Privacy News Highlights

13—21 April 2006

Contents:

US – DHS Chief: Single Biometric Identity Card for Multiple Uses Is The Goal

CA – Day Says No to ID Cards for Travel to U.S. – Passports Will Suffice

CA – Sex Registry Plan Under Fire: Conservatives Aim For Major Expansion

CA – Privacy Commissioner Rules Surveillance Videotapes May Be Used In Litigation

CA – Retired Deloitte Partner: Adopt Stiffer Penalties for Privacy Violations

CA – B.C. Information and Privacy Commissioner Investigates Security Breach

CA – Alberta Crook Used Dumped Credit Data

CA – Choose ‘Yes’ On Census, Urges Group

US – Federal Government Seeks Input on How to Fix Credit Reporting System

US – FTC Calls for International Anti-Spam Efforts

US – FTC Settles CAN-SPAM Charges Against Two Big Spammers

US – AOL Blames “Glitch” for Blocking Some Critical E-mail

US – County Web Sites Exposing Sensitive Data

WW – Encryption Still Underused In Financial Transactions, Warns PwC

EU – Article 29 Working Party: Adopt Data Retention Directive With Caution

EU – EU Watchdog Warns About Anti-Terror Rules

UK – Information Commissioner Issues Guidelines for Sale of Customer Databases

US – More Phishing at Tax Time

UK – Survey: 81% Give Up Sensitive Info for Chance to Win Easter Eggs

AU – Major ISPs Say No to Porn Filter Trial

CA – Watchdog: Canadian Money Laundering Laws Lax

UK – Information Commissioner Criticized for FOIA Implementation

CA – Nymity Interview with Ken Anderson on PHIPA

AB – Health Records Legislation Updated To Reflect Current Technology

US – Survey: HIPAA Compliance Behind Schedule For Some Healthcare Companies

US – California Gov. Signs Bill to Track HIV Cases by Patient Name

CA – Saskatchewan Government Laptop Containing Health Data Stolen

US – Security Breach at New Jersey Medical and Dental School

US – University of South Carolina Students’ SSNs Accidentally Exposed

US – Judge Finds Wells Fargo Not Negligent in Data Theft Case

US – Religious Groups Join Fight Against National IDs

UK – ID Database Will Become National Population Register

US – EFF Reports on “Unintended Consequences” of DMCA

US – DNA Samples From All Suspects Controversial

US – Sprint Nextel Unveils GPS-Enabled Cell Phones

US – Ponemon Institute Conducts Outsourcing Survey

US – Terrorists’ Web Chatter Shows Concern About Internet Privacy

UK – UK Computer Misuse Act to be Updated

US – Librarians Win as U.S. Relents on Secrecy Law

US – Wisconsin Launches New Privacy Office

US – ChoicePoint’s Privacy Chief Takes Steps to Improve Privacy Protections

US – Nuala O’Connor Kelly Appointed to Serve as New IAPP Board Member

US – Portland Picks Company to Operate Free Wireless Network

US – Cases Show Anti-Cyberstalking Laws Not Always Effective

US – NIST Releases Guide to Computer Security Log Management

US – RFID Travel Cards Could Pose Privacy Threat

US – Tech Industry Attacks State Anti-RFID Laws

US – Wal-Mart Plans to Use New RFID Tags, RFID-Enabled Forklifts

US – Privacy Controversy May Delay National Animal ID System

UK – Theme Park to Start RFID Tagging Visitors

AU – Researchers Prove RFID Tags Vulnerable to Attacks

US – Data Protection: A Big Issue for Small Businesses

US – Study: Data Security Spending Rises

US – Survey: Many Companies Placing Stock in Promise of Data Governance

EU – France Launches Electronic Passports

US – Medical Smart Cards Proposed For California Migrant Workers

US – AT&T Seeks to Hide Documents Implicating Collusion with NSA

US – Law Enforcement Wiretaps Vulnerable to Phreaking

KR – Korea Gov’t to Monitor Online Communities Monthly

US – Pennsylvania DA Offers Guidelines for School Bus Taping

US – Mandatory ISP Data Retention: U.S. to follow E.U. example?

AU – Private Data Is Up For Grabs

US – TSA Appoints New Privacy Chief

US – GAO: Feds Must Standardize Info-Sharing Policies

US – Time Running Out On Federal Data Breach Notification Law

US – Privacy Advocates Oppose Employment Verification in Federal Immigration Bill

US – Arizona House Approves Notification Bill

US – California’s Senate Public Safety Committee Hears ID Theft, Phishing Bills

US – Maine Sale of Wireless Phone Records Now Outlawed

US – New York (Westchester County) Enacts ID Theft Law

US – Privacy Concerns Surround Use of Devices to Help Keep Truckers Alert

 


US – DHS Chief: Single Biometric Identity Card for Multiple Uses Is The Goal

Secretary Michael Chertoff said the Homeland Security Department’s goal is to develop a single biometric card that could allow people to use the same card to meet the requirements of multiple access and security programs at border crossings. The department is seeking to create an integrated system for a new program to serve travelers who frequently cross the border and an existing trusted traveler program for Canadians, Mexicans and truck drivers. [Source] [Text of Chertoff Remarks]

 

CA – Day Says No to ID Cards for Travel to U.S. – Passports Will Suffice

The Conservative government said this week it has no plans to introduce a new national identity card for citizens travelling to the U.S. and is advising Canadians to obtain a passport if they plan to cross the border once new U.S. security rules are enforced in 2008. “We are not suggesting at this time that we are launching into a program of a Canadian identity card or anything of that nature,” Public Safety Minister Stockwell Day said following meetings with U.S. Homeland Security secretary Michael Chertoff. Mr. Day’s comments mark the clearest statement yet on how the Conservative government intends to comply with new U.S. travel restrictions set to begin taking effect next year. Acting on legislation passed by Congress, the Bush administration will require Canadians entering the U.S. by air or sea from Canada to carry passports starting January 2007. The U.S. has said it will require a passport or another form of security border identification card at all land border crossings by the start of 2008. The travel requirements also extend to American citizens traveling between the two countries. But, amid concerns that the plan is too costly and will sharply curb tourism and trade, the U.S. recently said it will try to prevent problems by introducing its own border ID card, or “passport lite.” Dubbed a PASS card, it will fit in a traveller’s wallet and cost about half the price of obtaining a regular U.S. passport. The U.S. has said that it would accept a similar card from Canadian travellers, but Mr. Day said the federal government is not actively investigating that option. [Source] [Source] [Premier McGuinty: Ottawa Should Rethink Decision on Border ID Cards] [ID card still in Canada’s future?]

 

CA – Sex Registry Plan Under Fire: Conservatives Aim For Major Expansion

At a time when a U.S. sex offender registry is under scrutiny, the federal Conservatives are planning a major expansion of the Canadian database that would require all sex offenders past and present to register their whereabouts with police. The current registry is significantly more limited, listing only the 12,000 sex offenders who were still in the justice system when the database came into effect in December 2004. [Source] See also: [Editorial: Sex Offender Registries Should Remain Private] [Do Sex Offender Registries Endanger Lives of Ex-Cons? Double Murder of Maine Men Sparks Debate About Online Sex Registries] [Maine slayings prompt debate on registry]

 

CA – Privacy Commissioner Rules Surveillance Videotapes May Be Used In Litigation

The Office of the Privacy Commissioner of Canada has clarified that PIPEDA does not prevent a party to a lawsuit from conducting surveillance. The ruling stemmed from a lawsuit filed by a woman who claimed she was unable to perform domestic chores because she was injured by another driver in a crash. The other driver’s insurance company hired a private investigator who took videos of the woman performing routine tasks, including carrying boxes. The woman complained to the privacy commissioner that information about her had been collected without her consent, in violation of PIPEDA. The privacy commissioner found that the complaint was “not well-founded.” [Source] [Finding]

 

CA – Retired Deloitte Partner: Adopt Stiffer Penalties for Privacy Violations

Retired Deloitte partner Robert Parker said that, during an upcoming review of PIPEDA, Canadian governments should consider the adoption of tougher penalties for violations of the law. Privacy Commissioner Jennifer Stoddart is posting information about offenders on her Web site, but that is the only penalty, according to Parker. [Source]

 

CA – B.C. Information and Privacy Commissioner Investigates Security Breach

A computer containing information about Fraser Health Authority employees who sought counseling is missing from the Vancouver office of the Employee and Family Health Assistance Program. The computer contained personal information, including names, birth dates and the reasons why thousands of the workers sought help for personal issues. [Source]

 

CA – Alberta Crook Used Dumped Credit Data

A crook used stolen credit card information to buy a laptop computer after an Edmonton company dumped 2,606 credit and debit card sales receipts in an unlocked dumpster, says the Information and Privacy Commissioner’s office. Monarch Beauty Supply came to the attention of Privacy Commissioner Frank Work last September after Edmonton city cops advised that someone had turned over documents containing personal information from the Monarch Beauty Supply store in west Edmonton. The documents included the store’s daily financial records along with customer credit and debit sales receipts containing customers’ names, credit card numbers, expiry dates, customers’ signatures and debit card numbers. [Source] [Source] [Investigation Report]

 

CA – Choose ‘Yes’ On Census, Urges Group

An Ontario genealogy organization wants Ontario residents to know that their future relatives might never know they existed if they don’t check off ‘yes’ to a question on an upcoming government census. The Uxbridge Genealogy Group has put a call out to residents to inform them 2006 Canada Census forms are being distributed in the near future. This year, for the first time in 340 years, according to the group, residents will have a choice whether their information can be released in 92 years. If you check ‘no’, future genealogists will be faced with gaps in their family history research. [Source] [Source]

 

US – Federal Government Seeks Input on How to Fix Credit Reporting System

U.S. federal regulatory agencies and the FTC are asking for comments from the public in an effort to develop more accurate credit reports. They are looking for examples of mistakes, corrected information ignored by the credit bureaus and other problems that can hamper the accuracy and integrity of your credit report. Also, they want ideas to improve procedures and policies. Public comments must be submitted no later than May 22nd. [Source] [Source]

 

US – FTC Calls for International Anti-Spam Efforts

The FTC joined 29 other countries this week in calling for increased cooperation between nations in combating spam. The FTC signed off on a set of anti-spam recommendations by the OECD. Among the top OECD action items are calls for government agencies such as the FTC to have the power to take action against spammers located outside their jurisdiction and increased information sharing between countries. The OECD also said there should be greater cooperation in international efforts to reduce the incidence of inaccurate information about holders of domain names. [Source] [Source]

 

US – FTC Settles CAN-SPAM Charges Against Two Big Spammers

Two more large-scale spammers have settled charges with the FTC that they sent commercial e-mails in violation of the CAN-SPAM Act. According to the FTC, the firms sent millions of unwanted and unsolicited e-mail while concealing the true identity of the sender. [Source]

 

US – AOL Blames “Glitch” for Blocking Some Critical E-mail

America Online apparently began blocking e-mail on its servers containing the Web address of a petition against the company’s upcoming certified-mail program, an issue the company called a “glitch.” An AOL spokesman said the issue arose because of a software glitch that “affected dozens of Web links in messages,” including Dearaol.com. [Source]

 

US – County Web Sites Exposing Sensitive Data

Counties around the U.S. have been posting documents that contain sensitive personal data that could be used to commit identity fraud. The data, including Social Security numbers, driver’s license numbers and bank account information, are included in public land records and other documents. The documents are posted on the Internet but not redacted for privacy. Most counties will honor citizens’ requests to have their personal information removed. [Source]

 

WW – Encryption Still Underused In Financial Transactions, Warns PwC

22% of those who accept financial transactions do not encrypt the data they receive to ensure its confidentiality and integrity, according to PwC research. Fewer than one-third of smaller firms encrypt the data they receive. [Source]

 

EU – Article 29 Working Party: Adopt Data Retention Directive With Caution

The EU’s Article 29 Working Party has released a two-page opinion that outlines some concerns about the recently approved Data Retention Directive. The purpose of data retention, which will allow investigators to identify certain details about calls and emails but not their content, is to make relevant information available for the detection and prosecution of crimes. Member states must retain the data for a minimum of six months but no longer than two years. The WP warned in its opinion that member states must implement the Directive with “measures curtailing the impact on privacy.” [Source] [Source] [Opinion]

 

EU – EU Watchdog Warns About Anti-Terror Rules

Peter Hustinx, the EU’s data protection supervisor, used his annual report this week to warn the 450 million citizens of EU countries that they had better be aware that the new EU data retention legislation was approved without adoption of proper privacy safeguards. The law, which requires the retention of email and cell-phone call data, and the plans to approve passports and visas with biometric technology, could lead to privacy violations, Hustinx warned. Hustinx said he was prepared to file complaints of any privacy rights violations with the EU’s high court in Luxembourg. [Source] [Annual Report]

 

UK – Information Commissioner Issues Guidelines for Sale of Customer Databases

The UK Information Commissioner’s office has released guidelines regarding the sale of customer databases following a business’s closure. According to the guidelines, the data can be used only in the manner which was indicated when the information was initially collected; if it is to be used for other purposes, the new owners must obtain express consent from those whose information is in the database. The guidelines also address the length of time the data may be kept. [Source] [Source] [Source]

 

US – More Phishing at Tax Time

Phishing incidents continue to escalate, according to the Anti-Phishing Working Group. Record levels of phishing emails that seek to trick people into divulging personal financial information were seen in January and February. Phishing incidents in those months were sharply higher than at any time in 2005. This tax season, the IRS has warned about the fake emails intended to trick people into believing they originate from the federal agency. The phishers’ level of sophistication is increasing with particular emails timed to coincide with current events. Phishing experts also are seeing an increase in “crimeware,” which cyber criminals install without a user’s knowledge to capture keystrokes or redirect them to a Web site that looks like their intended destination - but actually is a fake site to allow a hacker to gather personal information. [Source]

 

UK – Survey: 81% Give Up Sensitive Info for Chance to Win Easter Eggs

Organizers of the annual information security event outside London’s Victoria Station concluded their project with the same result seen in other years: people eagerly give out personal details when enticed with the promise of free goodies. Infosecurity Europe conducted the survey, finding that 81% of the commuters they talked with were willing to surrender all the personal information needed to steal their identity in exchange for a chance to win an Easter prize. [Source]

 

AU – Major ISPs Say No to Porn Filter Trial

Australia’s two largest ISPs, Telstra and Optus, have rejected invitations to co-operate in the most extensive internet content filtering experiment ever carried out in the country. The trial, to be launched in Tasmania, was expected to include the entire state’s internet population. [Source]

 

CA – Watchdog: Canadian Money Laundering Laws Lax

Gaps in Canadian laws that are supposed to combat money laundering and terrorist financing must be filled - and fast, says a federal watchdog. Canada has fallen behind global standards and must get things cleaned up by next year, says a briefing note to Finance Minister Jim Flaherty from the head of the Office of the Superintendent of Financial Institutions. [Source]

 

UK – Information Commissioner Criticized for FOIA Implementation

The UK Freedom of Information Act has produced wider access to information - but the legislation has been implemented in a way that hinders requests, and the Information Commissioner is partly to blame, a House of Commons committee has heard. Oral evidence was presented to the Constitutional Affairs Committee of the House of Commons. The Information Commissioner, when challenged by MPs on 14th March, rejected most of the complaints but claimed his office was under-funded. [Source]

 

CA – Nymity Interview with Ken Anderson on PHIPA

Ken Anderson, Assistant Commissioner, Information and Privacy Commissioner/Ontario, provides his perspective on the Personal Health Information Protection Act including the impact of it being deemed substantially similar to PIPEDA. He also discusses challenges for health information custodians, the number of complaints received, how orders can extend beyond health information custodians, cross-border transfers of personal health information and the prospect of changes to privacy legislation in Ontario. [Source]

 

AB – Health Records Legislation Updated To Reflect Current Technology

Legislative amendments under Bill 31, the Health Information Amendment Act, will help address technical enhancements to provincial electronic health records, coordinate the retention periods for records held by professional bodies and clarify disclosure rules. “These amendments aim to balance individual privacy with the protection of the public and the public health system,” said Iris Evans, Minister of Health and Wellness. Proposed amendments will:

• allow information disclosure among governments and some third parties for the purposes of paying for services and ensuring accountability;

• allow discretionary disclosures for reasons of public safety and to prevent or report public health system fraud; create consistency with the Health Professions Act;

• allow Alberta Health and Wellness to better track drug trends;

• facilitate greater use of the electronic health record by giving pharmacists and doctors more complete patient drug histories; and

• protect the privacy of Albertans by ensuring their health and other personal information cannot be automatically disclosed in response to a United States court order under the Patriot Act. [Source]

 

US – Survey: HIPAA Compliance Behind Schedule For Some Healthcare Companies

Phoenix Health Systems and Healthcare Information and Management Systems Society found in their most recent survey that 20% of healthcare companies are “unable or unwilling to implement federal privacy requirements.” This week, another HIPAA deadline hits that requires companies with less than $5 million in revenue to meet security standards. The survey found that 55% of large healthcare providers and 72% of insurers met HIPAA’s security requirements, which took effect a year ago. [Source]

 

US – California Gov. Signs Bill to Track HIV Cases by Patient Name

Gov. Arnold Schwarzenegger signed a bill Monday that will require epidemiologists tracking the spread of HIV in California to use data based on patient names instead of a code-based system plagued by problems. The former system was designed to protect patient confidentiality, but it was riddled by errors. Opponents initially opposed tracking HIV by patients’ names, but measures to protect the data have been strengthened, according to officials. [Source]

 

CA – Saskatchewan Government Laptop Containing Health Data Stolen

A laptop containing personal health records for about 1,500 people in Saskatchewan was stolen last month from a software contractor’s Toronto office, according to officials. The provincial government said the data from the Saskatchewan Health Information Network contained health registration numbers, but they were “heavily encrypted.” The computer also was password-protected. Because of those security measures, the government said it will not notify individuals in writing about the theft. Health officials have been in contact with the privacy commissioner. [Source] [Source] [No names on stolen computer]

 

US – Security Breach at New Jersey Medical and Dental School

A computer security breach at the University of Medicine and Dentistry of New Jersey exposed sensitive data belonging to nearly 2,000 students and alumni. The breach was detected on February 24, though it is unclear when it actually took place. University officials kept quiet about the breach during an investigation. Students have been sent letters informing them of the breach and warning that they could be victims of identity fraud. [Source]

 

US – University of South Carolina Students’ SSNs Accidentally Exposed

A database containing the Social Security numbers of as many as 1,400 University of South Carolina students was inadvertently attached to an email regarding summer classes.  The affected students have been notified and advised to take steps to protect themselves from identity fraud.  The University of South Carolina is in the middle of switching from using Social Security numbers as student identifiers to assigning new student ID numbers; the change is scheduled to be complete in fall 2007. [Source]

 

US – Judge Finds Wells Fargo Not Negligent in Data Theft Case

A US District Judge in Minnesota ruled that two people who had filed a class action lawsuit against Wells Fargo had not actually suffered any damages and were thus unable to demonstrate “reasonably certain future injury” due to the theft of computer hardware from a Wells Fargo contractor. The hardware contained unencrypted Wells Fargo customer data. The judge said the thieves never used the information and that time and effort the plaintiffs spent monitoring their credit reports “was not the result of any present injury, but rather the anticipation of future injury that has not materialized.” The judge found Wells Fargo not negligent because the information was never misused by the thieves. [Source]

 

US – Religious Groups Join Fight Against National IDs

Critics of federal legislation to establish nationwide identification standards are tapping into religious groups to galvanize resistance to the statute. The authors of a New Hampshire bill to make the Granite State the first to reject the so-called REAL ID Act have cited financial and constitutional concerns about its implementation. But several conservative Christian groups that have endorsed the New Hampshire proposal are largely motivated by their belief that the law is a sign of the apocalypse. According to leaders of the movement against the statute, the cause has benefited immensely from the active participation of groups that view the law as the fulfillment of a biblical prophecy. Such groups refer to scripture that predicts that humans will be numbered by marks on their foreheads and hands before the arrival of the antichrist. [Source] [Source]

 

UK – ID Database Will Become National Population Register

The U.K. government says the ID card database will become a national population register of basic personal information for the public sector to verify identity and has called for the development of a children’s register as well. The Treasury confirmed this week that the newly created Identity and Passport Service (IPS) will take over the work being done by the Office for National Statistics on the Citizen Information Project to create an adult population register containing a person’s name, address, date of birth and a unique ID reference number. [Source]

 

US – EFF Reports on “Unintended Consequences” of DMCA

A new report from the Electronic Frontier Foundation takes aim at the Digital Millennium Copyright Act, a controversial law enacted seven years ago to protect intellectual property in the digital age. “Unintended Consequences: Seven Years Under the DMCA” is a collection of well-known and obscure stories about the misuses of the DMCA. [Source] [PDF Report]

 

US – DNA Samples From All Suspects Controversial

A bill pending in the Kansas Legislature would require authorities to take DNA samples from all suspects arrested for felony crimes. The DNA, taken with a swab of skin cells lining the mouth, would be entered into the state’s DNA database used to identify suspects in unsolved crimes. State Rep. Kasha Kelley, R-Arkansas City, has said earlier that she opposes the measure because of privacy issues. [Source] [Source]

 

US – Sprint Nextel Unveils GPS-Enabled Cell Phones

Sprint Family Locator, a GPS feature that allows parents to check up on their children’s whereabouts, is the latest in location-based services that cell phone companies are expected to offer in the next few years. Sprint Nextel’s service costs $10 a month and works on most of its current phones. To dispel the perception that “Big Brother is watching,” the child will receive a text message each time their phone is pinpointed. Location-based services have become more commonplace in businesses. But the wireless companies have been careful to introduce the technology to consumers because of privacy concerns. [Source]

[Commentary] [Concerns over GPS child tracking]

 

US – Ponemon Institute Conducts Outsourcing Survey

Larry Ponemon has done a survey to gauge how much Americans are troubled by outsourcing of data to foreign countries. While most people expressed concern about outsourcing of medical records, those surveyed were less worried about the transfer of financial information and other information overseas. One of the survey’s notable findings was that India - despite negative perceptions about the integrity of outsourcing operations there - ranked third behind Ireland and Canada as the most trustworthy for outsourcing work. But in the event of a large-scale data breach in another country, there are no international disclosure requirements that would require notification of consumers that their information had been compromised. [Source] [See also House report on privacy protection laws in 20 outsourcing countries]

 

US – Terrorists’ Web Chatter Shows Concern About Internet Privacy

Postings on jihadist Web sites indicate that terrorist groups are seeking advice about spyware, Internet privacy and password protection. One forum posted a terrorist-linked group’s how-to guide on remaining anonymous online. The advice included a suggestion to use a software program that erases Web addresses or other identifiable information. [Source] [Source]

 

UK – UK Computer Misuse Act to be Updated

The UK’s new Police and Justice Bill will update the outdated Computer Misuse Act (CMA) of 1990 this summer. Section Three of the CMA will be revised to make any unauthorized act performed against a computer an offense. The term “unauthorized act” is deliberately undefined; the law will no longer require data modification to have taken place to deem an act an offense. In addition, denial-of-service has been made a specific offense. People found guilty under the revised law will find themselves faced with longer jail sentences. [Source]

 

US – Librarians Win as U.S. Relents on Secrecy Law

After fighting ferociously for months, federal prosecutors relented and agreed to allow a Connecticut library group to identify itself as the recipient of a secret F.B.I. demand for records in a counterterrorism investigation. The decision ended a dispute over whether the broad provisions for secrecy in the USA Patriot Act trumped the free speech rights of library officials. The librarians had gone to federal court to gain permission to identify themselves as the recipients of the secret subpoena, known as a national security letter, ordering them to turn over patron records and e-mail messages. It was unclear what impact the government’s decision would have on the approximately 30,000 other such letters that are issued each year. Changes in the Patriot Act now allow the government discretion over whether to enforce or relax what had been a blanket secrecy requirement concerning the letters. [Source] [Source] [Source]

 

US – Wisconsin Launches New Privacy Office

Gov. Jim Doyle has opened a new state office, the Office of Privacy Protection, to handle identity theft complaints. Staffed by four people, the office will help state, local and federal authorities investigate identity theft crimes. The state office also will help ID theft victims, lawmakers and businesses. [Source]

 

US – ChoicePoint’s Privacy Chief Takes Steps to Improve Privacy Protections

Carol DiBattiste is the architect of a new system of checks and balances to prevent another security breach at the company. DiBattiste heads an independent office that reports to ChoicePoint’s board of directors’ privacy committee. Hired shortly after the data broker’s infamous data breach became public in February 2005, DiBattiste is focused on tightening controls for customer credentialing, alignment of privacy and security and introducing prevention measures to insulate the data broker from security breaches. [Source]

 

US – Nuala O’Connor Kelly Appointed to Serve as New IAPP Board Member

April 18, 2006 – Nuala O’Connor Kelly, General Electric Company’s Chief Privacy Leader and Senior Counsel, has been named to the International Association of Privacy Professionals’ (IAPP) board of directors, the IAPP announced April 18. [Source]

 

US – Portland Picks Company to Operate Free Wireless Network

MetroFi Inc. said it was selected by the city of Portland, Oregon, to design and operate a citywide Wi-Fi network that will provide free wireless Internet access and improved public services. MetroFi said the Portland system will be built at no cost to the city, which expects to save millions of dollars in productivity and wireless Internet service fees by using the network. [Source]

 

US – Cases Show Anti-Cyberstalking Laws Not Always Effective

State legislatures took notice around 1999 and began passing laws that make cyberstalking a crime. Three months ago, President Bush signed federal anti-cyberstalking legislation. But some cases make it clear that the problem is not easily legislated away and show how devastating it can be to individuals caught in its web. [Source]

 

US – NIST Releases Guide to Computer Security Log Management

NIST has announced a new draft document, SP 800-92, Guide to Computer Security Log Management. Many logs within an organization may contain records related to computer security events. Organizations are facing larger quantities, volumes, and varieties of computer security logs, and also need to address requirements to analyze and retain certain logs to comply with Federal legislation and regulations, including FISMA, HIPAA, the Sarbanes-Oxley Act of 2002, and the Gramm-Leach-Bliley Act. As a result, many organizations have a greater need for computer security log management--the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management assists in ensuring that computer security records are stored in sufficient detail for an appropriate period of time. [Source] [Source]

 

US – RFID Travel Cards Could Pose Privacy Threat

Future government-issued travel documents may feature embedded computer chips that can be read at a distance of up to 30 feet, a top Homeland Security official said this week, creating what some fear would be a threat to privacy. Jim Williams, director of the Department of Homeland Security’s US-VISIT program, told a smart card conference that such tracking chips could be inserted into the new generation of wallet-size identity cards used to ease travel by Americans to Canada and Mexico starting in 2008. Those chips use radio frequency identification technology, or RFID. [Source] [Source] [Source]

 

US – Tech Industry Attacks State Anti-RFID Laws

Political climate unfriendly to ID devices, backers say: In at least a dozen states, the electronics industry has been waging a battle against a rash of proposed laws aimed at limiting, and in some cases outlawing, use of electronically readable chips in personal identification documents. No states have enacted such laws yet, but bills have been up for debate in California, New Hampshire, Washington, Rhode Island, New Mexico, Illinois and Missouri, among others, during the past couple of years, panelists said at an industry conference about smart card use by the government. [Source] [Source]

 

US – Wal-Mart Plans to Use New RFID Tags, RFID-Enabled Forklifts

Beginning June 30, Wal-Mart will stop using Gen 1 tags on cases and pallets it receives from suppliers, the company announced recently. The retailer plans to switch to Gen 2 tags, which have shown improved read rates of products in motion. The company also announced that it is launching a pilot test of RFID-enabled forklifts at six Sam’s Club locations. [Source]

 

US – Privacy Controversy May Delay National Animal ID System

Opposition to establishing a National Animal Identification System (NAIS) is complex, but appears centered on privacy issues and the increased implementation costs, which could be borne by producers. The objective of establishing a national animal ID program is to enhance the animal disease surveillance and monitoring system and improve trace-back capabilities should a reportable animal disease event occur. The proposed plan calls for establishing a system that allows complete trace-back within 48 hours of a confirmed reportable disease event. [Source] [Source] [Source] [Source] [Source] [Source] [Source] [Source] [Source]

 

UK – Theme Park to Start RFID Tagging Visitors

Alton Towers, one of the U.K.’s largest theme parks, is to start tagging visitors with tiny radio frequency identification computer chips that will allow a network of cameras to track their movements throughout the park. Visitors will be given an RFID-enabled wristband on entry to the Staffordshire amusement park. It will allow them to be identified and videoed by cameras as they go on rides and attractions. The technology will help with park security - allowing parents to locate lost children, for example - but its chief publicised purpose will be to create a unique personalized DVD of the visitors’ day at the park, which can be purchased on leaving. [Source]

 

AU – Researchers Prove RFID Tags Vulnerable to Attacks

Academic researchers in Western Australia have demonstrated that RFID tags can be disrupted by inundating them with an overload of data. The researchers say that even the more sophisticated, next-generation RFID tags are vulnerable to the denial-of-service scenario. “The Australian researchers saturated the frequency range used by the tags, which prevented them from talking to the readers.” The attacks were conducted at the range of one meter. [Source] [Source] [Source] [RFID Zapper]

 

 

US – Data Protection: A Big Issue for Small Businesses

We’re all aware of recent security breaches that caused major banks to reissue thousands of customers’ debit and credit cards. But we’re less aware of small business security breaches, and what we don’t know can hurt us. Here are some chilling facts from the Small Business Technical Institute:

* More than half of all small businesses in the U.S. experienced a security breach in the last year.

* Almost one-fifth of small businesses don’t use virus-scanning software for e-mail.

* More than 60% don’t protect their wireless networks with encryption.

* Two-thirds of small businesses don’t have an information security plan. [Source] [BBB Toolkit]

 

US – Study: Data Security Spending Rises

Growing incidents of data breaches have led companies to spend more on protecting their data. Nearly 40% of new security spending by businesses in 2007 will be directed towards protecting data, research firm Gartner said this week, indicating a shift from securing the network to shielding information. Increasing incidents of data loss, the rising costs associated with each incident, and the public disclosure that companies have to make after a data breach have led to the change, said Gartner. “The rate of data breaches has increased materially over the last two years,” said a Gartner VP. “There’s more information out there than ever and there’s actual financial value attached to that data, which has attracted the bad guys.” [Source]

 

US – Survey: Many Companies Placing Stock in Promise of Data Governance

A recent survey conducted by data broker Experian’s QAS division for data quality management finds that companies estimate that 6% of lost sales are the result of poor management of customer data. Many organizations are unsure which versions of their customer records are accurate and updated. A growing trend embraced by IT and security executives is the adoption of data governance - a recipe for managing information across an organization based on a set of business processes and policies designed to ensure that data is handled accordingly and by trained data handlers. IBM formed a data governance council in 2004, which includes members from about 50 IT and security experts who are IBM customers. [Source]

 

EU – France Launches Electronic Passports

France has begun issuing electronic passports that will allow its citizens to travel to the U.S. without a visa, according to Amsterdam-based Axalto. The smart-card vendor is providing France’s printing office, the Imprimerie Nationale, with approximately 2 million electronic covers for the new passports this year. The e-passports include smart cards containing the holder’s personal information and a biometric identifier, and will first be issued in a district of Paris. Their use will be extended to citizens in the rest of France by the end of May. [Source]

 

US – Medical Smart Cards Proposed For California Migrant Workers

A California politician wants to give migrant workers medical smart cards that could improve the quality of the worker’s health care. The idea is to improve the quality of health services workers receive, but there are concerns the cards will get in the wrong hands. Every ailment you’ve ever had could be encoded on a chip – your blood type; your insurance information. One state senator thinks this is the wave of the future and wants the state of California to try it out. [Source]

 

US – AT&T Seeks to Hide Documents Implicating Collusion with NSA

AT&T is seeking the return of technical documents presented in a lawsuit that allegedly detail how the telecom giant helped the government set up a massive internet wiretap operation in its San Francisco facilities. In papers filed late Monday, AT&T argued that confidential technical documents provided by an ex-AT&T technician to the Electronic Frontier Foundation shouldn’t be used as evidence in the case and should be returned. The documents, which the EFF filed under a temporary seal last Wednesday, purportedly detail how AT&T diverts internet traffic to the National Security Agency via a secret room in San Francisco and allege that such rooms exist in other AT&T switching centers. [Source] [NYT: Documents Show Link Between AT&T and Agency in Eavesdropping Case]

 

US – Law Enforcement Wiretaps Vulnerable to Phreaking

Graduate students at the University of Pennsylvania, with the help of a National Foundation grant, have been analyzing the reliability of wiretaps used by law enforcement to investigate criminal wrongdoing. Professor Matt Blaze, speaking at the 2006 International Conference on Network Security, said either party can disrupt a wiretap or “introduce misleading information into the legal record.” [Source]

 

KR – Korea Gov’t to Monitor Online Communities Monthly

The South Korean government plans to monitor the nation’s online communities every month, to crack down on an increasing number of personal information dealers within the virtual world. The Ministry of Information and Communication on Sunday said the targets of the monthly surveillance plan would be cyber cafes, and peer-to-peer (P2P) file-sharing sites. [Source]

 

US – Pennsylvania DA Offers Guidelines for School Bus Taping

The use of microphones on school bus surveillance cameras takes bus companies and schools into an “unsettled legal area,” but does not violate the state’s wiretap laws, Allegheny County District Attorney Stephen A. Zappala Jr. said last week. Zappala issued guidelines to school districts on how to keep surveillance legal and called on lawmakers to amend the law after state police raised questions about one bus company’s practice of taping students’ actions and voices on buses. “I hope a public debate plays out on this issue,” Zappala said during a news conference. [Source]

 

US – Mandatory ISP Data Retention: U.S. to follow E.U. example?

New requirements for ISPs to retain customer data are being explored in the US, inspired by Europe’s recent Directive. But that Directive must be implemented with care, warns an EU Working Party on Data Protection. The explosive idea of forcing Internet providers to record their customers’ online activities for future police access is gaining ground in state capitols and in Washington, D.C. Top Bush administration officials have endorsed the concept, and some members of the U.S. Congress have said federal legislation is needed to aid law enforcement investigations into child pornography. Privacy advocates are concerned that data retention requirements would give police the power to obtain online records that typically are not available after a few months. [Source] [Source] [Source]

 

AU – Private Data Is Up For Grabs

The national telecommunications watchdog is yet to protect a massive database containing personal information on every Australian with a phone number. It is 2 1/2 years since the Australian Communications and Media Authority first raised concerns about misuse of the data. An industry standard to restrict business use of the Integrated Public Number Database was expected to be in force by the second half of 2004, but it has been delayed. Instead of releasing a final standard, as expected, ACMA will release a further draft that will then be subject to further public consultation. [Source]

 

US – TSA Appoints New Privacy Chief

The Transportation Security Administration (TSA) has announced the appointment of Peter Pietra to serve as the agency’s director of privacy policy and compliance. The Homeland Security Department said in a news release that Pietra’s appointment, as well as increased staffing in TSA’s privacy office, demonstrates the department’s commitment to privacy. Pietra most recently served as TSA’s assistant chief counsel for information law. [Source]

 

US – GAO: Feds Must Standardize Info-Sharing Policies

More than four years after the 2001 terrorist attacks, the federal government still lacks processes and policies to improve how agencies share terrorism-related and sensitive-but-unclassified (SBU) information, the Government Accountability Office said today in a new report. “Until government-wide policies and processes on sharing are in place, the federal government will lack a comprehensive road map to improve the exchange of critical information needed to protect the homeland,” the report states. GAO found that the 26 agencies it reviewed have 56 different SBU designations. No government-wide rules, however, determine how they are applied or how they differ. More than half of the 26 agencies reported they have problems sharing information, the report states. The Homeland Security Department, for instance, told GAO that it had posted SBU information for state and local partners to public Internet sites. [Source] [Report] [Report Highlights]

 

US – Time Running Out On Federal Data Breach Notification Law

Congress has yet to sort out the differences that are stalling the passage of a single national standard that would make it easier for companies to comply with one law rather than individual state laws. With the recent passage of bills in Utah, Wisconsin and Indiana, companies must be mindful of 23 different state laws when it comes to notifying consumers after a security breach. Consumer groups are staking out their ground by urging lawmakers to approve a federal law that is as strict as California’s notification law. Observers are predicting that time is running short to reach a compromise and still get the bill approved before November’s mid-term elections. [Source]

 

US – Privacy Advocates Oppose Employment Verification in Federal Immigration Bill

Legislation that would require all employers to use a system to screen job applicants against federal databases to determine whether they are eligible to work in the U.S. has drawn fire from the ACLU. The employment verification system has operated as a voluntary pilot program for employers. Last year, the GAO criticized the program for its inability to detect identity fraud. [Source] [Source]

 

US – Arizona House Approves Notification Bill

The Arizona House has unanimously approved a bill (HB2484) that would require companies to notify Arizona residents if a security breach exposes unencrypted personal information, including Social Security and driver’s license numbers. The notification would have to include details about the breach and the steps the company took afterward. Lawmakers are eager to address identity theft after the FTC identified Arizona as the state with the highest per-capita rate of ID theft-related consumer complaints. The bill also prohibits businesses from knowingly discarding paper records or documents with sensitive identifying data without first redacting the data or shredding or otherwise destroying the documents. If the bill becomes law, it would take effect Oct. 1. [Source] [Source]

 

US – California’s Senate Public Safety Committee Hears ID Theft, Phishing Bills

California Sen. Chuck Poochigian has introduced a package of bills designed to address ID theft and phishing crimes. A bill to combat “High-Tech Phishing Scams” passed the committee unanimously yesterday. Noting that 15% of all phishing scams originate from California, Poochigian’s bill would make phishing a crime punishable as a felony or misdemeanor. Another bill approved unanimously by the committee was a measure to track ID theft on the California crime index, which would add ID theft to the list of crimes tracked and reported annually by the attorney general as a way to improve statistical analysis of the escalating offense. Two other bills, “Enhancements for ID Theft Traffickers” and “Criminal Identity Theft,” will be taken up by the committee on April 25. [Source]

 

US – Maine Sale of Wireless Phone Records Now Outlawed

It’s now illegal in Maine to sell personal cell phone records. Gov. John Baldacci has signed into law a bill making it a crime and a civil violation to sell wireless phone records. Records are lifted by people posing as customers, hacking into wireless-company records, using spyware to get them or buying the records from unscrupulous employees. Landline records are already protected under federal law. [Source]

 

US – New York (Westchester County) Enacts ID Theft Law

Westchester County this week enacted a law that is designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers’ credit card numbers or other financial information. The law also requires that businesses offering Internet access – coffeehouses and hotels, for example – post signs warning that users should have firewalls or other security measures. [Source]

 

US – Privacy Concerns Surround Use of Devices to Help Keep Truckers Alert

A device that tracks how often and how long truckers blink is intended to help prevent crashes in cases of driver fatigue. But in cases of lawsuits and employee discipline, drivers are asking questions about their privacy and who controls the data the devices collect. [Source]

 

 

--------