CA – PEI Commissioner: Name Tags Breach Privacy

The province will draft a new name tag policy for nurses in continuing care facilities after a ruling by P.E.I.’s acting freedom of information and privacy commissioner, Karen Rose. In the past some nurses were required to have their first and last names on their tag. A year and a half ago, a nurse at a continuing care facility filed a privacy complaint. She had security concerns arising from having her full name on her name tag. Nurses repeatedly have difficulty with former patients who stalk them or specifically seek them out when they return to the hospital. In a recent order, Karen Rose agreed that the name tags could pose an immediate personal risk. Nurses in PEI are hoping to extend the ruling to cover all nurses, not just long-term care nurses. [Source]

CA – Alberta Commissioner Reprimands Firm for Disclosing Employee Information

Alberta’s privacy commissioner has reprimanded a onetime Edmonton-based computer firm for giving out personal e-mail addresses and the home phone numbers of former technicians, without consent, to their co-workers, websites and customers. The two former employees of Doctor Dave Computer Remedies Inc. alleged the information was used to encourage employees to initiate legal action against them and to make unwanted contact with them. The reprimand is the first order issued under the Personal Information Protection Act since its inception in early 2004. [Source]

CA – Liberal Website Gaffe Reveals Donations, Home Numbers

The fundraising activities of the Liberal leadership candidates - as well as their home phone numbers and addresses - were released on Wednesday. The party posted lists of donations received by each candidate on its website in the late afternoon, which were supposed to cover the period ending July 31. However, that portion of the site was soon made inaccessible after the privacy gaffe was discovered. [Source]

CA – Survey: One in Five Victims of Identity Theft

A recent survey found that one in five Canadians either have, or know someone who has, been a victim of identity theft. The study, carried out by Leger Marketing on behalf of uni-ball, a pen manufacturer, also found that Canadians could be doing more to protect themselves against fraud. Although four out of five Canadians claim to regularly destroy sensitive documents relatively few secure their signature or other information on documents with permanent ink. [Source]

US – ID Security Company Finds Snags in Credit Fraud Alert System

Consumer advocates have long complained that the fraud alert system mandated by Congress in 2003 as a consumer’s first line of defense against identity theft does not always work properly. So Debix, a company seeking to enter the market for ID theft prevention services, recently recruited 54 data security and privacy experts to test the system. They claim to have found some kinks. The Debix study said that in 40% of the cases she examined, it appeared that fraud alerts had failed to put all the reporting agencies on notice to prevent new credit accounts, loans and other debts from being opened in a consumer’s name without a verifying phone call from the creditor. The implication is that “you’ve got millions of people who think that they have fraud protection in place when actually they don’t.” [Source]

UK – Gov't Data Sharing Plan Sinks Fundamental Privacy Principle

A UK government plan for data sharing between public bodies threatens to further undermine civil liberties in the wake of the ID cards debacle. The Guardian reports that Ministers are preparing to announce next month that public bodies can assume they are free to share citizens' personal data with other arms of the state, so long as it is in the public interest. The policy was agreed upon by a cabinet committee set up by the prime minister, and reverses the current default position - which requires public bodies to find a legal justification each time they want to share data about individuals. The officials behind the "transformational government" scheme say data sharing could present a more consumer-friendly face to government, and help tackle social problems such as prisoners re-offending. For example, officials say, when moving house, a citizen would register the change online once with their local authority's "one stop shop". It would update its own records, that of the new local authority, and then of central government, including the electoral register, DVLA and Inland Revenue. [Source]

US – Privacy Activists Question Use of CIA-Backed Medical Data Software

Privacy advocates have expressed concern about venture capital firm. In-Q-Tel’s investment in Initiate Systems, which sells software used to manage electronic health records. In-Q-Tel is backed by the CIA. Health care providers in the U.S. and in Canada use Initiate Systems indexing software, which locates patients’ medical records at various locations with the use of an identifier created from names, birthdates, addresses and other demographic data. Initiate does not have access to the providers’ clients’ health data. “There’s a smell test that happens here, and it doesn’t smell right,” said David Fewer, general counsel for the Canadian Internet Policy and Public Interest Clinic. “The optics require that foreign intelligence services stay well away from the delivery of health care services in Canada.” [Source] [BC NDP worry over In-Q-Tel software][Source] [Source]

EU – European Leaders Agree to Share Data on Air Passengers

Ministers from six EU nations have agreed to seek closer police co-operation and better ways to detect explosives while moving to combat Muslim radicalization, government ministers said this week. Intelligence officials will increase exchange of passenger information and find means to censor Internet sites that teach bomb-making, they promised. [Source] [Every airport traveller ‘will be fingerprinted’]

EU – Germany Has Doubts Over Legality Of EU Data Retention Directive

In an expert opinion the Scientific Services of the lower chamber of Germany’s federal parliament, the Bundestag, have voiced serious doubts about the implementability into German national law of the controversial EU directive on the retention of telephone and Internet data. “There are serious doubts about whether the directive in the form adopted is compatible with the law of the European Communities,” it says in the study which heise online has seen. These doubts on the one hand touched upon the choice of legal basis and on the other upon the compatibility of the directive with the fundamental rights recognized in European Community law, the study notes. Should the Bundestag nonetheless pass a law on the retention of telecommunications data the scientists engaged to advise parliament on such matters fear that such an Act would inevitably in addition raise the issue of incompatibility with the basic rights to informational self-determination and the privacy of telecommunications. [Source]

UK – Royal Bank of Scotland Accused of Dumping Customer Data

NATWEST and the Royal Bank of Scotland are being investigated for allegedly dumping customers’ financial details in bins. The Information Commissioner’s Office is looking into claims that both banks breached data protection rules. It follows a complaint from the campaign group Scamsdirect which apparently found customers’ financial details in bins near two banks in Hampshire. [Source]

CA – Ontario Psych-Patient Files Held by Police as Doctor Investigated

Hundreds of patients of an Ontario psychiatrist charged with possession of child pornography are unaware that confidential records containing their most intimate thoughts have been in the possession of the Peel Regional police force for the past three years, the Toronto Star has learned. The confidential records, stored on the hard drive of a computer seized by the police, include detailed notes on all of the psychoanalysis sessions he conducted at his Hamilton office between about 1994 and 2004. [Source]

US – 10 Stolen Computers Contained Patient, Doctor Records

HCA Inc. says 10 computers containing Medicare and Medicaid billing information and records of employees and physicians were stolen from one of the company’s regional offices. HCA officials will not say where or when the theft occurred because they believe that might help the thieves, who authorities believe were after computer hardware, not personal identity information. [Source]

US – Michigan Laptop Theft puts 28,000 Home Patients at Risk

The theft of a nurse’s laptop has exposed more than 28,000 Beaumont Hospital Home Care patients to possible identity theft and release of sensitive information about their health. The security lapse, disclosed Tuesday by Beaumont officials in Troy, is not an isolated occurrence in these days of portable technology and information sharing, but it underscores the need for greater enforcement of laws intended to protect patients’ privacy, advocates said. [Source]

US – Laptop from Georgia Health Firm Stolen: 51,000 People at Risk

In another national case of data theft, a Georgia health care company reported a laptop containing 51,000 patients’ personal information was stolen. PSA HealthCare said a laptop computer was stolen from an employee’s car on July 15. The computer contained personal information on current and former patients, including their names, addresses, Social Security numbers and medical case information. It did not include banking information or credit card numbers, and the computer was password-protected, the company said. The company quietly announced the data theft in an Aug. 4 press release titled “PSA HealthCare Announces Data Security Update.” [Source]

US – New Hampshire Governor and EC Doubt Real ID

The governor and Executive Council yesterday said they had serious questions about Real ID that could keep New Hampshire from participating in the national driver's-license law. The Real ID Act of 2005 called for all states to conform to a multitude of national requirements by 2008. The Department of Homeland Security chose New Hampshire as one of two test sites, offering the state $3 million to be a Real ID pioneer. To accept the grant, the state Department of Safety needs approval from the Legislature and from the governor and council. Although many lawmakers opposed Real ID this past session, the Legislature's joint fiscal committee - which controls the purse strings and acts on behalf of the Legislature when lawmakers are out of session - voted 8-2 earlier this month to approve the Real ID request. Lynch and the councilors, though, said they have major qualms with Real ID. [Source] [Source] [New Hampshire Lawmakers argue pros and cons of Real ID program]

US – Gilmore Wants His ID Case Heard By Supreme Court

John Gilmore has waged a long legal battle against the government in an attempt to make them produce the regulation that requires airline passengers to show identification before boarding a plane.[Link] Because Gilmore refuses to do so, he does not fly, and has not since 2002. He also does not ride Amtrak or stay in most hotels. His stance even makes it difficult for him to enter the courthouses where his cases have been heard. His court battle now goes before the highest court in the country, where a petition was filed by lawyers at Akin Gump. [Link] Supreme Court cases present a larger question that will be argued before the justices. In this case, the question is: “May the government keep secret a directive that is generally applicable to millions of passengers every day notwithstanding that it (i) has acknowledged both the directive’s existence and its contents, and moreover (ii) has identified no special circumstance that nonetheless justifies secrecy.” [Source]

US – Qwest Supports Law Mandating ISPs Retain Data

Broadband company Qwest Communications strongly endorsed federal legislation requiring Internet providers to keep records of their customers’ behavior, a move that could accelerate efforts in Congress to enact new laws. [Source] [ACLU assails Qwest move to stop telling customers of data release] [Qwest denies calling for data retention laws] [Qwest says Oops]

AU – Australia Authorities Tap More than 1000 Phones in Victoria

Police and spy agencies have secretly bugged the telephones of more than 1000 Victorians suspected of committing crimes, a new report shows. Australia-wide, police and other authorities listened to and recorded the private conversations of 7000 people in the past three years, according to the Telecommunications (Interception) Act annual report. In total, warrants allowing telephone intercepts were issued to Victoria Police 1033 times in the past three financial years, at a total cost of $10.3 million. The secret bugs were used to help Victoria Police to investigate drug trafficking operations 486 times, murder 255 times, bribery or corruption 70 times, organized crime 34 times, and kidnapping cases 23 times. Some of the bugs were in place for as long as 180 days. [Source]

JP – Internet-Related Crime Climbs to New High in Japan

Statistics from Japan’s National Police Agency show Internet-related crime has reached a new high during the first half of 2006; the 1,802 reported cases mark a 12% increase over the same period last year. Fraud accounted for the largest portion (40%) of reported Internet crime. Illegal access of computer networks accounted for 265 of the reported cases, a 34% increase over last year’s figure. These crimes include phishing attacks and illegally accessing people’s banking accounts. [Source] [Source]

US – A.G. Announces Ad Campaign on Internet Safety

Attorney General Alberto Gonzales announced a new public service campaign that will warn teenage girls against posting information on the Internet that could put them at risk of attack by child predators. According to a Justice Department study, one in seven children using the Internet has been sexually solicited and one in three has been exposed to unwanted sexual material. [Source]

WW – Windows Chat Software to Feature “Report Abuse” Icon

Users of Windows Messenger can now report suspected sexual predators of children with a mouse click. A "report abuse" icon will soon appear on the chat software as a result of work by the UK's Child Exploitation and Online Protection Centre. [Source]

EU – German Justice Minister Calls for Limits to Net Anonymizer

The Minister of Justice of the German federal state of Schleswig-Holstein Uwe Döring has called for limits to be set - in the interest of combating terrorism - on anonymization on the Internet. The Minister said that the Independent State Center for Data Protection of Schleswig-Holstein should take the anonymization program it offers as a free download off the Internet immediately. [Source]

US – AOL’s Free Virus Software Raises Privacy Concerns

AOL is in hot water again with consumer advocates, this time over the company’s Active Virus Shield anti-virus software. At issue is the software’s licensing agreement, which authorizes AOL to gather and share data on how the software is being used and permits AOL and its affiliates to send e-mail to users. AOL security tools raise adware questions – Active Virus Shield’s license agreement would allow AOL to send spam or serve up adware. [Source]

US – Yahoo Testing Anti-Phishing Security Service

Yahoo web sign-in pages from phishing sites designed to look like Yahoo sign-in pages. Users have to install the Yahoo sign-in seal on their computers; once installed, the seal will appear on legitimate sign-in screens. The service currently works only with US Yahoo sites and has not yet been officially announced. [Source] [Source] [Source]

AU – Australian Organization Fires More than 100 Workers Over Privacy Breach

Australia’s Centrelink has dismissed or forced out more than 100 workers, and disciplined hundreds more, for privacy breaches such as snooping on the records of neighbors and former lovers. A two-year dragnet of 25,000 Centrelink staff uncovered 790 cases of “inappropriate access” to the records of welfare recipients since 2004. [Source] [Smartcard concern after Centrelink breaches] [Most welfare snoops were 'helping relatives']

AU – Australia Victoria Privacy Commissioner Warns Police to Boost Data Security

In a report tabled in Parliament this week, the state's privacy watchdog has placed the Chief Commissioner on notice over the mistaken release of 7000 pages of confidential police files, leaked last year in Victoria's biggest privacy breach. Privacy Commissioner Paul Chadwick issued a compliance notice to Victoria Police, warning that it must improve security for its LEAP police files database. The Victorian Justice Department - which was implicated in the bungle – has also been issued with a compliance notice and told to lift its game. A LEAP management unit in Victoria Police mistakenly emailed confidential police files to two people in July last year: a Justice Department senior bureaucrat, and a corrections officer who had complained about his own files being accessed inappropriately. [Source]

US – Three AOL Employees Leave in Search Data Fallout

AOL’s chief technology officer left the company and two other workers were fired in the aftermath of a privacy breach that involved the intentional release of more than 650,000 subscribers’ Internet search terms, as part of a program to assist academic researchers. [Source] [AOL Pledges To Review Its Privacy Practices] [AOL’s screw-up should be more than just a wake-up call] [AOL Moves to Increase Privacy on Search Queries] [Top 10 Consequences of AOL’s Data Breach]

US – University CIO Resigns and Two IT Executives Fired After Data Breaches

The director of network communications services and the manager of Internet Systems for Ohio University were fired in the wake of five cases of data theft exposing up to 173,000 social security numbers. The CIO also resigned. In their letter of termination, the employees were told, “you clearly should have foreseen the risks and consequences of IT security breaches, and also should have taken a much more responsible role in securing the wide area and local area networks under your responsibility.” [Source] [Source]

US – Study Turns Up Problems with eVoting System in Ohio

A report based on a study of a May 2006 primary election in Ohio indicates that the electronic voting system used in the election presents significant concerns about accuracy. Close to 10% of the paper versions of the votes, or the voter-verifiable paper audit trail, generated by Diebold Election System’s AccuVote TSx touch-screen voting equipment were “either destroyed, blank, illegible, missing, taped together or otherwise compromised.” According to the report, 72% of polling places showed a discrepancy between the voting record on the machine’s memory card and the paper ballots the system generated. The report also indicated that printer problems including jamming and improperly loaded paper rolls could present serious accuracy concerns. The report strongly recommended that election workers be trained in the use of the machines, that the printers be tested and that contingency plans be developed. A Diebold spokesperson has questioned the methods used in the study; he maintained the discrepancies were the result of matching memory cards with the wrong sets of paper ballots. [Source] [Maryland Governor Not Convinced eVoting Machines Are Accurate]

US – RFID Vendors Form Group to Counter RFID Privacy Concerns

Five smart card industry vendors have formed an interest group to counter the increasing flow of stories in the mainstream press in the U.S. questioning the security and privacy of chip-based ID documents. Card makers Gemalto and Oberthur Card Systems and chip manufacturers Infineon Technologies, Philips Semiconductors and Texas Instruments announced the formation of the “SecureID Coalition,” which will seek to “promote the understanding and appropriate use of smart card technology” and how the technology can help in “maintaining user privacy.” The founding members, most based in Europe but which have significant U.S. operations, announced the new group today during the first day of the meeting of the National Conference of State Legislators, which represents lawmakers from the 50 U.S. states. Wiley says vendors formed the group specifically in response to a proposed law in California barring use of contactless or RFID chips in government-issued ID documents and a controversial border-crossing card planned by the U.S. Department of Homeland Security. [Source]

US – Report: RFID Chip Leave Visa Data Unsecured

Foreign visas and information on U.S. aircraft protection are vulnerable to unauthorized access because of shortcomings in the Homeland Security Department’s use of technology, according to a report released by the department’s inspector general. The report says the security issues involve the use of radio frequency identification chips (RFID) and databases at three Homeland Security agencies. “These security-related concerns, if not addressed, increase the potential for unauthorized access to DHS resources and data,” the report said. “We identified vulnerabilities on databases that could be exploited to gain unauthorized or undetected access to sensitive data.” The report was only able to focus on Customs and Border Protection (CBP), Transportation Security Administration (TSA), and the U.S. Visitor and Immigrant Status Indicator Technology program (US-VISIT) because the department lacks “an accurate inventory of systems using RFID technology.” [Source] “The flexibility and portability of RFID technology and devices, as well as the information that resides on the tags, increases the need for security and privacy controls,” the report said. The report found security concerns in password management, user access permission and a lack of auditing in the systems that CBP uses to track foreign visitors upon entry at the two U.S. land borders. Homeland officials agreed with the inspector general’s findings and say additional security measures will be taken and guidelines developed to secure databases.

US – Survey: Laptops, Handhelds Pose Significant Data Security Risk

A recent survey of 484 technology professionals, carried out by the Ponemon Institute, indicates that 81% of U.S. companies lost laptop computers that held sensitive data last year. Handhelds and laptops posed the greatest risk to sensitive data, followed by USB sticks, desktops and shared file servers. More than half of the respondents said data on USB drives are not protected; 20% said at least one USB drive holding data is lost each month at their workplaces. More than half of the companies surveyed said they would not be able to determine what information was contained on missing USB drives and nearly half of respondents said they would not be able to determine the info contained on handheld devices. 64% said they had never compiled an inventory of sensitive consumer or employee data. [Source] [Source] [Source]

CA – BC Unveils New Information Security Policy

British Columbia embarked on a project 2 years ago to redevelop its policy concerning information security. The new CIO policy is based on the ISO standard ISO/IEC 17799:2005 and includes material from other best practice guidance such as the Information Security Forum’s Standard of Good Practice for Information Security, documents from the NIST in the U.S. and COBiT from the IT Governance Institute. British Columbia is the first jurisdiction in Canada to develop policy at this level of detail and among the very few jurisdictions internationally to have policy of this nature. [Information Security Policy]

US – Judge Finds NSA Warrantless Surveillance Program Unconstitutional

A federal judge last week struck down President Bush’s warrantless surveillance program, saying it violated the rights to free speech and privacy, as well as the separation of powers enshrined in the Constitution. U.S. District Judge Anna Diggs Taylor in Detroit is the first judge to rule on the legality of the National Security Agency’s program, which the White House says is a key tool for fighting terrorism that has already stopped attacks. “Plaintiffs have prevailed, and the public interest is clear, in this matter. It is the upholding of our Constitution,” Taylor wrote in her 43-page opinion. [Source] [Source] [Source] [Source] [White House vows fight for wiretaps] [Wiretap Ruling Could Give Telcoms Legal Headaches]

[Judge’s ruling may provide grounds to impeach Bush]

US – Officials Seek Greater Access to Airline Data

U.S. and European authorities, looking for more tools to detect terrorist plots, want to expand the screening of international airline passengers by digging deep into a vast repository of airline itineraries, personal information and payment data. A proposal by Homeland Security Secretary Michael Chertoff would allow the U.S. government not only to look for known terrorists on watch lists, but also to search broadly through the passenger itinerary data to identify people who may be linked to terrorists. Chertoff told reporters that law enforcement agencies will take care not to overstep privacy bounds as intelligence gathering and sharing is increased. [Source] [EU Security services will be given passenger data on all European flights] [Privacy Safeguards Promised]

US – AT&T Claims Data Brokers Fraudulently Obtained Customer Info

AT&T has filed suit to identify 25 data brokers who it claims fraudulently obtained phone-calling records for about 2,500 customers without their approval. AT&T said the data brokers posed as customers to get the records, which are often used in legal or domestic disputes. [Source]

US – ACLU Seeks Phone-Record Inquiry

Petition asks regulators to investigate whether firms gave data to NSA: ACLU members delivered a petition to the Colorado Public Utilities Commission this week pushing for an inquiry on whether state phone companies shared customer call information with the National Security Agency. [Source]

US – Government: Automakers Must Disclose ‘Black Boxes’ By 2011

The National Highway Traffic Safety Administration said this week automakers must disclose that cars have event data recorders that collect information about the driver’s operation of the car. The disclosure will take effect beginning with the 2011 model year vehicles. Supporters say the devices, known as “black boxes,” provide critical information that helps to improve safety features. However, privacy experts have raised concerns about how the information could be used against a driver. In many cases, privacy advocates have said that drivers were unaware that the vehicles contained the devices. [Source] [Australia - Auto “black boxes” arrive down under]

US – IRS Outsourcing Plan Heading For a Fight

As the Internal Revenue Service prepares to implement a new program that sends private debt collection agencies after delinquent taxpayers, critics - including several lawmakers and the employee union at the Treasury Department - are gearing up to protest it. Opponents say that the IRS will pay private debt collectors more to do what government-paid employees could do and that the agency is not doing enough to let the public know about the new program, set to launch in early September. [Source]

US – Privacy Concerns Continue to Bedevil Livestock ID Program

U.S. Agriculture Secretary Mike Johanns assured livestock owners Wednesday that information collected in a planned animal identification program will be kept confidential and used only in the event of a disease outbreak. [Source] [Vermont Privacy Concerns Put Animal ID on Hold]

US – Education Dept. Offers Free Credit Monitoring for 21,000 Students

The Education Department said this week it would arrange for free credit monitoring for as many as 21,000 student loan borrowers after their personal data appeared on its Web site. The department's chief operating officer for federal student aid, said the people involved are holders of federal direct student loans who used the department's loan Web site between Sunday and Tuesday. [Source]

--------