Privacy News Highlights

12–19 January 2007

Contents:

UK – School Fingerprinting Guide Due; UK Commissioner Says It’s “Too Late”

US – New Mexico - Albuquerque to Fingerprint All School Volunteers

UK – Concern as Innocent People’s DNA on File

CA – Canada Mum On Giving U.S. No-Fly Names

CA – Prime Minister Harper Welcomes New Federal Information Commissioner

CA – Privacy Commissioner’s Office Launches Fourth Annual Privacy Research Program

CA – CIPPIC Releases White Paper on Data Security Breach Notification

US – Survey: Consumers are Concerned About Health Privacy and Protection

US – Survey: U.S. Consumers Taking Steps to Stymie ID Theft

WW – Survey: Online Consumers Growing Less Concerned About Privacy

UK – UK Proposes Sharing Data Among Government Agencies

UK – Information Commissioner Warns Against Data Sharing Plan

US – Vast Data Collection Plan Faces Big Delay

UK – MI5 Takes Steps to Improve Security Alert eMail System

EU – 30 Percent of Large UK Companies Still Sending Spam: Study

US – Federal Government Pushes Full-Disk Encryption

EU – EU Satisfied With Passenger Data Sharing Program

EU – EU Officials Accept US Data Collection Program; Privacy Groups Don’t

EU – January 28 is EU Data Protection Day

UK – UK’s New Fraud Act Takes Effect

WW – Report Released on Online Identity Theft Trends

US – Data Collection Program Faces Big Delay

AU – Australia FOI Requests Costs Hit $24.9 Million

CA – WikiLeaks Website for Whistleblowers Promises An Encrypted Data Trail

US – President Bush Urges Congress to Approve Genetic Privacy Bill

AU – Privacy Blueprint Released for e-Health; One Month to Submit Feedback

CA – CIBC Loses Info on 470,000 Canadians; OPC Investigates

US – Discount Retail Giant TJX Announces Data Breach

US – Florida Woman Pleads Guilty to ID Theft, Other Charges

US – Missing Laptop Roundup

CA – Children 12 and Older Need ID for Flights

EU – eGovernment and Electronic ID Are German EU Presidency Priorities

WW – PayPal to Roll Out Another Layer of Authentication

WW – MySpace to Offer Parental Notification Software

AU – Privacy Fears over Australian Plan to Share Taxpayers’ Details

US – Virginia Gov. Floats Do-Not-Sell (Personal Data) List

US – HP Spy Probe Investigator Pleads Guilty

WW – Human Tracking Experiment Generates Discussion at Berlin Conference

WW – Companies Should Consider How to Handle Employee Blogging

WW – Corporate Security Hole: Employees Forwarding eMail to Personal Accounts

US – NIST Releases Updated Security Controls for Federal Information Systems

AU – Privacy Concerns Raised Over Australia’s Social Services Card

US – White House Agrees To Submit Wiretapping To Panel Review

US – Arizona Police Using Automatic License-Plate Recognition Technology

US – Senators Want Federal Use of Data Disclosed

US – “National Security Letters” Used To Examine Americans’ Financial Records

US – War Protesters Listed in Defense Department Database

US – Bush Signs Bill to Ban Deception (“Pretexting”) to Obtain Phone Records

US – U.S. Senators Introduce Legislation to Protect Consumers From ID Theft

US – Oklahoma Residents Have New Security Freeze Law

US – Massachusetts Lawmakers Continue to Push for Security Breach Notification

US – Virginia Lawmakers Introduce Privacy Bills


 

UK – School Fingerprinting Guide Due; UK Commissioner Says It’s “Too Late”

New guidelines for schools on fingerprinting pupils are to be issued by the U.K. government, following MPs’ and parents’ concerns surrounding privacy. The move comes after it emerged some primaries had stored children’s thumb prints for computerized class registers and libraries without parental consent. One MP said: “It’s outrageous that ministers have allowed schools to continue this potentially illegal behaviour for so long without stepping in.” So many schools are taking the fingerprints of their pupils that it’s too late to do anything about it, according to the Information Commissioner (ICO). Yet the privacy guardian doesn’t know how many schools are taking children’s fingerprints when they take registration, issue books from the library, or dish food out in the canteen (one supplier, at last count, had installed 3,500 systems). And the guidelines the ICO promised nearly three months ago, which would reassure parents and instruct schools in the fine art of civil liberties, are still on the drawing board. David Smith, deputy information commissioner, said: “For us to come out now and say fingerprinting isn’t allowed would be very difficult because these systems have come in over the last four years. We were asked about them and we said it was okay.” The ICO guidelines might now be written in collaboration with the Department for Education and Skills, he said, which is drawing up its own rulebook for school dabbers. The preview of the ICO guidelines in September suggested that parents could not even ask schools to seek their consent before fingerprinting their children. Yet this is the least parents expect – as well as some consultation. [Source] See also: [Background] [Source] [Source]

 

US – New Mexico - Albuquerque to Fingerprint All School Volunteers

The City of Albuquerque has set aside $100,000 to pay for fingerprinting and background checks for volunteers in Albuquerque Public Schools. In a joint announcement this week, city and school officials were optimistic about collaboration rather than conflict. [Source]

 

UK – Concern as Innocent People’s DNA on File

The UK Government has defended its policy on retaining the DNA profiles of innocent people after it came under criticism from an Essex MP, who claimed keeping genetic data from people who had been arrested by police but then cleared of wrongdoing was a breach of their civil liberties. But this week the Home Office claimed that, nationally, the practice of keeping hold of genetic information from people who had been arrested but not convicted, cautioned or reprimanded had allowed matches with more than 3,000 crime scenes - including 37 murders, 16 attempted murders and 90 rapes. It came after Home Office Minister Joan Ryan revealed that as of November last year, Essex Police had submitted the profiles of 86,385 people to the National DNA Database. Of these, 12,641 had not been convicted of any crime. However, this figure also included those who had been arrested and charged but were still awaiting trial, she added. “I am concerned that there are up to 12,641 people registered with their DNA on the database in Essex who have had no conviction, caution, reprimand or final warning,” the MP said. [Source]

 

CA – Canada Mum On Giving U.S. No-Fly Names

The federal government refuses to say whether it plans to share names and information from Transport Canada's new no-fly list with U.S. authorities. "These are high security questions," explained Catherine Loubier, an aide to Transport Minister Lawrence Cannon. "Answering that question is a sort of security breach for us." But security experts say there's little doubt Canada will share no-fly information with its allies, including the U.S., when the list is activated in March for all domestic flights. It will be extended to international flights to and from Canada in June. [Source] [Source] [Source] [Source] [TSA to cut number of names on 'no-fly' list]

CA – Prime Minister Harper Welcomes New Federal Information Commissioner

Prime Minister Stephen Harper this week welcomed Canada’s new Information Commissioner, Mr. Robert Marleau, whose appointment was recently approved by the Senate and the House of Commons. This appointment is effective January 15, 2007. The P.M. also commended Mr. John Reid, who had been serving as Information Commissioner since August 1, 1999 and whose term expired on September 30, 2006, for the commitment, diligence, and professionalism he demonstrated during his tenure. [Source]

 

CA – Privacy Commissioner’s Office Launches Fourth Annual Privacy Research Program

The Privacy Commissioner of Canada, Jennifer Stoddart, announced the renewal of funding for privacy research through her Office’s 2007-2008 Contributions Program. This year, the Program will have three separate streams for which the OPC is encouraging the submission of separate proposals: Stream 1: Research proposals: In line with its plans and priorities for 2007-08, the OPC is interested in funding research in three core areas: the protection of personal information on the Internet; the challenges inherent in secure identification or authentication of individuals and entities; and the intersection of the public and private sectors with regard to use and protection of personal information. Stream 2: Research results workshop. Stream 3: Coordination and planning of a civil society workshop. [Source] [Source] [Program Summary] [Applicant’s Guide]

 

CA – CIPPIC Releases White Paper on Data Security Breach Notification

CIPPIC released a White Paper last week on data security breach notification. They are calling for a California-type law that requires organizations to notify individuals when certain security breach criteria (e.g., type of information exposed, reasonable belief of unauthorized acquisition, can be read by unauthorized acquirer) are met. [Source] [Experts welcome call for security breach notification law]

 

US – Survey: Consumers are Concerned About Health Privacy and Protection

Risk to Life and Health, Altered Medical Records and Loss of Confidentiality Rank Among Top Fears Related to Medical Identity Theft: A robust 98% of consumers believe that healthcare organizations have a responsibility to protect patient medical records; however, only 40% of consumers feel confident that their healthcare providers are able to secure their medical records. This is according to a survey report released today by EpicTide, a provider of security solutions for the healthcare industry. [Source] [Report]

 

US – Survey: U.S. Consumers Taking Steps to Stymie ID Theft

More than 7 in 10 Americans have taken steps to protect their identities, a poll released Friday noted, indicating that although consumers may be worried about ID theft, they're not waiting to be targeted. According to the Wall Street Journal/Harris Interactive poll, 73% of 2,100 U.S. adults surveyed said that they now monitor their bank and/or credit card accounts for suspicious activity, while 72% claim they shred mail that contains account numbers. Other steps consumers have taken include limiting access to their SSNs (69%), checking credit reports regularly (41%), limiting online buying (30%), and cutting back on online banking (24%). That last move – to stop using or limit online banking – has been the subject of several consumer surveys, most recently one released by research firm eMarketer that claimed security worries were slowing online banking adoption. [Source] [Survey]

 

WW – Survey: Online Consumers Growing Less Concerned About Privacy

Consumers are seemingly becoming more comfortable with information they provide to online retailers in exchange for improved service and personalization. In a new “Personalization Survey” from ChoiceStream there has been a 24% increase in the number of people willing to share demographic information over the past year, bringing the total to 57% of all respondents. The survey also revealed that consumers are willing to allow Web sites to track their clicks and purchases, showing a 34% increase over last year. “Consumers are overwhelmed with the vast array of content and choices coming at them every day online. They want guidance, even though they want the freedom to make their own choices and to explore the data if they want to,” said Esther Dyson, an advisor to ChoiceStream. Concerns over security and privacy still exist among online consumers. The survey showed a one percent decline in 2006 with 62% saying they were concerned about their personal information online. [Source] [Survey]

 

UK – UK Proposes Sharing Data Among Government Agencies

The U.K. government wants to relax data protection laws so it can share people’s personal data across different government agencies, but critics are decrying the proposal as another move toward a “big brother” state. Under the proposal, citizens would be asked to give their permission before their data is shared. In most instances, U.K. government agencies by law can’t share people’s personal information. The goal is to improve government services and avoid citizens having to give the same personal information to multiple agencies. The issue of data privacy is highly sensitive in the U.K., where the government has several massive IT projects under way involving the national health service, border controls and national ID cards. All have raised issues over how data will be stored and accessed in databases. Government officials were quick to say they do not plan a central database to hold the information, widely regarded as a potential security problem. Members of the public are to be tested on their attitudes towards data sharing by government as part of a policy review. The review, which takes in a wide range of questions on the role of government, was launched on 15 January 2007. It includes questions about whether people believe it is acceptable for different departments to share their personal data in order to provide more efficient services. A Cabinet Office spokesperson said: “We’re taking a long, hard strategic look at the challenges facing the UK. One of the questions is how much personal information are you prepared to give up for better public services.” [Source] [Source] [Source] [Source] [Source] [Source] [Critics brand super-database ‘frightening and intrusive’] [Serious Crime Bill Expands Data Sharing Powers]

 

UK – Information Commissioner Warns Against Data Sharing Plan

The Information Commissioner’s Office, the UK’s privacy guardian, has warned that the government’s new data-sharing proposals could damage privacy. On Monday, Prime Minister Tony Blair hosted a seminar at Number 10 Downing Street to discuss areas of government policy including the “impact of data-sharing and privacy laws on [government] customer service” as part of an ongoing governmental policy review. The review has recommended a relaxation of the data-sharing laws that govern how civil servants access and share citizens’ personal data. Responding to the policy review, the Information Commissioner’s Office warned that relaxing these rules could cause excessive surveillance and data-sharing, leading to loss of public trust and confidence in the government. [Source]

 

US – Vast Data Collection Plan Faces Big Delay

The Treasury Department reported to Congress this week that a data-collection program to give counterterrorism analysts routine access to as many as 500 million cross-border financial transactions a year could not be implemented until 2010. The department had hoped to implement it by the end of this year. The Cross-Border Electronic Funds Transfer Program was part of the 2004 Intelligence Reform Act, and Congress directed the Treasury secretary to determine if the program would be effective in tracking terrorist financing. In a report to Congress to be released today, the Treasury Department concluded that the program was technologically feasible and has value, but said it needs to determine whether the counterterrorism benefit outweighs banks’ costs of compliance and to address privacy concerns. The program is opposed by bankers, who view it as burdensome and invasive. [Source] [FINCEN Report]

 

UK – MI5 Takes Steps to Improve Security Alert eMail System

MI5’s recently launched email alert service to keep people informed of changes in the national security threat level has come under fire in recent days for information privacy concerns. The service was apparently sending unencrypted registration information to a US contractor. The service is no longer using the US company; now information is sent to servers in the UK over SSL links. The information being sent to the US raised concerns that it would be subject to government inspection. [Source] [Source]

 

EU – 30 Percent of Large UK Companies Still Sending Spam: Study

A study of EU Directive on Privacy and Electronic Communications compliance among large UK companies found that 31% of those companies do not provide “non-customers the opportunity to actively opt-in or otherwise consent to further marketing emails when their details were recorded as the result of a promotion or enquiry.” The survey notes a three percentage point improvement over the 2005 survey. The directive has been in place since the end of 2003. [Source]

 

US – Federal Government Pushes Full-Disk Encryption

Businesses need to follow the federal government’s lead in reducing data breaches by holding employees responsible and examining full-disk encryption (FDE) products. It’s not often that anyone points to the federal government as a role model for security. Government employees in the last 18 months have shown an alarming talent for finding new and creative ways to disclose personal information about active-duty military personnel, veterans and everyday citizens. They leave laptops and desktops lying around for thieves to pilfer, they take home massive amounts of sensitive data in order to work on side projects and they fail to fix software flaws that make easy targets for attackers. But all of those problems, as messy as they are, have actually led to something good. As a result of a mandate from President Bush, the federal government is in the middle of a massive evaluation of FDE products. At the end of the process, all government-owned laptops and mobile devices will have their entire hard drives encrypted. [Source]

 

EU – EU Satisfied With Passenger Data Sharing Program

EU officials said late last week that the U.S. government had allayed their concerns about a homeland security program that creates and retains risk assessments on millions of air travelers to the U.S. However, privacy advocates in the U.S. and in Europe sent a letter to EU privacy commissioners charging that the Department of Homeland Security’s Automated Targeting System “directly contravenes” a European-U.S. agreement on air-passenger data sharing. [Source]

 

EU – EU Officials Accept US Data Collection Program; Privacy Groups Don’t

Although EU officials say they are satisfied that the US Department of Homeland Security’s Automated Targeting System (ATS) is in accord with an agreement reached between the EU and the US in October 2006, privacy rights groups say the program violates that agreement. The agreement allows for up to 34 specific pieces of information to be collected on each traveler; there are restrictions on sharing and using data. The American Civil Liberties Union (ACLU) and Privacy International say that the ATS allows collected data to be stored for up to 40 years and makes no provisions for passengers to see, modify or correct the information. [Source]

 

EU – January 28 is EU Data Protection Day

The Council of Europe, with the support of the European Commission, will be celebrating Data Protection Day on January 28, 2007. The aim of Data Protection Day is to give European citizens the chance to understand what personal data is collected and processed about them and why, and what their rights are with respect to this processing. The day also aims to educate individuals on the risks associated with the illegal mishandling and unfair processing of their personal data. Each interested member state, international and national body is organizing events at a local level, such as panel discussions, media campaigns and education programs. [Council of Europe Data Protection Day Page] [The Public Voice Page]

 

UK – UK’s New Fraud Act Takes Effect

The UK’s new Fraud Act could spell trouble for data controllers who fail to provide proper data protection notices but collect personal information for a business use, according to experts familiar with the new act. Under the act, legal experts say that anyone who fails to issue a valid data protection notice potentially faces a maximum 10-year jail sentence. [Source]

 

WW – Report Released on Online Identity Theft Trends

McAfee announced the availability of a white paper titled “Identity Theft” highlighting global identity theft trends, including a dramatic increase in online and computer-based identity theft. According to the report, the number of keyloggers – malicious software code that tracks typing activity to capture passwords and other private information – has increased by 250% between January 2004 and May 2006. The number of phishing alerts tracked by the Anti-Phishing Working Group has multiplied 100-fold over the same period of time. The report also provides practical guidelines that minimize the risk of identity theft to help readers protect themselves and prevent this increasingly common crime. [Source] [Report]

 

US – Data Collection Program Faces Big Delay

The U.S. Treasury Department reported to Congress this week that a data-collection program to give counterterrorism analysts routine access to as many as 500 million cross-border financial transactions a year could not be implemented until 2010, due in part to privacy concerns. The department had hoped to implement it by the end of this year. [Source]

 

AU – Australia FOI Requests Costs Hit $24.9 Million

The Australian Department of Immigration and Multicultural Affairs received more calls from the public trying to access information than any other agency in 2005/06, a government report showed today. The annual report of the Freedom of Information Act 1986 showed that government agencies received a total 41,430 requests in 2005/06, of which 94% were granted. The processing of these requests cost the Government $24.9 million at an average of $601 per request. Only 2% of the total was recovered in fees and charges. The immigration department received 14,627 requests, followed by Centrelink with 13,817 and the Department of Veterans’ Affairs at 8330. Attorney-General Philip Ruddock said in releasing the report that the Act was achieving its intended purpose. [Source]

 

CA – WikiLeaks Website for Whistleblowers Promises An Encrypted Data Trail

If Canadian politicians have any skeletons in their political closets, a new website for whistleblowers could make it easier to expose them. WikiLeaks promises to create a forum for anonymous sources to post sensitive documents on the Internet without fear of being identified. The site, wikileaks.org, is the collaborative brainchild of an international group of mathematicians, political dissidents and cryptographers from various backgrounds -- many of them Chinese expatriates. According to a statement on the site, the group believes “transparency in government activities leads to reduced corruption, better government and stronger democracies.” “We believe that it is not only the people of one country that keep their government honest, but also the people of other countries who are watching that government,” the site says. “That is why the time has come for an anonymous global avenue for disseminating documents the public should see.” The website claims it will use cryptography to allow people to post untraceable documents. Through WikiLeaks, bureaucrats in a sensitive department such as Foreign Affairs or National Defence could post internal documents and memos without concern of reprisal from their superiors. Allan Cutler, the Public Works Department employee who blew the whistle on the Liberal sponsorship program to internal auditors in 1996, claimed the move cost him assignments and promotions. The Accountability Act, a centrepiece of the Conservative Party’s 2005 election platform, contains provisions to help protect whistleblowers. While WikiLeaks may offer whistleblowers another tool, media experts say that the site -- if successful -- will face credibility problems and could be hijacked by those out to push their own agendas or to backstab colleagues. “The Internet is notorious for fraudulent information,” said Chris Waddell, a media analyst and journalism professor at Carleton University. “I don’t see how any journalist could print anything from this site without doing an extensive investigation to find out if it’s true.” [Source]

 

US – President Bush Urges Congress to Approve Genetic Privacy Bill

During a visit to the National Institutes of Health, President Bush plugged stalled legislation that would safeguard genetic privacy. The bill would prevent employers and insurance companies from using results of genetic tests to discriminate against employees or customers. The bill, which died in the House in 2003, was reintroduced in the House this week. [Source] [DNA Databases May Be Growing Too Quickly]

 

AU – Privacy Blueprint Released for e-Health; One Month to Submit Feedback

The Australian government’s plan to create a single, national system of identifying individuals and healthcare providers has been delayed by privacy concerns. In a bid to address ongoing concerns surrounding the protection of confidential health records, the National E-Health Transition Authority (NeHTA) has released a privacy blueprint which is open for public comment until the end of February, 2007. The privacy plan seeks comments on four key points: identifying the privacy issues and risks; developing strategies for privacy management; conducting privacy impact assessments; and developing ongoing privacy management tools, such as policies and information notices. [Source] [NEHTA Privacy Blueprint] [Source]

 

CA – CIBC Loses Info on 470,000 Canadians; OPC Investigates

The personal information of nearly half-a-million customers at a CIBC mutual fund subsidiary has gone missing, prompting fears of a potential security breach and inciting an investigation from Canada’s federal privacy commissioner. A backup computer file containing application data for 470,000 investors at Montreal-based Talvest Mutual Funds disappeared in transit on the way to Toronto recently, the bank said in a news release this week. The file contained everything from client names and addresses to signatures, birth dates, bank account numbers and Social Insurance Numbers. Officials at CIBC Asset Management said there is no evidence of fraud, nor is there any indication that any data on this hard drive has been accessed. The company did not explain how it lost the drive. Privacy Commissioner Jennifer Stoddart said she has determined there are grounds for an investigation in the Talvest matter, even though the bank brought the problem to her attention. [Source] [Privacy Commissioner launches investigation] [Source] [Source] [Source] [Source] [Source] [Source]

 

US – Discount Retail Giant TJX Announces Data Breach

TJX, the parent company of T.J. Maxx and Marshalls, announced this week that hackers have stolen customer information after accessing its computer systems. The breach, which was discovered in mid-December and reported to law enforcement, was not disclosed until now at the request of the authorities. The breach affected a network that handles credit card, debit card, check and merchandise returns for T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico. In Canada, Winners and HomeSense stores were affected by the breach. The company said in a statement that it will provide customers with more information as it becomes available. [Source] [Source]

 

US – Florida Woman Pleads Guilty to ID Theft, Other Charges

A 23-year-old Miami woman has pleaded guilty in U.S. District Court to conspiracy to commit computer fraud, identity theft and wrongful disclosure of individual health information. A second defendant is scheduled for trial later this month in connection with the case. The woman, a former front desk clerk, downloaded the medical information of more than 1,100 patients from a hospital in Weston and then sold them to the second defendant, who allegedly used the information to make false Medicare claims, according to the court records. [Source]

 

US – Missing Laptop Roundup

The North Carolina Department of Revenue has sent letters to 30,000 taxpayers notifying them that their personal information was held on a laptop computer stolen from a NC Dept. of Revenue employee’s car. The data include SSNs; law enforcement officials are investigating the theft. [Source]

 

The University of Idaho Advancement Services Office reported that three laptop computers missing from the office hold personally identifiable information of more than 331,000 alumni, students, employees and donors. The apparent theft took place over the Thanksgiving weekend. [Source]

 

CA – Children 12 and Older Need ID for Flights

Children who appear to be 12 years of age or older will have to present government-issued ID to board an airplane once Transport Canada’s new no-fly list comes into force in March. The new rules mean children as young as 10 or 11 could be denied the right to board domestic flights if they can’t produce government photo ID or present two pieces of non-photo ID issued by government. Since the Sept. 11, 2001, terrorist attacks, Canadian airlines have required passengers over age 16 to show ID before boarding flights. But until now, that hasn’t applied to younger passengers. At present, Air Canada suggests that those under 16 carry an original birth certificate or non-governmental ID such as a student’s card when flying domestically, but it does not insist that they do so. Westjet doesn’t even ask under-16 passengers to present ID. [Source]

 

EU – eGovernment and Electronic ID Are German EU Presidency Priorities

Germany, which now holds the EU presidency, is calling for stronger administrative co-operation across Europe. A joint 18-month programme by the current and next two EU presidencies (Germany, Portugal and Slovenia) strongly supports the Commission’s work to promote eGovernment, and advocates a review of the EU Data Protection Directive. ‘Living Europe Safely’, the domestic policy work programme for the German EU presidency, states that “In addition to creating a European framework for secure electronic identification, we will especially focus on promoting open and standard document formats for file-sharing in Europe.” The German presidency also “hopes to simplify the application of the EU Data Protection Directive and will examine its provisions on reporting requirements and the independence of the supervisory authorities.” [Source]

 

WW – PayPal to Roll Out Another Layer of Authentication

PayPal plans to bolster security by providing users with a second layer of authentication. The eBay-owned company will provide its customers with a PayPal Security Key device that generates a new numeric password every 30 seconds. Users conducting transactions will be required to enter their regular passwords as well as the randomly-generated password provided by the key. The addition of this layer of security should help thwart phishers because without a current Security Key password, other account information will not allow them access to users’ accounts. Users will be asked to pay US$5 for the devices; business customers will not have to pay for the Security Keys. The use of the keys is being tested right now and will eventually be phased in for all users. [Source] [EBay Heightens Security Precautions]

 

WW – MySpace to Offer Parental Notification Software

MySpace.com has been quietly developing software, code-named ‘Zephyr’, designed to give parents the bare-bones of what their kids are doing on the site. The tool, which will alert parents of the username, age, and location a child lists on personal MySpace pages known as profiles, is designed to spark conversations about Internet safety. [Source] [Source] [Families Sue Myspace After Children Abused By Adult Users]

 

AU – Privacy Fears over Australian Plan to Share Taxpayers’ Details

The Australian Tax Office could soon have sweeping powers to release people’s tax details in cases of money laundering, terrorism and large-scale avoidance. The Federal Government wants to introduce legislation when Parliament resumes next month to allow the Tax Office to release information in cases where the public interest exceeds personal privacy considerations. But there are concerns about the potential misuse of power and privacy breaches, particularly by third parties that may be able to obtain personal information, such as tax file numbers. Acting Treasurer Peter Dutton announced the plan following a recent review of taxation secrecy and disclosure provisions. [Source]

 

US – Virginia Gov. Floats Do-Not-Sell (Personal Data) List

Gov. Tim Kaine has brought together a panel to study the concept of a Do-Not-Sell list modeled after the Do-Not-Call registry. The governor’s idea is to give consumers the option of not allowing companies to sell their personal data. The governor says that oftentimes, people are unaware that companies are selling their private data. The panel is tasked with reporting back to the governor by the end of 2007. [Source]

 

US – HP Spy Probe Investigator Pleads Guilty

Federal prosecutors scored their first victory in the investigation of HP’s ill-fated boardroom spying probe last week, when a low-level private investigator pleaded guilty to identity theft and conspiracy charges. As part of the plea deal, the investigator admitted to illegally obtaining SSNs and other personal data to snoop on the private phone records of journalists, former HP directors, and their family members as part of HP’s crusade to ferret out the source of boardroom leaks to the media. [Source] [Source] [California offers former hp chairman plea deal]

 

WW – E-Pedigree Standard Ratified, Supports RFID

Standards organization EPCglobal has ratified a new global standard that supports the use of RFID and other technologies for creating electronic pedigrees to securely track the authenticity and chain-of-custody of pharmaceuticals and other items. The standard meets the U.S. federal pharmaceutical pedigree requirements established in the FDA Prescription Drug Marketing Act (PDMA). The national pedigree requirement was to take effect in December 2006, but was blocked by a court order (see Injunction May Slow Momentum for RFID E-Pedigrees). The standard creates a structure for identifying goods and embedding and updating chain-of-custody information associated with the item. Electronic Product Code (EPC) numbers can be used to uniquely identify the object. EPC numbering is not required, nor is the use of RFID for creating, storing, or communicating pedigree data. Bar code and other methods, including paper documents, can also be used. The standard includes security provisions to indicate if documentation has been tampered with. The standard is available for free download from the EPCglobal website. EPCglobal’s announcement of the new standard said the organization hopes to release a complete track-and-trace system later this quarter. The larger system would incorporate the new e-pedigree standard and the forthcoming EPC Information Services (EPCIS) standard. [Source]

 

WW – Human Tracking Experiment Generates Discussion at Berlin Conference

Nine hundred attendees of last month’s Chaos Communication Conference agreed to submit to tracking by way of an RFID tag. A computer engineer created a badge that allowed attendees to experience tracking at the conference. Attendees who bought the tags were given the choice of what type of personal information would be linked to their tags’ unique ID numbers. Many chose to use a nickname that was not associated with any personal information. The project sparked conversation about the pros and cons of using RFID to track individuals. One key take-away was the need to give people the power to decide how the technology will be used. [Source]

 

WW – Companies Should Consider How to Handle Employee Blogging

As more employees become involved in blogging, companies have to consider the legal risks, which include harassment, disclosure of confidential information, disparagement and privacy issues. Companies have two choices: prohibit all blogging at work or create and enforce a blogging policy, they say. Employee training on the blogging policy and other company expectations is essential, they add. [Source] [Canadian Workers Fired After Postings On Facebook] [Blogging Guidelines For Employees]

 

WW – Corporate Security Hole: Employees Forwarding eMail to Personal Accounts

Employees forwarding their work email to “web-accessible personal accounts” is a growing problem. When away from the corporate network, accessing email from these accounts is usually faster and easier than going through the corporate remote email solution. However, because email sent from these services does not “pass through the corporate mail system, companies could run afoul of federal laws that require them to archive corporate email and turn it over during litigation.” One Medical Center began using systems to monitor outbound email after it became aware of the growing problem of “doctors and nurses routinely forward[ing] confidential medical records to their personal Web mail accounts.” [Source] [Source]

 

US – NIST Releases Updated Security Controls for Federal Information Systems

NIST has released an updated Database Application for Special Publication 800-53, Revision 1, Recommended Security Controls for Federal Information Systems. The database application will allow users to browse the catalog of security controls, display the security controls in selected views or groups by control family, class, or baseline (e.g., management controls, moderate baseline controls, or contingency planning controls), search the catalog of controls for keywords, and export information from the database into a variety of popular data formats that may be needed for automated tool support. [Source]

 

AU – Privacy Concerns Raised Over Australia’s Social Services Card

Grassroots opposition to the federal Government’s welfare services access card is building, with campaigners saying Joe Hockey’s proposal, despite Government reassurances, is “indistinguishable from a national identity scheme”. About 120 individuals and groups have made submissions on the draft access card bill, released on December 13. The Human Services minister plans to introduce the bill into federal parliament next month, but the draft has been slammed as “seriously inadequate”, with many key issues to be decided later and included in a second round of legislation. Tim Warner, convenor of Access Card No Way, said “We believe that any national ID scheme is a tragic mistake.” “The inadequacies in this draft are deeply disturbing, given the enormous shift this legislation represents. “No inquiry, no debate and certainly no parliamentary discussion has occurred on whether anti-fraud measures require a national register. Instead, the debate is over what sort of register should be introduced.” [Source] [Source] [Strong response to access card consultations: Over a hundred submissions received]

 

US – White House Agrees To Submit Wiretapping To Panel Review

The Bush administration said this week that it has decided to begin seeking court approval for its electronic surveillance program, effectively ensuring court oversight for the formerly warrantless program that has provoked a firestorm of criticism for more than a year. The Justice Department disclosed in a letter to Senate Judiciary Cttee Chairman Patrick Leahy (D-Vt.) that it had obtained approval from the Foreign Intelligence Surveillance Court to target international phone calls into or out of the United States involving persons affiliated with Al Qaeda or associated terrorist groups. The letter, from U.S. Atty. Gen. Alberto R. Gonzales, said that as a result of the approval, Bush would not be reauthorizing the terrorist surveillance program that the U.S. had been secretly using since shortly after the attacks of Sept. 11. Bush acknowledged the existence of that program after it was revealed in newspaper reports in December 2005. [Source] [Source] [Source] [Source] [Source] [Source] [Source] [Source]

 

US – Arizona Police Using Automatic License-Plate Recognition Technology

Tucson police have a new law-enforcement tool: a car-mounted license-plate scanner. Similar to a radar gun, it reads the license plates of moving or parked cars - 250 or more per hour - and links with remote police databases, immediately providing information about the car and owner. [Source]

 

US – Senators Want Federal Use of Data Disclosed

Key U.S. senators have introduced legislation that would require the government to disclose data-mining programs to Congress in an effort to protect Americans’ privacy and prevent misuse of personal information. The bill, introduced by Sens. Russell Feingold and John E. Sununu, requires federal agencies to report the development and use of data-analysis technologies to “discover predictive or anomalous patterns indicating criminal or terrorist activity.” [Source] [Source] [Source]

 

US – “National Security Letters” Used To Examine Americans’ Financial Records

Besides wiretapping civilians’ phones and going through Americans’ mail, now the Pentagon and CIA can demand access to your bank transactions and credit reports at any time, in the name of “national security.” The New York Times reported this week that both agencies were using powers granted them by the PATRIOT Act to request investigations into financial transactions or activities they deem “suspicious.” Both agencies are barred by law from any domestic law enforcement activity. Vice-President Dick Cheney defended the practice as necessary to fight terrorism, but critics said the letters violate civil liberties and could be used to keep tabs on individuals with no connections to terrorist groups. Caroline Fredrickson, director of the ACLU legislative office in Washington, said the practice “raises a host of questions that need to be answered.” “What is the legal basis for the government’s action?” Fredrickson asked in a statement. “What safeguards are in place to protect basic privacy rights? How often have the Pentagon and CIA used this claimed authority ... and was compliance truly “voluntary” or effectively coerced?” [Source] [Source] [Solove Commentary]

 

US – War Protesters Listed in Defense Department Database

A Defense Department database devoted to gathering information on potential threats to military facilities and personnel, known as Talon, had 13,000 entries as of a year ago – including 2,821 reports involving American citizens, according to an internal Pentagon memo to be released today by the ACLU. The Pentagon memo says an examination of the system led to the deletion of 1,131 reports involving Americans, 186 of which dealt with “anti-military protests or demonstrations in the U.S.” Titled “Review of the TALON Reporting System,” the four-page memo produced in February 2006 summarizes some interim results from an inquiry ordered by then-Defense Secretary Rumsfeld after disclosure in December 2005 that the system had collected and circulated data on anti-military protests and other peaceful demonstrations. The ACLU said in its own report that past disclosures about Talon “cried out for congressional oversight yet Congress was silent.” It said the new memo indicated there “may be even more disturbing” information to discover and declared “it is time for Congress to act.” The ACLU noted the memo showed that Talon reports had a much wider circulation than previously disclosed, with about 28 organizations and 3,589 individuals authorized to submit reports or have access to the database. [Source] [ACLU Report Shows Widespread Pentagon Surveillance of Peace Activists: Pentagon Tracked at Least 186 Anti-Military Protests]

 

US – Bush Signs Bill to Ban Deception (“Pretexting”) to Obtain Phone Records

President Bush signed a bill into law last week that would make it a crime to lie to obtain the telephone records of private citizens. The legislation outlaws the practice of getting confidential phone records by “making false or fraudulent statements” to a phone company employee, by “obtaining false or fraudulent documents to access accounts” or by “accessing customer accounts through the Internet” without authorization. The new federal law carries a maximum 10-year state prison sentence - a punishment that can be doubled if a violation involves more than $100,000 or more than 50 victims. [Source] [Source]

 

US – U.S. Senators Introduce Legislation to Protect Consumers From ID Theft

U.S. Sen. Ted Stevens, R-Ala., has filed the Protecting Consumer Phone Records Act, a bill that would require written consent from a customer before a telephone company could sell personal information. Currently, some telephone companies sell customers’ personal information to marketers unless a consumer has opted out. U.S. Sen. Dianne Feinstein reintroduced a pair of bills that would attempt to set national requirements for consumer notification in the event of data security breaches, and to restrict the sale, purchase and display of Social Security numbers. One of her legislative efforts, the Notification of Risk to Personal Data Act, is billed as a reincarnation of an earlier proposal that was approved as part of a broader data breach package in November 2005 but received no further attention. The Social Security Number Misuse Prevention Act would prohibit organizations, including federal, state and local government agencies, from displaying or selling individuals’ Social Security numbers (SSNs) without express consent. [Source] [Source] [Source] [Source]

 

US – Oklahoma Residents Have New Security Freeze Law

Under a bill that took effect Jan. 1, Oklahoma residents can pay a fee to place a security freeze on their credit. Credit bureaus charge $10 to start or lift a security freeze. ID theft victims who have a police report and seniors 65 and older are exempt from paying the fee. [Source]

 

US – Massachusetts Lawmakers Continue to Push for Security Breach Notification

Consumer advocates and some lawmakers held a news conference late last week to mount pressure for legislative action on ID theft-related bills that died last year. A consumer advocate with MassPIRG said that 26 states have passed security freeze laws, while 34 now have security breach notification laws. Supporters of breach notification and security freeze legislation are looking for the Legislature to approve both measures this session. [Source]

 

US – Virginia Lawmakers Introduce Privacy Bills

This story in The Free Lance-Star indicates that lawmakers have filed 64 bills related in some way to privacy, many of them focused on ways to prevent identity theft. Many of the bills are intended to address the availability of Social Security numbers in public documents. Lawmakers say the number of bills related to privacy is directly the result of feedback they are receiving from constituents, who are concerned about ID theft. [Source]

 

 

--------