1-8 January 2016

Big Data

US – FTC Issues Guidance on Big Data

The report looks at how data collected from a wide variety of sources is used once it has been analyzed, and chronicles such upsides as boosting education, non-traditional access to credit, specialized healthcare and access to employment. But it also surveys risks, which it identifies as “inaccuracies” about certain groups, exposing sensitive information, targeting vulnerable consumers for fraud, increasing the price of goods in lower-income communities, and reducing consumer choice. [Broadcasting News] [Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues] SEE ALSO: [Data in 2016: 5 Trends That Will Drive Big Data]

Canada

CA – IPC Recommendations to Protect PHI When Using Various Technologies

The IPC has provided guidance on best practices for protecting personal health information. When retaining PHI on mobile or portable devices, strong encryption should be used (keys should be of a sufficient length and error messages should be monitored and responded to immediately) and the device should have strong password protection (random string of letters, numbers and symbols). Shared electronic health record systems should have harmonized policies and procedures that address training, consent management, breach management, complaints and inquiries. [IPC Presentations From the 2015 PHIPA Summit]
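The two device-level controls the IPC guidance names, a random passphrase of letters, numbers and symbols and an encryption key of sufficient length, can be implemented with the Python standard library alone. The block below is an added example, not code from the IPC or from any vendor: the 80-bit entropy floor, the 16-character default and the scrypt parameters are assumptions chosen for illustration, and the entropy figure is only meaningful for passphrases the generator itself produced, not for human-chosen passwords.

```python
"""Added example (not IPC code): generate a device passphrase and derive a
256-bit key for PHI stored on a portable device.

Assumptions (hypothetical policy values): MIN_BITS = 80, KEY_BYTES = 32,
scrypt with n=2**14, r=8, p=1 (about 16 MiB of memory per derivation).
"""
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MIN_BITS = 80      # assumed policy floor for passphrase entropy
KEY_BYTES = 32     # 256-bit key, e.g. for AES-256-GCM on the device


def generate_passphrase(length: int = 16) -> str:
    """Random string of letters, numbers and symbols from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_entropy_bits(passphrase: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random string of this length over this alphabet.

    Only valid for strings produced by generate_passphrase(); a human-chosen
    password of the same length is far weaker than this number suggests.
    """
    return len(passphrase) * math.log2(len(alphabet))


def derive_key(passphrase: str, salt: bytes, key_bytes: int = KEY_BYTES) -> bytes:
    """Derive a fixed-length encryption key from the passphrase with scrypt.

    Rejects passphrases below the policy floor and salts shorter than 16 bytes;
    the salt is stored alongside the ciphertext, the passphrase is not.
    """
    if passphrase_entropy_bits(passphrase) < MIN_BITS:
        raise ValueError("passphrase does not meet the entropy floor")
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    # scrypt is memory-hard, which slows offline guessing of the passphrase
    # if the encrypted device is lost. n must be a power of two.
    return hashlib.scrypt(
        passphrase.encode("utf-8"), salt=salt,
        n=2 ** 14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=key_bytes,
    )


if __name__ == "__main__":
    pw = generate_passphrase()
    salt = secrets.token_bytes(16)
    key = derive_key(pw, salt)
    print(f"passphrase entropy: {passphrase_entropy_bits(pw):.1f} bits, key: {len(key) * 8} bits")
```

The check on the entropy floor is what turns the guidance's "sufficient length" into something a build can enforce; a passphrase that fails it should be regenerated, never padded.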

Consumer

US – Pew Survey Indicates Confusion Over Online Data-Sharing Decisions

A new Pew Research Center survey indicates a “significant minority” of American adults have felt confusion about whether to share personal information with companies. The survey found that while 50% said they were confident they understood what would happen with the information they shared, 47% said they were not. 35% of respondents said they were discouraged with the effort required to try to understand data uses, while 38% said the information provided in various companies’ privacy policies confused them. 29% said they found themselves impatient in that they needed to make a decision quickly but felt they wanted to learn more. [Full Story]

US – Study Finds Simplified Privacy Notifications Ineffective

A new survey-based study by two University of Chicago Law professors published on the Social Science Research Network found that the simplification of privacy disclosures did not modify user behavior. “Simplification of disclosures is widely regarded as an important goal and is increasingly mandated by regulations in a variety of areas of the law,” said the study authors. “In privacy law, simplification of disclosures is near universally supported.” However, “our results reveal that none of the simplification techniques help inform respondents or affect their behavior. They call into further question the wisdom of focusing much regulatory effort on improved disclosures,” they continued. [Source]

Electronic Records

UK – NHS to Implement Platform that Integrates Imaging, Genomic Data

England’s National Health Service (NHS) will implement an integration platform linking medical imaging and genomic data, with the intent of bringing key information together at the point of care. The NHS will roll out a system from Kanteron Systems that gives the NHS exclusive and unrestricted access to Kanteron’s medical imaging and genomic data integration platform. Kanteron is working with technology partners that have significant business with U.S. healthcare providers, including IBM, Microsoft and Hitachi Data Systems. Kanteron executives said the company will offer additional services, such as consulting, implementation, integration, migration and technical support, to support adoption of new clinical workflows. [Source]

Encryption

EU – Dutch Govt Rejects Backdoors in Encryption

The Dutch government has published a position paper in which it opposes the idea of creating backdoors in encryption products. The paper says, in part, “The government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability, and use of encryption within the Netherlands.” The paper notes that placing backdoors in the products “would also make encrypted files vulnerable to criminals, terrorists, and foreign intelligence services.” [The Hill] [The Register] [Dutch government backs strong encryption to contradict UK stance] [Security experts support Dutch stance on encryption] [What lessons can the UK learn as the Dutch champion data encryption, oppose backdoors] See also: [David Chaum, the Father of Online Anonymity, Has a Plan to End the Crypto War] and [There’s a huge debate over an encryption expert’s plan to solve the problem of online privacy]

EU Developments

EU – EU Commission Provides Overview of Data Protection Reform

The European Commission released a fact sheet on the impact of the General Data Protection Regulation (the “Regulation” or “GDPR”). The GDPR safeguards freedom of expression and historical/scientific research data (through exemptions to the right to be forgotten) and provides specific protection for children (parental consent is required for processing minors’ data); the use of Big Data analytics is encouraged (the GDPR promotes anonymization, pseudonymization and encryption), and the one-stop-shop mechanism benefits companies (they only have to deal with one DPA, and will receive more consistent and faster decisions). [European Commission – Questions and Answers – Data Protection Reform] [PrivaWorks] Final drafts out of the trilogues: [Final GDPR Text, December 15, 2015 | Final DPD Text, December 15, 2015] SEE ALSO: Top 10 operational impacts of the GDPR (IAPP Privacy Advisor): Part 1 – data security and breach notification | Part 2 – The mandatory DPO | Parts 3-10 TBD

EU – NIS + GDPR = A New EU Breach Regime

European lawmakers capped off a blockbuster week for privacy with an important step towards the first comprehensive information security legislation in the EU. The Network and Information Security (NIS) Directive was initially proposed by the European Commission in February 2013 to raise cybersecurity capabilities across the EU’s 28 member states. After more than two years of negotiation, the Council of the EU reached an informal agreement with the Parliament on December 7, and the agreed text was approved by the Member States on December 18. The text now must undergo “technical finalisation,” and then needs to be formally approved by both the Council and the Parliament, which is expected, according to the Council, this spring. Member States will then have 21 months to transpose the Directive into national law. The Directive aims to “increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers,” according to a Council press release. To that end, it will require operators to take measures to manage cyber risks and to report security incidents. The Parliament and Council disagreed over which operators would be subject to the provisions; ultimately, they extended the measures to operators of “essential services” and to digital service providers. Perhaps most importantly for privacy and data protection professionals, the Directive introduces incident notification requirements that extend beyond those of the General Data Protection Regulation (GDPR). Unlike the GDPR, which mandates notification only when a breach of personal data is likely to put individuals at risk, the Directive requires operators to notify competent authorities whenever an incident has a substantial impact on the provision of the operator’s service, whether or not personal data is involved. Thus, while the GDPR includes security and notification provisions to protect personal data, the Directive seeks to improve security safeguards and the sharing of knowledge on cybersecurity threats. [IAPP Privacy Tracker]

EU – EDPS Releases Guidelines on E-Communications, BYOD

The European Data Protection Supervisor (EDPS) has published two sets of guidelines for EU institutions and bodies on personal data and electronic communications as well as personal data and mobile devices. The EDPS said the guidelines aim to help EU institutions comply with data protection rules, but they’re really applicable to any organization. In the guidelines, EDPS Giovanni Buttarelli said EU bodies looking to implement BYOD should look at the benefits of doing such processing “taking account of the risks and invasiveness that such use may imply.” [Press Release] SEE ALSO: [EDPS – Response to the Commission Public Consultation on the Regulatory Environment for Platforms, Online Intermediaries, Data and Cloud Computing and the Collaborative Economy]

EU – EDPS Opinion Calls for Enhanced Controls on Surveillance Tech

In a recently published opinion, European Data Protection Supervisor Giovanni Buttarelli called for enhanced controls on the export of technologies used for communications surveillance and interception. He said there is a “tension between the positive use of ICT tools and the negative impact that the misuse of technology can have on human rights, and especially on the protection of personal data and privacy.” Buttarelli said national and EU policies should address the tension but so should “all actors involved in the ICT sector.” [Full Story] See also: [EU privacy watchdog to set up ethics advisory group]

UK – ICO: Govt Should Not Have Right to Access Citizen’s Private Data

The UK government and security services shouldn’t have “willy-nilly” access to citizens’ digital communications and online activities, the Information Commissioner has warned. Such powers would represent an excessive invasion of privacy, he added. Christopher Graham made the comments while presenting evidence to a House of Lords Joint Committee on the draft Investigatory Powers Bill. The draft Bill – dubbed the “Snooper’s Charter” by critics – was introduced by Home Secretary Theresa May last year. It explicitly authorises security services to bulk-collect personal communications data and makes it illegal to even ask in court whether evidence was obtained via bulk surveillance. However, Graham warned that the legislation must not give the government carte blanche for collecting and storing citizens’ private data. “Simply by the fact that we’re all doing business, social actions and communications digitally, wherever we go, whatever we do; like it or not, we leave a digital trail,” he told the Joint Committee, and argued that data protection legislation requires much of this to remain private. “The challenge for the data protection framework is to make sure that remains private where it should be private.” Graham told the Committee that it shouldn’t be the case that the state can access all of a citizen’s private data just because it wants the power to do so. [Source] See also: [Facebook, Google, Twitter unite to attack ‘snoopers’ charter’] [UK mass surveillance ‘totalitarian’ and will ‘cost lives’, warns ex-NSA tech boss]

EU – German Federal DPA Completely Independent as of January 1, 2016

The federal German data protection authority (“DPA”) issued an update for 2016. A German law, effective January 1, 2016, establishes the federal DPA as the supreme federal authority (comparable to the Federal Court) and entirely independent, responsible only to Parliament; the DPA’s decisions are subject to judicial review. [DPA Germany – Update and Outlook for 2016]

Finance

CA – Investment Industry Regulator Issues Security Guide for Dealer Members

The Investment Industry Regulatory Organization of Canada (“IIROC”) issued a guide for cyber incident management planning for small and mid-sized Dealer Members. The guide outlines possible causes of a cybersecurity incident, signs of possible information system compromise and recommendations for the phases of incident management (plan and prepare, detect and report, assess and decide, respond, and post-incident activity); an incident checklist is provided for firms whether or not they already have a plan in place. [IIROC – Cyber Incident Management Planning Guide for IIROC Dealer Members]

FOI

CA – Law and Info Groups Challenge ‘Far-Reaching’ Retroactive Law

A retroactive Conservative law buried in last spring’s omnibus budget bill fundamentally undermines the rule of law and government access-to-information systems across Canada, according to court submissions in a paused constitutional challenge. Twelve of Canada’s 13 provincial and territorial information commissioners, as well as the Criminal Lawyers’ Association, are seeking intervener status in the case, which challenges the former government’s unprecedented rewrite of an old law to get the RCMP and any other government official off the hook for illegally destroying long gun registry records. The case, brought by federal information commissioner Suzanne Legault on behalf of individual Bill Clennett, is one of the messier legal challenges the new Liberal government will have to mop up in 2016. [GlobalNews]

CA – IPC Requires Ministry to Reveal Marijuana Grow-Op Info

This IPC order reviews the decision of the Ministry of Community Safety and Correctional Services to withhold records requested under FIPPA. Due to the health and safety threats posed by properties formerly used for marijuana grow-operations, it is in the public interest to release certain records giving the address, dates and amounts of marijuana seized during OPP investigations; where there is insufficient evidence that a property housed an indoor grow-operation, the compelling public interest in disclosure no longer exists and those records should not be disclosed to the public. [IPC ON – Order PO-3547 – Ministry of Community Safety and Correctional Services] See also: [Interim Order PO-3555 – IPC Upholds York University Decision to Deny Access to Security Reports]

CA – 2010 Olympic Records Are Not in Control of 3 Public Bodies: BC OIPC

This OIPC order reviews the decision reached by the City of Vancouver, the Resort Municipality of Whistler and the Ministry of Finance (collectively, the “public bodies”) relating to records requested pursuant to British Columbia’s Freedom of Information and Protection of Privacy Act. The Adjudicator agreed with the two municipalities and a government department that the records are not in their custody (e.g. Olympic committee bylaws determined the storage and inspection of the records) or control (e.g. the public body lacks the contractual authority to regulate the records’ use, disclosure and disposition). [OIPC BC – Order F15-65 – City of Vancouver, Resort Municipality of Whistler and the Ministry of Finance]

CA – Clayton: Post-Election Document Destruction Illegal

After an investigation of widespread document destruction by the Progressive Conservatives after losing an election to the NDP last year, Alberta Privacy Commissioner Jill Clayton and Public Interest Commissioner Peter Hourihan found that lack of oversight and accountability demonstrates the need for an overhaul of the province’s records management system. The joint investigation found that no one monitored the shredding of a vast amount of government documents. “Robust and accountable records management programs are critical to ensure Albertans can exercise their access to information rights,” Clayton wrote. “This investigation found there was confusion about the rules guiding records management, and there were no consequences for not following rules.” [Document shredding rules not followed after Alberta election, investigation finds] See also: [New details about Calgary healthcare workers privacy breach]

US – New Resource from ProPublica Aims to Simplify Info Access

ProPublica’s new online Policing Patient Privacy and HIPAA Helper tools allow the curious to stay on top of the healthcare privacy community’s goings-on as well as check whether their hospital or healthcare provider was among those breached. Among the newest stories in the Policing Patient Privacy database is a ProPublica report on the Department of Veterans Affairs mistakenly sending incorrect veteran data to war widows and an additional study on how companies rarely face serious consequences after repeated bungles. Meanwhile, the Department of Health and Human Services published a chart that ranks the top five healthcare privacy grievances by year, with “impermissible uses and disclosures” taking the top spot from 2004 through 2014. Healthcare records breached in 2015 topped 112 million. [ProPublica]

Genetics

JP – Gov’t Says Genomic Info Considered PII

A panel of Japanese experts has decided genomic information should be considered personal information under the newly revised privacy act approved in September. The information will now be classified just as digitized facial features and fingerprints are, and genomic data related to diseases will be considered highly sensitive personal information. The government plans to add rules this year to cover grey areas surrounding protecting genomic data. [Lawyer Herald]

Health / Medical

CA – IPC Issues Guidance on Use of Health Card Numbers

The IPC released an FAQ on the use of health cards and health numbers by healthcare professionals pursuant to PHIPA. Individuals have a right to refuse to provide their health cards and health numbers to a person who is not a custodian (custodians are persons and organizations prescribed in the regulations as permitted to collect, use or disclose health numbers), so disclosure must be voluntary; it is an offence under PHIPA to require the production of a health card, except where it is required by a person or organization that provides provincially funded health resources to the individual. [IPC – Health Cards and Health Numbers – The Personal Health Information Protection Act]

Horror Stories

US – Comcast to Pay Penalty of $19,850,000 for Multiple Privacy Violations

The Superior Court of the State of California entered a stipulated judgment filed by the California Attorney General (“Plaintiff”) against Comcast Cable Communications LLC (“Defendant”) for unlawful disposal of customer information and unlawful hazardous waste disposal practices. Customer records (name, address and phone number) were disposed of without being shredded, erased or otherwise made unreadable or indecipherable; the company must designate a Privacy Officer responsible for overseeing its customer record disposal procedure, train employees on the procedures and post prominent signage about the procedures at its facilities. A third-party auditor must conduct random audits to evaluate compliance with the procedures at 18, 36 and 54 months. [The People of the State of California v Comcast Cable Communications LLC – Complaint and Stipulation for Entry of Final Judgment – Superior Court of the State of California – County of Alameda | Press Release]

Identity Issues

US – IRS Provides Tax Break on Pre-Breach ID-Protection Programs

The IRS is offering new tax relief for employers that offer pre-breach identity-protection services for employees. According to IRS Announcement 2016-02, employers do not have to count the value of the protection service in an employee’s wages and gross income or report the amounts on a tax return. However, the new provision “does not apply to cash received in lieu of identity protection services,” the IRS wrote, and “does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.” [BNA.com]

US – Backlash Encourages IRS to Kill Non-Profit Donor Data-Sharing Scheme

After receiving nearly 38,000 public comments, the Internal Revenue Service (IRS) withdrew its proposal that would have permitted non-profits to collect the Social Security numbers of select donors. Although the IRS maintained that the program was created to safeguard donor privacy and keep reporting simple for non-profits, many were unconvinced, and the axing of the proposed system was widely celebrated by groups like the Tea Party Patriots and the National Council of Nonprofits (NCN). “Nonprofits have neither the financial resources nor sufficient staffing to combat hackers who will see an easy source for Social Security information,” said the NCN CEO. “This also creates a liability nightmare for innocent nonprofits. … To be asked to share their address, their credit card number, and their Social Security number all in the same place would be enough to scare even the most committed donor to decline to give.” [The Daily Signal]

SG – Singapore DPA Recommends Use of Anonymization Methods

The data protection authority in Singapore issued an e-newsletter providing guidance on anonymization. Common anonymization techniques include masking (certain data details removed while preserving the essential look and feel of the data), pseudonymization (identifiable data replaced with randomly generated values from which an identity cannot be inferred), aggregation (values displayed only as a total figure), replacement (an average figure replaces each value), and data suppression (a range is used instead of specific values). [Personal Data Protection Commission, Singapore – Anonymisation: Managing Personal Data Protection Risk]
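The five techniques above are easy to state and easy to get subtly wrong, so the block below applies each of them to a constructed set of records. It is an added example, not code from the PDPC or from its newsletter; the records, NRIC-style identifiers, field names and band widths are all invented for illustration. The one design choice worth noting is in the pseudonymization step: a plain SHA-256 of a national ID number is not a pseudonym, because the identifier space is small enough to enumerate and hash, so the example uses HMAC with a secret key that must be stored apart from the released data. The range step is what the newsletter calls data suppression; in most anonymisation literature the same operation is called generalisation.

```python
"""Added example (not PDPC code): masking, keyed pseudonymisation, aggregation,
replacement by average, and range suppression over a constructed data set.
All records, identifiers and field names below are invented."""
import hashlib
import hmac
import statistics

# Constructed sample records (not real people, NRICs chosen to look plausible only)
RECORDS = [
    {"nric": "S1234567A", "age": 34, "postcode": "238823", "salary": 5200},
    {"nric": "S7654321B", "age": 41, "postcode": "238859", "salary": 6100},
    {"nric": "T0011223C", "age": 29, "postcode": "018956", "salary": 4300},
]


def mask_nric(nric: str) -> str:
    """Masking: keep the first and last characters, blank the rest ('S*******A')."""
    return nric[0] + "*" * (len(nric) - 2) + nric[-1]


def pseudonymise(value: str, secret_key: bytes) -> str:
    """Keyed pseudonym. hashlib.sha256(value) alone would be reversible by
    enumerating the ~10**8 possible NRICs; HMAC with a secret key kept outside
    the released data set is not."""
    return hmac.new(secret_key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def aggregate(records, field: str):
    """Aggregation: publish only the total, never the per-record values."""
    return sum(r[field] for r in records)


def replace_with_average(records, field: str):
    """Replacement: every record carries the group average instead of its own value."""
    avg = statistics.mean(r[field] for r in records)
    return [{**r, field: avg} for r in records]


def suppress_to_range(value: int, width: int) -> str:
    """Range instead of exact value: 34 with width 10 becomes '30-39'."""
    lo = (value // width) * width
    return f"{lo}-{lo + width - 1}"


def anonymise(records, secret_key: bytes):
    """Produce a release-ready view: no direct identifiers, coarsened quasi-identifiers."""
    out = []
    for r in records:
        out.append({
            "id": pseudonymise(r["nric"], secret_key),       # stable join key, unlinkable without the key
            "nric_masked": mask_nric(r["nric"]),             # for display only
            "age_band": suppress_to_range(r["age"], 10),
            "postcode_sector": r["postcode"][:2],            # first two digits of a Singapore postcode
        })
    return out


if __name__ == "__main__":
    key = b"replace-with-a-32-byte-secret-from-a-kms"  # assumption: real key lives outside the data set
    for row in anonymise(RECORDS, key):
        print(row)
    print("total salary:", aggregate(RECORDS, "salary"))
```

Two caveats a practitioner would add: the pseudonym is only as secret as the key, so rotating or leaking the key changes the risk for every record it ever keyed; and coarsening quasi-identifiers (age band, postcode sector) is what makes the release resistant to linkage, the masked NRIC on its own does nothing for that.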

Internet / WWW

WW – Microsoft to Warn of State-Sponsored Attacks

Microsoft has revised its account breach notification policy to specify when it suspects that state-sponsored attackers have targeted a user’s email or cloud services account. While Microsoft already has a policy in place that calls for notifying users of account breaches, the decision to identify a breach as coming from a state-sponsored entity was made “because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others.” [SC Magazine] [Bloomberg] [Washington Post] SEE ALSO: [Microsoft failed to warn victims of Chinese email hack: former employees]

US – Free Public Wi-Fi in NYC

New York City plans to install 10,000 free public Wi-Fi hotspots. Once operational, the kiosks will provide Wi-Fi within a 150-foot radius, as well as USB chargers, touchscreen Internet access, and free phone calls within the US. The project is expected to realize US $500 million in advertising revenue over 12 years. The plan calls for the first 500 kiosks to be up within the next six months; 4,500 additional hubs are expected to be established over the next four years. The system will be encrypted. [CS Monitor]

Law Enforcement

CA – BCCLA to OIPC: Audit Use of Mobile Cop Surveillance Towers

Micheal Vonn, policy director for the B.C. Civil Liberties Association, said she has concerns about the deployment by law enforcement of new tower cameras over the holidays — particularly whether they have the capability to see into people’s homes — but cautioned that the association hasn’t concluded such equipment is unnecessary. “What we don’t want to start out by saying is that this kind of camera could never be justified — that’s not our position,” Vonn said. “But given the sensitivity of the information regarding the deployments, how can we know when it’s being appropriately deployed?” Vonn suggested the BC OIPC consider an audit to determine whether the tower camera, which is also used by Abbotsford police and some other local police forces, is being used in a manner that doesn’t infringe on residents’ privacy rights. [Vancouver Courier]

Online Privacy

The Privacy Advisor’s Top 10 Stories of 2015

Between the U.S. President’s historic visit to the Federal Trade Commission to identify privacy and data protection as priorities this year, the European Court of Justice invalidating Safe Harbor, and the European Commission introducing the privacy reform that will change the privacy landscape globally, it’s been quite a year for the privacy profession. Here’s a look back at the top 10 stories reported in The Privacy Advisor, ranked by the number of reads each story got.

  1. Obama Stops by FTC; Announces Privacy Bills on ID Theft, Student Data, Consumer Privacy
  2. Cookies Are So Yesterday; Cross-Device Tracking Is In
  3. Safe Harbor Invalid, Rules ECJ
  4. GDPR Is Here: What’s a Privacy Pro To Do Next?
  5. With Safe Harbor Invalid, What’s a Privacy Pro To Do?
  6. Third-Party Vendor Management Means Managing Your Own Risk
  7. Would a Law Degree Take Your Privacy Career to the Next Level?
  8. His Task? Start Up a Privacy Program at a Start-Up
  9. How To Operationalize the PIA
  10. FTC’s Security Guide: A Sure-Fire Way To Stay Out of Trouble?

[Source] See also: [Why 2015 Was a Historic Year for Privacy]

US – Judge Allows Class-Action Against Yahoo to Proceed

In Chicago, a federal judge allowed a class-action lawsuit against Yahoo to proceed, which could make Yahoo liable for up to $1,500 in damages for each text message it sent to non-Yahoo customers on Sprint’s wireless network in March 2013. The suit claims Yahoo violated telecom rules by sending users who signed into Yahoo Messenger a follow-up text even though the users had not given consent to be contacted. Yahoo could pay up to $750 million in total, “given that as many as 500,000 people could be covered in the class-action.” [Washington Post]

Privacy (US)

US – DHS Offers Drone Privacy Best Practices

The Department of Homeland Security Unmanned Aircraft Systems Privacy, Civil Rights and Civil Liberties Working Group has released 15 best practices for government agencies working with the emerging technology. In a joint statement, the co-chairs of the working group write, “The DHS Working Group neither proposes nor intends that this document regulate any other government entity. Our goal, rather, is simply to share the best practices we have identified as helping to sustain privacy, civil rights, and civil liberties throughout the lifecycle of an unmanned aircraft systems program.” The ACLU, however, said the guidelines are vague on retention limits for collected data. [Federal News Radio] See also: [UK Police to use drones for burglaries, sieges, protests] See also: [Drone Law Journal Launched]

US – DHS Releases New Year’s Resolutions for Privacy

The Department of Homeland Security’s Privacy Office reflects on its privacy progress while looking ahead in its 2015 review. The office shed light on its involvement with the U.S.-Canada Beyond the Border Action Plan and the U.S.-E.U. Data Protection and Privacy Agreement. Among its 2016 plans are a DHS mobile app privacy policy and involvement in the Automated Indicator Sharing Initiative, in which the office will aim to “develop an automated, near-real-time capability and process for the National Cybersecurity and Communications Integration Center, to send and receive cyber threat indicators from government and private organizations.” [Federal News Radio]

US – CRS Sheds Light on Enforcement Authority in Data Breach Legislation

Most of the bills would task the FTC with most of the enforcement duties, said a recent CRS report, but the legislation differs on whether the FCC should retain its existing enforcement authority over data security and breach notification for telecommunication providers. The transparency group Federation of American Scientists obtained the report and made it publicly available. [FierceGovtIT] See also: [LabMD and Wyndham Decisions Curtail FTC’s Data Privacy and Security Reach]

US – PrivacyCon to Hit Washington Jan 14

The FTC has announced the full agenda for PrivacyCon, a free and publicly accessible event, on January 14. Industry delegates, researchers, and government representatives will convene in Washington to discuss privacy and data protection research from a broad collection of academics. Among the research presentations is Cornell researcher Vitaly Shmatikov’s finding that, due to “subtle bugs,” some ads now have the ability to report a user’s medication usage and sexual preference, as well as his or her location. Registration for the event is on a “first come, first served” basis. The event will be webcast. [Source]

US – Data Privacy Day Observed by NCSA with State of Privacy Event

The National Cyber Security Alliance (NCSA) is hosting a State of Privacy event at the Pew Charitable Trusts in Washington on January 28, more formally known as Data Privacy Day. Speakers like the FTC’s Julie Brill and EDPS Giovanni Buttarelli, among others, will discuss both “consumers’ view on privacy” and “developing a sustainable big data ecosystem.” The free and publicly accessible event aims to “initiate a practical and solutions-focused dialogue addressing the current state and future of privacy.” [Full Story]

Security

WW – 10 Data Security Trends That Will Impact You in 2016

Considering the events of the past year, here’s my take on trends and predictions for 2016.

  1. Consolidation of IT Security: The IT marketplace wants fewer vendors, not more.
  2. The Internet of Things to Run Rampant: 6.4 billion connected “things” will be in use globally by the end of 2016 – up 30% from 2015 – and that number is expected to reach 20.8 billion by the year 2020.
  3. Responsible Disclosure: The upcoming year could bring about fundamental changes in how security researchers discover, prove, report and address vulnerabilities.
  4. Security Awareness to Expand to Consumers: In order to combat internal breaches, companies are providing their employees with cyber security awareness training.
  5. Data Breaches to Cause Extensive Implications: In the past, there have been significant delays in victims noticing the effects of a data breach – if at all. That is, until the hack of Ashley Madison, which highlighted the extent to which the personal and professional lives of a large group of people could be negatively impacted by a data breach.
  6. Privacy Regulations: With the ongoing debates around privacy regulation in Europe, security will undoubtedly be included in the conversation. Of particular note will be discussions around the case of Safe Harbor and how such European rulings will affect the global transfer and storage of personal data.
  7. SMBs to Invest More in Security: Cybercriminals are increasingly targeting SMBs because they’re seen as less secure, while oftentimes owning valuable customer data. Ransomware tops the list of company concerns for SMBs, and instances of cyber attacks targeting SMBs will continue to grow.
  8. Cloud Security to See Increased Shared Responsibility: Deploying a cloud-based IaaS, PaaS or SaaS provider can be a good business and security investment for companies with limited IT resources. However, companies must also understand that simply hosting in the cloud does not absolve them of security responsibilities.
  9. Incident Response to See Improvements: The onslaught of high-profile breaches has created a greater need for companies to respond to breaches in a timely manner.
  10. Collaboration Amongst Community to Increase: More than ever, security professionals are utilizing tools and platforms in order to better share and collaborate on security research and uncovering and responding to threats.

[Source] SEE ALSO: [DarkReading: 15 Cybersecurity Lessons We Should Have Learned From 2015, But Probably Didn’t] [Information Week: Top Data Privacy Issues to Scare You in 2016] [Wired: The Biggest Security Threats We’ll Face in 2016]  [CSO Online: Five Cybersecurity Names to Follow in 2016] [Data in 2016: 6 Changes to Expect in Security, Cloud and Mobile Tech]

Smart Cars

WW – Data Communication Modules Coming to 2017 Toyotas

Toyota announced that select 2017 model vehicles worldwide would employ “data communication modules” (DCM) that will connect the cars to “Toyota’s Big Data Center.” While the extent of the DCM’s application will vary from model to model, all cars will have, at minimum, an emergency alert reporting system that activates when the airbag is deployed. Other features are still a mystery, but Toyota did disclose that its data center will “analyze and process data collected by DCM, and use it to deploy services under high-level information security and privacy controls,” it said in a statement. [The Verge]

Surveillance

EU – Irish DPA Requires Transparency When Using Body Worn Cameras

The Irish Data Protection Authority released guidance on the use of body worn cameras, pursuant to the Data Protection Act. Individuals should be clearly informed that body worn cameras are in use, of all the purposes of the recording, of who will have access to this information, and of how long the images will be retained; conspicuous signage should be mounted in the area in which the camera is in operation; and the person operating the body worn camera should be visually identifiable and, where possible or practicable, should announce to the subjects of an encounter that video and audio recording is taking place using a body worn camera. [DPA Ireland – Guidance on the Use of Body Worn Cameras]

Telecom / TV

US – 2016’s Big Surveillance-Privacy Cases

It’s been 2.5 years since the first Snowden revelations were published. And in 2015, government surveillance marched on in both large (NSA) and small (the debut of open source license plate reader software) ways. Within the past year, Congress voted to end Section 215 of the Patriot Act—but then substituted it with a similar law (USA Freedom Act) that leaves the phone metadata surveillance apparatus largely in place even if the government no longer collects the data directly. Even former NSA Director Michael Hayden admitted in June 2015 that this legal change was pretty minor. We also saw some notable 2015 reforms as to how federal law enforcement uses stingrays, the invasive cell-phone surveillance devices in use by everyone from local cops all the way up to the FBI, DHS, and the IRS. The Department of Justice (the parent agency of the FBI) and DHS both announced new policies that require the agencies to get a warrant prior to deploying the snooping device. California Cops, Want To Use A Stingray? Get A Warrant, Governor Says: In October 2015, America’s most populous state implemented the California Electronic Communications Privacy Act. Among other reforms, this act imposed a warrant requirement for the state’s cops when using a cell-site simulator. Other states that already have similar laws include Washington, Virginia, Minnesota, and Utah. But perhaps 2015’s most notable surveillance happenings took place in the courtroom. Last year, we summarized five cases and trumpeted: “If the Supreme Court tackles the NSA in 2015, it’ll be one of these five cases.”

US Legislation

US – Key U.S. Cybersecurity Provisions Signed into Law

Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Hogan Lovells has summarized its key cybersecurity provisions. The main goal of CISA is to encourage organizations to share information with the government about the cybersecurity threats they face and to strengthen the mechanisms through which such information is disseminated to other organizations to help them improve their cyber defenses. Despite overwhelming support in Congress and backing from many in the private and public sectors, questions remain about some provisions in CISA, including whether privacy safeguards are adequate and whether liability protections are sufficient to allay organizations’ fears of being sued based on their participation in information sharing. How these issues are resolved will help determine whether CISA will make a real difference in the way organizations share, receive, and use cybersecurity information. [IAPP Privacy Tracker]

+++
