10–21 December 2016

Canada

CA – Make Federal Data Protection And Breach Reporting The Law, MPs Say

A group of MPs is advocating for new legislation requiring federal agencies to properly protect personal data and to report breaches in a timely manner. The recommendations come from the Commons Committee on Ethics, Information and Privacy and urge updates to the 33-year-old Privacy Act. The committee cited the Health Canada breach in 2013, when 41,000 letters housed in windowed envelopes were sent to recipients taking part in the department’s medical marijuana program. The agency, at the time, did not report the incident to the Office of the Privacy Commissioner of Canada. [CBC]

CA – Op-ed: SCISA Statute Greatly Harms Privacy Rights

In an op-ed for the Toronto Star, former Privacy Commissioner of Ontario Ann Cavoukian and British Columbia Civil Liberties Association Policy Director Michael Vonn speak out against the Security of Canada Information Sharing Act statute within Bill C-51. The SCISA allows personal information to be shared among numerous government entities for analysis if it potentially impacts the country’s security. “There is no question that SCISA is a fiasco from the perspective of Canadians’ privacy rights, leaving only the question of whether it is nonetheless necessary for security. While information sharing is necessary for national security purposes, the previous law already made provisions for that.” “We join every privacy commissioner in the country in saying that no compelling explanation has ever been provided as to why our previous laws were inadequate for national security purposes, let alone why a ‘blowing-open-the-barn-door’ approach is the appropriate remedy.” [The Toronto Star]

CA – Quebec Commissioner Recommends Reforms to the Private Sector Act

The Commission d’accès à l’information has proposed recommendations to the Act respecting the protection of personal information in the private sector. It should be prohibited to collect, use and communicate personal information for any purpose other than medical, scientific or legal purposes, or genetic information for employment-related reasons, and express consent should be required for sensitive data processing (consent can be withdrawn at any time); transfers outside Quebec should be assessed for impacts and risks to personal information protection, and implementation of biometrics should require a risk assessment, storage measures, mandatory destruction of original characteristics, and localized databases. [Important Recommendations From the Quebec Privacy Commissioner on the Protection of Personal Information – Eloise Gratton and Raphael Girard – Borden Ladner Gervais LLP]

CA – Ontario Public Institutions Should Implement RIM Practices to Improve Records Access

The OIPC ON has provided guidance to assist institutions in understanding the relationship between good records and information management practices and the ability to meet obligations under FIPPA and MFIPPA. Information that is appropriately created (through proper classification), managed (by assigning responsibility), stored (using appropriate organizational, technical and physical safeguards), and destroyed (consistent with specific retention schedules) is easier for staff to find and use; access requests will then be processed with greater efficiency (staff time spent searching for records is reduced, as are the risks of failing to provide records or to meet response timelines). [OIPC ON – Improving Access and Privacy with Records and Information Management]

CA – OIPC SK Issues Privacy Breach Guidelines for Trustees

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance to health trustees regarding privacy breaches, pursuant to The Health Information Protection Act. Trustees must contain the breach (cease the unauthorized practice and shut down breached systems), investigate the breach (consider what PHI was involved, who was involved, who is affected, and the root cause), and prevent future breaches (determine additional safeguards and training, and whether policies and procedures are being followed; when employee snooping is suspected, the employee’s access should be suspended and an interview conducted to establish whether their login information has been shared or whether they regularly log off the account). [OIPC SK – Privacy Breach Guidelines for Trustees]

CA – NWT Supreme Court Finds No Harm from Disclosure of Public Body’s Agreement With Third Party

The Supreme Court of the Northwest Territories considered whether the Department of Industry, Tourism and Investment of the Government of the Northwest Territories erred in deciding to release records related to Deepak International Ltd. Release of monitoring, trademark licence and certification agreements would not harm the third party’s business interests; sensitive business information contained in the agreements was redacted by the public body, and the remaining content does not contain information that could impact the third party’s bargaining position, or result in a foreseeable negative impact or loss. [Deepak International Ltd. v. NWT and Hilary Bird – 2016 NWTSC 66 – Supreme Court of the NWT]

CA – Other Privacy News

Consumer

US – Forrester Offers New Research on Consumer Privacy Expectations

Forrester Principal Analyst Fatemeh Khatibloo discusses how Forrester wanted to create a way for businesses to assess their customers’ feelings toward privacy in order to better implement the privacy frameworks Forrester has created. Khatibloo writes about Forrester’s Consumer Privacy Segmentation, which defined four groups of consumers based on their attitudes and behaviors toward personal data collection and use. The report finds older, less tech-savvy consumers feel helpless to protect their data online, while younger customers tend to hold companies to higher standards. “It turns out that Millennials aren’t as cavalier about their personal data as some people would like to believe. And the moment they hit some key milestones in life — parenthood or homeownership, for example — their privacy attitudes change dramatically. But it’s not just data ethics they care about: they expect the companies they do business with to ‘give back,’ too.” [Forbes]

E-Mail

US – Gmail Scanning Case Reaches Settlement

Google has agreed to change its email processing procedures in order to settle a class action alleging that it scanned non-Gmail users’ messages in violation of state and federal wiretapping laws, The Recorder reports. The Tuesday-released settlement outlines Google’s promise to “eliminate any processing of emails to target ads or build marketing profiles until after messages have arrived in a Gmail users’ inbox” for at least three years, the report states. “Though the technical changes hardly seem to resolve the privacy concerns that spurred the litigation, plaintiffs’ lawyers … deemed them ‘substantial,’” the report adds. The firms have asked for $2.2 million in fees. U.S. District Judge Lucy Koh, who is overseeing the suit, will either approve or deny the deal. [The Recorder]

Encryption

WW – New Site Checks News and Media Sites’ Use of Encryption

A new website launched by the Freedom of the Press Foundation (FPF) scans media websites and checks their use of encryption, including their support of HTTPS. FPF’s Secure the News project checks whether the sites implement encryption by default and whether they are susceptible to HTTPS downgrade attacks, in which browsers are tricked into loading unencrypted versions of the site. Such attacks can be guarded against through the use of the HTTP Strict Transport Security (HSTS) header. Just four of the 104 sites listed received an A while 75 received Ds and Fs. [Wired]
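The two properties the article describes (HTTPS by default, and an HSTS policy that stops a later downgrade) can be scored from a site's response headers. This is an added example written for this digest, not code from Wired or from the Secure the News project; the letter-grade rubric, the `SiteProbe` record and the sample probes are all constructed here and are not Secure the News's actual scoring.

```python
"""Grade a site's HTTPS deployment from probe results (added example)."""
from dataclasses import dataclass
from typing import Optional

# A common minimum for a meaningful HSTS max-age: six months, in seconds.
SIX_MONTHS = 15552000


@dataclass
class SiteProbe:
    """What a probe of one site observed. Constructed for this example;
    a real checker would fill these fields from live HTTP(S) requests."""
    domain: str
    https_available: bool          # does https://<domain>/ load at all?
    http_redirects_to_https: bool  # does http://<domain>/ redirect to https?
    hsts_header: Optional[str]     # Strict-Transport-Security value, or None


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains, preload), or None when the header is
    missing or carries no valid max-age directive (a browser ignores it then).
    """
    if not value:
        return None
    max_age = None
    include_sub = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


def grade(probe):
    """Letter grade under this example's (constructed) rubric.

    F: no HTTPS at all.
    D: HTTPS exists but plain http:// is served, so a network attacker can keep
       a user on the unencrypted version (the downgrade the article describes).
    C: HTTPS by default, but no HSTS: the first request of each visit is still
       over http:// and can be intercepted before the redirect.
    B: HSTS present but short-lived (< 6 months) or not covering subdomains.
    A: HTTPS by default plus a long-lived HSTS policy covering subdomains.
    """
    if not probe.https_available:
        return "F"
    if not probe.http_redirects_to_https:
        return "D"
    hsts = parse_hsts(probe.hsts_header)
    if hsts is None or hsts[0] == 0:   # max-age=0 tells browsers to forget the policy
        return "C"
    max_age, include_sub, _preload = hsts
    if max_age < SIX_MONTHS or not include_sub:
        return "B"
    return "A"


def grade_all(probes):
    """Map each domain to its grade; a summary like the article's A/D/F counts."""
    return {p.domain: grade(p) for p in probes}


# Constructed probes (placeholder domains, not real measurements).
SAMPLE_PROBES = [
    SiteProbe("a-news.example", True, True,
              "max-age=31536000; includeSubDomains; preload"),
    SiteProbe("b-news.example", True, True, "max-age=300"),
    SiteProbe("c-news.example", True, True, None),
    SiteProbe("d-news.example", True, False, None),
    SiteProbe("f-news.example", False, False, None),
    SiteProbe("bad-hsts.example", True, True, "max-age=abc; includeSubDomains"),
]

if __name__ == "__main__":
    for domain, letter in grade_all(SAMPLE_PROBES).items():
        print(f"{domain:20s} {letter}")
```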

WW – Filmmakers and Photojournalists Want Encrypted Cameras

More than 150 documentary filmmakers and photojournalists have signed an open letter from the Freedom of the Press Foundation asking camera makers to add encryption to still photo and video cameras so that if the devices are stolen or seized by authorities, they will not immediately offer up sensitive information. Most smartphones encrypt stored data by default, and encrypted storage software is readily available for PCs, but cameras lack similar protections. [Wired.com | The Register | CNet.com]

EU Developments

EU – WP29 Releases Guidance on DPOs, Data Portability, One-Stop Shop

The EU’s Article 29 Working Party emerged from its December plenary meeting with a number of GDPR application guidance documents, including explanations for the mandatory DPO role, the mechanisms for data portability, how a “lead authority” to lead the one-stop shop enforcement mechanism will be established, and some notes on enforcement and the EU-U.S. Privacy Shield. The WP29 welcomes comments on the guidance from stakeholders through January 2017. Feedback can be directed to just-article29wp-sec@ec.europa.eu and presidenceg29@cnil.fr. [IAPP.org] [Guidelines on the Right to Data Portability – Working Paper 242]

EU – New France Law Requires Companies with Over 50 Employees to Implement Whistleblower Procedures

The French legislature has approved the Law on Transparency, the Fight against Corruption and Modernization of Economic Life (“Law”): the Law will come into force after publication of an administrative decree. Companies must implement internal alert procedures to allow employees to disclose criminal offenses, serious and obvious violations of an international commitment, and threats or serious risks to the general interest; companies can be liable for a criminal fine of up to €75,000 for restraining employees from alerting about a crime, and up to €50,000 for revealing information that could lead to identification of a whistleblower. [Law No. 2016-1691 of 9 December 2016 on Transparency and the Fight Against Corruption and Modernisation of the Economy Available in French | Related Article]

Facts & Stats

US – 4% of Americans Are Revenge Porn Victims: Report

A report from the Data & Society Research Institute and the Center for Innovative Public Health Research states 4% of internet users in the U.S. have been victims of nonconsensual pornography. The report found 3% of Americans have had someone threaten to post explicit photos of them online, with 2% stating a photo of them was posted online without their permission. The combined total of revenge porn victims equals roughly 10.4 million Americans. “Nonconsensual pornography can have a devastating and lasting impact on victims, so it’s vital that we understand how common this is and who is affected.” [DataSociety.net See also: The first person was sentenced to jail under Oregon’s recently enacted revenge porn law | New South Wales Attorney General Gabrielle Upton has called for national revenge porn law as state version garners support]

WW – 1.6B Records Compromised in 2016: Report

IT Governance has compiled a list of every data breach in 2016, estimating more than 1.6 billion records were compromised. The number is up from the 480 million breached records in 2015. June and November were the two worst months for data breaches in 2016. Voter breaches in June propelled the number of compromised records to 289,150,000, while 456,403,757 records were compromised in November, one of the worst months for security on record. More than 412 million of the records breached in November came from adult websites. [The Daily Dot]

US – Data Breach Insurance Claims Up in 2016

According to data from CFC Underwriting, the company handled more than 400 cyber breach policy claims in 2016. The majority of claims are from cases involving data breaches and money transfer schemes. [Insurers handling ‘hundreds’ of breach claims | The Register: Cyber insurance brokers: If it makes you feel any better, 2016 was not our year either]

Filtering

US – Bill Requires Porn Filters on New Computers

A bill introduced in South Carolina would require companies making and selling computers in that state to install filters to prevent users from accessing porn and other sexual content. The goal is to prevent access to sites facilitating prostitution and human trafficking. The South Carolina House Judiciary Committee will consider the bill when legislators reconvene in January. [New state bill wants to put porn blocks on new computers | South Carolina will debate bill to block porn on new computers]

Finance

US – Banks Finding Middle Ground for Data Portability

Many banks have resisted calls from data aggregators to make users’ financial data portable, a feature favored by many millennials. Banks have argued the practice is filled with risk and can lead to identity theft, but aggregators contend banks oppose the practice because of competition with other banks. According to a new report, some financial institutions are finding a middle ground by partnering with third-party providers that offer consumers some portability options. Wells Fargo is partnering with data-sharing platform Xero for this purpose. “Anytime a customer shares banking credentials, there’s risk involved,” said Wells Fargo’s Brett Mills. “Because of this, it’s imperative we work toward implementing ways to share information with third parties that don’t require our customers to provide their confidential login credentials.” [American Banker]

FOI

US – Google Publishes 21 National Security Letters

Google has released the content of eight National Security Letters it received from the FBI between 2010 and 2015. In October, Google received permission from the FBI to publish the documents, which were all accompanied by gag orders when originally issued. The eight letters request information on a total of 21 accounts. [CSMonitor | ComputerWorld | blog.google]

Health / Medical

EU – ENISA Issues Best Practices for Smart Hospitals

ENISA has published a study on information security in EU hospitals, surveying information security officers in more than 10 hospitals across the EU. Hospitals should implement BYOD controls on patient and employee devices, monitor how Internet of Things components interact with medical systems, implement whitelisting for application installation onto the hospital’s systems, and ensure senior executives understand the trade-off between cyber security measures and their impact on the provision of services; industry and the EU should apply medical device regulation to critical infrastructure components, adapt information security standards to healthcare, and involve third parties in testing activities. [ENISA – Smart Hospitals | Press Release | ENISA – Smart Hospitals Study]

US – Study: Privacy Concerns Keep Teens and Young Adults from Seeking Sexual Health Assistance

A U.S. National Center for Health Statistics report has found that an estimated 7% of teens and young adults would not seek sexual health assistance due to privacy concerns. “The youngest teens expressed the greatest reluctance… Almost one in five 15- to 17-year-olds said they would not seek that care because their parents could find out.” There were also gender-based disparities. While the percentage of females aged 18-25 with privacy concerns and those without differed by 20%, “there were no large differences in the percentages receiving sexual and reproductive services based on confidentiality concerns” for males. “It’s important that we monitor any barriers that youth may experience to obtaining health care,” said the NCHS. [U.S. News & World Report]

US – ONC Creates Contest to Update Model Privacy Notice

The Office of the National Coordinator for Health Information Technology has created a new challenge for health care privacy professionals, software developers, and other stakeholders to enhance the voluntary Model Privacy Notice so that it better represents the current mobile health environment. The ONC wants contestants to draw from the existing Model Privacy Notice template “to create an online tool that can generate a user-friendly snapshot of a product’s privacy practices.” The ONC will award $35,000 in prizes and is asking for all entries to be submitted to Challenge.gov by April 10, 2017. [Health Data Management]

US – NGA Releases Report to Help Navigate Medical Privacy Laws

The National Governors Association has released a report designed to help states navigate conflicting medical privacy laws and policies affecting the flow of health data. The NGA report covers challenges providers face when sharing patient information and highlights examples of states successfully developing strategies for distributing data. Recommendations from the NGA include creating a team of state government officials who have the authority to make policy decisions and an advisory group that can discuss the practical considerations for policy change. The report cites four states that passed legislation to supplant state laws so as to allow providers and hospitals to share patient information. “There are hundreds and hundreds and hundreds of state medical privacy laws, and the ugly truth is that it’s not possible to comply with all of them,” said one attorney. [The Hill]

Horror Stories

WW – Yahoo Confirms 2013 Data Breach Affecting 1B Users, Biggest in History

Following its confirmation of a data breach in 2014 affecting 500 million users, Yahoo said it discovered another cyberattack from 2013, compromising more than 1 billion accounts. Yahoo believes the two incidents are connected and said the breaches are “state-sponsored,” Yahoo CISO Bob Lord wrote in a blog post. The attackers used “forged cookies” to access user accounts without passwords; with these cookies, the attackers could pose as the legitimate owner of an account. Yahoo said the compromised information could have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and in certain cases, encrypted or unencrypted security questions and answers. Yahoo said no financial information was affected. The company is notifying affected users and asking them to change their passwords. The announcement has prompted Sen. Mark Warner, D-Va., to call for an investigation. [The Guardian | Wired | The Register | ZDnet | Krebsonsecurity]

US – Ashley Madison Settles FTC, State Data Breach Charges

The Federal Trade Commission announced the operators of AshleyMadison.com have agreed to settle FTC and state charges alleging the dating website deceived customers and failed to protect user information following the 2015 data breach affecting 36 million users. Ashley Madison will pay a total of $1.6 million in the settlement and will have to implement a comprehensive data security program, including assessments from third parties. “This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC Chairwoman Edith Ramirez. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users’ personal information from criminal hackers going forward.” [FTC.gov | Press Release | Order]

Identity Issues

US – Virginia State Court Rules License Plate Info is Not Personal Information

A Virginia State court considered cross-motions for summary judgment in a complaint against Defendants Fairfax County Police Department and Colonel Edwin C. Roessler, Jr., Fairfax Chief of Police pursuant to Virginia law. License plate numbers do not refer to an individual person, there is no privacy interest in information that is publicly disclosed (even if such disclosure is required by law), and U.S. case law provides that no Fourth Amendment search has occurred when a law enforcement officer runs a check of a license plate; Virginia may therefore deploy and use automatic license plate readers and subsequently store license plate numbers for 364 days under existing State law. [Harrison Neal v. Fairfax County Police Department et al. – Opinion – Nineteenth Judicial Circuit of Virginia]

EU – DPA Iceland Recommends Government Review Mandatory Disclosure of Personal ID Numbers for Health Purposes

The Icelandic data protection authority addressed a query concerning the proportionality of data collection by the Director of Health pursuant to the Data Protection Act. The Medical Association opposes the Directorate of Health’s ongoing request for extensive identifiable patient data, authorized by law, as disproportionate and unnecessary; the DPA advises that it is the courts (not the government) that must consider the constitutionality of the law, that a data subject’s objection to processing under the Data Protection Act should be respected, and that the Directorate may wish to examine whether changes to the legislation would be appropriate (in light of public opposition in other Nordic countries to such compelled disclosures). [DPA Iceland – Case No. 2016/766 – Directorate of Health]

US – Differential Privacy Integral to Harvard Privacy Tools Project’s Newest Research

A Harvard Privacy Tools Project team is developing a privacy tool that uses differential privacy to share data like disease diagnoses or political leanings with researchers while protecting the privacy of the subjects. “The differential privacy tool that the project is developing is a computational tour de force that achieves anonymity for individuals by introducing random noise into the way statistics about the data are computed… The amount of noise is carefully calibrated to hide the contribution of each individual person, but still reveal larger effects,” said Principal Investigator Salil Vadhan. “And so there is a trade-off… You get greater privacy protection the more noise you introduce.” [Harvard Magazine]
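The calibration Vadhan describes is, for a simple count, the Laplace mechanism: noise drawn with scale sensitivity/ε, where ε is the privacy parameter. The block below is an added example for this digest, not code from Harvard Magazine or from the Privacy Tools Project; the dataset is constructed, and the check at the end verifies the guarantee directly by bounding how much one person's presence can change the distribution of the released value.

```python
"""Laplace mechanism for a differentially private count (added example)."""
import math
import random

# Constructed dataset: one record per person, True if the person has a given
# diagnosis. The statistic we want to release is how many are True.
RECORDS = [True, False, True, True, False, False, True, False, True, False]


def true_count(records):
    """The exact statistic; releasing it directly would reveal, by comparison
    with a neighbouring dataset, whether one specific person has the diagnosis."""
    return sum(1 for r in records if r)


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = sensitivity / epsilon.

    Adding or removing one person changes a count by at most 1, so its
    sensitivity is 1. A smaller epsilon (stronger privacy) gives a larger scale,
    i.e. more noise: the trade-off quoted in the article.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(scale, rng):
    """Laplace(0, scale) noise as the difference of two exponentials with rate
    1/scale; uses only the standard library."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def noisy_count(records, epsilon, rng):
    """Release the count with Laplace noise calibrated to epsilon."""
    return true_count(records) + sample_laplace(laplace_scale(1, epsilon), rng)


def demo_release(epsilon, seed):
    """Deterministic release of the constructed dataset's count for a given seed."""
    return noisy_count(RECORDS, epsilon, random.Random(seed))


def expected_abs_error(sensitivity, epsilon):
    """Mean absolute error of the released value equals the Laplace scale, so
    the utility cost of a given epsilon can be read off before running anything."""
    return laplace_scale(sensitivity, epsilon)


def privacy_loss_bound(epsilon):
    """exp(epsilon): the factor by which one person's presence may change the
    probability of any released value under epsilon-differential privacy."""
    return math.exp(epsilon)


def laplace_density(x, center, scale):
    return math.exp(-abs(x - center) / scale) / (2.0 * scale)


def worst_case_density_ratio(epsilon, outputs):
    """Check the guarantee directly for a count.

    Two datasets differing in one person have true counts c and c + 1. For each
    candidate released value x, compare the density of the mechanism's output
    under both; the largest ratio (either direction) must not exceed exp(epsilon).
    """
    scale = laplace_scale(1, epsilon)
    worst = 1.0
    for x in outputs:
        r = laplace_density(x, 0.0, scale) / laplace_density(x, 1.0, scale)
        worst = max(worst, r, 1.0 / r)
    return worst


if __name__ == "__main__":
    print("true count:", true_count(RECORDS))
    for eps in (0.1, 0.5, 1.0, 2.0):
        print(f"eps={eps:<4} expected |error|={expected_abs_error(1, eps):<5} "
              f"release={demo_release(eps, seed=7):.2f} "
              f"max density ratio={worst_case_density_ratio(eps, range(-5, 7)):.3f} "
              f"(bound {privacy_loss_bound(eps):.3f})")
```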

Law Enforcement

US – Federal Appeals Court Upholds Law Enforcement’s Use of GPS for Investigation of Minor at Risk

A federal court considered an appeal by an individual convicted of crimes based on evidence obtained through warrantless GPS tracking. Exigent circumstances involving the potential exploitation of a minor justified the tracking of appellant’s cell phone without a warrant (based on discussions with the minor’s birth mother, foster mother and social worker); there was significant risk of bodily injury as the minor may have been forced into prostitution. [United States of America v. Jabar Gilliam – 2016 U.S. App. LEXIS 21448 – United States Court Of Appeals For The Second Circuit]

Location

US – Congressional Report: Use of Stingrays May Be Unconstitutional

According to a report from the US House Committee on Oversight and Reform, the use of cell site simulators, also known as Stingrays, by law enforcement may be unconstitutional. “Absent proper oversight and safeguards, the domestic use (of Stingrays) may well infringe upon the constitutional rights of citizens to be free from unreasonable searches and seizures.” The report recommends that state and local police follow US Justice Department and Department of Homeland Security policies, which require that law enforcement agents obtain a warrant prior to using the surveillance technology. It also asks that state and local law enforcement be forthright with the courts regarding the use of Stingrays. [Stingray use could be unconstitutional, House report finds | House.gov: Law Enforcement Use of Cell-Site Simulation Technologies: Privacy Concerns and Recommendations]

Online Privacy

US – Children Uploading YouTube Videos Poses Potential Issues

A growing number of young children are posting their activities online, raising issues for their parents. Popular YouTube channels featuring children can receive millions of views per video. Those channels can generate millions of dollars in revenue, but the children are also exposed to online commenters and to channels where creators upload videos featuring popular characters performing adult acts. “For the youngest members of the next generation, sometimes called Generation Z, the line between the online world and real life is fading. Parents are having to explain to their toddlers that the children whose whole lives they see on the screen aren’t actually their friends.” [Washington Post]

WW – 45% Don’t Have Expectation of Privacy Online: Study

Auckland University of Technology’s 2015 World Internet Project in New Zealand survey has found that 45% of the 1,377 respondents do not believe privacy exists online. 11% of those surveyed said they had had their privacy violated online. A University of Auckland professor in computer sciences thinks the responses indicate a changing attitude about what privacy means on the internet. “They’re shifting so rapidly now… I think many people are starting to become aware of the risks but don’t accept privacy has gone, it’s just that the boundaries are different.” [Stuff.co.nz]

US – Twitter to Limit What’s Shared With Government Fusion Centers

In an ongoing effort to curb the amount of law enforcement access to its users, Twitter announced it will no longer provide government intelligence centers — also known as fusion centers — access to tools that can be used for bulk surveillance. Dataminr, a company partially owned by the social network, granted law enforcement access to real-time feeds of public posts and tools for filtering the content. Twitter’s decision comes after an ACLU of Northern California investigation found law enforcement used the tool to track activists and protests. [Mashable]

WW – Twitter Terminates Partnership With Third Surveillance Firm

Following its decision to terminate its contracts with Geofeedia and Snaptrends, Twitter has cut ties with a third social network surveillance firm. Twitter stopped Media Sonar from accessing its public API in October. Media Sonar is known for selling surveillance software to police departments across the U.S. Twitter’s partnership with Media Sonar was finished after it was discovered the surveillance firm was encouraging police departments to observe African-American protesters. The social media network ended its relationship with Geofeedia and Snaptrends for similar actions. Twitter said if Media Sonar attempts to create any other API keys, it will delete those as well, and will take further action against the firm. [Daily Dot]

Privacy (US)

US – FTC Releases Agenda for Second Annual Privacycon

The Federal Trade Commission released the agenda for PrivacyCon 2017. The event, taking place in Washington on Jan. 12, is designed to join together leaders from academia, research, consumer advocacy, and industry to discuss the privacy and security implications of new technologies. The public forum will cover five major topics, including the internet of things and big data, mobile privacy, consumer privacy expectations, online behavioral advertising, and information security. PrivacyCon will feature 18 research presentations on consumer privacy and security issues and a closing panel moderated by FTC Bureau of Consumer Protection Director Jessica Rich. [FTC.gov] See also: [FTC organizing privacy researcher meet up in January]

US – Cybersecurity Challenges at the US State Level

A study from the Pell Center for International Relations and Public Policy last year found that of the eight most populous US states, none was “cyber ready,” or adequately equipped to defend its systems against and recover from cyber attacks. A September 2016 study from Deloitte-NASCIO found that while some states are gaining a keener awareness of the importance of cybersecurity, the systems that states have been introducing in the name of helping constituents actually introduce additional cyber risks. [Are states ill-equipped to manage cybersecurity? | State of the States on Cybersecurity (November 2015) | 2016 Deloitte-NASCIO Cybersecurity Study]

US – Evernote Backtracks on Changes to Privacy Policy After Outcry

Evernote, a popular note-taking app, has announced it will hold off on changes to its privacy policy after users and the media started raising privacy concerns. The proposed change would have allowed employees to read users’ notes to help train the company’s machine learning algorithms. At first, the company defended the changes, but, in a written statement, Evernote’s CEO later said, “We announced a change to our privacy policy that made it seem like we didn’t care about the privacy of our customers or their notes. This was not our intent, and our customers let us know that we messed up, in no uncertain terms. We heard them, and we’re taking immediate action to fix it.” [PCWorld]

WW – Evernote Changes Policy: Employees to Review User Notes

In a blog post, Evernote said it would have employees reading user notes beginning in early 2017, as a way to ensure its machine learning technologies were functioning properly. While its “computer systems do a pretty good job, sometimes a limited amount of human review is simply unavoidable in order to make sure everything is working exactly as it should.” While the company announced various controls for the process, many customers are frustrated with the changes. While there was speculation the move may be connected to Evernote’s adoption of Google’s cloud computing service, the company denied it. “We want to improve the service and see the advent and availability of many machine learning tools as very promising.” [Fortune]

US – Journal of Intellectual Freedom and Privacy’s First Issue Available

The American Library Association’s Office for Intellectual Freedom has released the first issue of its official publication, the Journal of Intellectual Freedom and Privacy. “JIFP is an expansion of The Newsletter on Intellectual Freedom, published between 1952 and 2015… Ever mindful of serials librarians’ woes, we hereby state that this new publication is a continuation of NIF, but begun over with vol. 1, no. 1.” The journal includes news, features, reviews and an editorial section, and is available in PDF format on the ALA’s website. [ALA.org]

US – Court Grants FTC Order Penalizing Data Brokers for Selling Consumer PI

This Court order settled FTC allegations that Corporate Defendants Sequoia One and Gen X Marketing unfairly sold consumer personal information in violation of the FTC Act. The two companies obtained PI from consumers who thought they were applying for payday loans online, and then sold the PI to a scam operation that withdrew funds from consumers’ bank accounts without their consent; Defendants must pay $45,000 (at which point the remainder of a $7.1 million judgment will be suspended), and are prohibited from disclosing sensitive (financial) PI and from making misrepresentations relating to financial products and services. [Federal Trade Commission v. Sequoia One, LLC, et al. – Default Judgment and Order for Permanent Injunction as to Defendants Sequoia One, LLC and Gen X Marketing Group, LLC – United States District Court District Of Nevada | Press Release | Judgment]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

US – NIST Seeks Tech Collaborators for Privacy-Enhanced ID Project

The National Cybersecurity Center of Excellence, a public-private collaborative initiative under the National Institute of Standards and Technology, has announced it is seeking technology collaborators for a privacy-enhanced identity federation project. The new project will analyze how privacy-enhancing technologies can be implemented within identity federation solutions to help maintain the privacy of users and organizations. The goal of the project is to produce a NIST Cybersecurity Practice Guide, which will be publicly available and include “practical steps needed to implement a cybersecurity reference design,” the NCCoE website states. Questions or suggestions for the project can be sent to petid-nccoe@nist.gov. [NCCOE | Federal Register Notice | Privacy-Enhanced Identity Federation project description]

Security

WW – 42% of Companies Do Not Have Cyberattack Communications Plans

An EY report finds many companies do not have a plan for communicating with the public following a cyberattack. EY’s annual Global Information Security Survey revealed 50% of the 1,735 participating organizations said they were confident they could detect an attack, but 42% did not have a communications strategy in place if an attack took place. Another 48% said they would not notify impacted customers within the first week. “It’s imperative to address if any weaknesses or failures in the recovery plans become known, because the longer these problems continue, the worse the situation will get. In fact, many of the proposed regulations or laws around reporting of cyberattacks say that companies must notify customers within a certain number of days,” said the report’s author. Separately, Blancco Technology Group released a report revealing the delays companies face in breach detection and notification and the regulatory challenges this causes for data protection. [CNBC]

Smart Cars / IoT

US – FTC, FCC to Focus on IoT Security in 2017

The Federal Trade Commission and the Federal Communications Commission will focus on internet-of-things security in 2017. The agencies’ commitment to IoT security comes after the massive DDoS attack affecting large parts of the United States this past October. “As we see the rise of mobile and the internet of things, we’re seeing a multiplicity of actors in the ecosystem,” said the FTC. “There’s going to be a lot of questions about the liability of these various actors.” [AdExchanger]

US – DOT Proposed Rules Would Require Cars to Share Information

The Department of Transportation has proposed a new set of rules requiring the auto industry to have technology allowing vehicles to share information with one another. The National Highway Traffic Safety Administration said the plans could reduce 80% of non-impaired crashes, but privacy advocates are concerned about the plans. “Vehicle-to-vehicle communications must be as secure as Fort Knox,” said Consumers Union. “Automakers must be required to meet baseline, enforceable standards to protect both privacy and security as they roll out this technology. Communications should be protected through strong encryption, and security measures should be seamlessly updated so that consumers don’t have to worry about getting into a crash because their car has been hacked.” Sens. Edward J. Markey, D-Mass., and Richard Blumenthal, D-Conn., are pressing the DOT to implement strong cybersecurity and privacy protections before the rules are implemented. [Consumer Reports]

US – Study: Privacy Safeguards for Wearable Devices Are Insufficient

A study from the Center for Digital Democracy and the School of Communication at American University states the growing wearable device market raises a number of privacy concerns. Wearable manufacturers collect large amounts of personal data and share the information with other companies. The study finds existing privacy laws do not normally apply to wearable manufacturers, and the “weak and fragmented” U.S. health privacy regulatory system does not give consumers proper privacy safeguards. “Many of these devices are already being integrated into a growing Big Data digital health and marketing ecosystem, which is focused on gathering and monetizing personal and health data in order to influence consumer behavior,” the study says. [PC World]

SG – ’City Brain’ Tech to Make Singapore an Internet of Things-Powered Hub

Singapore’s plan to embrace “city brain” technology, utilizing 100 million smart objects in five years, is both groundbreaking and rife with privacy questions. “In theory, a city brain could be used by municipal administrators to check on a wide variety of conditions,” such as weather, elderly housing and transportation issues, the report states. The program may additionally use “the estimated five million smartphones carried by Singaporeans” to make it happen. “Of course, there will be loss of privacy or, worst case, the chance of data being hacked,” said Gartner. “This is not just a Singapore problem; it’s a global problem… any government must still enforce certain laws to prevent misuse.” [Computerworld]

Surveillance

US – U.S. to Release Estimate of Americans Monitored Under Surveillance

A letter from U.S. lawmakers states the country’s intelligence community is planning to disclose the number of American citizens whose electronic communications have been intercepted through online surveillance programs designed for foreigners. The letter, sent to National Intelligence Director James Clapper, said the estimate was requested by the U.S. House of Representatives Judiciary Committee and should be released publicly as early as next month. The estimate would come as Congress is expected to commence the debate over whether to revamp the surveillance provision Section 702, which was added to the Foreign Intelligence Surveillance Act in 2008 and is set to expire Dec. 31, 2017. [Reuters]

US – Ex-Employees Claim Uber Continues Unauthorized Surveillance

After stating it had policies preventing employees from accessing trip and geolocation information, five former Uber security professionals reveal the company continued to allow its workers to access sensitive information. The revelation comes two years after Uber was first found using its internal “God View” to track users’ whereabouts in real time without permission. Some of the most recent allegations state that Uber deleted files it was legally obligated to retain and encrypted files during law enforcement investigations in its foreign offices. In response to the report, Uber’s Chief Information Security Officer sent an email to the company’s staff reminding them of their privacy obligations. [Reveal News]

Telecom / TV

US – FTC Publishes Do Not Call Registry Data Book for 2016

The Federal Trade Commission has released its National Do Not Call Registry Data Book for Fiscal Year 2016. “Now in its eighth year of publication, the Data Book contains a wealth of information about the Registry for FY 2016 (from October 1, 2015 to September 30, 2016), including: State rankings for National Do Not Call registry” as well as “the number of active registrations and consumer complaints since the Registry began in 2003.” The Data Book states that the Registry contained more than 226 million registered numbers at the end of the 2016 fiscal year, an increase from the 223 million reported at the end of fiscal year 2015. The Florida Record reports. [FTC.gov]

US Government Programs

US – Court of Appeals Upholds Warrantless FISA Surveillance of US National

Mohamed Osman Mohamud appealed his conviction for use of weapons of mass destruction, in violation of 18 U.S.C. § 2332a(a)(2)(A). Acquisition of the individual’s email communications was lawful, since it resulted from contact with a foreign national being targeted for promoting terrorism (warrantless surveillance of non-US persons is permitted); even if a warrant was required, the government’s search of the individual’s emails was reasonable, since US persons have a limited expectation of privacy in information revealed to a third party, and the applicable FISA procedures to safeguard the individual’s privacy interests were followed. [USA v. Mohamed Osman Mohamud – Opinion – US Court of Appeals for the Ninth Circuit]

US – California Educational Tech Providers Cannot Sell or Disclose Student Information

The Future of Privacy Forum provides an overview of obligations under the California Student Online Personal Information Protection Act. Providers that design and market sites, services and applications used primarily for K-12 school purposes can use student data to conduct legitimate research, and use deidentified information for product improvement, marketing and development; providers cannot sell or disclose student information (except for legal purposes, user safety, or K-12 school purposes), use student information to amass a profile, or use student information to engage in targeted advertising. [FPF Guide to Protecting Student Data Under SOPIPA – For K-12 Administrators and Ed Tech Vendors]

Workplace Privacy

US – Hiring Algorithms Are Not Neutral Sources: Op-Ed

In an op-ed for the Harvard Business Review, Gideon Mann and Cathy O’Neil explain why using algorithms in human resource departments cannot be considered a neutral source. Algorithms are created to mimic human decision making, meaning existing biases will become part of their makeup. “In other words, algorithms are not neutral. When humans build algorithmic screening software, they may unintentionally determine which applicants will be selected or rejected based on outdated information — going back to a time when there were fewer women in the workforce, for example — leading to a legally and morally unacceptable result.” The authors offer suggestions for working around this flaw, including ensuring hiring decisions aren’t based solely on algorithms, and conducting reviews to remove any hiring trends possibly appearing to be biased. [HBR.org]

US – Companies Look to Publicly Report Employees’ Health

A group of companies, including IBM, PepsiCo and Johnson & Johnson, is working to find a way to publicly report and measure the health of their employees. The ratings, currently under consideration by a coalition of employers and insurers called the Health Metrics Working Group, would offer shareholders and other high-ranking company officials a look into a company’s efforts to improve employee health and whether the efforts are working. The health information will be presented in the aggregate in order to comply with health privacy laws. “All the working group members support the concept of reporting on employee health metrics, but if and how that gets implemented will vary quite widely.” [The Wall Street Journal]

+++
