what they expect with a responsible disclosure or bug bounty policy, the researcher is often left guessing.” Cran discusses the importance of organisations becoming “proactive in defining ‘reasonable’ or ‘responsible’—and setting expectations” or researchers are left “to decide what it means for both parties. Often, researchers have a sense of civic responsibility to let the public know what they’ve found.” [ZDNet]


Privacy (US)

US – Obama to Endorse Some NSA Changes; Telcos Off the Hook

President Barack Obama is expected to comment on possible changes to NSA surveillance reform. Though he is “expected to endorse changes to the way government collects millions of Americans’ phone records,” he will likely leave specific changes and decisions to an already divided Congress, the report states. In his speech, Obama is also expected to announce further privacy protections for non-U.S. citizens, and according to The New York Times, he will propose an advocate within the Foreign Intelligence Surveillance Court (FISC) but will not back a plan to have telecommunications firms retain metadata. PC World reports that FISC judges are not supporting calls for a privacy advocate within the court, and Politico reports that the Center for Security Policy has issued a report rejecting most of the recommendations set forth by an intelligence review group. Meanwhile, all five members of Obama’s intelligence review group testified before the Senate Judiciary Committee yesterday.

US – Obama to Announce NSA Recommendations This Week

President Barack Obama will announce the results of his review of the NSA surveillance programs on Friday, January 17. Privacy and Civil Liberties Oversight Board (PCLOB) Chairman David Medine, who met with the president last week, said, “We wanted to be able to provide input into the decision-making process.” The PCLOB is expected to release its own findings on January 23. The Hill reports on how Obama’s decisions around NSA reform have put his legacy on the line. Meanwhile, the European Parliament’s decision to have Edward Snowden testify on NSA surveillance programs has divided MEPs due to fears it could damage EU-U.S. relations. Politico reports that, based on last week’s Consumer Electronics Show, fears of NSA spying have not affected consumers’ excitement for emerging technology. However, according to a new survey, a quarter of Canadian and UK businesses are looking away from U.S.-based cloud storage companies due to NSA spying. [Source] See also: [SCOTUS Is Scared of Tech, But Privacy Pros Can Help]

US – Lawmakers Unsure of Obama’s NSA Reform

President Barack Obama met with a group of “hand-picked” lawmakers to discuss potential reform to the NSA surveillance programs. The meeting included proponents of existing programs—such as Sen. Dianne Feinstein (D-CA)—and vocal critics, including Rep. Jim Sensenbrenner (R-WI). Several of the lawmakers left the meeting unconvinced the president was going to reform the programs enough. House Judiciary Chairman Bob Goodlatte (R-VA) said, “it’s increasingly clear that we need to take legislative action to reform” the agency’s intelligence gathering. Sen. Ron Wyden (D-OR) said, “The debate is clearly fluid” and that the president “is wrestling with these issues.” The Wall Street Journal reports Obama will extend privacy protections to noncitizens and will restructure the phone data program. Phone carriers could foot a bill of up to $60 million per year if they’re required to retain data for intelligence agencies. The NSA fallout is also prompting several states into action. [National Journal]

US – FTC Director of Consumer Protection Talks Priorities

The FTC’s Jessica Rich discusses her new role as director of the FTC’s Consumer Protection Bureau. Rich says “native advertising” will be big with the FTC in the near future. “I want to make a broader push into mobile, mobile security, mobile payments, making sure we are able to bring mobile investigations, just as we are able to bring brick-and-mortar investigations.” She adds that the time for privacy legislation has come. Meanwhile, recent data breaches at Target and Snapchat have incited calls from Washington, DC, for legislative action and raised questions about the FTC’s efficacy on data protection. [AdWeek]

US – Pamela Jones Harbour Moves to BakerHostetler

Former Federal Trade Commissioner Pamela Jones Harbour has moved to BakerHostetler where she will help lead its privacy and data protection team. Harbour, who served as a commissioner for six years, will work as a partner assisting clients with data breach notifications and assessments as well as advising on data transfers. “This is an exciting time to join the firm’s antitrust and privacy teams,” Harbour said in a statement. [The Hill]

US – Schneier Moves to Co3; Evidon Hires First COO

Co3 Systems has hired security and privacy expert Bruce Schneier as its chief technology officer, while Evidon has hired its first chief operating officer. Schneier currently serves as a fellow at Harvard’s Berkman Center for Internet and Society, board member of the Electronic Frontier Foundation and advisory board member of the Electronic Privacy Information Center. Emily Riley comes to Evidon from her prior role as a digital ad industry analyst for Jupiter Research and Forrester Research and, most recently, as a VP at behavioral targeting firm Audience Science. Riley says Evidon aims to help people understand the trade-off between free digital content and tracking technologies. [AdAge]


Privacy Enhancing Technologies (PETs)

WW – Confide App Erases Your Text Messages After They’re Read

Borrowing a page from Snapchat, a new iOS app promises to let users send self-destructing text messages. Confide is a free message-deleting IM app for iPhone, iPad, and iPod Touch users. You can send text messages to any e-mail address, either by choosing someone from your contact list or manually entering the address. To read your message, however, your recipient must also sign up for a Confide account and download the app. Viewing a message for the first time prompts them to do so. Reading the message on an iOS device requires your recipient to drag a finger across the screen to reveal each word. A read receipt is also sent to you once your message has been read. After the message is closed, though, it disappears for both the sender and the receiver, which is the whole point behind the app. The messages themselves are also private and encrypted to protect them on their journey. [Source]


Security

US – Gov’t Seeks Access to Gun Buyers’ Mental Health Data

The White House announced two new executive actions “that would expand the government’s access to mental health information during background checks on gun buyers,” noting these “clarify what constitutes a mental health problem that might prohibit gun ownership and allow states more wiggle room in disclosing such personal medical information.” One executive action modifies the HIPAA Privacy Rule and allows mental health data “relevant to gun ownership” to be included in the National Instant Criminal Background Check System (NICS), while the other “clarifies what exactly in someone’s mental health history would prohibit them from owning or purchasing a gun.” [The Daily Caller]

US – Pending Legislation Would Require Inspection of Chinese IT Equipment

US legislators in both houses are expected to approve bills that would prohibit certain agencies from purchasing IT equipment manufactured in China until it is inspected by federal authorities. The provision is part of a 2014 fiscal spending package in the House of Representatives. The agencies that would be affected by the bills are the Department of Commerce, the Department of Justice, NASA, and the National Science Foundation. [NextGov] See also: [UAE May Scrap Satellite Deal with France Over Backdoors in US Components]

WW – Microsoft to End Support for Windows XP in April

In what appears to be a concerted effort to urge users to upgrade from Windows XP to a more current version of the operating system, Microsoft has announced that when it stops supporting XP in April, it will also cease support for Security Essentials on XP. [v3.co.uk] [Ars Technica]

WW – The Internet of Things Poses a Growing Threat

Bruce Schneier says that embedded systems pose a growing security threat because “there is no good way to patch them.” He notes that two decades ago, PCs were facing a similar challenge, which has been addressed by full disclosure of vulnerabilities and automated patching. However, embedded systems are products of several different companies, none of which has particular incentive to make sure that they are secure. Schneier says that embedded systems vendors need to be pressured to create more secure products; driver software needs to be open-source; and automated update mechanisms need to be used to keep the products secure. ISPs are a likely locus to initiate this shift. [WIRED] See also: [Russia’s Olympic security to set new surveillance standard at Sochi]


Smart Cards

US – Startup Looks to Thwart Credit Card Hacking

A Texas-based start-up is planning to introduce new technology aimed at thwarting credit card hacking attacks like the 2013 holiday shopping season’s high-profile Target breach. Epic One is developing technology that protects credit cards with biometric readers that scan the cardholder’s fingerprint to avoid such hacks. The start-up will introduce its pilot cards later this year. “The root cause of fraud is the exposure of this information,” said Epic One CEO William Gomez Jr., adding, “The Epic One card does not hold any details of any credit cards. Neither does the Epic One application that runs on your smartphone. None of these devices hold any of your credit card information.” [Forbes]


Surveillance

US – Feinstein on Drones: “Proceed with Caution”

Sen. Dianne Feinstein (D-CA) once found “a drone peeking into the window of her home—the kind of cautionary tale she wants lawmakers to consider as they look at allowing commercial drone use.” Speaking as a special witness at a recent Senate Commerce Committee hearing on drones, Feinstein urged that her fellow legislators “proceed with caution.” Feinstein indicated privacy concerns are “significant” and, according to the report, called for “close scrutiny and recommended a search warrant requirement” for government-operated drones and “strong, binding enforceable privacy policies that govern drone operations … before the technology is upon us.” [Politico] See also: [US: Border-patrol drones being borrowed by other agencies more often than previously known]

US – NSA Using Radio Tech to Snoop on Machines Not Connected to Internet

The NSA has put malware on 100,000 computers that allow it to conduct surveillance, even when the machines are not connected to the Internet. The NSA has been using the technology since 2008. The technology involves the use of small transceivers and in some cases, small circuit boards placed inside targeted machines. [NY Times] [ComputerWorld] [NBC News] [Ars Technica] [SC Magazine] [BBC.co.uk]

US – FISC Jurists Oppose Transparency, Oversight Recommendations

Current and former Foreign Intelligence Surveillance Court judges say that White House task force recommendations for changes to court procedures would place a greater burden on the court and hinder its ability to do its job. The letter, written by former FISC Chief Judge John D. Bates, expresses the jurists’ opposition to appointing an independent privacy advocate to represent the public interest; requiring the FISC judges’ approval for national security letters; broadening the selection process of FISC judges; and ending the NSA’s phone call metadata collection program. [Washington Post] [LA Times] [ComputerWorld] [CNET]

US – Both NSA Metadata Gathering Rulings Will be Appealed

Both recent rulings regarding the legality of the NSA’s phone metadata gathering program will be appealed. On Thursday, January 2, the ACLU filed a notice of appeal in its lawsuit challenging the data collection program; Judge William Pauley III dismissed the ACLU’s challenge the previous week. On Friday, January 3, the US Justice Department (DOJ) filed an appeal of a ruling from Judge Richard Leon in Klayman v. Obama, which found that the NSA’s data collection likely violates the constitution. [ComputerWorld] [ZDNet]

US – NSA Metadata Gathering Program Might Not Reach Supreme Court

If each of the federal judges’ rulings on NSA data gathering is upheld on appeal, it is likely the Supreme Court would step in to resolve the issue. However, according to Orin Kerr, a Fourth Amendment scholar at George Washington University, it is not a sure thing. Kerr points out in a Volokh Conspiracy post that the provision of the Patriot Act (Section 215) that is being held up as license to continue the snooping expires on June 1, 2015. By that time, legislators will likely be debating the issue, and this “lessens the likelihood of the Supreme Court stepping in to the debate at that time, both because the issue may be mooted by statute and because the Court may feel that statutory regulation is preferable to constitutional regulation in this context.” [WIRED] [Orin Kerr’s post] In the meantime, the Foreign Intelligence Surveillance Court (FISC) has renewed the NSA’s phone data collection program. The FISC has to renew the program every 90 days. The court makes clear that the program does not permit the NSA to collect the content of phone calls. [SC Magazine]

US – States Respond to Citizens’ Surveillance Concerns

While states don’t have the authority to shut down NSA surveillance, many state lawmakers are doing their best to enact legislation that will put limits on state and local law enforcement’s abilities. The need for limits on government surveillance of U.S. citizens is one of the few things Democrats and Republicans seem to agree on; according to a USA Today report, “the same proportion of Democrats and Republicans said they are more worried about their civil liberties than they are about terrorism.” From cellphone location data to drones, online browsing to license-plate scanning, coast to coast and left to right, state lawmakers are proposing anti-surveillance laws. In fact, Wisconsin Rep. David Craig noted, “There are so many different facets of technologies that can be misused that lawmakers need to keep our heads on a swivel.” Well, in this legislative session, it seems there’s a bill out there trying to stop every one of them. Many anti-surveillance bills have already become law, but here are some that are on their way down the pike. [US – NSA Insiders Reveal What Went Wrong]

Arizona – Arizona Sen. Mae Beavers (R-Mt. Juliet) says she will introduce legislation requiring state and local police agencies to obtain a warrant prior to “accessing or retrieving” residents’ location data through an electronic device, reports The Chronicle of Mt. Juliet. “We cannot let technological advances sidestep the Fourth Amendment,” said Beavers, who plans to model the legislation after a Montana law. And, as the Privacy Tracker previously reported, Sen. Kelli Ward (R-Lake Havasu City) also plans to introduce a bill to prohibit state and local law enforcement from providing support to the NSA and state-owned utilities from providing services to NSA facilities.

California – California Sens. Joel Anderson (R-San Diego) and Ted Lieu (D-Torrance) have introduced the Fourth Amendment Protection Act, which would make information collected by the NSA without a warrant inadmissible in state court. The law would also ban University of California and California State University employees from establishing “NSA research facilities or recruiting grounds,” reports Raw Story. The OffNow Coalition, a faction of the Tenth Amendment Center, helped to develop this bill along with other similar bills being considered in Oklahoma, Missouri and Kansas.

Indiana – The Indiana House Courts and Criminal Code Committee had its first hearing on a bill that would limit law enforcement’s use of drones and other surveillance equipment on private property, reports mydesert.com. Rep. Eric Koch (R-Bedford) authored the bill, which requires search warrants for electronic surveillance or data collection, with some exceptions.

Kansas – As previously reported, State Rep. Brett Hildabrand (R-District 23) has pre-filed the Kansas Fourth Amendment Preservation and Protection Act, which addresses the issue of information sharing.

Maryland – Maryland Sen. Christopher Shank (R-Washington) announced plans to introduce four bills during the current Assembly that would restrict the ways local and state police use technology to monitor e-mail, location tracking through cell towers and license-plate readers, reports Herald Mail Media. Three of the four bills would require law enforcement to get a warrant, rather than a court order, prior to beginning surveillance activities, increasing the burden of proof for approval.

Massachusetts – Rep. Jonathan Hecht (D-Watertown) has introduced legislation that would put a 48-hour limit on police retention of data obtained through license-plate readers, unless it is directly related to an investigation.

Michigan – Rep. Sam Singh (D-East Lansing) wants to see limits on license-plate readers (LPRs) in that state, reports Landline Magazine. “His bill would prohibit LPRs from recording pictures of drivers, require that local department-level policies govern their use and allow the attorney general’s office to ban use of the technology at agencies found in violation,” the report states, noting, “The bill would also mandate that license-plate records collected by the readers must be deleted from data systems within 48 hours after they were collected. An exception would be made when the record is linked to criminal activity.”

Missouri – Sen. Will Kraus (R-Lee’s Summit) has filed SB 599 to restrict “the storage and use as evidence of data collected through automated license-plate reader systems.” The bill would require jurisdictions that collect data using an automatic license-plate reader to delete that data after 30 days, according to Kraus’s website. And, as previously reported, a resolution proposed in the state would make information including e-mails, phone records and Internet records obtained without a warrant inadmissible in court.

New Hampshire – While New Hampshire is currently the only state that prohibits the use of license-plate scanners, the House will consider a bill this week to authorize their use, reports CBS.

New Jersey – The New Jersey Assembly has approved new requirements for law enforcement and fire departments’ use of drones, reports The Star-Ledger. The bill had bipartisan sponsorship and passed 74-1. While it is very similar to a bill passed in the New Jersey Senate last summer, this bill includes a warrant requirement, which sponsors say would help protect personal privacy as that technology becomes more common. Reps. Amy H. Handlin (R-District 13) and Caroline Casagrande (R-District 11) in November introduced a bill that would require “judicial approval prior to installation or use of automated license-plate reader by law enforcement agency.”

Ohio – In Ohio, HB 69 would “prohibit the use of traffic law photo-monitoring devices by municipal corporations, counties, townships and the State Highway Patrol to detect traffic signal light and speed limit violations, except in certain circumstances.”

Oregon – Within the next month, Oregon lawmakers are expected to introduce at least three bills aimed at preserving privacy. The Oregonian reports the three known proposals will include one to limit the use of license-plate readers by law enforcement agencies; another to “exempt from public records laws the travel histories linked to electronic fare cards the transit agency plans to introduce in a few years,” and the last is aimed at prohibiting law enforcement agencies from obtaining cellphone location data, Internet, e-mail and social media account data and television-watching history without a warrant, except in certain circumstances. These proposals will come on the heels of the passing of a law that limits drone use by law enforcement in the state.

Virginia – Del. Bob Marshall (R-13th District) is sponsoring legislation that states, “a cellular phone or other wireless telecommunications device is a tracking device when it is used to track the movement of a person and that such use requires a warrant issued by a judicial officer.”

Wisconsin – Reps. David Craig (R-Vernon) and Fred Kessler (D-Milwaukee) and Sen. Tom Tiffany (R-Hazelhurst) introduced legislation last November that would limit police use of license-plate scanning. According to a Wisconsin State Journal report, “The bill would allow the cameras to be turned on only during the investigation of a crime. It also would prohibit sharing the stored information with nongovernment entities and require data destruction within 48 hours, unless it was necessary for a criminal investigation.”

US – Tracking Equipment Keeps Getting Cheaper, Study Finds

New research published in The Yale Law Journal by independent researcher Ashkan Soltani and New America Foundation’s Open Technology Institute Policy Director Kevin Bankston has found that the cost of tracking the location of an individual is growing dramatically cheaper. Based on work submitted to the Privacy Law Scholars Conference in 2013, Soltani writes on his personal blog, “tracking a suspect using a GPS device is 28 times cheaper than assigning officers to follow him.” Soltani also notes, “If technical and financial barriers previously provided some protection from large-scale surveillance by the government, these implicit protections have been essentially eliminated by the low costs of new surveillance technology,” adding, “Once the cost approaches zero, we will be left with only outdated laws as the limiting function.” [Ashkan Soltani]

US – “Granny Cams” Raise Privacy Concerns

The use of surveillance cameras or “granny cams” in nursing homes is a practice that is currently legal in Oklahoma, New Mexico and Texas, “to collect evidence of abuse and neglect.” While their use has positive implications for stopping abuse, the report cautions there are privacy implications not only for patients but for roommates, visitors and caregivers. In addition to the potential invasion of patients’ privacy during such personal activities as bathing, the report notes that those with dementia may be unable to consent to the surveillance. [AARP Blog]


Telecom / TV

US – Telcos Not Warming Up to Obama’s Retention Plan

Telephone companies are “quietly hesitating” at a potential plan to have them alter how they collect and retain Americans’ phone records to help the NSA’s surveillance programs. According to the report, phone company executives and their lawyers have said they prefer the NSA to keep control over the records. A representative from CTIA-The Wireless Association said, “Our members would oppose the imposition of data retention obligations that would require them to maintain customer data for longer than necessary.” One key concern for the phone companies is liability. Former NSA official Stewart Baker said Congress “grudgingly” gave legal protection to phone companies after the 2001 terrorist attacks. “The phone companies were seared by their experience in Congress and can’t be enthusiastic about a return engagement,” he added. [The Associated Press]


US Government Programs

US – Court Upholds “Reasonable Suspicion” Requirement for Device Searches

The US Supreme Court has let stand an appellate court ruling that says border agents may search electronic gadgets without reason for suspicion. However, the lower court ruling also found that for the border agents to conduct in-depth forensic analysis of the devices, they must have reasonable suspicion of criminal activity. The case involves a California man whose laptops and cameras were seized and searched upon his return to the US from Mexico. The agents found evidence of child pornography on the devices. The appellate court ruled that the agents did have reasonable suspicion to search Howard Cotterman’s devices because his name was on a watch list as he is a convicted sex offender and travels frequently to places known for sex tourism. While agents are allowed to search devices on a whim—just as they would a vehicle—the court upheld the appeals court ruling that using software to “decrypt password-protected files or to locate deleted files” cannot be done without facts pointing to illegal activity, the report states. [WIRED] [ComputerWorld]

US – FISC Approves Gov’t Metadata Collection

National Intelligence Director James Clapper released a memo stating that the government has filed an application with and received approval from the Foreign Intelligence Surveillance Court to collect telephony metadata in bulk. “It is the administration’s view … that the telephony metadata collection is lawful,” the memo states. Meanwhile, The New York Times reports on a federal appeals court ruling that allows the Justice Department to continue to withhold a memo that allegedly “opened a loophole in laws protecting the privacy of consumer data.” The Times also reports on Jill Kelley, who is seeking damages and an apology from the government for revealing her name in the David Petraeus scandal. Washington University in St. Louis Prof. Neil Richards said, “This case shows that privacy is really important and that the legal rules we have are not tailored for modern technology.” [NBC News]

US – One-Hour Breach Mandate Is Wasteful, Says GAO Report

A GAO report released last month calls into question the effectiveness of new U.S. Office of Management and Budget (OMB) rules that require federal agencies to report PII-related data breaches to the Department of Homeland Security within an hour of their discovery. Further, “OMB staff said that they were unaware of the rationale for the one-hour timeframe, other than a general concern that agencies report PII incidents promptly,” the report reads, while saying that agencies are likely to have little to report with so little time to investigate what happened and why. Meanwhile, there are privacy hurdles to overcome with teenagers and new online patient portals. How much information should parents be allowed to see, and how can that be controlled? [FierceGovernmentIT]


US Legislation

US – Sens. Push for More Data Privacy; FTC Wants “Regulatory Humility”

US senators are calling for action on data privacy legislation in the wake of the Target breach, while on the same day, Federal Trade Commissioner Maureen Ohlhausen called for “regulatory humility” in light of the emerging Internet of Things market. Sen. Deb Fischer (R-NB) said, “Our nation’s entire data security system is in desperate need of revamping … That’s going to require congressional action.” Sen. Patrick Leahy (D-VT) also reintroduced his Personal Data Privacy and Security Act. Amidst such calls for legislative action, Ohlhausen said in prepared remarks at the CES that if new technologies do give rise to harms, “we should carefully consider whether existing laws and regulations are sufficient to address them before assuming that new rules are required.” Meanwhile, in light of a recent GAO report, Sens. Tom Coburn (R-OK) and Susan Collins (R-ME) are calling on agencies to adhere more strictly to federal guidelines and for the Office of Management and Budget to update its policies and increase oversight of breach procedures. [The Hill]

US – Documented Consent Needed to Avoid TCPA Claims

A federal court has denied a motion to dismiss a Telephone Communications Protection Act (TCPA) case, indicating that companies need to have proof of consent in order to avoid TCPA claims. The case involves a customer offering up her cellphone number in a loan application, which the Federal Communication Commission (FCC) has held as a valid form of prior consent; however, the company did not produce the customer’s actual application but an example of the application the company used at the time. “Were Defendant CheckSmart able to submit Plaintiff’s actual loan application showing that she provided these phone numbers, the court would need to evaluate the issue further,” wrote Judge Karon Owen Bowdre. According to the report, this serves as “a reminder that companies should ensure that they collect and retain sufficient documentation of compliance with the TCPA.” [Inside Privacy]

US – Ohlhausen: We Don’t Need New Laws

Law360 reports that during a Technology Policy Institute event last week, FTC Commissioner Maureen Ohlhausen pushed for government officials to “focus on enforcing the powerful laws we already have,” adding, “We simply do not need new talk, new laws or new regulations.” Ohlhausen voiced her opinion that Big Data doesn’t raise “fundamentally new issues,” and before assuming new rules are needed, officials should consider whether existing law will address problems that arise from new technologies.

US – House Passes Two ACA Security, Transparency Bills

On January 10, the House of Representatives passed the Health Exchange Security and Transparency Act, which would require the Department of Health and Human Services to notify individuals within 48 hours of a health exchange breach. While House Republicans say it’s important for patients to know of breaches quickly, President Barack Obama has said it would mean “unrealistic and costly paperwork requirements,” noting that it does nothing to improve perceived security flaws in the exchanges. The bill is expected to fail in the Senate. [HealthIT Security] On January 16, the House passed the Exchange Information Disclosure Act, which, among other provisions, would mean Congress would receive weekly reports on technical problems with healthcare.gov, “including those related to consumer privacy and data security.” [GovInfo Security]

US – 20 Bills to Watch This Year

Inside Privacy offers up a list of pending legislation that privacy professionals should keep an eye on this year. Included in the list are the Personal Data Privacy and Security Act of 2014, the Electronic Communications Privacy Act Amendments Act of 2013 and the Drone Aircraft Privacy and Transparency Act of 2013 in the Senate and in the House, the Do Not Track Kids Act, the Cyber Privacy Fortification Act of 2013 and the GPS Act.

US – CA Rep. Introduces NSA Collection Restructuring Bill

Rep. Adam Schiff (D-CA) has introduced a proposal that would eliminate call records from the types of information the government can collect under the USA PATRIOT Act, according to a press release. Instead, approval from the Foreign Intelligence Surveillance Court would be required to access call records on a case-by-case basis. The bill “mirrors the restructuring of the telephone metadata program recommended by the President’s Review Group on Intelligence and Communications Technologies, as well as changes that Congressman Schiff has been advocating for since before the metadata program was made public,” the release states.

US – Proposed California Bill Would Ban Agencies from Helping NSA

Two California state senators have introduced legislation that would prohibit state officials, state agencies, and companies providing services to the state from helping the NSA with surveillance without a specific warrant. Information gathered without such a warrant would be inadmissible as evidence in California courts. State and locally owned utilities would also be prohibited from supplying NSA facilities with water and electricity. [ComputerWorld] [SC Magazine]

US – CA Bill Would Prohibit Selling of License-Plate Camera Data

Sen. Jerry Hill (D-San Mateo) has introduced SB 893, which would prevent police from selling data from license-plate reading cameras to private parties, while still allowing them to use the data in investigations. The bill would also require police to obtain a warrant to access license-plate data more than five years old and allow victims to sue and recover damages. [The Almanac]

US – Florida to Reconsider Prescription Drug Database

State Senator Aaron Bean (R-District 4) is drafting a bill that would restrict access to the state’s prescription drug database. The Florida Department of Health last year gave defense attorneys the prescription histories of 3,300 people. Bean claims this was outside the scope, and the incident inspired him to write legislation to address it. [WOKV]

US – Maine Considering Social Media Bill

LD 1194, sponsored by Rep. Michael McClellan (R-Raymond), would prohibit employers or educational institutions from requiring a student, employee or prospective employee to provide access to social media or personal e-mail accounts. Opponents of the bill say it could make it harder for school officials to address cyberbullying; however, an ACLU of Maine representative said provisions in the bill allow for schools to access an account after contacting a parent in specific circumstances. The Judiciary Committee is scheduled to consider the bill again this week. [Kennebec Journal]

US – Maryland to Consider Anti-Surveillance Package

A bipartisan group of lawmakers in Maryland introduced a package of bills that would require state and local police to get a warrant before intercepting e-mail communications or tracking individuals using drones, mobile phones or license-plate readers, reports The Washington Post. “The technology has gotten way out in front of the law,” said Sen. Jaime Raskin (D-Montgomery).

US – South Carolina Considers Digital Privacy Legislation

Members of the South Carolina House say they plan to pass a digital privacy law this year that would give similar protections to mobile phones as afforded to homes, reports heraldonline.com. House Speaker Bobby Harrell (R-Charleston) says since the 2012 breach at the Department of Revenue, the issue of protecting citizens’ data has gained momentum, noting, “In today’s society, privacy is becoming a harder and harder thing to protect.” A state law enforcement spokeswoman said officers have concerns that a digital privacy law would “affect our ability to get violent offenders off the streets.”

US – NH Reps. Introduce State Drone Privacy Bill

After a failed attempt to pass a drone privacy bill last year, New Hampshire Reps. Neal Kurk (R-District 2) and Joe Duarte (R-District 2) have introduced bills requiring police to get a warrant in order to use information obtained through drone use in court. In an effort to thwart concerns voiced last year, Kurk’s bill includes a provision stating that it would only take effect if allowed under federal law. [Associated Press]

US – Washington Sen. Calls for Student Data Study

Rep. Elizabeth Scott (D-Monroe) has sponsored a bill calling for a study into how much student data is being released without consent. The bill aims to help the legislature decide whether it should change data handling practices. Scott says she’s concerned about changes to the Family Educational Rights and Privacy Act that allow personally identifiable data to be shared with companies, adding that the growth of programs like the Common Core State Standards will increase the amount of data collected. The House Education Committee is scheduled to discuss the bill on Wednesday. [KUOW]

KY – Kenyan Official to Get Access to Mobile Network User Info

The Kenya Information and Communication Amendment Act 2013 is expected to be signed into law this week and would mean the Communications Commission of Kenya (CCK) would have unlimited access to mobile network consumers’ confidential information. There are questions surrounding the constitutionality of the act, however. While one article guarantees citizens a right to privacy, another—used to justify the regulation—allows any citizen access to “information held by the state or any information that is held by another person and that is required for the exercise or protection of any right or fundamental freedom,” the report states. [ITWeb Africa]

US – U.S. Lawmakers to Introduce Bill on Driver Privacy

Privacy concerns are growing over the increasingly sophisticated technology systems in cars. While automakers say they are responding to consumer demand, privacy advocates disagree. Sens. John Hoeven (R-ND) and Amy Klobuchar (D-MN) will soon introduce a bill that would put car owners in control of the data collected on the vehicle event data recorders commonly known as black boxes. “We’ve got real privacy concerns on the part of the public,” Hoeven said. “People are very concerned about their personal privacy, especially as technology continues to advance.” [The New York Times]

US – Court Denies Suit Alleging Data Broker’s Liability

The U.S. Supreme Court has denied a New York man’s request to hold a data broker liable for illegally selling data taken from Department of Motor Vehicles records. The records were sold to a stranger who allegedly tracked down Erik Gordon and harassed him. The court “refused to grant certiorari” to Gordon’s challenge to a Second Circuit ruling, which rejected his efforts to sue Softech International for the alleged privacy breach. [Law360]

US – TeleCheck to Pay $3.5M for FCRA Violations

The FTC announced that TeleCheck Services, a check authorization service company, along with its associated debt-collection entity, TRS Recovery Services, has agreed to pay $3.5 million as part of a settlement. The FTC charged the firm with violating the Fair Credit Reporting Act (FCRA) by not following proper dispute procedures and sometimes not investigating disputes at all when consumers had their checks denied by retailers based on TeleCheck’s information. Further, the FTC claimed TRS did not abide by the “Furnisher Rule,” which mandates that those providing credit information ensure that information’s accuracy and integrity. The settlement amount is the second-largest for an FCRA violation. [Full Story]

US – Kentucky May Become 47th Breach Notification State

Breach notification bills are beginning to pile up in the U.S. Senate, and lawmakers in Kentucky have introduced data breach notification legislation that, if passed, would make Kentucky the 47th state to enact such legislation. One expert says there currently isn’t support for a bill covering the private sector, but there is for the public sector. [GovInfoSecurity]

US – Anti-NSA Surveillance Legislation Proposed in MO and KS

A resolution proposed in Missouri would make e-mails, phone records and Internet records, among others, obtained without a warrant inadmissible in court, reports Tenth Amendment Center. SJR 27 proposes an amendment to the state’s constitution that adds “electronic communications and data” to the list of things protected from unreasonable searches and seizures. In Kansas, State Rep. Brett Hildabrand has pre-filed the Kansas Fourth Amendment Preservation and Protection Act, which addresses the issue of information sharing. “The bill would ban all state and local government in the state from ‘possessing or attempting to possess’ such information unless a person gives ‘express and informed consent,’ or the local or state government ‘obtains a warrant, upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized,’” the report states. [The Washington Times]

CY – New Data Protection Bill in the Caymans Expected

After receiving less-than-positive feedback last time it was introduced for comment, a revised data protection bill is expected to come before the Legislative Assembly in the coming year. The bill would apply to both public- and private-sector organizations in the Cayman Islands as well as “entities outside the islands that have certain data processing functions here,” the report states. The Human Rights Commission has reviewed the bill and passed it along to the Legislative Assembly, identifying some concerns including the complexity of the bill. [CayCompass.com]

US – PA Bill Would Expand DNA Collection

The Pennsylvania House of Representatives is considering a bill that would require police to collect DNA samples from people arrested for any felony or misdemeanor that requires registration as a sex offender. Senate Majority Leader Dominic Pileggi (R-DE) introduced the bill and says passing the bill would put the state on par with others that have expanded their DNA databases. [TribLive]

US – Trends for 2014? Try Increased Enforcement

California’s Do-Not-Track (DNT) law has gone into effect, mandating websites indicate in their privacy policies how they respond to DNT signals. Interactive Advertising Bureau Senior VP and General Counsel Mike Zaneis said, “There’s always smoke in a handful of state legislatures, but there’s only fire in California.” In light of NSA surveillance of Europe, the EU is expected to come down strong on its Safe Harbor agreement with the U.S. ZwillGen Privacy Counsel Mason Weisz said, “The Europeans are upset, and I think there will be some attempt to placate them in the U.S.” Finally, industry and federal enforcement is expected. The Better Business Bureau has promised to increase enforcement in the behavioral advertising ecosystem, while the FTC is expected to bolster enforcement of the recently updated Children’s Online Privacy Protection Act. With pressure from industry and federal regulators, Weisz said it will “encourage companies to make more representations … and more representations means more risk.” [AdAge]


Workplace Privacy

US – Balancing Wellness Programs and Proper Data Sharing

HR pro Michelle Hicks writes on the proper way to balance implementation of wellness programs at your firm while being mindful of employee privacy. While these programs offer many benefits both for the employees themselves and for the corporate bottom line, they also “ask employees to share information that is so personal that they may not even tell their spouse,” Hicks writes, “like their weight and their body mass index.” She then walks you through the important questions to be asking, information to be sharing and practices to put in place so that both employer and employee are protected. [Idaho Business Journal]

WW – When the Quantified Self Is In the Office

As the quantified-self movement continues to grow more popular, how does it fit into the workplace? Stanford Graduate School of Business Associate Prof. Harikesh Nair said, “It’s definitely an incredible revolution that is going to happen in workplace measurement,” adding it can be a positive development for businesses, giving employers clearer insight on how their employees interact with one another and what makes them successful, the report states. One company is using wearable devices to track its sales staff to improve responsiveness and productivity, which has shown a five- to 10-percent gain in productivity. [Fast Company]

US – Overview of Workplace Privacy Legislation for 2014

New laws that went into effect on January 1 are a harbinger of what employers may expect to see in the coming year regarding workplace privacy: more restrictions on access to applicants’ and employees’ criminal history, credit information and personal social media content. To further complicate the challenges of addressing privacy in the workplace, employers will be required to grapple with next-generation issues raised by the use of social media as a business tool and the increasing adoption of bring your own device (BYOD) programs. As reflected in the summary below, the ever-shifting balance between employer prerogative and employee privacy likely will continue to move in a direction that favors employee privacy.

Criminal History Information: With the start of 2014, Minnesota and Rhode Island joined the wave of jurisdictions that have “ban-the-box” legislation. These laws generally prohibit employers from requesting criminal history information in the employment application. Ban-the-box laws have also been enacted in Buffalo, NY; Hawaii; Massachusetts; Newark, NJ; Philadelphia, PA, and Seattle, WA. Similar bills are pending in 26 states. These laws create challenges for employers because they establish both varying rules on the point in the hiring process at which an employer can request criminal history information and different procedural requirements surrounding such requests. Also effective on January 1 is a new California law that prohibits employers from asking about or considering information concerning applicants’ criminal convictions that were judicially dismissed or ordered sealed. This new law adds to a growing list of state law restrictions on employers’ inquiries into criminal history information—in addition to restrictions on inquiries about criminal history in the employment application. In addition to new legislation in this area, employers likely will also see continued aggressive enforcement by the Equal Employment Opportunity Commission (EEOC) regarding employers’ use of criminal history for employment decisions and increased litigation by the plaintiffs’ class action bar, which won several seven-figure settlements in 2013 based on employers’ alleged violations of the federal Fair Credit Reporting Act (FCRA) when conducting criminal history checks.

Credit Information: On January 1, regulations implementing Colorado’s Employment Opportunity Act became effective. The law and its implementing regulations are similar to laws enacted in nine other states that restrict the use of credit information for employment purposes. These laws generally prohibit employers from procuring credit information on applicants and employees unless the information is “substantially job related.” However, the laws establish materially different definitions of that key statutory term. The states that have enacted such laws, in addition to Colorado, include California, Connecticut, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont and Washington. Similar bills are pending in 35 states. In addition, in December 2013, U.S. Senator Elizabeth Warren introduced a bill that would impose restrictions on employers’ use of credit information for employment purposes that are more stringent than any of these state laws.

Social Media Passwords: On January 1, Oregon became the twelfth state with a “social media password protection” law, joining Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Utah, and Washington. These laws share one common thread: they all prohibit employers from asking applicants for their user name, password or other login credentials for their personal social media accounts, and all of the laws, except New Mexico’s, impose the same prohibition with respect to employees. Unfortunately, beyond that, the laws vary materially in terms of prohibited conduct, exceptions and remedies. Employers will likely face increasing complexity in this area in 2014 as bills addressing access to applicants’ and employees’ personal social media accounts are pending in 15 states.

Other Social Media Issues: Since January 2011, the National Labor Relations Board (NLRB or “Board”) has repeatedly struck down provisions of employers’ social media policies and reversed employer discipline of employees based on employees’ personal social media activity. According to the Board, these employers violated Section 7 of the National Labor Relations Act (NLRA) by implementing policies that interfered with employees’ right to discuss the terms and conditions of employment or by disciplining employees for exercising that right in social media. Because social media have become an integral part of daily life for so many employees, in 2014, employers will continue to confront these issues. Employers also may encounter a new set of issues arising from their growing reliance on social media to advance their business interests. Recent decisions by the NLRB’s administrative law judges and recent statements by the NLRB’s recently confirmed general counsel suggest that if employers allow employees to use corporate social media platforms, such as Yammer or Chatter, or corporate social media pages for non-business purposes, the NLRB will attempt to impose the same restrictions on employers that it has applied to employees’ personal social media activity. In other words, without carefully drafted policies or terms of use, employers run the risk that corporate-sponsored social media sites could be subverted for employees’ complaints about the terms and conditions of employment.

Bring Your Own Device: The “consumerization of IT” will continue to expand in 2014 as more employers hope to reap savings from employees using their personal devices, rather than corporate-owned devices, to conduct their employer’s business. These bring your own device (BYOD) programs pose fundamental challenges for employers seeking to balance the need to safeguard customer and corporate data against the risk of unlawfully accessing employees’ personal information. While many employers have addressed the balance through BYOD policies and user agreements, maintaining that balance will only become more challenging in 2014 from an operational perspective as employees increasingly rely on mobile apps to store sensitive information about themselves, such as blood pressure, blood sugar level and heart rate. For multinational employers, the roll-out of BYOD programs in 2014 to their employees in the European Union and other jurisdictions with broad data protection laws can create even more substantial challenges. In many of these jurisdictions, employers face greater restrictions than in the U.S. on access to an employee’s personal device. In addition, employers must implement systems that will permit data subjects to obtain access to, and update, their personal data even when it is stored on an employee’s personal device.

Conclusions and Recommendations: In sum, it is likely that two major trends will continue to play out in 2014 in the area of workplace privacy, and in a direction that favors employees. First, legislators, enforcement agencies and the plaintiffs’ bar will likely continue their efforts to narrow the scope of information that employers can consider when making employment decisions about applicants and employees. Second, technology will continue to blur the lines between work and personal life, with personal life expanding into work life—not the other way around. However, the widening scope of the NLRA and the increasing number of countries with broad data protection laws will compel employers to tolerate this “intrusion” of personal life into work. Employers should consider the following steps in response to these trends:

  • Review existing practices for collecting and using criminal history, credit and personal media information about applicants and employees and implement policies to ensure compliance with state law restrictions on the collection of such information as well as with the federal Fair Credit Reporting Act’s background check requirements;
  • Implement a social media policy, or update the organization’s existing policy, to address recent NLRB decisions with respect to both employees’ personal social media activity and employees’ social media activity on the employer’s behalf;
  • Require that all U.S. employees execute a BYOD user agreement before permitting them to use a personal mobile device to conduct company business;
  • Before rolling out a BYOD program to non-U.S. employees, evaluate whether local law will permit the employer to take the necessary steps (such as access to, and monitoring of, the personal device and remote wipe) to safeguard corporate and customer data and develop systems for complying with requests by data subjects to exercise their rights with respect to data stored on employees’ personal devices.

+++
