Privacy News Highlights

22 December–04 January 2007

Contents:

CA – B.C. Studying Use of Biometrics for Next Generation of Driver’s Licenses

EU – Germany to Add Fingerprints to Passports

CA – Canadian Insurance Companies Offer Consumers ID Theft Coverage

CA – Stoddart: Retailers to Mask Card Numbers; Holiday Shoppers Should Protect PII

US – FTC to Host Workshop on Negative Option Marketing

US – Government Agencies to Test Employees with Phishing Attacks

WW – Spam Volume Up 35% to 63 Billion Per Day

WW – Encrypted, Yet Searchable, Archiving

EU – One-Third of Top UK Companies Do Not Comply with EU Privacy Directive

UK – APACS Declines to Name Banks with Poor Online Security

CA – Amendments to "General" Regulation under PHIPA

AU – E-Health Officials Seek Comment on Plan to Create New Central Database

WW – Nissan Customer Database Leak

US – Utah Valley State College Data Breach

US – Indiana Hospital Notifies Patients of Data Theft

US – Stolen Computer Tapes Hold Insurance Records

US – Texas Woman’s University Notifies Students of Data Compromise

US – State Prints Names, SSNs On Tax Forms

UK – UK Government Changes Plan on ID Card Database

UK – Public Online Authentication Plan Criticised

US – Sony BMG Settles with 39 More States

EU – French Court Favors Personal Privacy Over Piracy Searches

WW – Cyber Criminals Got More Sophisticated in 2006

WW – MySpace Increasingly Facing Unfriendly Attacks

US – Suit Could Set Boundaries for Privacy in Online Diaries

WW – Google’s Blogger Adds Privacy Options

US – Data Security Breaches Top Execs’ List of Concerns

WW – IBM Introduces RFID Tag Middleware To Promote Real Time, Secure Data Sharing

WW – 3M Deploys RFID Specimen Tracking at Mayo Clinic

US – DHS Sets Rules For Port ID Cards

US – State Fusion Centers Pose Privacy, Other Concerns

US – These Shoes Are Made For (GPS) Tracking

US – TSA’s Secure Flight Program Violated Privacy Act

EU – EU Leader Seeks Answers From DHS About Border Security Program

US – OneDOJ Database Raises Privacy Concerns

US – Bill Aims to Enhance VA Data Security

US – Cyber Legislation Before Congress in ’07

US – New Law Takes Effect In Illinois

US – Credit Freeze Bill Takes Effect Jan. 1 In N.H.

US – Lawmakers File Security Freeze Bill In Arkansas

US – Three New Laws to Combat ID Theft Take Effect In Hawaii

US – Credit Freeze Law Takes Effect in Pennsylvania


CA – B.C. Studying Use of Biometrics for Next Generation of Driver’s Licenses

B.C.’s Solicitor-General John Les said driver’s licenses that use biometrics could strengthen efforts to prevent ID theft and bolster arguments against a U.S. requirement that Canadians must obtain a passport when visiting the U.S., starting in 2009. Officials are studying the potential use of biometrics in the next generation of driver’s licenses. The province’s privacy chief, David Loukidelis, said he has an “open mind” when it comes to biometrics. He added that biometrics could protect a person’s privacy by making it more difficult for ID thieves to forge identification. [Source]

 

EU – Germany to Add Fingerprints to Passports

Germany’s Cabinet said this week it would propose a new law requiring passports to store two fingerprint images starting in November 2007. Since 2005, Germany has been issuing passports with contactless smart card chips that store a digital photo of the bearer along with biographical information. The EU has mandated that member states start adding fingerprint data to their passports by 2009, to provide a more reliable way to verify an individual’s identity. [Source]

 

CA – Canadian Insurance Companies Offer Consumers ID Theft Coverage

Canadian consumers have the option of buying ID theft insurance from most insurance companies, which have brought the policies to the market within the past few years. The policies typically are added to house, condo or apartment insurance for $30 to $40 a year. One company is planning to offer a separate ID theft policy sometime in 2007. [Source]

 

CA – Stoddart: Retailers to Mask Card Numbers; Holiday Shoppers Should Protect PII

Jennifer Stoddart, Canada’s Privacy Commissioner, said retailers have reassured her that they will use technology in 2007 that will mask credit-card numbers on receipts. Stoddart said her office will monitor the issue in the New Year. Stoddart also warned consumers to do their part to protect their privacy. She reminded them that rewards programs or warranty cards often are used to collect personal information and for marketing efforts. Holiday shoppers should protect their personal information to reduce the risk of becoming victims of fraud and to avoid unwanted telemarketing calls and junk mail. The Commissioner offered several privacy tips to holiday shoppers. [Source] [Source] [Source]

 

US – FTC to Host Workshop on Negative Option Marketing

The FTC will host a workshop on January 25 in Washington, D.C. to analyze the marketing of goods and services through offers with negative option features. The workshop, which will bring together consumer representatives, academics, and industry leaders, will address the pros and cons of such offers, discuss online marketing of such offers, and explore ways to make effective disclosures when such offers are made online. The workshop is free and open to the public. [Source]

 

US – Government Agencies to Test Employees with Phishing Attacks

U.S. military services and several agencies will use penetration testing software to “launch diagnostic phishing attacks against their own workers.” The goal is to see how well government employees follow email security policies. The software can be used for general phishing attacks as well as spear phishing attacks, which are aimed at specific targets. Agencies planning on using the software include the National Institute of Standards and Technology, the Department of Homeland Security, the Department of Veterans Affairs, and the Departments of Labor, Energy and Agriculture. [Source]

 

WW – Spam Volume Up 35% to 63 Billion Per Day

Spam volume soared another 35% in November, said e-mail security vendor IronPort Systems, and the month saw spam tactics that reduced the efficiency of traditional anti-spam filters. “There’s been a huge increase in spam volume, from 31 billion spams a day on average in October 2005 to 63 billion in October 2006.” [Source]

 

WW – Encrypted, Yet Searchable, Archiving

Unstructured business content is increasingly considered one of the most valuable assets in the enterprise. At the same time, organizations must balance two seemingly conflicting objectives for this content. They must meet their fiduciary responsibility by protecting it from unauthorized access and use, through encryption and rights management. They must also preserve it for future search and disclosure through archiving. Traditionally these goals were hard to reconcile: content that was encrypted was opaque to the archive’s search, so organizations had to choose one or the other. Today, however, organizations are adopting secure archiving and retrieval tools that support encryption as well as enterprise rights management (ERM). Encryption controls who can see content such as email and documents, particularly while it is in transit or at rest in the archive. ERM controls what can be done with that content, and by whom, on a granular basis. With these tools, organizations can keep their unstructured content secure, archived, and searchable. [Source]
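To make the "encrypted yet searchable" idea concrete, here is an added example (not code from the article or from any archiving vendor) of the simplest technique that achieves it: the archive stores only ciphertext plus a keyed blind index, in which each keyword is replaced by an HMAC token. Searches are answered by looking up the token, so the archive never decrypts anything. Everything here is an assumption for illustration: the `EncryptedArchive` class, the sample messages, and the HMAC-SHA256 counter-mode keystream, which stands in for AES-GCM so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# Added example, not the article's or any vendor's code. The archive keeps
# only ciphertext and a keyed "blind index" of keyword tokens, so keyword
# search works without decrypting. The keystream below is an HMAC-SHA256
# counter-mode stand-in for AES-GCM (assumption made so the example needs
# no third-party library); use an authenticated cipher in production.

WORD_RE = re.compile(r"[a-z0-9]+")


def derive_key(master_key: bytes, purpose: bytes) -> bytes:
    """Derive an independent sub-key per purpose from one master key."""
    return hmac.new(master_key, purpose, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks until `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    """XOR data with an equal-length keystream (encrypt and decrypt are the same op)."""
    return bytes(a ^ b for a, b in zip(data, stream))


def blind_token(index_key: bytes, word: str) -> str:
    """Deterministic keyed token for a keyword; without the key it cannot be inverted."""
    return hmac.new(index_key, word.lower().encode(), hashlib.sha256).hexdigest()


class EncryptedArchive:
    """Encrypted document store whose keyword index never holds plaintext words."""

    def __init__(self, master_key: bytes):
        self._enc_key = derive_key(master_key, b"content-encryption")
        self._idx_key = derive_key(master_key, b"blind-index")
        self.docs = {}                  # doc_id -> (nonce, ciphertext)
        self.index = defaultdict(set)   # blind token -> {doc_id, ...}

    def add(self, doc_id: str, text: str) -> None:
        nonce = secrets.token_bytes(16)
        plaintext = text.encode()
        ciphertext = xor_bytes(plaintext, keystream(self._enc_key, nonce, len(plaintext)))
        self.docs[doc_id] = (nonce, ciphertext)
        # Index each distinct keyword under its blind token, never the word itself.
        for word in set(WORD_RE.findall(text.lower())):
            self.index[blind_token(self._idx_key, word)].add(doc_id)

    def search(self, word: str) -> list:
        """Answer a keyword query from the blind index; nothing is decrypted."""
        return sorted(self.index.get(blind_token(self._idx_key, word), ()))

    def read(self, doc_id: str) -> str:
        """Decrypt one document for an authorized reader holding the content key."""
        nonce, ciphertext = self.docs[doc_id]
        return xor_bytes(ciphertext, keystream(self._enc_key, nonce, len(ciphertext))).decode()


# Constructed sample messages for the demo (not real correspondence).
SAMPLE_MESSAGES = {
    "msg-1": "Board memo: the merger closes Friday; keep this confidential.",
    "msg-2": "Reminder: holiday party in the lobby at 4pm.",
    "msg-3": "Legal hold notice for all merger-related documents.",
}


def build_demo_archive() -> EncryptedArchive:
    """Populate an archive with the constructed messages under a fresh random key."""
    archive = EncryptedArchive(secrets.token_bytes(32))
    for doc_id, text in SAMPLE_MESSAGES.items():
        archive.add(doc_id, text)
    return archive


def plaintext_word_in_storage(archive: EncryptedArchive, word: str) -> bool:
    """Check whether stored data (ciphertext or index keys) exposes the word itself."""
    needle = word.encode()
    in_docs = any(needle in ciphertext for _, ciphertext in archive.docs.values())
    in_index = any(word in token for token in archive.index)
    return in_docs or in_index


if __name__ == "__main__":
    archive = build_demo_archive()
    print(archive.search("merger"))                   # ['msg-1', 'msg-3']
    print(archive.read("msg-2"))
    print(plaintext_word_in_storage(archive, "merger"))   # False
```

The caveat a practitioner should keep in mind: deterministic tokens let whoever hosts the index see which documents share a keyword and how often each token is queried, even though they cannot learn the keyword. That leakage is the subject of the searchable-encryption literature; products in this space differ mainly in how they bound it, and the index key must be held by the searching party, not the archive host. ERM (what an authorized reader may do after `read`) is a separate policy layer not shown here.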

 

EU – One-Third of Top UK Companies Do Not Comply with EU Privacy Directive

According to reports of a survey of 200 top UK companies, 31% are not in compliance with the EU’s Directive on Privacy and Electronic Communications. The directive requires that companies send unsolicited email to non-customers only if they have opted-in to receiving the email. Businesses that provide only an opt-out choice or that pre-select the opt-in choice are not considered to be in compliance. The survey looked at organizations from a variety of business sectors, including banking, credit card, publishing and travel. A similar study in 2005 found a noncompliance rate of 34%. [Source] [Source]

 

UK – APACS Declines to Name Banks with Poor Online Security

The UK’s payments association APACS says it will not release information about banks’ relative online security as members of the House of Lords Science and Technology Committee have requested. The committee is looking into Internet security and was told last week that phishing incidents had risen 8,000 percent over the last two years. [Source]

 

CA – Amendments to "General" Regulation under PHIPA

Regulation 537/06 made under PHIPA, which amends Regulation 329/04 (the "General" Regulation under PHIPA), has now been published in the December 23, 2006 Ontario Gazette. The amendments came into force on December 8, 2006. [Gazette]

 

AU – E-Health Officials Seek Comment on Plan to Create New Central Database

The Australian National E-Health Transition Authority has released a plan that calls for the establishment of a new central database to store the identifying details of every person accessing healthcare and all medical providers. The plan calls for the assignment of unique healthcare numbers for doctors and patients. The authority would enroll patients and manage the collection of data. Clinical information would not be stored on the database. However, doctors would be able to search for files using the patient’s assigned number as a way to identify previous care-givers. The authority’s chief executive, Ian Reinecke, said the system’s success depends on a strong privacy foundation. [Source] [NEHTA website]

 

WW – Nissan Customer Database Leak

Nissan has acknowledged that information from its customer database may have been leaked. The auto manufacturer plans to notify the approximately 5.38 million affected customers. Nissan plans to implement additional security measures in 2007, including physical security monitoring of secure areas and software to monitor databases and track all access to the databases. [Source] [Source]

 

US – Utah Valley State College Data Breach

The names, SSNs and other PII of approximately 15,000 Utah Valley State College (UVSC) students and faculty were inadvertently made available on Yahoo for about six weeks in November and December of last year. The data belong to students and faculty who participated in the college’s distance education program between January 2002 and January 2005. UVSC removed the files from its servers as soon as it became aware of the situation. The school plans to notify all individuals affected by the data security breach. [Source]

 

US – Indiana Hospital Notifies Patients of Data Theft

A hospital in Indiana has sent letters to 128 patients, notifying them that their personal information was contained on a laptop computer that has been missing since late November. The data include SSNs; there is no evidence the information has been misused. The hospital is considering security improvements, including encryption software and providing places to lock up computers. [Source]

 

US – Stolen Computer Tapes Hold Insurance Records

Computer tapes stolen during a burglary in Massachusetts are believed to hold personally identifiable information of approximately 42,000 New York City employees. The data include names and SSNs. The burglary took place at the offices of Concentra Preferred Systems, a vendor working with Group Health Insurance. Concentra also provides auditing for Aetna, who acknowledged approximately 130,000 customers across the country were affected by the breach as well. [Source]

 

US – Texas Woman’s University Notifies Students of Data Compromise

Texas Woman’s University (TWU) has sent letters to approximately 15,000 students notifying them that their personally identifiable information was exposed when an IRS tuition data document was sent to a vendor over a non-secure connection. The breach affected all TWU students who were enrolled at the school in the 2005 calendar year. [Source] [Source]

 

US – State Prints Names, SSNs On Tax Forms

The state of Wisconsin’s Department of Revenue mailed 170,000 tax forms to taxpayers with labels that also contained their Social Security numbers. The state contacted post offices to attempt to halt the mailing of the forms. The Department of Revenue acknowledged that printing the information on the labels was a mistake. [Source]

 

UK – UK Government Changes Plan on ID Card Database

The U.K. government has made changes on its controversial plans for a single ID card database. Instead of one huge, new National Identity Register (NIR) database, it will now be spread across three existing systems. John Reid, the Home Secretary, said it was “a sensible decision” but denied the government is taking a U-turn from its original plan. The change is needed to make the plan – now estimated at £5.4 billion over 10 years – more affordable. Some of the cost is expected to be met by individuals paying for the card. Another cost-cutting change is the removal of iris scan data from the system. Fingerprints and facial scans are the two remaining biometric data types. [Source] [Source]

 

UK – Public Online Authentication Plan Criticised

UK Government plans for a single authentication system for citizens accessing public services online may be derailed by procurement issues branded by one industry insider as ‘rank bad practice’. The GC Register component of the £27m Government Connects (GC) scheme will allow citizens to identify themselves once at login, and then be recognised by all public sector bodies that subscribe to the scheme. But council and industry groups are warning that the Department for Communities and Local Government (DCLG) is creating a de facto monopoly by endorsing a single product - CGI Excelsior. They are also concerned that the central GC team has not been clear about how such decisions are being made. [Source]

 

US – Sony BMG Settles with 39 More States

Days after reaching settlements with California and Texas regarding the use of a rootkit to hide digital rights management (DRM) software, Sony BMG has settled a suit with 39 other states that will see the company paying out more than US$4.25 million. According to the terms of the settlement, Sony will pay individuals who spent money to remove the software from their computers up to US$175 each. [Source]

 

EU – French Court Favors Personal Privacy Over Piracy Searches

A French court has ruled that copyright holders do not have free rein to monitor the Internet for people violating their copyrights. The case involved a man whose IP address was traced while he was using peer-to-peer software. In France, entities wishing to uncover the identities of individuals they believe are pirating content must obtain authorization from the National Commission for Information Technology and Liberty. Violating French citizens’ privacy could result in fines of up to 300,000 Euros. [Source]

 

WW – Cyber Criminals Got More Sophisticated in 2006

Computer security experts say 2006 saw an unprecedented spike in junk e-mail and sophisticated online attacks from increasingly organized cyber crooks. These attacks were made possible, in part, by a huge increase in the number of security holes identified in widely used software products. [Source]

 

WW – MySpace Increasingly Facing Unfriendly Attacks

MySpace bills itself as a “place for friends.” Increasingly, it is also a place for unfriendly attacks from digital miscreants on the prowl, luring users to sexually explicit Web sites, clogging mailboxes with spam messages and playing on the trust users have when speaking to “friends” to obtain passwords that could lead to identity theft. [Source]

 

US – Suit Could Set Boundaries for Privacy in Online Diaries

Lurid testimony about spanking, handcuffs and prostitution aside, a pending lawsuit could help establish whether people who keep online diaries are obligated to protect the privacy of the people they interact with offline. The case involves a Capitol Hill staffer who discovered his girlfriend had discussed intimate details about their sex life in her online diary. [Source]

 

WW – Google’s Blogger Adds Privacy Options

Google has released a new version of its Blogger service, adding privacy settings that restrict readership to a predetermined audience. Users can choose to have blogs accessible to anyone or just to themselves. [Source]

 

US – Data Security Breaches Top Execs’ List of Concerns

According to a Harris Interactive poll conducted in September, corporate executives at large companies place data security breaches and terrorism at the top of their list of concerns. Just 9% of the 197 senior executives surveyed said they are not concerned about data security. Executives say they are also worried about corporate malfeasance. [Source]

 

WW – IBM Introduces RFID Tag Middleware To Promote Real Time, Secure Data Sharing

IBM’s new middleware is based on the draft Electronic Product Code (EPC) Information Service standards, in order to better manage data. The RFID Information Center aggregates, cleans and analyzes information gleaned from RFID data feeds. IBM said the middleware will benefit the pharmaceutical industry by allowing manufacturers, distributors, hospitals and pharmacies to securely share data. The standards are set to be approved later this month, according to this Computerworld story. [Source]

 

WW – 3M Deploys RFID Specimen Tracking at Mayo Clinic

3M has announced the successful pilot of an RFID-based track and trace solution for Mayo Clinic, the well-known medical practice with diagnosis and treatment facilities scattered across the US. The RFID system will allow medical practitioners to better manage the specimens of patient tissue. The samples are tagged and tracked from the moment they are collected through until they are delivered to the pathology laboratory for analysis, a series of steps characterized as "crucial". The pilot lasted five months, and the results were praised by Mayo, which cited accurate data communication and verification, as well as improved efficiencies in specimen management as a few of the benefits. The plan now is to rapidly phase in an expansion of the pilot, aiming for completion in the early part of this year. [Source]

 

US – DHS Sets Rules For Port ID Cards

The Homeland Security Department this week issued a rule requiring seaport and maritime workers to undergo background checks and be credentialed before they are granted unescorted access to secure areas of vessels and facilities. The much-anticipated rule defines the enrollment process, disqualifying crimes, usage procedures, fees and other requirements for workers, port owners and port operators. More than 750,000 employees, union workers, mariners and truckers will have to get credentialed, paying up to $159 each. The credential will be a "smart card" bearing the photograph and name of each worker, an expiration date and a serial number. An integrated circuit chip will store the holder's fingerprint template, a personal identification number and a unique identifier. [Source] [Source]

 

US – State Fusion Centers Pose Privacy, Other Concerns

Privacy advocates question the vast amounts of personal information federally funded state fusion centers are collecting and whether strong enough protections are in place to limit data use and storage. The intelligence centers are located in 37 states. They were established in the aftermath of 9/11. Supporters say the information-gathering centers are a key element of state efforts to detect and disrupt terrorist plots. They also say agencies have improved in the area of information-sharing. However, after several years of operation, questions are emerging about the centers, including concerns about privacy. [Source]

 

US – These Shoes Are Made For (GPS) Tracking

Miami entrepreneur Sayo Isaac Daniel has designed sneakers that contain GPS technology. He hopes the shoes will catch on as a way to track the whereabouts of the person wearing them. The shoes have a hidden button near the laces that allows the wearer to send a distress signal. The use of GPS technology to track people offers much promise, analysts say. But the industry’s growth has been slowed by consumer privacy concerns, leaving many companies to tread lightly. [Source] [Current uses of GPS technology in Canada] [GPS Devices Let Parents Keep Tabs on Kids]

 

US – TSA’s Secure Flight Program Violated Privacy Act

A report from the Department of Homeland Security’s (DHS) privacy office says the Transportation Security Administration’s (TSA) Secure Flight program violated federal law during the program’s testing phase that ran from fall 2004 through spring 2005. The program obtained passenger data from data brokers without properly informing passengers, in violation of “a 1974 Privacy Act requirement that the public be made aware of any changes in a federal program that affects the privacy of US citizens.” The implementation of the test differed from TSA’s initial description. TSA said it would maintain a firewall between government systems and passenger data obtained from commercial sources. However, it appears that TSA may have accessed and stored such information. The program has been halted until privacy and security concerns are adequately addressed. TSA did revise the “public notice about the program to reflect more closely the program itself;” however, according to the report, the program is likely to run into more problems unless it adheres to a set of recommendations that include transparency regarding passenger data collection and use. [Source] [Source] [Source] [Source]

 

EU – EU Leader Seeks Answers From DHS About Border Security Program

European Commissioner Franco Frattini is questioning whether the DHS program known as the Automated Targeting System (ATS) is in conflict with a recent agreement between the U.S. and the EU over the handling of passenger name records. Published information about the ATS program “reveals significant differences” between the handling of passenger name records “on the one hand and the stricter regime for European PNR data according to the (agreement).” The agreement with the EU expires in July and the European Commission is expected to seek a revised pact with a “high level of data protection.” [Source]

 

US – OneDOJ Database Raises Privacy Concerns

The US Justice Department’s OneDOJ database is raising concerns among privacy and civil rights advocacy groups. The database will allow law enforcement officials at the state and local level to have access to “millions of case files from the FBI, the DEA and other federal law enforcement agencies.” The database poses concerns because police officers would have access to the personal information of suspects who have not been arrested or charged with a crime. OneDOJ has been under development for a year-and-a-half and holds approximately 1 million case records. That number is expected to triple over the next three years. [Source] [Source]

 

US – Bill Aims to Enhance VA Data Security

The Veterans Benefits, Health Care and Information Technology Act of 2006, signed into law by President Bush, addresses data security concerns raised by the theft last spring of equipment that held sensitive PII of millions of veterans and active duty members. The new law requires the VA to inform veterans when their data are exposed and to make available fraud alerts, credit monitoring and identity theft insurance. The VA must also provide Congress with reports regarding any security breaches. In addition, the law provides an incentive for the VA to recruit employees with IT skills commensurate with the department’s needs. The bill also increases funding for certain veterans’ health benefits. [Source]

 

US – Cyber Legislation Before Congress in ’07

A substantial article on upcoming legislation before Congress including data breach, patent reform, broadband networking and expanding the cap on H-1B visas for high-skilled immigrant workers from 65,000 to 115,000. [Source]

 

US – New Law Takes Effect In Illinois

Consumers in Illinois can place a security freeze on their credit under a new law that took effect Jan. 1. Requests to freeze a consumer’s credit must be made in writing. Consumers who obtain the credit freeze will no longer be able to obtain instant credit. [Source]

 

US – Credit Freeze Bill Takes Effect Jan. 1 In N.H.

New Hampshire’s Attorney General is touting the state’s new credit freeze law as a new tool to help consumers recover from the damaging aftermath of identity theft. Beginning Jan. 1, residents will be able to place a security freeze on their credit to prevent creditors from accessing their information. ID theft victims who obtain a copy of their police report can get the freeze for free. Other residents also will have the opportunity to freeze their credit for a $10 fee. [Source]

 

US – Lawmakers File Security Freeze Bill In Arkansas

A security freeze bill in Arkansas would require credit reporting agencies to freeze a consumer’s credit if requested by the consumer. The bill would allow a security freeze to be lifted temporarily to allow a specific company or person to access the credit history. The temporary suspension of the freeze would be accomplished by the credit agency’s issuance of a password or ID number that would authorize the release of the information. The bill would not charge ID theft victims, but other consumers would be subject to fees. [Source]

 

US – Three New Laws to Combat ID Theft Take Effect In Hawaii

Under a new law, businesses and government agencies are required to notify consumers in Hawaii when their personal information is compromised in a breach. Another new law allows ID theft victims to place a security freeze on their credit. A third new law requires businesses and governments to “take reasonable measures” when they throw away records containing personal information. [Source]

 

US – Credit Freeze Law Takes Effect in Pennsylvania

The state’s new security freeze laws allow consumers to freeze their credit. Credit-reporting agencies may charge a maximum $10 fee for the freeze. However, people older than 65 and ID theft victims will be exempt from the fee. [Source]
