01-15 August 2014

Biometrics

US – Facial Recognition Leads Feds to Fugitive After 14 years

A cold case comes back to life after facial recognition software recognizes an alleged US outlaw who’d been hiding out in Nepal. In 2000, after being accused of child sex abuse and kidnapping in New Mexico, Neil Stammer skipped town and went underground. Fourteen years later he was arrested in Nepal. How did the authorities catch this fugitive? Facial recognition technology. [C|Net]

Big Data

US – FTC to Consider Data Collection’s Impact on Low-Income Consumers

The FTC will host its “Big Data: A Tool for Inclusion or Exclusion” workshop in Washington, DC, on September 15. The workshop will look at the ways advancing technologies are increasingly collecting data for commercial purposes and the impact that has on consumers, including low-income and underserved individuals. Panel discussions will assess the current environment, look at what’s on the horizon, survey the legal landscape and map the path forward. [FTC Announcement and Agenda] [NYT Debate: Does Big Data Spread Inequality?]

US – Disagreement Among Tech Giants on Comprehensive Privacy Legislation

Stakeholders from industry to advocacy to regulators have submitted comments to the National Telecommunications and Information Administration (NTIA) on how the U.S. government should protect consumers in the era of big data. On one side, some urge President Barack Obama to initiate strong legislation for data collection while others say industry can self-regulate. Microsoft is calling on Congress to enact “strong, comprehensive privacy legislation,” noting that although big data “holds great promise for technology, for the economy and for the people,” such legislation “can and should be part of unlocking that promise.” On the other side, the Internet Association—which represents Google, Facebook and Yahoo, among others—advocated for “a flexible and balanced self-regulatory responsible use framework.” The NTIA has compiled a complete list of comments. [The Hill] See also: [NYT: As Data Overflows Online, Researchers Grapple With Ethics]

US – Advocates: Self-Regulation Isn’t Working; We Need a Law

A coalition of advocacy groups are reiterating the call for a privacy “bill of rights” that would limit marketers’ ability to collect or use individuals’ data. The organizations, which include the ACLU, the Center for Digital Democracy, Consumer Action, Consumer Watchdog and Common Sense Media, submitted the comments in response to the National Telecommunications and Information Administration’s request for opinions on how to balance privacy principles with the value that data collection can bring. “Industry self-regulation is not enough and has failed to inform or protect consumers,” said the groups last week. [MediaPost]

US – Berkman Releases Paper on Privacy in Longitudinal Studies

Long-term longitudinal research studies often collect highly specific and sensitive data about individuals. The benefits are in the ability to link sets of behaviors in specific people, but that is also where the danger lies: It’s difficult to keep those individuals from being identifiable from their unique traits. In the first in a series of reports based on the “Integrating Approaches to Privacy Across the Research Data Lifecycle” workshop held by the Privacy Tools for Sharing Research Data project at Harvard University last year, Harvard’s Berkman Center provides an overview of the long-term longitudinal study use case. It describes the disclosure risks as well as common legal and technical approaches for managing confidentiality and identifies “urgent problems” for privacy in the research environment. [Source]

US – Exploring the Privacy Paradox

Chris Hoofnagle explores the phenomenon known as the “privacy paradox,” where privacy concerns do not relate to people’s behavior. “The privacy paradox is a major problem for consumer advocates. It suggests that advocates are out of touch with average consumers and that government should not intervene in privacy because individuals really do not care about it,” he writes. Examining the book, Exit, Voice, and Loyalty, he suggests if the privacy paradox “is understood with the impoverished view that only exit matters, we will misinterpret individuals’ actions and policy-makers can buy into narratives that people are hypocrites who do not really care about privacy. If we consider voice, attitudes and action may not be in conflict.” [Source]

US – Commissioner Talks FIPPs, Big Data; LabMD Seeks Sanction for FTC

Federal Trade Commissioner Maureen Ohlhausen sent a letter to the National Telecommunications and Information Administration this week on the tension between privacy advocates’ push for officials to support Fair Information Practice Principles (FIPPs) limiting companies’ ability to collect, retain and use data and the potential value to be gained from maximizing the benefits of big data. While FIPPs call for companies to explain to consumers why data is being used and to gain their consent, big data can yield insights unforeseen at the time of collection. Ohlhausen called for strategies such as de-identification to bridge the gap. Meanwhile, LabMD has asked a judge to sanction the FTC for allegedly having a secretive relationship with the source of a key piece of evidence in the data breach case against the company. [MediaPost]

Canada

CA – CSEC Won’t Say How Long It Keeps Canadians’ Private Data

The federal government’s secretive electronic intelligence agency is not disclosing how long it can hold onto Canadians’ communications – even though its leaders have said that “firm” time limits are in place to protect privacy. The strictures surrounding Communications Security Establishment Canada’s data-retention periods – including those affecting recognized “private communications” and also “metadata” – are blacked out from an operational document obtained by The Globe and Mail. [Source]

CA – Police Record Checks Under Scrutiny In Ontario

The disclosure of non-conviction information on police record checks costs many people educational and job opportunities in this province. But steps are being taken to ensure innocence is presumed until proven guilty. Police services across the province are evaluating what they disclose on record checks. They’re debating whether they should end the practice of noting how many times a person has had contact with police. The Ontario Association of Chiefs of Police recently revised its voluntary record check guidelines to limit the practice. Brian Beamish, the acting information and privacy commissioner for Ontario, called the recommendation a step in the right direction. But Beamish said he’d like the reporting of non-conviction information eliminated from police records altogether. “I think it points to the need to have some kind of provincial standard,” he said. “So that this is no longer a voluntary process for police services that they have a standard that they have to guide their actions by. It needs the force of law.” The Canadian Civil Liberties Association is currently in talks with the provincial government to create that legislation. Association spokesperson Abby Deshman said she wants to see all police services adopt the guidelines. [Source]

CA – Should Your Home’s Selling Price Be Public Information?

The selling prices of homes are currently the property of real estate boards. Should they be forced to share them with the public? If you’re in the market for a house and know what other houses in the area are selling for, would that help you to make an offer? This question is at the heart of the lengthy proceedings between the Competition Bureau and the Toronto Real Estate Board (TREB). The Bureau wants anyone to have access to the Multiple Listing Service (MLS) owned by the real estate board. TREB says the information is private. In a Supreme Court of Canada decision given last week, the parties were basically told to keep fighting. [Source]

Consumer

US – Whitepaper Measures Whether Consumers Are “Getting the Message”

The Lares Institute has released a whitepaper on whether consumers are “getting the message” about steps they can take to protect their own privacy. The FTC has suggested, for example, that individuals know who they share their information with; store and dispose of sensitive data securely; ask questions before deciding to share personal data, and maintain appropriate security on electronic devices. The paper is based on data from multiple years of surveys that asked consumers questions about their own privacy-protective behavior, such as whether they carry their Social Security cards in their wallets, shred documents that include personal information or use antivirus programs. [Source]

US – Poll: Consumers Concerned About In-Store Tracking

A new survey reveals that a majority of retail consumers are concerned in-store tracking invades their privacy. According to the PunchTab survey, brick-and-mortar retailers need to overcome consumer perceptions about whether in-store communications from tracking provide useful information. Merely 27% of respondents would allow in-store tracking for deals and relevant messaging, while 50% were not open to tracking at all, citing privacy as their biggest concern. However, providing discounted prices, coupons and shorter checkout times were found to be acceptable uses of in-store tracking. [eMarketer]

UK – Beacon Deployment Hampered by Consumer Privacy Concerns

Companies like Lord & Taylor and Hillshire Brands indicate they’re seeing positive early results from the rollout of Bluetooth technology location-tracking beacons to enhance services and boost sales. A new report by Forrester analyst Adam Silverman suggests “beacons will succeed where Wi-Fi, near-field communication and other location-focused technologies have failed,” largely because it is an opt-in location-tracking solution. But privacy remains a major barrier to the use of such technology: Forrester’s research indicates 56% of customers overall aren’t comfortable sharing their in-store location with retailers. Given an offer or discount, 41% are still uncomfortable. [MediaPost]

EU – 3rd Party Data Must Be ‘Properly Sourced, Permissioned and Cleaned’ for Use in Direct Marketing Under New Industry Code

Companies buying personal data from third parties to use in direct marketing campaigns must “satisfy themselves” that data was “properly sourced, permissioned and cleaned”, according to a new industry code developed by the Direct Marketing Association (DMA). [Out-Law] [The new DMA code (12-page / 321KB PDF)] BACKGROUND: [Reding: US authorities wrong to ask Microsoft directly to hand over customer data stored in the EU 02 Jul 2014] | [Apple and Cisco back Microsoft challenge to US data search powers 17 Jun 2014] | [US search powers extend to data stored on foreign servers, rules judge 30 Apr 2014] | [Microsoft commits to offer non-US storage of data 24 Jan 2014]

UK – Information Commish Concerned About Data Security in Legal Profession

The UK Information Commissioner’s Office (ICO) has received reports of 15 incidents in the past three months involving mishandling of client data by those in the legal profession. The ICO is warning that barristers and solicitors who do not take adequate precautions to protect their clients’ data would face fines of up to GBP 500,000 (US $840,000). [Source]

E-Government

UK – Government to Unveil New Personal Data Sharing Plans

Plans to allow personal data stored on different public sector databases to be aggregated could be unveiled by the UK government later this year. Under the plans being considered, “all bodies providing public services” could be given greater freedom to share the personal data they store to “improve outcomes in health, education or employment”, according to a report by the Daily Telegraph. According to the paper, individuals might not be asked whether they consent to the sharing of their data. The white paper to be published will also contain plans to enable greater sharing of anonymised data by public sector bodies, the Telegraph reported. [Out-Law]

WW – Twitter Says Governments Asking for More User Data than Ever

Twitter said government requests for user data grew sharply in the past six months as more countries asked for a greater amount of information about users. More than half of the requests came from the United States, as has been the case since Twitter began issuing its “transparency report” in 2012. Typically, the requests are part of criminal investigations. San Francisco-based Twitter Inc. said in a blog post Thursday that it received 2,058 requests from 54 countries in the first six months of the year, including from eight countries that had not previously submitted requests. Twitter produced at least “some information” that the governments asked for in 52% of cases worldwide and in 72% of requests coming from the U.S. [CBS News] SEE ALSO: [Twitter vows to “improve our policies” after Robin Williams’ daughter is bullied off the network]

WW – White Paper Examines Gov’t Access to Data in the U.S. and Latin America

Hogan Lovells has published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined. [Hogan Lovells] See other papers in this series: [A Global Reality: Governmental Access to Data in the Cloud comparing government access in the United States, Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, and the United Kingdom] | [Individual Rights to Challenge Government Access to Data in the Cloud, comparing the ability of citizens and non-citizens to challenge government access to data in the U.S., France, Germany, the UK, and Australia] | [An Analysis of Service Provider Transparency Reports on Government Requests for Data, comparing the number of government access requests to Cloud service providers who have published those numbers]; and [A Sober Look at National Security Access to Data in the Cloud, comparing the mechanisms international governments can use to access sensitive foreign intelligence information]

E-Mail

US – Justice Dept. Gets Involved in Microsoft Email Privacy Case

The next chapter in the Microsoft email privacy case has unfolded as the U.S. Department of Justice has asked a New York court to vacate a stay on an order that would compel Microsoft to turn over to the U.S. government certain emails currently being held on servers in Dublin, Ireland. Microsoft had asked for the stay to pursue an appeal, but may now have to refuse to comply with the order if the court follows the DoJ’s lead. If the company refuses the order, then the New York court is requested to issue “a contempt order that would, in turn, be a properly appealable final order, which could be stayed on consent pending appeal.” The European Commission, last week, expressed concern about the case. [PC World] See also: [Out-Law: Microsoft Launches Further Appeal Over US Ruling to Hand Over Emails Stored In the EU]

US – Judge: Path May Appeal Text-Spam Ruling

Path has been authorized to appeal a ruling in a text-spam case. Northern District of Illinois Judge Manish Shah said, “An immediate appeal may materially advance the ultimate termination of the litigation.” The 2013 lawsuit, which seeks class-action status, alleges Path sent Kevin Sterk a text message saying that his friend, a Path user, wanted to share photos with him and contained a link to a Path registration page. Sterk argues Path violated the Telephone Consumer Protection Act by sending him an automatic message. Shah said, “The course of the litigation depends on the interpretation of automatic telephone dialing system.” [MediaPost] See also: [US: Enforcing The Canada Anti-Spam Legislation (CASL) Against U.S. Companies]

US – Yahoo Must Face Email Scanning Suit; Google Beats Privacy Suit

Yahoo has been ordered by a federal judge to face a privacy class-action alleging it scanned its users’ emails for targeted advertising. U.S. District Judge Lucy H. Koh did grant the company’s request to throw out a federal wiretap allegation as well as throw out claims that Yahoo did not properly disclose it would collect and store users’ content for future use, the report states. However, Koh ruled she will permit the suit to move forward under a different wiretap claim alleging the company may have illegally shared content between Yahoo and non-Yahoo users. Meanwhile, a California federal judge has dismissed a putative class-action against Google that alleged the company violated a contract with users by giving their private data to third-party app developers. [Bloomberg]

WW – Unsubscribing from Annoying E-Mails Just Got Easier For Gmail Users

Have you ever got frustrated trying to find the “unsubscribe” link at the bottom of promotional e-mails? Google just made it a lot easier. In a change announced Wednesday in a Google+ post, Gmail users will now find the unsubscribe button at the top of those newsletters and promotional e-mails. The new feature will display the unsubscribe link right next to the sender’s e-mail address. The feature relies on the existing filtering system used in Gmail’s Inbox tabs that categorizes social, promotional, updates and forum e-mails. It will only work for e-mails that include an unsubscribe link within them. [Source] See also: [‘Google Glass on your windshield’ lets you check your phone with eyes on the road]

Electronic Records

US – California’s Ahead of the E-Health Game, But Breach Concerns Persist

California’s Cal Index system will transition one in four state residents to electronic health records by the end of the year thanks to a partnership between Blue Shield and Anthem Blue Cross. The system will be the biggest health information network anywhere in the U.S. and aims to make for faster and better healthcare. However, some opponents are concerned about the potential for data breaches while others don’t like the idea of their medical information being readily available. [Southern California Public Radio]

US – Court Rules In Favor of Providing Officials Access to Entire Email Account

A judge in the District of Columbia ruled that providing law enforcement with access to an entire email account in an investigation did not violate the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable searches and seizures of property. The order by Chief Judge Richard W. Roberts of the U.S. District Court for the District of Columbia reversed an earlier decision by Magistrate Judge John M. Facciola, who had refused to allow a two-step procedure whereby law enforcement is provided all emails relating to a target account and is then allowed to examine the emails at a separate location to identify evidence. The striking down of Judge Facciola’s ruling will likely fuel the privacy debate in the country. A New York judge last month defended his order that gave the government access to all content of the Gmail account of a target in a money laundering investigation. [Source] See also: [Judge orders destruction of residential school documents after 15-year holding period]

Encryption

US – Breach Index: Encryption Used in only 4% of Q2 Incidents

Last quarter, organizations that reported data breaches only used encryption around four percent of the time to further safeguard data, a report found. [SC Magazine] See also: [US: No noise is good noise, Cary police say of plan to encrypt radio traffic]

WW – Google Rewarding HTTPS Sites with Higher Search Rankings

Google says it is giving sites that use HTTPS a slightly higher ranking in Internet searches in an effort to stimulate further adoption of the protocol. In tests, Google has found HTTPS yields positive results as a ranking signal, though for now it carries less weight than such signals as high-quality content, according to two Google webmasters. Over time, “we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.” Meanwhile, Yahoo said yesterday it will join Google’s efforts to create a secure email system that could make it nearly impossible for hackers or governments to read users’ email. [ZDNet]

EU Developments

UK – Cyber Security Body Warns of IT Security Flaws, Risks Posed by Malware

Weak passwords and unpatched software are enabling hackers to use organisations’ own servers as the hosts of cyber attacks, the UK’s National Computer Emergency Response Team (CERT-UK) said. [Out-Law] [CERT-UK’s quarterly report (20-page / 1.26MB PDF)]

UK – Government to Unveil New Personal Data Sharing Plans

Plans to allow personal data stored on different public sector databases to be aggregated could be unveiled by the UK government later this year. [Out-Law] [The Telegraph’s report] UK ministers plan to “link up thousands of state databases used by schools, councils, police and civil servants,” which is expected to bring privacy concerns. Separately, the Irish Department of Public Expenditure and Reform launched a public consultation on the planned Data Sharing and Governance Bill, which deals with data sharing between public-sector agencies.

Facts & Stats

WW – Infographic for More Compelling Big Data Statistics

Did you know that 90% of the world’s data was created in the last two years? And that 80% of data today is unstructured? The infographic presents facts like these in an easy-to-consume graphic deliverable. [GCN]

Finance

CA – Women File Suit Over FATCA

Two Ontario women allege “Canada has violated the charter rights of nearly a million Canadians by agreeing to share their financial details with authorities in the United States,” in a lawsuit launched against the Attorney General of Canada. The suit alleges Ottawa breached Canada’s constitution by complying with the U.S. Foreign Account Tax Compliance Act. Attorney David Gruber said, “The non-U.S. person would presumably not have any potential liability to the U.S., but nevertheless, they would have the intrusion of their privacy.” He said the case argues Canada’s government has breached the Charter of Rights and Freedoms. [The Canadian Press] [Marni Soupcoff: Ottawa is violating Canadians’ constitutional rights to help the U.S. collect taxes]

FOI

UK – FOI Requests in Particular Formats Must Be Adhered To: Court of Appeal

Public bodies must generally adhere to individuals’ requests for information to be provided in a specific electronic format under freedom of information (FOI) laws, the Court of Appeal in London has ruled. [Out-Law] [The Court of Appeal judgment (22-page / 413KB PDF)]

UK – Evidence During FOI Disputes Can Be Provided in Secret: Court of Appeal

Public bodies defending a decision to withhold information requested under freedom of information (FOI) laws can submit evidence to an information rights tribunal in secret, the Court of Appeal has ruled. [Out-Law]

US – Snowden Isn’t the Only NSA Whistleblower

A former State Department official in April filed a whistleblower complaint arguing National Security Agency (NSA) data collection practices violate Americans’ Fourth Amendment rights. John Napier Tye had top-secret clearance and worked on Internet freedom issues. He knew the Obama administration was considering a proposal that an internal White House document said represented “significant changes” for handling Americans’ data collected by the NSA from fiber-optic networks abroad, unbeknownst to Congress or the American people. Meanwhile, Wired sat down with Edward Snowden in a hotel room in Moscow to discuss his ordeal over the last year. [The New York Times]

UK – FOI response times not good enough in Scotland, says watchdog

Many public authorities in Scotland are failing to respond quickly enough to requests for information, the Scottish Information Commissioner’s Office (SICO) has said. [Out-Law]

Health / Medical

US – White House Offers Agencies Security, Privacy Tips

Learning from mistakes made during last year’s rollout of Healthcare.gov, the Obama administration has announced it is offering other federal agencies help—including a focus on privacy and security—for their own IT rollouts. Part of the White House’s latest efforts stem from the newly created U.S. Digital Service, an elite team of technology experts (“the country’s brightest talent”) designed to work with federal agencies “to remove barriers to exceptional service delivery and help remake the digital experience that people and businesses have with their government.” Additionally, the administration is offering a “Digital Services Playbook” to provide best practices for building digital services, which includes “managing security and privacy through reusable processes.” [GovInfoSecurity]

US – Insurance Giants Creating Massive Database of Patient Records

The benefits could prove useful in emergency rooms, where doctors would be able to review patients’ histories instantly. It’s expected to go online by the end of the year. Insurers say the new system, called Cal Index, will help save money by reducing repetitive tests and procedures. Anthem and Blue Shield are providing $80 million in seed money to start the nonprofit database, with the hope it ultimately will survive on subscriptions paid by health providers. Technological challenges have caused previous attempts to fail. Patient privacy is another concern, said Pam Dixon, executive director of the World Privacy Forum. People who suffer from rare diseases, domestic-abuse victims and others are often concerned about keeping their records private, Dixon said. [LA Times]

WW – Apple HealthKit Aims to Centralize Health Data

Apple has been working out how its HealthKit will integrate with a number of healthcare providers and aims to centrally locate health data generated from thousands of third-party health apps for its users. Expected to be released next month as part of the company’s iPhone 6, HealthKit will need to navigate the web of privacy regulations under HIPAA. Joy Pritts, who recently served as chief privacy officer for the Office of the National Coordinator for Healthcare IT, said Apple may need to reassess its responsibility to protect data with each new partnership—meaning a partnership with a wearable tracking company would not be subject to HIPAA but one with a clinic would. [Reuters]

NZ – Report Slams Medical Privacy

A damning Privacy Commission review shows snooping doctors, nurses and even admin workers can access patients’ most personal medical records. The Office of the Privacy Commissioner identified significant flaws in the security and regulation of three shared care record (SCR) portals used by a number of district health boards. A draft review leaked to the Sunday Star-Times has major concerns about all three portals, noting they need to be “more demanding” of patient security with none of the reviewed SCRs able to provide a compelling picture of how access was audited. There was also a concern health information was being electronically recorded and monitored without patient knowledge. [Source] See also: [AU — AUS: Concerns over PCEHR survey privacy quelled]

US – Your Baby’s Cute, But No More Pics on the Doc’s Wall

For generations, doctors have proudly displayed in their offices pictures of the babies they’ve delivered. But that’s a practice patients will see less and less. “I’ve had patients ask me, ‘Where’s your baby board’,” said Columbia University Medical Center’s Mark Sauer. “We just tell them the truth, which is that we no longer post them because of concerns over privacy.” Under the Health Insurance Portability and Accountability Act (HIPAA), baby photos are protected health information. Meanwhile, in a separate report, Khaled El Emam and Scot Ganow discuss the best methods of protecting patient privacy and data de-identification under HIPAA. [The Boston Globe]

Horror Stories

WW – Security Firm Says Russian Gang Amassed 1.2 Billion Passwords

A security firm has discovered a collection of stolen passwords, usernames and email addresses has been amassed by a ring of Russian hackers. According to Hold Security, the collection includes 1.2 billion username and password combinations and more than 500 million email addresses. The company will not disclose the victims due to “nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable,” according to the report. The firm’s CEO said the hackers not only targeted Fortune 500 companies but small websites as well. Meanwhile, Target has announced it will book $148 million in expenses in its second quarter results stemming from last year’s massive data breach. [The New York Times] SEE ALSO: [Krebs: Q&A on the Reported Theft of 1.2B Email Accounts] and [Vast majority of hackers believe they’re above the law — survey]

US – Suit Alleges Hospital’s Lack of Procedures Led to Breach

Two Ohio women have filed a lawsuit alleging their privacy was violated when employees at Kettering Health Network accessed their health information. Vicki Sheldon says her ex-husband Duane Sheldon, who worked in an administrative position at the hospital, accessed her files and those of her daughter. In subsequent months, other people accessed her records, she says, and the health network didn’t have the appropriate procedures in place to protect them. An attorney for Duane Sheldon, who is also named in the suit, said the claims are inaccurate. [2News] See also: [PR Expert on Commonly Made Breach Response Mistakes] See also: [WSJ: An Argument for Not Disclosing Breaches]

US – Bank, Hospital Report Data Breaches

A Florida-based bank is alerting approximately 72,500 customers of a data breach involving personal information that may include account balances, personal identification numbers and Social Security numbers. An unauthorized third party accessed the TotalBank network. Meanwhile, Jersey City Medical Center says an unencrypted computer disk containing patient information from 2011 was lost when a package sent through the mail failed to arrive. Letters are being sent to the affected patients, although there’s no evidence to suggest the lost information has been made available to unauthorized parties or used in nefarious ways. [TweakTown] See also: [AU – Hospital kills off 200 patients by mistake] and [BC: 1,628 patients at Kamloops hospital had privacy breached]

US – Judge Rules on Portal Case; Paddy Power Breach Examined

A U.S. federal judge has ruled that Travelers Indemnity Co. of America must defend Portal Healthcare Solutions against class allegations that it posted confidential medical records online, ruling Travelers’ policy covers electronic publication of private information. [Law360] Meanwhile, a Canadian man found himself faced with a convoy of forensics experts and representatives from recently breached Irish company Paddy Power, holding court documents and subsequently seizing a hard drive and other equipment from his basement, after he sold data that had initially been stolen from the company in a 2010 hacking. [Irish Times] See also: [DHS contractor suffers major computer breach, officials say]

US – Advocates Want Google Settlement Quashed

A coalition of privacy groups is urging the FTC to ask a California judge to reject Google’s $8.5 million class-action settlement, alleging the company illegally divulged search information. The group says the FTC’s involvement is necessary in order to “quash the unfair and ineffective deal,” the report states. Meanwhile, the FTC has responded to a letter from the Electronic Privacy Information Center urging it to oppose the settlement, saying it “systematically monitors compliance” with its consumer protection orders and “takes alleged violation(s) of an order seriously” but cannot disclose details of investigations before a formal complaint is issued. [Law360]

WW – Mozilla Developer Network Info Accidentally Exposed

The Mozilla Foundation has apologized following an incident where “tens of thousands of email addresses and encrypted passwords” were accidentally exposed. The email addresses, which belonged to about 76,000 Mozilla Developer Network members, were exposed on a public server for a month, the report states, noting some 4,000 encrypted passwords were also exposed. “We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you,” two Mozilla spokesmen wrote, adding that while the encrypted passwords cannot be used to access the site, anyone who reused a password on another site should change it. [IT News]

Identity Issues

EU – Survey Reveals Business Attitudes to ‘Bring Your Own Identity’ Potential

Allowing customers to use an “existing digital or social identity” to access applications can help organisations deliver simple and secure services to customers, according to a new survey. [Out-Law] [The Ponemon report into BYOID attitudes (registration required)]

US – Inspector General Finds Risks with ONC’s Certification Process

In a report released this month, the Department of Health and Human Services Office of Inspector General concluded that the Office of the National Coordinator (ONC) for Health Information Technology “essentially has an insufficient compliance program to maintain the privacy and security of the protected health information hosted by electronic health records (EHRs).” The report found the ONC’s oversight of authorized testing and certification bodies (ATCBs) did not ensure they developed procedures to “periodically evaluate whether certified EHRs continued to meet federal standards” and developed a training program “to ensure that their personnel were competent to test and certify EHRs and to secure proprietary or sensitive EHR information.” [Med Law Blog]

Intellectual Property

WW – In Three Days, Facebook Class-Action Gains 11,000 Members

Days after the announcement by Europe v. Facebook’s Max Schrems on the filing of a class-action lawsuit “inviting adult noncommercial Facebook users located anywhere outside the U.S. and Canada to join in … (the) civil action has pulled in some 11,000 participants.” About 50% come from “German-speaking countries,” the report states, and a Europe v. Facebook spokesperson noted, “Reasonable numbers come from all European countries and South America.” The class-action is targeting what the group describes as “unlawful acts” by Facebook, including its alleged support of the U.S. NSA’s PRISM surveillance program and lack of “effective consent” for many uses of user data, the report states. [TechCrunch] Schrems is seeking 500 euros per Facebook user, and people can join the case by logging in with their Facebook credentials at www.fbclaim.com.

Internet / WWW

US – Man Launches Kickstarter Campaign to Live “A Year Without Privacy”

Noah Dyer calls himself an “anti-privacy” activist, and he’s seeking $300,000 in a Kickstarter campaign to fund a yearlong live-stream of his life. He calls the project, “A Year Without Privacy.” Dyer is a professor of mobile app and game programming at the University of Advancing Technology, and he believes government should be allowed to gather all data on its citizens, and likewise, the government itself should have no privacy. Meanwhile, an Internet privacy start-up has raised $100,000 in Kickstarter funding. The iCloak is a small USB device that thwarts companies’ attempts to track Internet browsing. [Source] see also: [Can Google be sued for a mere search suggestion? A Hong Kong judge says yes.]

Law Enforcement

US – Police Dept. Surveillance Potential Raises Concerns

Seattle’s police department still hasn’t released a draft policy on how it will use the surveillance cameras and communication nodes it installed as part of a federal port-security grant. Privacy and civil liberties advocates say the city must put a strong review process in place for the information collected via the surveillance cameras, smart meters and two aerial drones recently purchased with a Homeland Security grant. “We know that whenever these systems are put in place, they can be abused,” said a spokesman for the Seattle Privacy Coalition. [Government Technology] See also: [Spy satellites fighting crime from space] and [Could drones get X-ray vision through Wi-Fi?] and [UK – Police want right to see medical records without consent]

US – FBI Using Drive-by Downloads to Catch Criminals

The FBI has been using drive-by downloads to identify people who visit certain suspicious websites. Specifically, the Justice Department is attempting to identify people who visit child pornography websites hiding in the Tor network. The tactic has paid off – more than a dozen people are now facing trial. However, critics say that the FBI has “glossed over the technique when describing it to judges” and has hidden its use from defendants. The FBI calls the method a network investigative technique (NIT) and has been using some form of it since 2002. There is also concern about mission creep, because the technology’s deployment has grown from targeted operations to a dragnet-like approach. Others are worried about weakening a technology useful to human rights and other activists. [WIRED]

Location

US – How Fast You Drive Might Reveal Exactly Where You are Going

Rutgers researchers have shown that GPS technology is not needed to reconstruct where a driver traveled: a starting point and the driver’s speed are enough. In our constantly connected, information-rich society, some drivers are jumping at the chance to let auto insurance companies monitor their driving habits in return for a handsome discount on their premiums. What these drivers may not know is that they could be revealing where they are driving, a privacy boundary that many would not consent to cross. A team of Rutgers University computer engineers has shown that even without a GPS device or other location-sensing technology, a driver could reveal where he or she traveled with no more information than a starting location and a steady stream of data that shows how fast the person was driving. [Source]

Offshore

AU – Data Retention Risks Private Information Leaking: Privacy Commissioner

Australia’s federal Privacy Commissioner says it remains “unclear” what information the Abbott government’s mandatory data retention proposal would require telecommunications companies to collect for law-enforcement purposes and has indicated that collecting the data increased “the risk of a data breach.” In a statement published on the Office of the Australian Information Commissioner’s website, commissioner Timothy Pilgrim said it was important there was “an opportunity for public consultation and debate” on the proposals once the detail was available. “At this stage, it is unclear exactly what type of information would be retained,” he said. “However, there is the potential for the retention of large amounts of data to contain or reveal a great deal of information about people’s private lives, and that this data could be considered ‘personal information’ under the Privacy Act.” [Sydney Morning Herald] see also: [Australian Government’s Data Retention Plan: Everything You Need To Know] [AU – The Australian Federal Cabinet has given its support, in principle, for a requirement that telecommunications companies retain certain undetermined customer data for up to two years for warrantless investigation by government agencies.]

SK – Korea: New Korean Privacy Protection Law Set To Take Effect

A new personal information protection law is set to take effect this week, banning companies and website operators from collecting citizens’ resident registration numbers as the government steps up efforts to prevent identity theft, the home affairs ministry said. The law, which goes into effect this week, comes after a series of recent personal data theft cases involving popular website operators as well as some credit card and financial companies. [Yonhap News] See also: [South Korea’s Personal Information Protection Act came into effect last week.] and [Concerns linger over the new South Korean law prohibiting public institutions and companies from collecting resident numbers]

Online Privacy

WW – Facebook Unveils Cross-Device Ad Reporting

Facebook has rolled out cross-device ad reporting to allow marketers to see how people are moving among devices, mobile apps and the web. For example, advertisers can see the number of customers who clicked on an iPhone ad but then later used a desktop. The reporting “relies on data from Facebook’s conversion pixel, a piece of tracking code used in conjunction with the social network’s software development kit, to get reports on which device someone saw an ad and eventually converted,” the report states. A recent analysis found that “among people who viewed a mobile Facebook ad in the U.S., nearly a third eventually clicked on the same ad on the desktop within 28 days.” [MediaPost]

WW – Google Acquires Chatting Service; Foursquare Releases Tracking Service

Google has acquired a start-up that offers an instant-messaging tool that also can monitor chats, infer what people are talking about and insert relevant links. A nearby café might pay for an ad to appear every time the word “coffee” appears in a user’s chat, for example. The service, called Emu, is part of a “much larger trend to monitor and thus profit” from such data, the report states. Meanwhile, Foursquare aims to boost its revenues by releasing a new version of its app that will function more like a “tracking machine.” [Wired] and [Google Street View Adds More Images of College Campuses]

EU – Wikipedia Fights RTBF; Auto-Complete Concerns Raised; Better Redress Sought for Cyber-Abuse

The open-source online encyclopedia Wikipedia is countering Europe’s right-to-be-forgotten ruling by listing the articles the site has been asked to remove. Wikimedia Foundation Executive Director Lila Tretikov said, “Accurate search results are vanishing in Europe with no public explanation, no real proof, no judicial review and no appeals process.” That results, she said, in “an Internet riddled with memory holes …” Meanwhile, Google’s auto-complete function is being challenged in a Hong Kong court, where a local businessman has been allowed to sue the company for what he views as negative suggestive terms in his search. Separately, University of Maryland Law Prof. Danielle Keats Citron, in a column for Slate, argues that a recent revenge porn lawsuit should prompt Facebook to improve how it deals with reports of abuse. [Reuters] and [The Internet Never Forgets: Google Inc.’s “Right To Be Forgotten” EU Ruling And Its Implications In Canada]

US – Federal Sites Working to Address “Canvas Fingerprinting”

The new online tracking tool “canvas fingerprinting” has “latched onto” federal websites including those of the Department of Homeland Security, White House and Social Security Administration, according to research from Princeton and KU Leuven universities. The code for canvas fingerprinting comes from the AddThis widget, which is exploring the tool as an alternative to cookies. The agencies affected are looking for ways to address privacy concerns as they try to comply with privacy standards set by the Office of Management and Budget. The Transportation Security Administration plans to remove the AddThis widget from its site today, and the General Services Administration is reviewing its terms of service with AddThis. [FCW] [Canvas Fingerprinting and Why Website Operators Need to Take Control]

Other Jurisdictions

RU – Russian Government Bans Anonymous Wi-Fi

Russian Prime Minister Dmitry Medvedev has signed a decree prohibiting anonymous wireless Internet access. People using public wi-fi must provide identification before they are allowed to access the network. [The Register] [ZDNet] [CBC] see also: [Malta: Parents present Letter of Complaint opposing processing of student data] and [Chinese scientists develop mini-camera to scan crowds for potential suicide bombers] [The Turkish government has forwarded a data protection convention to the Turkish Grand National Assembly for ratification]

Privacy (US)

US – CDD Complaint Alleges Companies Are Breaking Safe Harbor Promises

A complaint filed with the FTC alleges at least 30 U.S. companies are “failing to provide” safeguards for European citizens promised under the Safe Harbor framework. The Center for Digital Democracy says Salesforce, Adobe, AOL and other companies are “compiling, using and sharing EU consumers’ personal information without their awareness and meaningful consent … All of the companies, we believe, fall far short of the commitments they have made under the Safe Harbor.” [ZDNet] [Dozens of U.S. tech firms violate EU privacy promises] see also: [US – DEA Improperly Paid $854,460 for Amtrak Passenger Lists]

US – Facebook Gets Support from Industry, Advocates in NYDA Case

A number of major tech companies, the New York Civil Liberties Union and the ACLU have filed amicus briefs with the court in support of Facebook over its fight with the New York District Attorney’s Office (NYDA) over protecting consumer data from government investigations. The groups say warrants like the one that required Facebook to hand over user data for 381 users to the NYDA are problematic, especially when they are attached to gag orders preventing the company from disclosing the data-sharing to users. “Unless Facebook is able to assert its subscribers’ constitutional rights … the legality of the government’s actions with respect to those subscribers will escape review altogether,” the groups wrote. [The Verge]

US – Schumer Warns About Wearables: “Privacy Nightmare”

Sen. Chuck Schumer (D-NY) has expressed harsh criticism and concerns about potential privacy issues related to wearable fitness trackers. “Personal fitness bracelets and the data they collect on your health, sleep and location should be just that—personal,” he said. “The fact that private health data—rich enough to identify the user’s gait—is being gathered by applications like Fitbit and can then be sold to third parties without the user’s consent is a true privacy nightmare.” The senator called on the Federal Trade Commission to require businesses to notify users that fitness and location data are being sold to third parties and provide opt-outs. A Fitbit spokesperson said the company does not sell user data and is willing to “work with” Schumer. [Business Insider] See also: [QR codes find a warm reception in Anchorage Mausoleum] and [UBC research on eye-tracking devices sheds light on the implications of wearable technology like Google Glass] and [Wearable users tracked with Raspberry Pi]

US – Citizens Don’t Want to Trade Privacy for Nat’l Security, Lower Prices

A new survey reveals that 42% of U.S. citizens would give up their privacy for national security and only 25% of respondents were willing to do so for lower prices. Released by the Public Affairs Council (PAC), the survey also found Republicans less likely than Democrats to trade some privacy for national security. PAC President Doug Pinkham said, “If you value your privacy, everyone says yes (that they are against giving up any of their privacy), but life is about trade-offs of cost or convenience or some other issue.” [The Wall Street Journal]

Privacy Enhancing Technologies (PETs)

WW – Computer Scientists Developing Web-Tracking Alternative

EU-based computer scientists have been developing peer-to-peer technology that could serve as an alternative to current web-tracking practices. Researchers from Germany’s Saarland University and the Center for IT Security, Privacy and Accountability and Italy’s IMT Institute for Advanced Studies have created Privada, which collects behavioral metrics on visitors to websites but separates the various metrics and sends them to different third-party servers, preventing any centralized database. “It’s a bit like tearing a picture apart and giving pieces to friends,” said one student involved in the project, adding, “They can only see the whole image if they put their pieces together.” [The Sydney Morning Herald]

WW – What’s Happening with Dark Mail?

Ladar Levison, creator of the now defunct Lavabit encrypted email service, described the progress of his new project, which aims to revolutionize email. Speaking at DefCon, Levison said that he is unhappy that the communications environment is such that “we need a [military grade] cryptographic mail system … just to be able to talk to our friends and family without … fear of government surveillance.” Now known as DIME, for the Dark Internet Mail Environment, the project uses layered cryptography to provide one-click, end-to-end email encryption. Levison expects DIME to be running by early next year. [The Register] [CNET] [TIME]

RFID

EU – Tech Standards for ‘Smart Tags’ Developed With Data Protection in Mind

Businesses making use of ‘radio frequency identification’ (RFID) chips will be able to comply with EU data protection laws if they adhere to new standards for the chips that have been finalised, according to the European Commission. [Out-Law] [New RFID standards from CEN/TC 225 – AIDC technologies]

Security

US – NIST Cybersecurity Guidelines Just a Starting Point

The National Institute of Standards and Technology’s cybersecurity guidelines for utilities, banks and other industries serve as the baseline for what affected companies should be doing to protect their networks from attacks. Some companies have come together to develop additional recommendations while other companies have created their own policies, the report states. The Financial Services Information Sharing and Analysis Center’s Third-Party Software Security Working Group, which included members from major financial institutions, had been looking at the issues since 2012, for example. Neuberger Berman’s chief information security officer said good companies will develop their own policies that exceed any standard—which always addresses the minimum controls needed. [The Wall Street Journal] See also: [Privacy Is Serious Business At Black Hat Security Conference]

US – Registration Now Open for NIST Event

The National Institute of Standards and Technology (NIST) is holding its second Privacy Engineering Workshop September 15 and 16, co-located with the IAPP’s Privacy Academy and CSA Congress. The workshop will consider draft privacy engineering definitions and concepts and the results will “inform the development of the NIST report on privacy engineering.” You can find a draft agenda here. If you’d like to be a part of the discussion, you can now register, for free, to attend the event, which will be held at the San Jose Marriott, in San Jose, CA. [NIST Press Release]

US – NIST Updates Draft Security, Privacy Assessments Guide

The National Institute of Standards and Technology (NIST) has released for public comment a draft update of the primary guide for assessing security and privacy controls that safeguard federal information systems and networks. The deadline for public comment is September 26. “We have made some significant changes to our security control assessment guidelines to support continuous monitoring and ongoing authorization,” said NIST Fellow and Joint Task Force Project Leader Ron Ross. “These changes can lead to greater efficiencies and cost-effective testing and evaluation of our critical information systems and supporting infrastructure.” [NIST press release]

US – Companies Doing Business with DoD Brace for New Rules

Organizations that conduct business with the Department of Defense (DoD) will be facing new rules for reporting computer breaches, and some fear the rules could hurt small- to medium-sized businesses. The pending rule change is part of a DoD effort to better understand the scale of hacking and to ensure businesses processing classified data inform the Pentagon of cyber-attacks. TechAmerica’s Mike Hettinger said the changes have “the potential to become too onerous” if minor breaches must be reported. Hogan Lovells Partner Harriet Pearson said, “What it really means is any defense contractor who intends to be able to handle classified information needs to review and update their breach detection, response and reporting.” [Bloomberg] See also: [Expert: Cybersecurity, privacy and government policy must adapt to a changing, complex environment | Video]

WW – PCI Security Standards Council Releases Third-Party Security Guidance

The Payment Card Industry (PCI) Security Standards Council has released guidance “to help organizations and their business partners reduce this risk by better understanding their respective roles in securing card data,” according to a PCI press release. With more businesses using third-party operations, the risk of security incidents increases, the report states, hence the guidance aims to “ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner.” The “Third-Party Security Assurance Information Supplement” has been informed by more than 160 organizations and includes recommendations to conduct due diligence and risk assessment, expectation-setting, appropriate third-party agreements and an ongoing monitoring process.

US – Most Companies Unsatisfied with Their Security Incident Response

A SANS study found that just nine percent of organizations believe that their response to security incidents is “highly effective.” More than a quarter of those responding said they were dissatisfied with their incident response. Among the impediments to effective response programs are lack of review and practice of response procedures, and insufficient budgets. [ZDNet]

US – Does It Matter That Wearables Often Have Bad Security?

As wearables proliferate—anything from medical devices to fitness trackers to infants’ onesies, all connected to the Internet—concerns about the security of the devices have consistently been raised. However, medical device manufacturers and the doctors who use them seem to be saying, “who cares?” One report notes that doctors can’t see why anyone would actually want to hack a pacemaker. Security experts call this “faith-based mismanagement.” Further, a pair of articles in CIO note that wearables are changing online privacy in significant ways and that it’s important to read privacy policies extensively before using such products. [IDG News Service] [NetworkWorld]

Smart Cards

CA – SecureKey to Launch New BC Services Card

Toronto-based SecureKey, a provider of authentication solutions to organizations that deliver online consumer services, has announced that the Province of British Columbia (BC) is using SecureKey briidge.net Connect 3.0 as the foundation for the BC Services Card, the world’s first public sector Services Card for online authentication. The implementation also includes support from the world’s leading supplier of secure smart card microcontrollers, NXP Semiconductors. The BC Services Card replaces the existing provincial health CareCard and creates the foundation for multiple uses in the future. Citizens of British Columbia have the option of combining the BC Services Card with their driver’s license into a single, convenient card. It is envisioned that citizens will be able to use this card in the future for secure and private authentication to access in-person and online government services. [Government Security News Magazine]

Surveillance

US – How One City’s Video Surveillance System Got Hacked

Redlands, CA, employs a robust network of surveillance cameras to help law enforcement stymie drunk-driving, vandalism and other crimes, but the system was easily vulnerable to hacks. Two IT experts discovered the cameras were part of a mesh network but were not password-protected. The two were able to gain access to the police’s bird’s eye view of the city, creating a map of what the cameras watched—including the entrance to an adult movie store. A Redlands police commander said, “Our cameras only capture something happening in public view, so we weren’t incredibly concerned … But when we saw teasers for the presentation, we encrypted all the feeds out of an abundance of caution.” [Forbes] See also: [Halifax: City isn’t sure how many security cameras it has] and [About Those Facial Recognition Experiments at Your Nearest Music Festival] and also: [California PD Doesn’t Believe FAA Has Jurisdiction Over Its Drone Acquisition]

Telecom / TV

WW – Researchers Reveal Surveillance Capabilities in Phone Gyroscopes

The motion-detection capabilities in smartphones may have the potential to become a surreptitious eavesdropping sensor, according to researchers from Stanford University and Israeli defense research group Rafael. Gyroscopes help stabilize images for built-in cameras, aid in motion-based games and more, but the researchers also found they are sensitive enough to pick up on some sound waves, making them into rudimentary microphones. What’s more, apps do not need permission from a user to gain access to the gyroscope, the report states. One researcher noted it’s “quite dangerous to give direct access to the hardware like this without mitigating it in some way,” adding, “The point is that there’s acoustic information being leaked to the gyroscope.” [Wired]

US – FTC Approves iKeepSafe Under COPPA

The FTC has announced its approval of the Safe Harbor program of iKeepSafe, also known as the Internet Keep Safe Coalition, under COPPA. The application was approved in a 5-0 vote because of its compliance with the FTC’s COPPA rule, which requires online sites and services directed at children under the age of 13 to provide notice and obtain permission from parents before collecting personal information. The FTC said iKeepSafe provides “the same or greater protections for children” as those in the COPPA rule. [FTC]

US – California’s ‘Kill-Switch’ Bill Will Have Big Impact in U.S.

Legislation on California Gov. Jerry Brown’s desk, if signed, would require the sale of smart phones with a “kill switch” that could be activated by consumers if the devices are lost or stolen. Because of California’s immense size (12% of U.S. residents live in the state), the practical impact of the legislation could be the sale of smart phones with deactivation capabilities across the nation. California Senate Bill 962, which passed the Senate this week and the Assembly last week, would prohibit retailers from selling smart phones in California after next July 1 unless they come pre-equipped with theft-deterring technology. Consumers would have the opportunity to opt out of using this technology. Retailers selling devices without the anti-theft technology could face fines of between $500 and $2,500 for each smart phone sold. The bill would require the smart phone, during the initial device setup process, to prompt a user to enable the technology to deactivate the device. Consumers could opt out of implementing the kill switch. [Source]

US Government Programs

US – FISA Court Judge Criticizes NSA for “Overcollection”

According to newly declassified documents, a National Security Agency (NSA) metadata program was fraught with “systemic overcollection” of private Internet connections. In the 117-page decision, Foreign Intelligence Surveillance Court Judge John Bates criticizes the agency’s management of its top-secret electronic surveillance metadata program, noting the NSA had difficulty collecting the metadata without also collecting other data, including the contents of communications, the report states. Bates’ memorandum calls out the NSA for “long-standing and pervasive violations of the prior (court) orders in this matter” and also notes the frequency that employees shared data about U.S. residents showed a “widespread ignorance of the rules…” [The Wall Street Journal]

US – NSA’s MonsterMind Aims to Detect and Stop Cyber Attacks Instantly

An NSA program known as MonsterMind, currently under development, is being designed to detect and stop cyber attacks against the US; the system would also be capable of launching retaliatory cyber attacks. Described in broad terms, the program would analyze metadata to detect anomalous network traffic. [WIRED] [SC Magazine]

US Legislation

US – Destroy Securely: Delaware Adopts New Data Destruction Law

Delaware recently adopted a new law that will add requirements related to the destruction of records containing “personal identifying information.” With that law, Delaware joined a number of other states that place restrictions on the ways in which entities destroy or dispose of personal information. The Delaware law will become effective January 1, 2015. [Hogan Lovells]

US – Proposed USA Freedom Act Updated for Improved Privacy

Efforts to reform government surveillance laws continue to push through Congress. The USA Freedom Act of 2014 is the latest step in that direction. [eWeek]

US – Law to Close NY Privacy Loophole Signed

A law to close a privacy loophole in New York was signed Friday by Governor Andrew Cuomo. A press release says the law will ensure people who have their image broadcast without their consent will be able to take legal action. “No one should be humiliated by having their image broadcast without their consent – and this common-sense legislation ensures that any victim of such an act will have the law on their side,” Gov. Cuomo said. The law will allow law enforcement to charge individuals with unlawful surveillance in the second degree if they use a device to view, broadcast, or record another person engaged in sexual conduct without their consent – regardless of what’s being broadcast. The law will take effect November 1. [Source]

Other news: A federal judge has said Sen. Patrick Leahy’s (D-VT) anti-surveillance bill could undermine “the twin goals of protecting privacy and national security” and may even be unconstitutional.

The North American Securities Administrators Association wrote to leaders of the House and Senate Judiciary Committees saying provisions of the Email Privacy Act (HR 1852) and the Electronic Communications Privacy Act Amendments Act of 2013 (S 607) could significantly limit the effectiveness of state civil and administrative investigations.

A court decision may stop California Invasion of Privacy Act class-actions against companies.

Watchdog.org reports Missouri citizens voted to constitutionally protect electronic communications and data from warrantless police searches, and FBI Director James Comey thinks it’s a good idea.

Workplace Privacy

US – Tiffany’s Policy Too Broad, NLRB Finds

A National Labor Relations Board administrative judge has found that Tiffany & Co. exercises an “overly broad confidentiality policy prohibiting employees from disclosing information readily available on employee lists, including names, addresses and phone numbers of other employees,” Law360 reports. Judge Steven Davis ruled the retailer’s privacy agreement is too broad and violates the National Labor Relations Act. The ruling comes after a former employee sued Tiffany’s for allegedly maintaining unlawful policies since last December, the report states. [Law 360]

+++
