16-30 November 2014

Canada

CA – Privacy Czar Doesn’t Get Chance to Testify on CSIS Powers

Federal Privacy Commissioner Daniel Therrien has flagged concerns about legislation to broaden CSIS’s foreign spying powers, saying the Conservatives’ bill does not include adequate safeguards against possible future human rights violations, or enough oversight. But the Conservative-dominated committee studying the bill swiftly wrapped up testimony without accepting Therrien’s request to appear. In fact, over the objections of opposition MPs and civil libertarians who wanted to testify, no more witnesses will be called. [Windsor Star] See [CBC News: Privacy Commissioner Daniel Therrien has warned senators “that the increased police powers proposed in the government’s cyberbullying and Internet surveillance bill need to be matched with ways of tracking their use.”] and [Geist: Choosing Between Privacy and Cyberbullying: My Appearance on Bill C-13 Before the Senate Legal and Constitutional Affairs Committee] [The Supreme Court of Canada dismissed the appeal of a BC man who says his rights were violated when the RCMP handed over the results of wiretaps to U.S. authorities]

CA – Privacy Commissioner Signs MOU on Cooperation

The purpose of this Memorandum of Understanding is to set out a framework to support federal/provincial collaboration and co-operation; each participant in the Memorandum of Understanding will allow the OPC, OIPC AB and OIPC BC to share information between offices for the following purposes – assess jurisdiction and transfer complaints as necessary, evaluate whether or not investigations or complaints relate to the same or similar matters in order to assess whether or not a parallel or joint investigation is appropriate, conduct parallel or joint investigations, and otherwise assist in the conduct of an ongoing or potential investigation of a complaint or, where applicable, audit. [Source] See also: [Privacy and Access Council of Canada (PACC): The overall privacy landscape in Canada]

CA – Alberta Considers Privacy Amendments Allowing Union Intrusions

The Alberta Legislature is considering privacy legislation amendments giving unions considerable scope to collect and disclose personal information. The amendments, which have already been endorsed by the Privacy Commissioner of Alberta, respond to a 2013 Supreme Court of Canada decision striking down the province’s Personal Information Protection Act. The province has until April 30, 2015 to remedy the constitutional deficiencies before the decision takes effect. If the legislation is passed, trade unions will be able to collect, use and disclose personal information without consent when the purpose is to inform the public about a matter of significant public interest or importance relating to a labour relations dispute involving the trade union; the collection, use or disclosure is reasonably necessary for the purpose; and it is reasonable to collect, use or disclose the personal information without consent for that purpose, taking into consideration all relevant circumstances, including the nature and sensitivity of the information. More changes may be in the offing as PIPA requires a review of its provisions as of July 1, 2015. [Financial Post] and [AB: Union says province’s privacy act changes ignore spirit of top court ruling] See also: [AB: Opposition want Alberta’s Privacy Commissioner called in after phone bill leak]

CA – Canadians Growing Concerned Over Internet Privacy, Poll Shows

Canadians are growing more wary about their privacy on the Internet, according to a new survey commissioned by the Centre for International Governance Innovation. The poll found that nearly 70% of Canadians are worried about hackers stealing their banking information or personal messages and photos. The same percentage of Canadians reported they’re concerned about private companies tracking their Internet usage and attempting to monetize their information. More than half (52%) reported that they’re concerned about government and law enforcement authorities monitoring their Internet activity. The poll comes as the governing Conservatives are moving two controversial pieces of legislation on Internet monitoring and information sharing through Parliament. Bill C-13, introduced in the name of cyberbullying victims, gives private companies legal immunity for handing over their users’ personal information to authorities. [Source]

CA – FB Info Sharing Created Zoosk.Com Dating Profile for Married Woman

Online privacy advocates say current legislation fails to protect Canadians’ privacy online. Last January, Mari Sherkin, married for 25 years, says she got a pop-up ad on Facebook from Zoosk.com. “I didn’t know what it was,” she said. “So I clicked on the X to close it. At least I thought I did.” She says that within minutes, she started getting messages in her Facebook inbox from men. “‘A Zoosk member wants to meet you,’ [it read]. I was absolutely unaware of what was going on. So I opened it and found out — unbeknownst to me — Zoosk had created a dating profile for me.” Sherkin says she was horrified to see the dating profile, which used her Facebook photo, her name and her postal code. And Mari isn’t the only one. There are many similar complaints online from women who say they have no idea how a dating profile was created for them on Zoosk. Zoosk Victims is just one of the Facebook pages that feature dozens of complaints about the dating website and how it creates profiles. Graham Williams, a Vancouver-based technology expert, points to what is known as an “open authentication protocol” — or OAuth — where people often unwittingly share personal information with third-party websites. “This open authentication scheme is used by Facebook, it’s used by Google, it’s used by Twitter. And it is basically saying to users out there — you don’t want to have to remember 100 different passwords or 100 different log-ins, so we’re going to let you log in with your Facebook credentials.” So, by logging in with Facebook, for example, you automatically agree to share your private information with other websites. [Source]

CA – Fitbit Data Now Being Used in the Courtroom

A Calgary-based law firm is currently working on the first known personal injury case using data gleaned from a client’s Fitbit, Forbes reports. The client in question was once a personal trainer, but because of an accident four years ago, the lawyers want to demonstrate with the device that her physical activity levels are below that of her age and profession. McLeod Law’s Simon Muller said the data will “back up what she’s been saying.” The report notes what is “intriguing” and “a little creepy” is that such cases could make it possible for such data to be used in prosecutions as well. Muller added, “Insurers will want it as much as plaintiffs will.” [Forbes] See also: [Canada: The Fitbit detectives that could be using your data in court]

Consumer

US – Are Consumers’ Privacy Expectations Hypocritical?

Two reports focus on consumer expectations of privacy and the trade-offs provided by smart technology. CNet looks into Amazon’s newest product, Echo, and its lack of a privacy policy. The virtual assistant is voice-activated and gets smarter with continued use. One consumer said the product is “a bit creepy, but I’d totally use one in my classroom,” adding he understands businesses make money off him by using his data. “It’s a trade-off,” he said. A report for The Guardian questions whether the Internet has turned consumers into hypocrites, noting people worry about their privacy but happily share their personal information online, leading columnist John Naughton to ask, “could it be that what we’re getting is not the Internet we say we want but the Internet we deserve?” [CNET]

US – Pew Internet Survey Reveals Privacy Policies Misunderstood

The Pew Center for Internet and American Life released a new survey to shed light on the average consumer’s “Web IQ,” or their digital literacy. Questions included identifying famous leaders of technology companies, such as Bill Gates and Sheryl Sandberg, and basic digital meanings, including whether a kilobyte is larger than a megabyte. Notable, however, was a general lack of understanding by consumers about what a privacy policy protects. More than half of the respondents said they thought it was true that privacy policies ensure “that the company keeps confidential all the information it collects on users.” Hayley Tsukayama wrote, “But that is not at all what privacy policies do; in fact, they are generally there to tell you exactly how companies are not keeping your data confidential and how they’re sharing your information with their partners.” [Pew Internet Research]

US – Public Perceptions of Privacy and Security in the Post-Snowden Era

The Pew Research Foundation has released its Public Perceptions of Privacy and Security in a Post-Snowden Era based on a survey of U.S. adults, noting, “Across the board, there is a universal lack of confidence among adults in the security of everyday communications channels—particularly when it comes to the use of online tools.” Justin McNaughton asks whether the post-Snowden perceptions of privacy will change the way consumers and organizations treat privacy policies. With the U.S. Federal Trade Commission cracking down on violations and recently releasing guidance, McNaughton offers some things to address in your company’s policy. Meanwhile, the makers of the game Fruit Ninja will soon update its privacy policy to better inform consumers of its practices. [Mondaq Report]

US – Studies Offer Insight on Breach Response Times, Consumer Fears

A study from FireEye shows the average time it takes organizations to detect a breach is 229 days. The report states one reason for the lengthy timeframe is that two-thirds of organizations find out about a breach through a third party, and it recommends data minimization and proactive issue spotting to hasten the process. A separate study has found that 23% of consumers plan to do less online shopping due to privacy concerns and 64% believe they will be the victim of a breach within the next year. [BankInfoSecurity]

US – Home Depot Spent $43 Million on Data Breach In Just One Quarter

Home Depot has announced it is facing at least 44 civil lawsuits and “investigations by a number of state and federal agencies” related to its breach earlier this year, which, it says, “may adversely affect how we operate our business, divert the attention of management from the operation of the business, and result in additional costs and fines.” [Ars Technica] [Source]

Electronic Records

US – ClassDojo Revises Data Deletion Policy

Student behavioral tracking app ClassDojo has announced it will change its data deletion policy and now retain records on students for one year, reports The New York Times, which recently ran a story on the privacy concerns related to this app and others like it. “We are not a data company. So we have no need to keep any data beyond allowing it to be communicated between teachers, parents and students,” said Sam Chaudhary, the cofounder of ClassDojo. The new deletion policy directly addresses concerns about the possibility of sharing student data with third parties; however, the debate over use of the app also touches on its ability to publicly display behavior scores and parents’ ability to access them. [The New York Times]

US – ClassDojo Sparks Privacy Concerns

ClassDojo and other apps that help teachers “automate the task of recording classroom conduct” and “communicate directly with parents” are raising privacy concerns. ClassDojo is being used in roughly one out of three U.S. schools, the report states, and “some parents, teachers and privacy law scholars say ClassDojo, along with other unproven technologies that record sensitive information about students” are being adopted without fully considering “the ramifications for data privacy and fairness, like where and how the data might eventually be used.” [Source]

US – Law Firm Releases 8,000 Students’ Info

Meanwhile, Seattle Public Schools is seeking the U.S. Department of Education’s after a law firm contracted with the school department released the personal information of 8,000 students receiving special education services. [Seattle Times]

Encryption

WW – Internet Architecture Board Calls for Default Encryption

The Internet Architecture Board (IAB) has issued a statement calling for encryption to be the standard across the web, saying it “now believes it is important for protocol designers, developers and operators to make encryption the norm for Internet traffic.” The IAB also said default encryption at all levels of the Internet “will help restore the trust users must have in the Internet.” [IAB Statement on Internet Confidentiality]

US – AT&T Stops Using Undeletable Phone Tracking IDs

AT&T has stopped its controversial tracking program that assigned undeletable identification numbers to its mobile customers’ online activity. Verizon has said it will continue its program, but added, “as with any program, we’re constantly evaluating.” Though it has put the brakes on its “Relevant Advertising” program, an AT&T spokeswoman said, “we could have one in the future.” [ProPublica]

US – Case Suggests How Government May Get Around Phone Encryption

The U.S. Department of Justice is using a novel legal maneuver to get around smartphone encryption by using a law created in 1789 called the All Writs Act. In October, prosecutors convinced a Manhattan-based federal magistrate to order an unnamed phone maker to provide “reasonable technical assistance” for unlocking an encrypted cell phone. The All Writs Act gives courts broad authority to carry out their duties such as this, the report states. Stanford University Center for Internet and Society Civil Liberties Director Jennifer Granick said, “It’s part of what I think is going to be the next biggest fight that we see on surveillance as everyone starts to implement encryption,” adding, “Does this mean you have to do something to your product to make it surveillance friendly?” [The Wall Street Journal] See also: [Privacy groups have sent a letter to the National Institute of Standards and Technology calling for encryption standards that are “free from back doors or other known vulnerabilities” | Letter]

WW – WhatsApp Adopts End-to-End Encryption

In what is being called the largest implementation to date, messaging service WhatsApp has announced it will now bring end-to-end encryption to its 600 million users. The new security feature will be included in the company’s latest security update for Android. Open Whisper Systems, which has helped develop the feature, said it will take time to get it out to all of its users, but Android will be the first mobile platform to receive it. [Gizmodo] WhatsApp has upped its encryption game to offer better protection for messages sent from Android devices running the app. The change means that WhatsApp will not be able to decrypt users’ messages. The encryption system WhatsApp has chosen to use encrypts messages from the time they leave one device until they arrive at the recipient’s device. [v3.co.uk] [NBCNews] [SCMagazine] [Ars Technica]

US – EFF Launches Certificate Authority

The Electronic Frontier Foundation has announced the unveiling of Let’s Encrypt, a certificate authority it plans to launch in 2015 in conjunction with Mozilla, Cisco, Akamai, IdenTrust and University of Michigan researchers. The initiative seeks to help transition the web from HTTP to encrypted HTTPS. Let’s Encrypt will offer free encryption services to any website.

EU Developments

EU – A29 to Google: Forget the .Com Links, too

Just as Google announced new capabilities for users to monitor the devices that are accessing their Google accounts, the Article 29 Working Party in the EU has released a new set of guidelines that runs contrary to Google’s current compliance with the so-called “right to be forgotten” court decision. As recounted from the DPC stage last week, Google has been removing references to specific people only on its country-specific URLs, like those with .de for Germany or .es for Spain. However, the new guidelines from A29 say web sites should apply the right to be forgotten to all domains, including Google.com. “The court says the delisting decision has to be effective,” A29 Chair Isabelle Falque-Pierrotin told the WSJ. “These decisions should not be easily circumvented by anybody.” [The Wall Street Journal] See [Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12] and Out-Law.com: The European Parliament’s Civil Liberties, Justice and Home Affairs Committee has said the Court of Justice of the EU’s decision on the Data Retention Directive needs to be reviewed “before they agree to a new EU Passenger Name Record Directive”

EU – EU Considers Binding Powers for Privacy Regulators

Italy, which currently holds the EU presidency, has issued a new proposal that would give a new body of European data protection authorities “the power to adopt legally binding decisions in cross-border disputes over a company’s misuse of personal data.” The so-called European Data Protection Board would be an alternative to the controversial “one-stop-shop” proposal that has divided member states and slowed the reform process. Some governments, the report states, are concerned, however, that the process will get more complicated by allowing multiple authorities to intervene in a case. [Reuters] See also: [UK: Look out: That data protection watchdog can bite] [Reuters: Italy has issued a new proposal for a European Data Protection Board with “the power to adopt legally binding decisions in cross-border disputes over a company’s misuse of personal data.”] [The proposed EU General Data Protection Regulation will be finalized in 2015] The Dutch data retention legislation will remain in place, despite an EU court ruling earlier this year that struck down the associated EU directive.

EU – Giovanni Buttarelli Named New Data Protection Watchdog

The next European Data Protection Supervisor (EDPS) will be Giovanni Buttarelli, Parliament’s President Martin Schulz announced. His Assistant Supervisor will be Wojciech Rafal Wiewiórowski. Messrs Buttarelli and Wiewiórowski were listed as Parliament’s top candidates for the two posts after hearings in the Civil Liberties Committee on 20 October. [Source] See also: [60 things European legislators don’t want Canada to learn about air passengers] [RTE News: The Irish government is seeking “the support of the European Commission in a legal battle involving the U.S. federal authorities and tech giant Microsoft.”] and [U.S. Federal Trade Commissioner Julie Brill and Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin discussed Safe Harbor at the IAPP Data Protection Congress.]

UK – Phone Data of 1,700 Murdoch Staff Probed

Scotland Yard has examined the mobile phone records of more than 1,700 journalists, lawyers and staff working for News UK, it emerged last night. In a major breach of privacy laws, Vodafone handed over data from phones belonging to journalists, lawyers, secretarial staff and senior executives working for The Times, The Sunday Times and The Sun newspapers between 2005 and 2007 to the Metropolitan Police. Detectives working on Operation Elveden, which is investigating alleged payments by journalists to ‘public officials’, requested data last October from the phone of one reporter who had been arrested. But when the telecoms giant mistakenly disclosed a mass of staff phone records, police held onto the material for seven months despite requests to return it. It is feared that the data could have compromised confidential journalistic sources. Detectives conducted an analysis of the records and built a spreadsheet listing outgoing calls made from 1,757 phones, even though they knew the information relating to innocent journalists had been passed on improperly. The data breach is now being investigated by the privacy watchdog bodies, the Information Commissioner (ICO) and the Interception of Communications Commissioner’s Office (IOCCO). The latter, which is also investigating police use of surveillance powers against journalists, said the case was of ‘very significant concern’ and it has urged the publisher News UK to take up the matter with the Investigatory Powers Tribunal. The case comes amid concerns about the extent to which police use surveillance powers under the Regulation of Investigatory Powers Act (Ripa) against journalists and their sources. [Source]

Facts & Stats

WW – Nearly a Billion Records Were Compromised in 2014

In the first nine months of 2014, after 1,922 confirmed incidents, criminals managed to compromise 904 million records. Many of the incidents reported in 2014 were record setting, including twenty of them that resulted in the compromise of more than a million records each. According to data given to CSO Online by Risk Based Security, nearly 85% of the records exposed in the first nine months of this year were due to hacking (external influence), accounting for 74% of the reported incidents. Another lesson learned this year centers on keeping all of one’s eggs in a single basket. As mentioned, twenty incidents reported in 2014 exposed one million records or more in each instance, but three of them resulted in the compromise of a combined 489 million records. [Source] Untangling Breach Loss Liability: Target says that it is not liable for losses incurred by banks as a result of the retailer’s massive breach during the holiday shopping season a year ago. Five of the banks that issued the compromised cards – there were at least 40 million card numbers affected – have filed a federal lawsuit against the company. Target’s legal team said that the company is not liable for the banks’ losses because payments are processed by third parties. [Ars Technica] [Insurance Journal]

US – Colleges Finding Less Damaging Material Online

A poll of 403 undergraduate admissions officers by Kaplan Test Prep indicates fewer “are finding online material that could derail a student’s chance of admission, even though an increasing number of college admissions officers consider the public social media accounts of applicants as fair game.” Of those polled, 35% indicated they had visited applicants’ social networking pages, up 9% from 2012, but those who found “information online that had hurt a student’s application” had dropped from 35% in 2012 to 16% in the most recent poll. “Students are more aware that any impression they leave on social media is leaving a digital fingerprint,” said Kaplan’s Seppy Basili. [The New York Times]

Filtering

EU – French ‘Right to be Forgotten’ Decision Takes Link Removal Beyond Europe

A recent decision by a French court that relied on the European ‘right to be forgotten’ has landed Google’s subsidiary there with a €1,000 per day fine unless it stops linking to a defamatory article. The case involved Dan Shefet, a lawyer who sued Google in France last August to counter a “defamation campaign” aimed at his firm, which he details here. He won a court order for Google to remove certain URLs on a worldwide basis; however, the search company only took them down from google.fr and, according to Shefet, ignored subsequent demands based on that order. Shefet told The Guardian that the court’s decision means that people in any EU country may obtain an injunction against their local Google subsidiary if they want a result that can only be completed by the parent company. Previously, if the complainant wanted a result removed from google.com, they would need to sue Google in the US since Google Inc controls the search engine worldwide. “Until now a subsidiary could not be legally forced under the threat of daily penalties to deliver a result which was beyond its control.” [Source] [Google Removal Tool] See also: [Doxxing defense: Remove your personal info from data brokers] [Google’s advisory council meetings on the RTBF led to more questions than answers] and also: [Office of the Privacy Commissioner of Canada contacts search engine over individual’s complaint]

Finance

WW – PCI SSC Hopes Emerging Tech Will Help Thwart Breaches

As “one of the worst ever” years for data security nears its end, CSO reports the Payment Card Industry Security Standards Council (PCI SSC) hopes emerging technologies will help prevent future breaches. PCI SSC International Director Jeremy King said, “We hope to get better. Unfortunately, the criminals are getting better.” As of January 1, organizations must be compliant with PCI-DSS 3.0, the report states. Meanwhile, a “brightening economic picture spurred more people to buy homes and renovate them,” resulting in gains for Home Depot and easing concern the retailer’s recent breach “would scare customers away,” The New York Times reports. In a blog for ComputerworldUK, Forrester Analysts discuss privacy as a competitive differentiator, suggesting data can “be the downfall for an organization when improperly handled or lost.” [PCI Council] ALSO: [Financial Sector Terrorism Threat Grows] and [The Consumer Financial Protection Bureau has finalized a rule allowing financial institutions to post their annual privacy notices online rather than having to mail them to customers individually]

FOI

UK – Highest Court Urged to Overturn Decision to Allow Royal Correspondence to Politicians to Be Released

Seven justices at the Supreme Court in London are hearing the latest round of a lengthy legal dispute over disclosure of the royal correspondence. The Attorney General, the Government’s principal legal adviser, is challenging a decision by three Court of Appeal judges earlier this year that he has unlawfully prevented the public seeing the letters. In March they unanimously ruled that he has “no good reason” for using his ministerial veto and overriding the decision of an independent tribunal, chaired by a High Court judge, in favour of disclosure. In 2005 Guardian journalist Rob Evans applied to see a number of written communications between Charles and various government ministers between September 2004 and April 2005. [Source]

Health / Medical

US – How Worried Are Americans About Their Health Information?

To what degree are American citizens concerned with the privacy of their personal health information? According to the NPR-Truven Health Analytics poll, “in general, worries don’t run very high.” Nearly 75% of those surveyed have doctors who use electronic health records, but only 14% had privacy concerns with their hospitals. Additionally, two-thirds of respondents said they were willing to share health data with researchers as long as it was de-identified, the report states. [NPR]

US – Government Storing Baby Blood Data Raises Privacy Concerns

The Nafkes of Apex have two healthy daughters, and their girls are among the millions of children already screened. Both of their results came back perfectly normal. But it’s what the government is doing with your child’s DNA after the children are screened for diseases that is raising ethical concerns. The Nafkes had no idea that DNA left over from their daughter’s newborn screening tests, called dried blood spots, are stored in a government facility for up to five years in North Carolina. [Source]

US – Providers Vindicated in Patient Privacy Case

A California Superior Court sided with Prime Healthcare Services and Shasta Regional Medical Center in a civil case over an alleged violation of patient privacy rights. The healthcare providers accurately contended that “the patient had implicitly waived her privacy rights” when, at the behest of the United Healthcare Workers West union (SEIU-UHW), she had agreed to share her medical information from Shasta Regional with the media. General Counsel Troy Schell commented the suit was “part of SEIU-UHW’s malicious corporate campaign against the company and hospital,” adding the providers are committed to protecting patient rights. [PR Newswire release] see also: [BC: Privacy breach at Island Health leads to dismissals] and [A recent Connecticut Supreme Court ruling may offer a way for individuals to bring claims against healthcare providers and others who engaged in activities that violate HIPAA].

CA – NL: Western Health Privacy Breach Court Decision Favours Plaintiffs

The Supreme Court of Newfoundland and Labrador has decided that a group of patients who had their health information inappropriately accessed by a Western Health employee have grounds to continue with a class action lawsuit against the health authority. The legal action was launched in light of the privacy breaches involving Donna Colbourne, a clerk at Western Memorial Regional Hospital. She was fired from her position in 2012 after she allegedly inappropriately accessed patient files while on the job. Those who had their health information accessed applied for certification of a class action law suit. The application was divided into two stages, with the first stage determining whether the pleadings disclosed a cause of action and whether the proposed class was identifiable. In his decision, Goodridge agreed that the pleadings disclosed a cause of action. He said the proposed class, as long as it was limited to the 1,043 people known to be affected, would be identifiable and acceptable for certification purposes. The civil action is still not certified at this stage. The determination of whether the action is appropriate for certification has been deferred until completion of the second stage of the application. [Source] See also: [UK: Pharmacist Fined for Spying on Friends’ Medical Records]

Horror Stories

CA – Canada Tax Agency Breach Reveals Info of High-Profile Citizens

A Canada Revenue Agency spreadsheet was mistakenly sent to CBC News revealing the value of tax credits granted to hundreds of high-profile Canadians. The likes of author Margaret Atwood and former Prime Minister Jean Chrétien were affected by the detailing of tax-deductible donations of items like manuscripts, fine art and other items of value to non-profit organizations, along with home addresses and the value ascribed to the donation. One affected party donated a Rubens work valued at $200 million. It was an erroneous response to a request for unrelated records under the Access to Information Act. Revenue Minister Kerry-Lynne Findlay told the CBC it acknowledges the breach and has notified the House of Commons and the privacy commissioner, along with affected parties. [CBC News] See also: [How sweet it isn’t: Godiva notifies employees that stolen laptop held their data] and [NZ: Error exposes carparkers’ details] See also: [No data breached in City of Ottawa website hack, mayor says]

US – Beth Israel to Pay $100,000 Fine for 2012 Breach

Beth Israel Deaconess Medical Center will pay a $100,000 fine for a 2012 data breach that exposed sensitive personal information of nearly 4,000 patients. Massachusetts Attorney General Martha Coakley said the organization failed to follow data protection policies and to appropriately notify those affected, as required by law. Beth Israel Chief Information Officer John Halamka said they have worked “to ensure that (the hospital) adopts state-of-the-art security policies and technologies,” adding, “Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted.” Meanwhile, a server containing sensitive personal information of 48,000 Visionworks’ customers may have been compromised, and a breach hit approximately 10,000 public school employees. [The Boston Globe] See also: [ON: Rouge Valley hospital clerk charged with misusing confidential patients records]

US – Lawyer: $1.4M Judgment Sets National Precedent

The Indiana Court of Appeals has upheld a $1.4 million verdict for a Walgreens customer whose prescription information was provided to a third party in what the attorney who argued the case is calling “a national precedent.” Attorney Neal Eggeson said this marks the first time a healthcare provider “has been held liable” for Health Insurance Portability and Accountability Act (HIPAA) violations committed by employees. Meanwhile, emerging trends in healthcare privacy and security mean that “risks have upped the ante for HIPAA security and privacy officers and increased fines have many on edge.” [Indianapolis Business Journal]

US – Breach May Have Compromised SSNs; Courts Asked to Amend Lawsuits

Thomson Reuters is notifying subscribers to Westlaw of a data breach that may have compromised their Social Security and driver’s license numbers, as well as other personal information. Individuals are thought to have used valid subscriber login information to infiltrate the public records database and conduct unauthorized searches. Meanwhile, CNN wants a federal judge to dismiss a lawsuit claiming the company’s iPhone app violates the Video Privacy Protection Act, and Community Health Systems and its subsidiaries have asked an Alabama judge to dismiss portions of a proposed class-action related to its recent data breach, saying that few injuries are described. [InfoDocket]

WW – Sony Pictures Security Breach

Sony Pictures is in digital lockdown while it investigates a breach in which intruders reportedly stole more than 200MB of data and defaced employees’ workstations. Sony Pictures staff are being asked to disconnect computers and personal devices from the network and to shut down virtual private networks (VPNs). [The Register] [NextGov]

Identity Issues

US – Who’s Anonymous Now? KKK Members Losing Their Digital Hoods

As a grand jury prepares to deliver the outcome of its investigation, things are again heating up in Ferguson, MO, where this summer’s racially charged events prompted hacktivist collective Anonymous to use PII as a weapon against those who would harm the city’s protestors. Jedidiah Bracy examines the cyber-war Anonymous has declared on the Ku Klux Klan (KKK) by disclosing its leaders’ personal information and conducting cyber-attacks against its websites. “The KKK has always operated under a hood, fueled by hatred. Remaining anonymous, ironically, has been important for its members,” Bracy writes. While even 10 years ago the techniques Anonymous is using to fight discrimination would not have been possible, the control of PII is a powerful, double-edged sword in the Digital Age. [Source] See also: [Ottawa: Hackers pledge more attacks] See also: [New Tricks to Deanonymize Tor Users] San Francisco Chronicle: a federal appeals court has barred California from enforcing a law that would require more than 70,000 registered sex offenders to disclose their Internet identities to police

WW – A New Service Will Help You Wrest Your Online Identity from Google

A new group called Indie Hosters is looking to remedy the potential privacy concerns of letting your favorite social network or search provider serve as your login for “countless other services across the net.” Now in its earliest stages, Indie Hosters aims to provide web identities that its users control. “So far, there are only two members of the network, the project’s founders Michiel de Jong and Pierre Ozoux. But they hope more hosts will join them,” the report states, noting the pair has “launched a crowdfunding campaign to work on building the tools and network to make that happen.” [Wired] See also: [5 Web Cookie Myths Exposed] The Wall Street Journal: A new report from the Information Technology and Innovation Foundation states the EU’s cookie notification policy costs billions of euros per year and offers few benefits.

Internet / WWW

WW – UN Panel Approves Anti-Bulk Surveillance Resolution

A UN panel has approved a resolution prompting the General Assembly to call on member nations to respect and protect digital privacy. The draft, called “Right to privacy in the digital age,” was sponsored by Brazil and Germany and would mostly be considered a symbolic move by the UN. The new resolution also included a mention of protecting metadata in the context of digital surveillance, the report states. Ambassador Harald Braun, Germany’s permanent representative to the UN, said, “This means that human rights obligations of states also apply when they use private companies for surveillance purposes.” [PC World]

Law Enforcement

CA – AG: Police Need Better Data on Criminals Returning From Abroad

An audit of government efforts to support the fight against transnational crime found Foreign Affairs, Trade and Development Canada does not notify the RCMP because of restrictions in the Privacy Act and Charter of Rights. Police can gain access to the information when it clearly relates to criminal investigations, or when the public interest outweighs any invasion of privacy from disclosure. Still, of 34 such requests in 2010-14, only 17 were met. [Source]

ON – Hamilton Police Launch Online Crime Mapping Tool

Hamilton police have launched a crime mapping tool that allows residents to search when and where certain types of crimes have happened in the city. The new tool, which was introduced at the monthly Hamilton Police Services Board meeting, tracks the following types of crimes for the past 60 days: The crimes are posted with a one-day delay. To protect victims’ privacy, crime locations are randomly offset, and addresses are mapped to the block level. For example, 123 King St. becomes 1xx King St. In addition to the mapping feature, the tool is also equipped with basic analytical features that show crime density, crime type by day of the week and other trends. Residents can set up crime alerts to receive email and text notifications of crimes in their chosen areas. An iPhone app is also available for this purpose. A new feature will also be added soon to allow residents and businesses to register their security cameras to help police build a database of cameras and turn them into law enforcement tools. To help residents navigate the new tool and its features, police have posted a tutorial video on YouTube. Hamilton is the second police agency in Canada to work with the company for the mapping service. London, Ont., police have been using the mapping tool for less than a year, according to the presentation. [Source]

US – State AG: Cops Don’t Need to Ask Permission to Use Body-Cams

Washington Attorney General Bob Ferguson says police do not have to ask permission to use body cameras to record their interactions with the public in most circumstances. Ferguson said citizens must assume interactions with on-duty police are public and so officers are under no obligation to turn off body cameras even when asked, the report states. Ferguson added that citizens have the same right to film uniformed police officers in public. Ferguson referred to the Supreme Court opinion recognizing that “a conversation between a police officer and a member of the public that occurs in the performance of the officer’s duties is not private.” [The Seattle Times]

Location

US – Will Rideshare Incident Prompt Location Privacy Law?

Some are calling it “the gaping hole in the nation’s privacy laws” for protecting users’ location information. “Right now we protect health data, we protect financial data, we protect kids’ data, but location isn’t protected,” said Georgetown University Center on Privacy and Technology Executive Director Alvaro Bedoya. “As long as a company is not deceiving you about how they’re using the data, they can pretty much do whatever they want.” In response to last week’s news that Uber may have misused some of its users’ data, Uber competitor Lyft has changed its internal privacy policies to limit employee access to user data. The company said it has implemented “tiered access controls.” [The Hill] [Uber touts “strict” privacy rules, but terms suggest broad access] [U.S. Senator Al Franken questions Uber’s privacy policies]

Offshore

Online Privacy

WW – Yahoo to Honor DNT in Firefox; Tweets Become Searchable

Mozilla has announced Yahoo will now be the default search engine in its Firefox browser for users in the U.S., but other search options will continue to be available, according to a blog post by the company. As part of the partnership, Yahoo agreed to honor the Do-Not-Track option for U.S. customers using Firefox but will not do so for users of other browsers. “We will now focus on expanding our work with motivated partners,” Mozilla writes, “to explore innovative new search interfaces, content experiences and privacy enhancements across desktop and mobile.” Meanwhile, Twitter has announced it will make every public tweet since 2006 available to search, raising privacy concerns for some who may have posted regrettable content in the past. [Mozilla Blog]

WW – Group Launches Transparency Index Tool

Digital rights organization Access has announced the release of its Transparency Reporting Index, a tool designed to help users “see whether their favorite app or service discloses user data and to learn about corporate policies on government demands for data and disruptions.” According to Access, “Transparency reporting is one of the strongest ways for technology companies to disclose threats to user privacy” and can help educate the public about government access to user data. The tool includes a list of companies that have issued transparency reports and links to them. [Source] [Doxxing defense: Remove your personal info from data brokers]

UK – Owner Shuts Down Webcam Website

Following calls from data protection authorities (DPAs), the owner of a Russian-based website connecting to tens of thousands of webcam streams has shut down, BBC News reports. The site, which at one point connected to more than 73,000 webcams using default password settings, prompted concerns from DPAs in the UK, Canada and others. UK Information Commissioner Christopher Graham said, “If we can take one lesson away from this experience, it is that default passwords do not provide protection from the threats that exist in the modern world.” Foscam’s Chase Rhymes said, “An analogy best describing this would be just because someone leaves their window open it does not give permission for an unauthorized individual to set up a camera outside their window and broadcast the feed worldwide.” [BBC] See also: [The Big Data Security Risks Of Little Things] [Australia, Canada, UK and China weigh in on Insecam privacy issue] See also: [Algorithms Are Great and All, But They Can Also Ruin Lives] and [Public Health Surveillance and Privacy in the Age of Ebola]

WW – Image Search, Analysis Emerge as Powerful Tools, Privacy Threat

The rise in smarter image systems, including recent technology called neural net artificial intelligence (AI), is raising some personal privacy concerns. Neural net AI allows computers to understand what is occurring in a given picture—for example, recognizing that a boy is throwing a Frisbee to a dog. “Combine this technology with facial recognition,” the article states, “and anyone with access (which will be everyone) will be able to search the web for people doing things or involved with or associated with some activity.” Combined with mass photo surveillance, such technology could present equally positive and negative uses. “Love it or fear it,” the article adds, “this technology is happening now.” [eWeek] See also: [Toronto police considering facial recognition software to identify suspects] AND:

WW – Facebook Tests Buy Button, Tweaks Basic Privacy Settings

Starting January 2015, users of social networking giant Facebook may be able to buy things online—and, hopefully, have more control over what they share. Facebook said these tweaks are contained in its terms and policies, as well as in its newly rolled out Privacy Basics. Also, Facebook will continue to improve ads based on the apps and sites people use off Facebook and expand users’ control over the ads they see. “Privacy Basics” is a how-to guide on the new features and controls available to Facebook users. Updates to Facebook policies include:

  • Discover what’s going on around you: Facebook explains how it gets location information depending on the features users avail of.
  • Make purchases more convenient: in some regions, Facebook is testing a Buy button that helps people discover and purchase products without leaving Facebook.
  • Find information about privacy on Facebook at the moment you need it: moving tips and suggestions to Privacy Basics. Facebook’s data policy is shorter and clearer, making it easier to read.
  • Understand how Facebook uses the information it receives.
  • Users’ information and advertising: Facebook will continue to help advertisers reach people with relevant ads without telling them who its users are. [Source] See also: [Social media terms of service may be trumped by Canadian law]

Privacy (US)

US – FTC Settles With TRUSTe

The FTC announced a settlement with privacy seal provider TRUSTe on charges the company “deceived customers about its recertification program for company’s privacy practices, as well as perpetuated its misrepresentation as a nonprofit entity.” FTC Chairwoman Edith Ramirez said, “TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge … Self-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action.” In a blog post, TRUSTe CEO Chris Babel wrote, “we take very seriously the role we play in the privacy ecosystem” and that both issues raised by the FTC have been addressed. [FTC] [FTC says firm that offered online privacy certificates didn’t check compliance]

US – FTC: Two ‘Tech Support’ Firms Tricked Customers Out of $120 Million

The Federal Trade Commission announced that it has temporarily shut down two telemarketing operations that, the agency alleges, were dedicated to tricking customers into buying fake technical support. The agency announced action against two separate operations, both based in Florida. One case includes charges against the makers and sellers of software called “PC Cleaner”; the other names companies doing business as Boost Software Inc. and OMG Tech Help. The FTC says the two companies have cheated consumers out of $120 million. [Source]

US – FTC Denies AgeCheq COPPA Verifiable Parental Consent Method

After a window for public comment and review, the FTC has denied AgeCheq, Inc.’s application for its proposed Children’s Online Privacy Protection Act (COPPA) verifiable consent method. In a letter to AgeCheq, the FTC stated that the company’s proposed method “incorporates methods already enumerated in the (COPPA) Rule …” AgeCheq recently proposed another verifiable consent method and that is currently open for public comment. [FTC]

US – Judge Dismisses Some Claims in Apple Class-Action

U.S. District Judge Lucy Koh “dismissed some but not all claims in a class-action accusing Apple of intercepting and failing to deliver text messages sent from iPhones to non-Apple cell phones” that alleged Apple violated the Stored Communications Act, the Electronic Communications Privacy Act and California’s unfair competition and consumer laws. Meanwhile, a class-action has been filed against Jimmy John’s Gourmet Sandwiches following a breach involving customers’ credit and debit cards, and a New Jersey woman has filed a suit against a law firm “that works with debt collection agencies for putting her account number on the collection notice sent to her home.” [Courthouse News Service] and [US: Judge threatens detective with contempt for declining to reveal cellphone tracking methods]

US – CNN Wants Video Privacy Case Thrown Out

CNN is asking a federal judge to dismiss a lawsuit alleging that the company’s iPhone app violates a federal privacy law by sending information about users’ devices to the analytics company Bango. The company argues in papers filed on Friday that any information transmitted to Bango is “anonymous” and doesn’t personally identify users. CNN argues that the federal Video Privacy Protection Act – a 1988 law that prohibits video rental companies from disclosing consumers’ personally identifiable information – doesn’t apply when companies transmit device identifiers. “The history of the VPPA and recent case law confirm that a random numerical string associated with an electronic device is outside the VPPA’s scope,” CNN argues. “No court has accepted the contention that a number that identifies a device (e.g., a computer, tablet, modem, set-top-box or phone) constitutes PII.” The lawsuit, filed this February by Illinois resident Rick Perry, centers on allegations that CNN sends Bango information about the clips that iPhone users watch, along with their 12-digit Media Access Control addresses. A similar lawsuit against Dow Jones was dismissed in October. In that matter, U.S. District Court Judge Thomas Thrash, Jr. ruled that an Android ID isn’t personally identifiable information. The consumer who sued, Mark Ellis, is appealing that ruling. [Source]

US – Other News

US – Legislators Seeking Answers on Breaches

Senate and House Democrats have sent letters to 16 financial institutions seeking information on recent breaches. Those receiving letters from Sen. Elizabeth Warren (D-MA) of the Senate Banking Committee and Rep. Elijah Cummings (D-MD) of the House Oversight and Government Reform Committee included banks and investment firms. “The increasing number of cyber-attacks and data breaches is unprecedented and poses a clear and present danger to our nation’s economic security,” Cummings and Warren wrote. Meanwhile, Staples has said it is not yet “reasonably” able to estimate the costs it will incur in connection with last month’s breach. [Reuters]

Privacy Enhancing Technologies (PETs)

WW – New Product Aims to Ease Data Transfer

IBM has patented a design for a privacy engine that it says will “eventually enable businesses to aggregate international requirements for data transfers on individual projects and flag any cross-border privacy issues.” The engine, still in its infancy, will also ease data-sharing between private clouds. IBM Chief Privacy Officer Christina Peters says the invention “provides a privacy technique that helps businesses navigate an increasingly complex compliance landscape of regulations to help companies avoid unknowingly sharing data that could put their business at risk.” [ZDNet]

WW – Detekt Lets You See If Somebody’s Watching Your Computer

Detekt is a free tool released by a coalition of privacy and civil liberties groups including Amnesty International, Electronic Frontier Foundation, Privacy International and Germany’s Digitale Gesellschaft. Detekt is designed for those who might be targets of government scrutiny, including journalists and human rights advocates and looks for spyware that “might be collecting emails, listening to Skype video calls, observing through a computer camera or even monitoring keystrokes to determine passwords and Internet activity,” the report states. The coalition cautioned there are few regulations “to safeguard against these technologies being sold or used by repressive governments or others … for serious human rights violations and abuses.” Meanwhile, NameRemoval.com recently launched to provide “robust powerful privacy and reputation management services to businesses and individuals.” [The Hill]

WW – Yik Yak Raises $73M

Anonymous messaging app Yik Yak has closed a $62 million round of financing led by a venture capital firm. The total amount raised in three rounds is about $73 million. The app allows users to chat anonymously with one another based on location. [IAPP]

Security

WW – Small Biz Thinks Workers Are Weak Cybersecurity Link

In a new report from security firm CloudEntr, 77% of Internet technology managers at small- to medium-sized businesses say employees are their biggest security concern. “The employee factor is huge,” said one executive. “For most companies it’s the single biggest exposure point.” Another survey finds companies plan to increase spending on cybersecurity budgets by $2 billion over the next two years. Meanwhile, the U.S. State Department shut down its unclassified computer network over the weekend due to concerns it was hacked. In a column for The Hill, former Minnesota Gov. Tim Pawlenty writes that “notifying customers of a problem after it occurs does not prevent the problem … Legislation is also necessary to ensure businesses are held to a higher standard” for protecting customer information. [CNBC] and [10 security mistakes that will get you fired] [The National Institute of Standards and Technology has released draft guidelines to help organizations share information about cyber-attacks]

Surveillance

UK – DPAs Warn About Webcam Website

A website connecting to more than 73,000 unsecure webcams has gotten the attention of data protection regulators around the world. They are warning the public about the site and asking its operators to shut it down. UK Information Commissioner Christopher Graham said he aimed to “sound a general alert,” to warn the public “there are people out there who are snooping.” Graham said the baby-monitor webcam access is “spooky,” adding, “But after all, it is the responsibility of the parents to set a proper password if you want remote access.” The ICO’s Simon Rice also wrote a blog post today about the site. [BBC News] and [AUS: Topless neighbour’s drone picture prompts calls for privacy law overhaul]

US – AT&T Wants Warrants from Law Enforcement for Location Data

An amicus brief filed by AT&T states that law enforcement may need to obtain warrants prior to accessing user cell phone data. The brief was filed in a federal appeals case and asks courts to set a clear standard of what type of approval law enforcement must get to obtain user data. Meanwhile, responding to reports that law enforcement is accessing cell phone data from airplanes, [The Wall Street Journal]

US – Franken Wants Answers on Airplane Spying

Sen. Al Franken (D-MN) wants more information about the programs from U.S. Attorney General Eric Holder. “While I understand that law enforcement agents need to be able to track down and catch dangerous suspects, this should not come at the expense of innocent Americans’ privacy,” wrote Franken.

US – Markey: Auto Privacy Principles Don’t Go Far Enough

Sen. Edward Markey (D-MA) says he plans to investigate the automotive industry’s privacy and security practices and will release the findings. The statement comes a week after a coalition of automakers issued a privacy pledge. Markey said the principles “represent an important first step toward protecting the information collected by modern technology in our cars … However, the proposed principles fall short in two key areas: choice and transparency.” The senator said, in addition to releasing his findings, “I will call for clear rules-not voluntary commitments-to ensure the privacy and safety of American drivers is protected.” The Future of Privacy Forum has released a paper exploring connected cars and privacy. [Source] See also: [Car Camera Network Could Produce Virtual Maps of Pedestrians] and [US: #HappyTracksgiving : How your travels are tracked this holiday season]

Telecom / TV

US – Secret US Technology Said to Intercept Cellular Communications

Fake cell phone signal receivers on airplanes gather cell traffic in a secret government program, a new report reveals. The next time you use your cell phone in a crowd, the US Marshals may be listening in. The way it works is through a specialized box affixed to an airplane flying overhead, according to a report from The Wall Street Journal. That box is designed to trick mobile phones into communicating with it, sending all sorts of information through the air and into the device. And innocent Americans are just as likely to have their information collected as anyone else. The Justice Department, which houses the Marshals Service, did not immediately respond to a request for comment. [Source]

US – Judges Require Stricter Rules for Stingray Use

Law enforcement agencies in Pierce County in Washington state must now specify when they will use stingray technology in their investigations and must also swear in the affidavit that they will not retain data belonging to people who are not the target of the order. The 22 Pierce County Superior Court judges have approved a new requirement for law enforcement agencies “… requir[ing] language in pen register applications that spells out [that] police intend to use the [tracking] device.” [Ars Technica] [SC Magazine] [The News Tribune]

UK – Bill Would Expand Law Enforcement Access to Internet User Information

UK home secretary Theresa May is expected to propose a bill that would require companies to provide law enforcement agencies with information about the identities of people using computers and mobile devices. The bill would require service providers to retain data that links users to devices based on IP addresses, which are often shared by multiple users and often change. The data retention changes are expected to be part of the Counter-Terrorism and Security Bill. The plan has met with criticism because it allows for broad surveillance of online activity. The Lib Dems insisted that the communications data bill – branded the “snooper’s charter” – was “dead and buried.” Emma Carr, director of campaign group Big Brother Watch, said: “It is perfectly reasonable that powers to provide the police with the ability to match an IP address to the person using that service is investigated. “However, if such a power is required, then it should be subject to the widespread consultation and comprehensive scrutiny that has been sorely lacking to date with industry, civil society and the wider public when it comes to introducing new surveillance powers. “Before setting her sights on reviving the snooper’s charter, the home secretary should address the fact that one of the biggest challenges facing the police is making use of the huge volume of data that is already available, including data from social media and internet companies. The snooper’s charter would not have addressed this, while diverting billions from investing in skills and training for the police.” [Source] [BBC] [v3.co.uk]

US Government Programs

US – Reports Critical of DHS, VA Privacy Practices

A new report from Department of Homeland Security (DHS) Inspector General John Roth reveals the agency is struggling to protect personally identifiable information and create an effective management system to secure and protect data. “DHS did not take appropriate steps to identify and mitigate physical risks to the security and confidentiality of records,” Roth stated. “We observed instances in which passwords, sensitive IT information … could be accessed by individuals without a ‘need to know,’” he added. A separate report from the Government Accountability Office indicates the Department of Veterans Affairs has not fully addressed its cybersecurity vulnerabilities and has not done enough to mitigate them. [GovInfoSecurity]

US Legislation

US – Senate NSA Bill Blocked in Procedural Vote

By a narrow margin, the US Senate has blocked a bill aimed at curtailing NSA data gathering practices from reaching the floor. The USA Freedom Act was two votes short of the 60 it needed to pass. The bill would have ended bulk phone metadata collection, instead leaving those data under the control of telecommunications companies from which the NSA can access them with court orders from the Foreign Intelligence Surveillance Court. It would also have required the NSA to focus its search terms more narrowly to ensure that only relevant records are accessed. It would also have granted telecommunications companies more transparency in disclosing the number and types of data requests it receives. The bill’s author, Sen. Patrick Leahy (D-VT) said, “I am disappointed by tonight’s vote, but I am not new to this fight,” adding Republicans failed to work “productively to protect Americans’ basic privacy rights and our national security.” In a strongly worded column responding to the vote, The Intercept’s Glenn Greenwald writes, “the last place one should look to impose limits on the power of the U.S. government is … the U.S. government.” However, the White House says it will pursue a new bill in 2015. [NationalJournal] [WIRED] [CNET]

US – Tech Coalition Urges Surveillance Reform; DoJ Defends “Dirtbox” Spying

A group of technology giants have published an open letter to the U.S. Senate urging it to pass the USA FREEDOM Act. The legislation, which may be voted upon this week, would limit the National Security Agency’s bulk collection of phone data. Aol, Apple, Dropbox, Evernote, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo all support the bill, which they say “both protects national security and reaffirms America’s commitment to the freedoms we all cherish.” In separate surveillance news, the Justice Department is defending a practice that uses “dirtboxes” on airplanes to collect cell-phone data of suspected criminals, saying the program is legal. Sen. Edward Markey (D-MA), however, has sent a letter of inquiry about the program to Attorney General Eric Holder. [Source] See also: The Hill reports on a number of technology and privacy issues that policy-makers will look into in the coming months, including National Security Agency and email privacy reform. Jeff Kosseff explores 10 ways the recent election could affect privacy and data security law.

US – Other News

Workplace Privacy

US – Slack Alters Privacy Policy to Let Bosses Read Your Messages

Slack, a workplace communication tool, has announced it will begin selling a number of tools aimed at system administrators. Slack Plus will give companies the ability to request every message employees have sent on the service from that point forward, including direct messages to coworkers. Slack has revised its privacy policy to communicate the changes. [Source] See also: [Oklahoma’s social media privacy law went into effect November 1, meaning employers are prohibited from requiring employees or prospective employees to hand over social media log-in information]

US – Court Finds Deletion of Fired Employee’s Info Not a Violation

A federal judge has ruled that no privacy rights were violated when a company deleted personal information from a fired worker’s cell phone. The company asks its employees to use personal devices to carry out various work functions, and the plaintiff used his iPhone to access email. According to the claim, Design Tech, after firing the worker, remote-accessed his iPhone and, without warning, “wiped or erased all of the information on the plaintiff’s device, including all of plaintiff’s personal and professional information.” The plaintiff claimed the action violated the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, but a judge disagreed, saying he had “not produced evidence of any costs he incurred” from the action. [Courthouse News Service]
