28 Oct – 04 Nov 2016

Biometrics

US – Judge Rejects Facebook’s Constitution Argument in Biometrics Case

U.S. District Judge James Donato presided over a hearing on a motion to dismiss the Facebook biometrics case. Facebook is currently facing three lawsuits claiming it violated the Illinois Biometric Information Privacy Act and another class action in California. The social network’s attorney Lauren Goldman has argued the Supreme Court’s recent Spokeo decision declared plaintiffs cannot sue unless they demonstrate concrete injury, as shown in Article III of the Constitution. Donato rejected Goldman’s argument, but pressed class attorney Rafey Balabanian to describe what kind of privacy injury came from Facebook’s biometric data collection. The judge said if he does decide for Facebook’s motion to dismiss the lawsuits, he will likely remand two of them back to the state jurisdictions in which they started. [Courthouse News Service] See also: A California court has held that a violation of the California Invasion of Privacy Act is, in itself, a concrete and particularized harm.

Big Data

US – Colleges Paying 50¢ per Student to Gain PI for Admissions Decisions

Just as companies pay for consumer data to make informed decisions, it turns out, colleges and universities do the same, according to a report by non-partisan think tank New America. The report, called “The Promise and Peril of Predictive Analytics in Higher Education,” detailed the ways in which colleges pay for student data. For less than 50 cents a name, colleges glean student data from third-party groups. The College Board, which administers the SAT, the ACT, and the National Research Center for College and University Admissions (NRCCUA) all collect student information that schools pay for. All three are non-profits. The students’ demographic information is then used for “predictive analytics,” a little-known x-factor that colleges often use for enrollment management. The process pulls a multitude of data points into a model that predicts the probability a particular student will apply to a school, choose to attend after they’ve been accepted, or perform well once enrolled. The third-parties also have their own predictive models that colleges can pay for, which can include around 300 different data points on students. The report also explained how colleges rank students based on this data. Admissions teams individually score students’ likelihood of becoming an applicant, being admitted, and deciding to enroll, usually on a scale of 0-10 based on factors like: race and ethnicity, zip code, high school, and anticipated major, according to the authors. Predictive analytics raises questions about discrimination. [Business Insider]

Canada

CA – BC Supreme Court Compels Newspaper to Disclose Information Related to Professional Association Investigation

The BC Supreme Court considered a motion to quash production orders issued by the Law Society to a journalist and his employer newspaper in relation to an internal investigation. The Legal Profession Act, which includes subpoena powers, applies to non-lawyers, and the production order issued by a law society to the newspaper and journalist for purposes of investigating a member’s conduct was reasonable; the order was not seeking the petitioner’s PI or proprietary corporation information, the petitioners’ article placed the information in the public domain, and the regulation of professions is a compelling objective. [Mulgrew v. The Law Society of British Columbia – 2016 BCSC 1279 – In The Supreme Court of British Columbia]

CA – Professional Regulatory Bodies in Saskatchewan Should Consider De-Identification of Published Disciplinary Decisions

The Office of the Information and Privacy Commissioner in Saskatchewan has issued guidance on publication of disciplinary decisions by professional regulatory bodies. Decisions published on websites of regulatory bodies may contain sensitive personal information or personal health information (wrongdoings, opinions about members, physical or mental health information); staff should consider de-identification of names and other identifiable information (especially of witnesses, complainants, affected individuals), and determine that documents only contain personal information that the regulatory body has the authority to disclose. [OIPC SK – Guidance for Professional Regulatory Bodies – Transparency of Discipline of Members]

CA – OIPC SK: Administrative Tribunals to Redact PI When Posting Decisions

The OIPC SK has examined administrative tribunals’ decisions that are published on the internet. Tribunal decisions can involve sensitive issues such as alleged wrongdoings and traumatizing incidents. Key advice for tribunals:

  • determine whether including all PI is necessary when posting a decision
  • ensure staff know about what can and cannot be done with PI
  • notify citizens that some PI may be published online (prior to commencement of the proceedings)
  • if publishing a decision online, consider de-identifying or removing PI, or writing the decision in such a way that the parties are de-identified and the least amount of PI is disclosed.

[OIPC SK – Decisions of Administrative Tribunals – How Much Is Too Much?]

CA – OIPC NS Recommends Reforms to the Personal Health Information Act

The Office of the Information and Privacy Commissioner recommends areas of improvement under the Personal Health Information Act. Recommendations to bring PHIA up to date include permitting a substitute decision maker to exercise any right or power conferred on an individual, and setting clear standards for breach identification and notification to affected individuals, health custodians, and the OIPC; provisions should also allow the OIPC to require any relevant record to be produced (regardless of whether the record is subject to the provisions of PHIA), exchange information with extra-provincial commissioners, and receive immunity from privacy-related lawsuits. [OIPC NS – PHIA Review Recommendations]

CA – OPCC: Political Parties Need Rules for Collecting Canadians’ Data

Canada’s privacy watchdog has called the absence of rules for political parties collecting Canadians’ data a “gap” that needs fixing. Parliament needs to address political parties’ ability to operate outside Canada’s privacy safeguards, the federal privacy watchdog says. Currently there are no rules governing how political parties collect and use sensitive personal information about Canadians, such as political beliefs, family composition, and financial information. Privacy Commissioner Daniel Therrien has argued for the need for oversight of parties’ data activities. But Therrien isn’t arguing just for oversight — he wants some basic rules. The Star reported that a House of Commons committee is considering looking into how political parties use data harvested from millions of door-to-door interactions, fundraising drives, and other interactions with citizens. Very little is known about the extent of parties’ data operations. All three major parties — Liberals, Conservatives and the NDP — have either recently overhauled their database programs or are in the process of doing so. But all of these data operations are running with, at most, voluntary privacy policies and practices, with no independent oversight or governing rules. Therrien said that the kind of information collected by parties is among the most sensitive information Canadians hold. It’s not only internal misuse that’s a danger, the privacy commissioner said. Successive privacy commissioners have done everything they could to move the issue forward, Therrien said, and it remains up to parliamentarians to “actually do something about it.” [The Star]

Consumer

WW – FOC Releases Cybersecurity Guidelines Protecting Human Rights

The Freedom Online Coalition has released new policy recommendations for human rights-based cybersecurity strategies. The recommendations are targeted toward policy makers and others in the cybersecurity industry, covering issues such as user security online and offline, responding to cyber threats, encryption, and anonymity. “These recommendations are a first step towards ensuring that cybersecurity policies and practices are based upon and fully consistent with human rights — effectively, that cybersecurity policies and practices are rights-respecting by design,” reads the guideline’s preamble. The recommendations received the support of all 30 FOC government member states. The U.S. and Canadian governments and industry representatives such as Mozilla have also backed the guidelines. [APC]

E-Mail

US – NIST Issues Draft eMail Security Guidance

The US National Institute of Standards and Security’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has released draft guidance on email security. The document describes several technologies that, if adopted, could increase the security of email communications. Comments will be accepted through December 19, 2016. [Uncle Sam emits DMS email security guide – now speak your brains] [DNS-Based Secured Email] See also: [Why do people still use email — or at least not secure it?]

EU Developments

EU – Article 29 WP Offers Tentative Support for EU-US Umbrella Agreement

The Article 29 Working Party, in a “revealing statement,” offered signs of support for the EU-U.S. Umbrella Agreement, while also delivering recommendations to ensure the act complies with EU law. The WP29 supports the initiative in creating a general data protection framework to bolster trans-Atlantic cooperation and in protecting and sharing data for law enforcement investigations. While the WP29 said the Umbrella Agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the U.S., some of which were concluded before the development of the EU data protection framework,” the group added clarification may be needed for the agreement to be consistent with EU law, specifically since personal data and data processing have different definitions in EU and U.S law, and restrictions on individuals’ rights to access their data are broad. [Hogan Lovells’ Chronicle of Data Protection]

EU-U.S. Umbrella Agreement Gets ‘Amber Light’ from Article 29 Working Party

The Article 29 Working Party has issued a revealing statement about the so-called EU-U.S. Umbrella Agreement, which is aimed at creating a high-level data protection framework in the context of transatlantic cooperation on criminal law enforcement. While broadly supportive, the Working Party intends to monitor whether the Umbrella Agreement fully satisfies key data protection requirements and whether it is in compliance with Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union. It also recommends requesting further assurances from the US government explaining and confirming the scope of redress rights granted to data subjects in the EU through the Judicial Redress Act, how records from US law enforcement agencies are exempted from the application of the Privacy Act, and the compatibility of these practices with the Umbrella Agreement. The Working Party adds that clarification may be needed to ensure that the level of protection of personal data afforded by the Umbrella Agreement is fully consistent with EU law, particularly given that:

  • The concepts of “personal data” and “data processing” are differently defined by US and EU law.
  • The data retention period is insufficiently strictly defined in relation to the purpose pursued.
  • The restrictions on individuals’ access rights are very broad.
  • Access could be improved by the establishment of an indirect access right mechanism.

Once the Agreement is approved by the European Parliament, the Working Party intends to continue to monitor its implementation and oversight measures to ensure that the rights afforded are effective. As part of this exercise, the Working Party undertakes to follow future developments in legislation and in the courts in the U.S. and the EU. This statement by the Working Party follows its recent announcement that it had created a working group for enforcement actions on organisations targeting several member states, which is yet another sign of the growing international ambitions of the EU data protection authorities. [Source]

EU – Personal Information Management Systems Can Support Data Protection Principles: EDPS

The European Data Protection Supervisor has explored the concept of personal information management systems (“PIMS”): technologies and ecosystems that use local or cloud-based storage to empower individuals to control the sharing of their personal data, using security and data protection as the main drivers (e.g. cryptography, data minimisation and anonymisation). PIMS use consent management and automated mechanisms to allow users to define at a granular level how their PI should be used and for what purposes, and enable them to track the way the PI is used. [European Data Protection Supervisor – Opinion 9/2016 on Personal Information Management Systems | Press Release]

UK – ICO UK Issues Code of Practice on Privacy Notices

The UK Information Commissioner’s Office has issued key recommendations for developing a clear and effective privacy notice.

The GDPR’s rules on notice are more detailed and specific than those in the Data Protection Act (e.g. information must be concise, transparent, intelligible and easily accessible, written in clear and plain language, particularly if addressed to a child, and free of charge), but data controllers may still consider where the information should be displayed in different layers of a notice; use a privacy notice checklist (i.e. what to include, where to give the notice, when to give the notice, and how to give the notice); and then test it, roll it out and continuously review it. [Information Commissioner’s Office, United Kingdom – Privacy Notices, Transparency and Control: A Code of Practice on Communicating Privacy Information to Individuals]

UK – ICO Recommends Personal Liability of Directors for Breaches of Data Protection Law

At a recent Parliamentary meeting to discuss the draft Digital Economy Bill, the UK Information Commissioner recommended imposing personal liability and accountability upon company directors. If such liability is imposed, it will mark a radical departure from the current law, under which directors of companies generally have no personal liability or accountability for breaches of data protection law committed by their companies. The ICO’s recommendations to the Committee include:

  • Reviewing the Bill against the GDPR, to ensure that the new requirements imposed by the Bill are consistent with the GDPR – in particular, the new rights afforded to individuals.
  • Putting the ICO’s Data Sharing Code of Practice and Direct Marketing Code of Practice on a statutory footing, effectively giving those Codes the force of law (whereas currently they are merely guidance).
  • Obliging companies to make their data sharing activities transparent at two levels, by requiring them to: (i) ensure that the purposes of the data sharing, and how it will occur, are made clear either at the point of collection of data, or in ways that are easily accessible by individuals; and (ii) implement safeguards and transparency in line with the ICO’s Privacy Notice Code of Practice.
  • Ensuring that data sharing, whilst beneficial for public interest reasons, is always kept proportionate, minimised as far as possible and undertaken in accordance with the Data Protection Act 1998.
  • Ensuring that the requirement for age verification does not result in an open-ended approach that allows the relevant websites to take large amounts of personal data from individuals. Secure and accredited third party providers of age verification systems should be used to ensure that the bare minimum of data are disclosed to such website owners.
  • Lowering the threshold for the requirement of ‘harm’, in relation to nuisance calls, to make it easier for the ICO to take enforcement action and issue fines.

[Whitecase.com | Regulator seeks further enforcement powers in its fight against nuisance marketing | Lexology]

Facts & Stats

CA – Tracking of Journalist Highlights Need for Guidance to Courts: Privacy Czar

Parliament has a role to play in instructing the courts on when to grant police a warrant to obtain sensitive data, privacy commissioner Daniel Therrien told a House of Commons committee this week. “This is a very worrisome issue,” Therrien said under questioning at a meeting of the Commons information, ethics and privacy committee, which is conducting a review of the federal Privacy Act. … “It’s one thing to say that the courts are involved,” Therrien said. “That’s a good start. But this case leads me to believe that that’s not adequate in itself. It may be useful to give the court tools so that they’re better able to exercise their power.” Among Therrien’s recommended revisions to the federal privacy regime is a call for agencies involved in law enforcement to publish regular reports on the requests they make to telecommunications companies for information about subscribers. Therrien noted that many communications outlets produce such transparency reports about the data they hand over to police and spies. “It’s one thing for companies to do it. But the ones who should really be transparent are those who ask for and use the information,” he said. Montreal-based La Presse newspaper said this week it had learned at least 24 surveillance warrants were issued for columnist Patrick Lagacé’s iPhone this year at the request of the city’s police service. Three warrants reportedly authorized police to get the phone numbers for all Lagacé’s incoming and outgoing texts and calls, while another allowed them to track the phone’s location via its GPS chip. [National News Watch | Police surveillance of journalist ‘worrisome’: Senator Pratte | Premier promises greater protection of journalists, sidesteps call for inquiry | Privacy czar decries tracking of journalist]

US – Washington State Attorney General Releases Data Breach Report

The personal information of at least 450,000 Washington state citizens was compromised between July 2015 and July 2016, according to a report from Attorney General Bob Ferguson. The report highlights the 39 data breaches that affected at least 500 individuals, reported under the stricter notification rules adopted by the state in 2015. While most breaches affected fewer than 10,000 individuals, T-Mobile reported an incident in which an intruder obtained the sensitive information of nearly 330,000 people. “Information is power, and this new law gives my office and Washingtonians valuable information about potential risk to their personal information and their businesses,” Ferguson said. “Data breaches are a serious threat to our security, and my office can use this information in our efforts to protect the people of Washington.” [Full Story]

Filtering

WW – 70 Rights Groups Urge Facebook to Clarify Its Content Removal Policies

In a letter sent to Facebook, more than 70 rights groups have called on the organization to explain its content removal policies, “especially at the behest of governments.” The missive alleges Facebook has removed content concerning police violence or war imagery, the report states. “When the most vulnerable members of society turn to your platform to document and share experiences of injustice, Facebook is morally obligated to protect that speech,” the letter said. While a Facebook spokeswoman said it was reviewing the letter, the company is still facing “international scrutiny amid several controversial takedowns and reversals in recent months, including the company’s handling of an iconic Vietnam War photo showing a naked girl burned by napalm,” the report adds. [Reuters]

FOI

WW – Google Releases Transparency Report for First Half of 2016

According to Google’s most recent transparency report, which covers the first six months of 2016, it received nearly 45,000 requests for information regarding more than 76,000 accounts from governments around the world. While the volume of government requests for user data that Google receives has risen, the proportion of those requests it complies with has remained steady at about 64 percent. The report also notes that the FBI lifted a gag order on a National Security Letter issued in the second half of 2015. [Google discloses FBI inquiry | Government Requests for Google User Data Rise Steadily | Building on Surveillance Reform (Google blog)]

CA – Ontario Health-care Watchdogs Making Cautions Issued Over Mistakes or Bad Behaviour Public

Ontario’s health-care watchdogs are lifting the veil of secrecy surrounding cautions given to dentists, nurses, pharmacists and others for mistakes or improper behaviour. Doctors’ cautions became public last year. Until recently, cautions — such as those issued for drug-dispensing errors or delays in sending patients for crucial follow-up appointments — were kept secret from the public, including future patients who critics say deserved to know the track record of each health professional. The decision was prompted by a 2013 Toronto Star investigation. Since the Star stories, Ontario’s health regulatory colleges have been developing measures that would tell the public when their members receive cautions. There are now 26 colleges that regulate the province’s more than 300,000 health-care professionals. Most colleges have decided to post cautions publicly on their websites, while three are considering proposals to do so. The College of Physicians and Surgeons of Ontario began making cautions public last year. [The Star]

Genetics

US – NIH-Funded Genetic Sequencing Project Filled with Privacy Concerns

A National Institutes of Health-funded genetic sequencing project is offering parents of newborns the opportunity to discover if their infants are more likely to have genetic conditions, but privacy concerns have emerged. Researchers are using the BabySeq project to determine whether discovering a child’s genetic makeup could benefit their health or increase health care costs. However, any results from the genetic sequencing will permanently go on a child’s medical record. Federal law prohibits health care providers and workplaces from discriminating against medical conditions, but life insurers can use the information to determine who receives a policy. “It really gave me pause that this would be part of the medical record that private companies would have access to,” said Lauren Patrick, a parent who declined participating in the project. “That was my full stop in the end.” [Full Story]

Horror Stories

AU – 550,000 Blood Donors’ Data Leaked in Red Cross Blood Service Breach

Australian Red Cross Blood Service CEO Shelly Park has said that a mistake made by a contractor in charge of the organization’s website led to the accidental publication of more than 550,000 blood donors’ personal information on a public-facing, unencrypted development section of the site. The data was accessed and sent to Microsoft’s Troy Hunt, who “reported the person who gained access to the information had contacted him, revealing [his] own personal details and a 1.74GB data file containing the records,” the report states. Park said the organization was looking into the breach and notifying those affected, with Australian Privacy Commissioner Timothy Pilgrim announcing his office’s own investigation. [The Sydney Morning Herald]

Internet / WWW

EU – Merkel: Internet Platform Algorithms Need More Transparency

German Chancellor Angela Merkel is pushing internet platforms to be more transparent with their algorithms. Merkel believes the lack of transparency harms debating culture and advocates for internet users to have a means by which to find out how they received information through search engines. “I’m of the opinion that algorithms must be made more transparent, so that one can inform oneself as an interested citizen about questions like ‘what influences my behaviour on the internet and that of others?’” said Merkel. “Algorithms, when they are not transparent, can lead to a distortion of our perception, they can shrink our expanse of information.” [The Guardian]

UK – Company Says It Can Determine Voters’ Personality to Help Target for Campaigns

Cambridge Analytica CEO Alexander Nix claims that the company can “determine the personality of every single adult in the United States of America,” and the Trump campaign is paying “millions of dollars” for the company’s assistance. “The firm says it can predict how most people will vote by using up to 5,000 pieces of data about every American adult, combined with the result of hundreds of thousands of personality and behavioral surveys, to identify millions of voters who are most open to being persuaded to support Trump,” the report states. Some are critical that the company can do that successfully. Yale University’s Eitan Hersh, author of “Hacking the Electorate,” argues that Cambridge Analytica’s claims are “basically impossible … You can do better randomly guessing.” [The Washington Post]

WW – Facebook Tool Allows Advertisers to Target, Exclude ‘Ethnic Affinities’

Facebook allows advertisers to tailor ads to exclude or target groups it dubs “Ethnic Affinities.” The Civil Rights Act of 1964 and the Fair Housing Act of 1968 make such moves illegal, the report states. “This is horrifying. This is massively illegal,” said civil rights lawyer John Relman. “This is about as blatant a violation of the federal Fair Housing Act as one can find.” Facebook representatives said they would be moving the “Ethnic Affinity” category out of the “Demographics” section of its ad-building tool. “We take a strong stand against advertisers misusing our platform: Our policies prohibit using our targeting options to discriminate, and they require compliance with the law,” said Facebook Privacy and Public Policy Manager Steve Satterfield. [ProPublica]

Law Enforcement

CA – Montreal Cops Have Tracked a Journalist’s Cellphone for the Past Year

On Monday Montreal newspaper La Presse published details on surveillance warrants, at least 24 in total, obtained to surveil journalist Patrick Lagacé. … Lagacé, who works at La Presse, had been in contact with Faycal Djelidi, a Montreal police officer under investigation for a number of crimes, including perjury and obstruction of justice. When Lagacé’s number popped up on Djelidi’s phone, the Montreal police obtained the initial surveillance warrants for the journalist’s device. … The case, just one of many instances of Canadian cops investigating journalists in recent years, shows how willing police are to compromise journalists’ protection of their sources, La Presse said in a statement. [Vice.com | ‘A Detrimental Chilling Effect’: VICE Pushes Back in Legal Fight With Canadian Police – April 29, 2016 | Media Coalition and Civil Liberties Groups Granted Say in VICE Case Against RCMP – October 27, 2016 | How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists | Montreal police spied on La Presse journalist Patrick Lagacé | La Presse columnist says he was put under police surveillance as part of ‘attempt to intimidate’ | We’re spied on more often than you think, journalists groups say | 3 other journalists allegedly under surveillance by Montreal police | Police surveillance scandal: Quebec tightens rules for monitoring journalists]

US – On-Demand Cell Phone Searches Hurt Teenagers on Parole

Should law enforcement get an all-access, long-term pass to a teenager’s cell phone, just because he or she had a run-in with police? That question is in front of California’s highest court, and in an amicus brief filed earlier this month, EFF and the three California offices of the ACLU warned that it was a highly invasive and unconstitutional condition of juvenile parole. In this case, a teenager known in court documents as Ricardo P. admitted to two cases of burglary. One condition of his parole was that he submit his phone to search at any time, whether by his probation officers or any peace officer, even though his phone use had nothing to do with the commission of the crimes. But the U.S. Supreme Court has ruled that you cannot treat personal electronic devices so cavalierly. In 2014, the court in Riley v. California recognized that government searches of cellphones implicate personal privacy in ways that few things do, and rejected the government’s claims that cellphones can be searched without a warrant. After all, cell phones contain the sum of all of our lives, including our religious views, our sexual orientations, our health conditions, our physical movements throughout the day, and more. And the privacy implications go far further than the individual juvenile on parole. Everyone the child talks to also has personal information that is exposed to law enforcement. An on-demand search without any probable cause is like letting the government have a long-running wiretap—unprecedented for a probation condition for a juvenile. [EFF]

Offshore

US – FedRAMP Improvements Made

FedRAMP (the Federal Risk and Authorization Management Program) has streamlined the process cloud services companies must go through to be approved, which has increased the number of authorized services. FedRAMP has also implemented a new dashboard that is easier for federal agencies to use. [Federal News Radio: FedRAMP overhaul begins paying dividends]

Online Privacy

WW – How Despots Use Twitter to Hunt Dissidents

Twitter’s ‘firehose’ of a half billion tweets a day is incredibly valuable—and just as dangerous. …if Twitter provides a rare outlet for criticism of repressive regimes, it’s also useful to those regimes for tracking down and punishing critics. There have been dozens of Twitter-related prosecutions in Saudi Arabia, according to Human Rights Watch. Twitter is still popular in Saudi Arabia but it no longer hosts much dissent. Activists are careful to tweet in coded language, if they tweet at all. “People don’t openly discuss important things on Twitter anymore,” says Ali Adubisi, a Saudi human-rights activist. “Twitter is totally different, totally silent, totally weak.” [Bloomberg]

WW – Company to Pull Plan to Price Car Insurance Based on Facebook Posts

Admiral has been forced to scrap plans to use Facebook posts to analyse the personalities of car owners and set the price of their insurance after the social media company said the scheme breached its privacy rules. In an embarrassing U-turn, the insurance firm pulled the product less than two hours before it was due to officially launch. The product, called firstcarquote, was launched later with “reduced functionality”: users can log in to the product with Facebook but it will no longer analyse their data. Facebook said protecting the privacy of its users was of the “utmost importance” and that it had clear guidelines about how information obtained from the site should be used. Privacy campaigners welcomed Admiral’s reversal but said that it was only the start of other companies trying to use personal data in a similar way. The scheme would be voluntary and not apply price increases to drivers deemed to be more risky. [The Guardian]

Privacy (US)

US – Judge Rejects Settlement Over Surveillance of Muslims by NYPD

A federal judge has rejected the settlement of a lawsuit stemming from the New York Police Department’s surveillance of Muslims, saying the proposed deal does not provide enough oversight of an agency that he said had shown a “systemic inclination” to ignore rules protecting free speech and religion. In January, Mayor Bill de Blasio, a Democrat, agreed to appoint a civilian lawyer to monitor the department’s counterterrorism activities as a means of settling two lawsuits accusing the city of violating the rights of Muslims over the past decade. But the judge, Charles S. Haight Jr., in an opinion published on Monday, said the settlement did not go far enough for an agency that had become “accustomed to disregarding” court orders. “The proposed role and powers of the civilian representative,” Judge Haight wrote, “do not furnish sufficient protection from potential violations of the constitutional rights of those law-abiding Muslims and believers in Islam who live, move and have their being in this city.” The decision means lawyers for both sides will have to negotiate changes to the settlement or fight the lawsuit in court. Jethro Eisenstein, a civil rights lawyer in the case, said he and his colleagues planned to discuss the ruling with city lawyers. [New York Times]

US – Judge Rules Anxiety Cannot Be Used To Claim Damages

Plaintiffs in a class-action lawsuit against Barnes & Noble stemming from a 2012 data breach were able to prove their standing, but could not adequately claim they suffered damages. The plaintiffs claimed the book chain invaded their privacy and violated several laws after the incident where cyber criminals hacked Barnes & Noble PIN pad terminals. The plaintiffs’ original complaint was shot down in 2013, and their amended complaint was also rejected by a judge last month. “Plaintiffs did allege monetary harm such as costs associated with renewing identity protection monitoring services,” said Reed Smith Associate Brian Willett. “But the court found that those claims, in addition to suffering anxiety based on the PIN pad tampering, were insufficient to support the suit.” In other news, an appeals court ruled the victims of a Nationwide Insurance data breach do not need to establish their standing to prove they are in danger. [Penn Record]

US – Anthem Breach Victims File Class Action, Seek OPM Audit Data

Victims of the 2015 Anthem data breach have filed a class-action lawsuit against the health insurer. Plaintiffs are also asking for information on an audit conducted by the U.S. Office of Personnel Management on the state of Anthem’s network security. The OPM first conducted an audit in 2013, but Anthem turned down the agency’s request to conduct tests, with the company citing “corporate policy” issues. The OPM conducted its second audit following the breach, but the findings were not released to the public. The plaintiffs claim if the audit discovered security vulnerabilities, then Anthem had the ability to prevent the cyberattack, making it important for the information to be made public. [Modern Healthcare]

Security

WW – Study: One-Third of Targeted Breaches Succeed While Majority of Execs Say their Infosec Practices Work

An Accenture survey of 2,000 security officers from large enterprises worldwide has found that one-third of targeted breaches against companies are successful, but three-quarters of executives are still confident in their infosecurity practices. “To survive in this contradictory and increasingly risky landscape, organizations need to reboot their approaches to cybersecurity,” the report, entitled “Building Confidence: Facing the Cybersecurity Conundrum,” states. “Ultimately, many remain unsure of their ability to manage the internal threats with the greatest cybersecurity impact even as they continue to prioritize external initiatives that produce the lowest return on investment.” Focusing mainly on data protection law compliance isn’t enough to protect data, the study adds. Meanwhile, a BDO USA survey of 160 companies has found that 74% of directors say that their boards are increasingly discussing cybersecurity issues. [Bloomberg Technology]

US – Report: Private Sector Must Incorporate ‘Active Defense’ Into Cybersecurity Efforts

The GW Center for Cyber and Homeland Security has released a report detailing the private sector’s role in implementing cybersecurity protocols. “Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats” explains why the private sector is responsible for defending itself against attacks while the government will offer assistance by providing a framework for incorporating “active defense” into cybersecurity methodology. “These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the internet, as well as other policy tools that can modify the behavior of malicious actors,” the report states. In other news, research firm Forrester predicts the next president will face a cyber crisis within the first 100 days of his or her term. [Lawfare]

Smart Cities

US – D.C. Plans Streetlights That Save Money, Offer Wi-Fi, Help with Parking

D.C.’s technology office envisions a Washington with streetlights that not only have a motion detector but also offer Wi-Fi and live video of every street in the city, and trash cans that let the city know when they need to be emptied. There are more than 71,000 streetlights in the District, not all of them working. Chief Technology Officer Archana Vemulapalli is leading an effort to convert all of them to smart technology hubs that will one day bring free Wi-Fi to students who don’t have internet connectivity at home, provide police with real-time video of every street in the District, and allow the District’s Department of Transportation to monitor and regulate traffic from one remote location. [NBC]

Surveillance

WW – Holiday Shoppers’ Appetite for New Smartphones Comes With Steep Data Privacy Price

A new research study released by Blancco Technology Group, “Holiday Shopping: When Smartphone Upgrades Go Wrong in a BYOD Workplace” reveals that 68% of mobile users plan to purchase a new smartphone during the holiday shopping season. But new smartphones and insecure mobile data practices will come with a steep data privacy price – both for smartphone owners and their employers. Key findings from the study include:

  • Promotional incentives and discounts sway holiday shoppers to ditch old phones.
  • Data privacy fears don’t halt holiday shoppers’ plans to trade in and resell old phones.
  • Customer records, patent filings and system login credentials top the list of corporate data loss fears.
  • Despite fears of credit card numbers, company emails and customer lists being exposed, 72% of mobile users automatically connect to available WiFi connections and 76% connect to company networks.
  • Keeping mobile data safe is a thorny issue for users and employers. Over half (56%) of the surveyed mobile users reported storing both personal and corporate information on their smartphones.
  • However, 42% of mobile users said their company does not have visibility into which types and quantities of corporate data are stored on their smartphones. [Newswire]

Telecom / TV

US – FCC Approves New Internet Data Privacy Rules

The US Federal Communications Commission (FCC) has approved new rules aimed at protecting sensitive consumer data. The rules require broadband providers, including Verizon, Comcast, and AT&T, to obtain customers’ permission before sharing data the FCC has deemed to be sensitive. These data include precise geo-location; financial information; health information; children’s information; web browsing and app usage histories; and contents of communications. ISPs also must be clear about what information they collect and with whom they share it. [FCC ruling means users must ‘opt in’ to let data be sold | FCC approves new privacy rules for ‘sensitive’ internet data | FCC imposes new consumer privacy rules on ISPs | The FCC just passed sweeping new rules to protect your online privacy | FCC Adopts Privacy Rules to Give Broadband Consumers Increased Choice, Transparency, and Security for Their Personal Data] SEE ALSO: [The FCC’s new privacy rules are toothless]
