Privacy and Data Protection

Top Monthly Privacy and Data Protection Stories

by Monique Altheim on February 23, 2014

 

 

Conferences

 

 

COPPA

 

Data Breaches

       

 

Data Brokers/FCRA

 

 

Data Security

 

  • The White House released the National Institute of Standards and Technology’s (NIST) Final Cybersecurity Framework: a set of industry best practices and standards to help owners and operators of critical infrastructure develop better cybersecurity programs.
  • Senate Democrats Introduce the Data Security and Breach Notification Act of 2014. The bill would require the Federal Trade Commission (FTC) to promulgate federal data security standards, establish federal data breach notification requirements, criminalize concealing breaches of security involving personal information, provide potentially harsh civil penalties, and preempt state data security and breach notification laws. 

 

 

Drones

 

EU Data Protection

 

  • Facebook must comply with German data protection law, the Higher Court of Berlin rules. The High Court of Berlin finds that Facebook’s data processing is handled by the US parent company, not FB Ireland. If the court had found that the user data was processed by Facebook Ireland and not by Facebook US, Irish data protection law would have applied: according to the EU Directive, the law of the EU Member State applies where the company has an establishment and where the processing is carried out in the context of the activities of that establishment (EU Directive 95/46/EC, Art.4,1(a)). In the absence of this condition (as was the case here, since the court decided that no processing was occurring in Ireland, but instead the processing happened through data centers in the US), the second rule of applicable law applies: the law of the Member State on whose residents’ computers or other devices the data controller (FB here) sets cookies (EU Directive 95/46/EC, Art.4,1(c)), in this case Germany.

 

 

 

 

 

 

EU Data Protection Reform

 

 

 

EU-US Safe Harbor

 


 

FCC

 

 

 

FCRA

 

 

 

FERPA

 

 

 

FTC

 

 

 

 

HIPAA

 

Q: Is a mental healthcare provider allowed to share psychotherapy notes with anyone?

A: NO, not even with another healthcare provider for treatment purposes, unless patient gives consent. As for sharing the notes with the patient, HIPAA leaves it to the discretion of the mental healthcare provider.

Q: What if patient threatens to blow up a school?

A: Yes, this is an imminent safety threat. Depending on the applicable State Law, there may even be a “duty to warn”.

Remember that in a State with stricter laws, the stricter State law prevails.

 

 

 

 

IoT (Internet of Things)

 

 

NSA

 

 

 

 

 

 

 

 

 

Technology and Lifestyles, New Developments in

 

  • Dropbox’s new Privacy Policy, effective March 24, includes a Government Surveillance “Manifesto”. Its new Terms of Service include an arbitration clause, which you have 30 days to opt out of.
  • Dutch telecom operator KPN has struck a deal with encrypted communications provider Silent Circle to start offering its Dutch, German and Belgian customers encrypted phone calls and text messages.

 

  •  Apple promises fix “very soon” for Macs with failed encryption.

 

  • Cryptolocker scrambles US law firm’s entire cache of legal files.


 

  • Facebook Unveils New Tool to Read Posts and News, via @nytimes

 

 

 

 

 

Destruction of Private Data: Pushing the “Delete” Button is Not Enough

by Monique Altheim on February 22, 2014


 

A study commissioned in Australia by the National Association for Information Destruction (NAID), published on Feb. 19, has found significant amounts of sensitive personal information left on recycled computers. The researchers randomly purchased 52 computers on sites such as eBay and hired a reputable forensic investigator to find out whether any personal information was left on the drives. Out of the 52 devices, 15 still contained highly confidential personal information, including health and financial information, as well as personal photos and videos. Those devices had been “recycled” by individuals, law firms and government agencies, and the forensic evidence showed that all the files in question had been subjected to attempted deletion.

Clearly, many still believe that pressing the “delete” button will permanently delete a file and/or have never heard of forensic retrieval of digital data. Whether one operates in a jurisdiction that mandates secure disposal of personal data or not, improper removal of personal data on computers, smartphones or tablets is certainly bad practice. It is not only bad practice in the case of recycling of a device, as was the case in this study, but also when disposing of a device. Even when simply deleting personal files that have reached the end of their lifecycle, one needs to ensure their professional and final disappearance. Otherwise, these files may easily come back to life through a simple forensic examination of the computer in question, as was the case with the famous incriminating documents in the Enron case. The incriminating files, the needles in the haystack, had all been “deleted” by Enron employees and later retrieved by forensic experts during the investigation of the Enron scandal.

At the 34th International Conference of Data Protection and Privacy Professionals in Punta del Este, Uruguay (2012), a panel I moderated dealt in depth with the issue of deletion of digital data and forensic retrieval of personal information. You can watch the entire panel here: (Some of the presentations are in Spanish).

My panel consisted of, from left to right, Oscar Puccinelli, an attorney and professor of Constitutional Law at the National University of Rosario in Argentina; Jeimy Cano, CIS at Ecopetrol and professor at the Universidad de Los Andes in Bogota, Colombia; Gustavo Betarte, CTO at Tilsor and researcher and professor at the Engineering School of the Universidad de la Republica in Montevideo, Uruguay; Yoram Hacohen, at the time head of the Israeli Law, Information and Technology Authority (ILITA); and William C. Barker, associate director and chief cyber security advisor at the National Institute of Standards and Technology (NIST).

 

 

William Barker’s Slides:

Gustavo Betarte’s Slides:

Dissection of a Twitter Chat on Privacy and Data Protection with @JulieBrillFTC


FTC Commissioner Julie Brill recently held her first Twitter chat on the topic of privacy and the FTC.

TWITTER LINGO FOR BEGINNERS:

Those who are regular Twitterati can skip the following paragraph, but for those still not familiar with Twitter lingo, I have included a short introduction to Twitter shorthand:

  • @JulieBrillFTC: This is Julie Brill’s Twitter handle, or Twitter user name. Tweeters need to create a Twitter handle in order to tweet.
  • RT: Retweet. When @JulieBrillFTC tweets “RT @soandso”, she retweets @soandso’s tweet; in other words, she repeats that person’s tweet.
  • MT: Modified Tweet. When @JulieBrillFTC tweets “MT @soandso”, she retweets @soandso’s tweet, but with a slight modification, usually in order to remain within the 140-character limit.
  • In the Twitter chat, @JulieBrillFTC RT’d or MT’d participants’ questions (Q). She preceded her answers with an A.
  • #: Hashtag. A hashtag on Twitter is the pound sign, followed by an acronym or word to group all tweets related to a particular topic. If you click on that particular hashtag link, you will see all tweets that were posted with that hashtag included in their tweets. In @JulieBrillFTC’s Twitter chat, the chosen hashtag was #FTCpriv.
  • Tweets have a limit of 140 characters. A lot more can be crammed into a tweet by the use of a link to an article, something which @JulieBrillFTC avails herself of in her answers to tweeters’ questions. There are even several ways of shortening the links, to leave more characters free for use in the tweet.

I reposted @JulieBrillFTC’s Twitter chat in a user-friendly way. Tweets that were not directly relevant to the Q&A were omitted. Tweets by those who posted the questions were omitted as well to avoid unnecessary duplication of the questions, since @JulieBrillFTC re-tweeted them anyway. Since Twitter operates as a live feed, later tweets appear before earlier tweets. Therefore, for someone not used to Twitter, it might be disconcerting to read the answers before the questions. I therefore reversed the order of the tweets, and posted the earlier ones before the later ones.

@JULIEBRILLFTC’s TWITTER CHAT:

  • JulieBrillFTC ‏@JulieBrillFTC  Feb 5 Welcome to my 1st Twitter chat! Happy to answer your questions about big data, data security, internet of things, & privacy. #FTCpriv
  • I’ll try to answer as many questions as I can in the next 60 minutes. So, what do you want to know? #FTCpriv
  • Q1 MT @alexanderhanff can u explain why links to so many privacy papers on FTC web site are broken? Hard 2 cite studies that vanish #FTCPriv
  • A1 FTC recently went through redesign of its website to improve functionality. Please send problematic links to ftcgovweb@ftc.gov. #FTCpriv
  • Q2 RT @hfienberg What is the definition of a data broker, according to the @FTC ? #FTCpriv
  • A2 We set out definition of data broker in its 2012 Privacy Report http://go.usa.gov/BKNk  . 3 categories: FCRA, eligibility, or marketing.
  • Q3 RT @PaulNemitz #ftcpriv How important is the US – EU #Safeharbour arrangment for the protection of #privacy of americans?
  • A3 Our enforcement of Safe Harbor protects both U.S. & EU consumers through our casework. #FTCpriv
  • Q4 MT @JeramieScott Do u have thoughts on how to ensure integrity of big data algorithms that make decisions that impact people? #FTCpriv
  • A4 Consumers need more access to data sets to see impact of these decisions, and to reclaim their names http://go.usa.gov/BKjh  #FTCpriv
  • Q5 MT @ lexanderhanff In Jan 2013, Brussels ou stated FTC ready to work w/EU on mutual enforcement prog. has discussion evolved? #FTCPriv
  • A5 The FTC remains committed to improving mutual enforcement cooperation with EU partners. #FTCpriv
  • Q6 MT @CWLiedtke #FTCpriv EU Comm. Reding threatens to end US-EU safe harbor if US doesn’t implement legislation until summer. Thoughts?
  • A6 VP Reding acknowledged imprtnce of cntining U.S.-EU Safe Harbor. USG & EU Commission discussing helpful ways to improve SH. #FTCpriv
  • Q7 RT @TouroLawIBLT How does the FTC differentiate between cos that sell #bigdata and those that use and amass it? #FTCpriv
  • A7 Same principles apply: PBD, effective transparency, simplified choice. Co.’s shd give careful thought to data collection & use. #FTCpriv
  • Q8 MT @MHJCarlson Does @FTC see proliferation of mobile devices in hospitals as a threat to patient data security? Solutions? #FTCpriv
  • A8 Doc-controlled mobile devices present opps for innovation in HC; but patient #datasecurity & #privacy must be protected. #FTCpriv
  • Q9 MT @PogoWasRightQ Does FTC rec national #datasecurity standard that incl encryption 4 data at rest 4 all entities storing SSN? #FTQ9 
  • A9 1/2 We support fed leg on data security & breach notice. Stds for security should require reasonable and appropriate practices. #FTCpriv
  • Q10 RT @StuartLevi Dont recent FTC actions discourage companies from saying anything about their security practices to the public? #FTCPriv
  • A10 FTC examines co statements & underlying data security practices. We consider both potentially deceptive and unfair activity. #FTCpriv
  • Q11 RT @ajamietalbot Among all the data issues facing FTC, which do you think are the most pressing and deserve FTC focus? #FTCpriv
  • A11 Pressing issues: health, financial, & other sensitive data; data broker practices; #IoT; mobile; facial recognition & #COPPA#FTCpriv
  • Q12 RT @sharemindfully #ftcpriv - What steps is the #FTC taking to increase consumer awareness of #privacy issues?
  • A12 1/2 FTC has very robust consumer education program, including blogs, publications, staff outreach. See http://consumer.ftc.gov  #FTCpriv
  • A12 2/2 Also, lots of Commission outreach on emerging issues. I speak a lot too. :>) #FTCpriv
  • We are at 60 minutes. You all have asked lots of great questions. I’ll take a few more minutes to answer a few more. #FTCpriv
  • Q13 RT @Vitiell0 When will the data standards outlined in the 2012 consumer privacy BOR be enforceable? #FTCpriv
  • A13 I support baseline consumer privacy legislation and am eager to work with Congress, the Administration, and others to that end. #FTCPriv
  • Q14 MT @Abine Has FTC been in communication w/FB, Google, the DAA, on their plans for post-cookie consumer tracking tech? #FTCpriv
  • A14 We all need to focus on tracking that will take place in post-cookie world. Talking with lots of stakeholders. Welcome input. #FTCpriv
  • Q15 RT @Cellular1988 Do u think that the Safe Harbor give to all EU citizens good protection of their fundamental rights (redress)? #FTCpriv
  • A15 Safe Harbor gives FTC effective tool for protecting privacy of EU consumers. On redress, I support reducing ADR fees. #FTCpriv
  • I’m going to answer one final question. #FTCpriv
  • Q16 RT @Cellular1988 How many processor[s] can process data for one Safe Harbor certified company? #FTCpriv
  • A16 1/2 There’s no set number of permissible processors, but all agents have to apply privacy protections. #FTCpriv
  • A16 2/2 Mechanisms for agents incl. being in SH, being subject to the directive or under adequacy finding, or by contract. #FTCpriv
  • JulieBrillFTC ‏@JulieBrillFTC  Feb 5 Thanks so much for participating in my Twitter chat. Sorry I couldn’t answer all of your great ?s. Let’s do this again soon. #FTCpriv

 

IS TWITTER CHAT AN EFFECTIVE WAY OF COMMUNICATION ON IMPORTANT ISSUES SUCH AS PRIVACY?

This Twitter chat is a perfect example to illustrate the advantages, as well as the pitfalls of communication through Twitter.

A few examples where Twitter works well:

 

  • The practical question:
    • Q1 MT @alexanderhanff can u explain why links to so many privacy papers on FTC web site are broken? Hard 2 cite studies that vanish #FTCPriv
    • A1 FTC recently went through redesign of its website to improve functionality. Please send problematic links to ftcgovweb@ftc.gov. #FTCpriv
    • Practical solution to a concrete question. Bravo!

 

  • The clarification question:
    • Q9 MT @PogoWasRightQ Does FTC rec national #datasecurity standard that incl encryption 4 data at rest 4 all entities storing SSN? #FTQ9
    • A9 1/2 We support fed leg on data security & breach notice. Stds for security should require reasonable and appropriate practices. #FTCpriv
    • The FTC, as well as many other U.S. regulatory and enforcement agencies, has always stayed away from imposing specific technologies for ensuring data security, since technology changes at the speed of light and the type of technology to be applied is always contextual, depending on the type of data handled and the type of company handling the data. “Reasonable and appropriate practices” it is. And @JulieBrillFTC managed to squeeze in the FTC’s opinion on the need for FEDERAL legislation on data security and data breach notification, since the U.S. doesn’t have one yet. (Most of the States have data security and data breach notification laws, but they are all different from each other and create an impossible patchwork of laws.) All this in 140 characters. Hats off! On the other hand, in order to make any sense of those <140 characters, one does need to have some background knowledge of the topic.

 

  • The policy question:
    • Q6 MT @CWLiedtke #FTCpriv EU Comm. Reding threatens to end US-EU safe harbor if US doesn’t implement legislation until summer. Thoughts?
    • A6 VP Reding acknowledged imprtnce of cntining U.S.-EU Safe Harbor. USG & EU Commission discussing helpful ways to improve SH. #FTCpriv
    • The future of U.S.-EU Safe Harbor is on every privacy professional’s mind these days. Here, with a tweet, @JulieBrillFTC has indicated that Safe Harbor is the subject of negotiations between the US Government and the EU Commission in order to tweak it into a viable solution. The end of Safe Harbor? Not.
    • Another good policy exchange was the following one, assuming one knows that IoT stands for “Internet of Things”:
      • Q11 RT @ajamietalbot Among all the data issues facing FTC, which do you think are the most pressing and deserve FTC focus? #FTCpriv
      • A11 Pressing issues: health, financial, & other sensitive data; data broker practices; #IoT; mobile; facial recognition & #COPPA#FTCpriv
    • This is a clear question, with a very clear answer.

 

A few examples where Twitter doesn’t work as well:

  • The avoiding the question answer:
    • Q14 MT @Abine Has FTC been in communication w/FB, Google, the DAA, on their plans for post-cookie consumer tracking tech? #FTCpriv
    • A14 We all need to focus on tracking that will take place in post-cookie world. Talking with lots of stakeholders. Welcome input. #FTCpriv
    • So, has the FTC been in communication with FB, Google and the DAA?

 

  • The diplomatic answer:
    • Q13 RT @Vitiell0 When will the data standards outlined in the 2012 consumer privacy BOR be enforceable? #FTCpriv
    • A13 I support baseline consumer privacy legislation and am eager to work with Congress, the Administration, and others to that end. #FTCPriv
    • Ah, we all know that the FTC supports legislation to implement the 2012 Privacy Bill of Rights, but when will it become law? When?

 

  • The simplistic answer:
    • Q4 MT @JeramieScott Do u have thoughts on how to ensure integrity of big data algorithms that make decisions that impact people? #FTCpriv
    • A4 Consumers need more access to data sets to see impact of these decisions, and to reclaim their names http://go.usa.gov/BKjh  #FTCpriv
    • Well, yes, having access to one’s data and having the ability to correct wrong information is a very good start, but it is far from sufficient to ensure the integrity of the algorithms that are used to make important decisions about an individual. For example, how do we ensure that the algorithm itself is not based on some illegal discriminatory premises? Clearly, Twitter is not an adequate channel to discuss such deep and granular issues.

 

 

  • The incorrect answer?
    • Q3 RT @PaulNemitz #ftcpriv How important is the US – EU #Safeharbour arrangment for the protection of #privacy of americans?
    • A3 Our enforcement of Safe Harbor protects both U.S. & EU consumers through our casework. #FTCpriv
    • Safe Harbor protects U.S. consumers? Really? And I thought that it only protected personal data originating from the EU. Who knew? Maybe the lightning speed at which one must react on Twitter can be faulted for such seemingly erroneous statements. I have no doubt that @JulieBrillFTC did not make a mistake in her area of expertise, but short tweets are conducive to ambiguous meanings and maybe incorrect interpretations.

 

CONCLUSION

A Twitter chat is the democratic communication tool par excellence. Every Jo/Jean Shmo with a twitter handle can instantly communicate with an authority figure, regardless of where in the world he/she resides, as long as he/she has an internet connection.

The format works well for simple, concrete questions that require simple and concrete answers.

As soon as the question requires a more granular response, Twitter fails to deliver. It is simply impossible to convey nuance, cover grey areas and explain complex matters with a 140 character tweet. Inserting a link to an article that deals with the issue at hand is a good way of introducing more nuance and information in a tweet or Twitter chat.

 

Please follow me on Twitter at @AltheimLaw and at @MoniqueAltheim!

 

 

 

 

 

The FTC’s Data Security Guidelines

 


On the occasion of its 50th data security settlement, the Federal Trade Commission (FTC) issued a statement giving businesses guidelines for their data security practices.

Under Section 5 of the Federal Trade Commission Act (FTCA), the FTC must protect consumers from “deceptive and unfair” commercial practices in the economic sectors under its jurisdiction. One of those deceptive or unfair practices is the lack of data security to protect a wide variety of sensitive consumer data, such as social security numbers, health data, etc. Over the years since its first settlement in 2002, the FTC has developed certain principles.

 

The FTC’s standard for appropriate data security is “reasonableness”, which is a flexible standard that varies according to, among other things, the sensitivity of the data or the size and complexity of the business. In other words, the security requirements of a large financial institution will be greater than the security requirements of a small grocery store.

Despite the fact that the FTC allows for such elasticity in the application of appropriate security standards, it proposes five basic data security practices that should be followed by every business:

  1. Data Mapping: Know what data the company has, where it is and who has access to it. This knowledge will help expose possible vulnerabilities.
  2. Data Minimization: A company should only collect and retain data that it really needs for its legitimate business purposes (e.g., there is no need to retain PIN numbers of payment cards after the payment has been made).
  3. Risk assessment and remediation in key areas: physical security, electronic security, employee training, and vendor oversight.
  4. Secure Disposal: Once data is not needed anymore, make sure to dispose of it in a secure fashion (e.g., once paper files are not needed anymore, don’t throw them in a garbage dump; shred them instead).
  5. Security Breach Preparedness: Companies should have a plan in place to respond to security incidents.

 

 

Top Weekly Privacy Stories

Apps

 

 

 

Conferences

 

 

 

 

Data Breaches

 

 

 

Drones

 

 

 

EU Data Protection Reform

 

 

FCRA

 

 

 

FERPA

 

 

 

IoT (Internet of Things)

 

    

 

Mobile Payments

 

 

Net Neutrality

   

 

NSA

 

 

Practical Tips

 

 

Privacy Management

 

 

TCPA (Telephone Consumer Protection Act)

 

 

Technology and Lifestyles, New Developments in

 

 

 


 

 

 

 

 

The TCPA, Robocalls and a Meaningful Definition of Consent

Under the Telephone Consumer Protection Act (TCPA), in order for marketers to call or text a telephone subscriber via autodialer or prerecorded messages (robocalls), the subscriber must have given the robocaller “prior express consent” to do so.

What constitutes “express consent” under the TCPA?

The TCPA does not define “express consent.” Congress delegated to the FCC the authority to make rules and regulations to implement the TCPA.

The FCC has defined “express consent” as follows:

“any telephone subscriber who releases his or her telephone number has, in effect, given prior express consent to be called by the entity to which the number was released.”

and “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.”

 

A recent case (Murphy v. DCI Biologicals Orlando, LLC), decided on 12/31/2013, illustrates this type of consent requirement.

Plaintiff, a blood donor, gave his cell phone number on a new donor information sheet to the defendants, a blood bank. He subsequently got a few automated telemarketing text messages from the defendants in 2012, suggesting he give more blood, which he found quite offensive. Plaintiff claimed he had not given defendant, the blood bank, express consent to “robocall” him, as required under the TCPA. He only shared his cell phone number as a contact number for the blood bank to reach him. The US District Court for the Middle District of Florida ruled that giving his cell phone number on the new donor information sheet constituted his express consent to the defendants to robocall him at that number through marketers. The Court granted defendant’s motion to dismiss the case. The Court followed the definition of “express consent” as defined by the FCC (see above).

The Court decided that when the blood donor shared his cell phone number with the blood bank, he thereby gave “express consent” to the blood bank to share his sensitive health data with marketers and to have those marketers “robocall” him.

 

Most courts have followed this interpretation of “express consent” under the TCPA, while other courts have argued that if consent is not manifested by explicit and direct words, it is not express consent. Rather, it is merely “implied consent.”

 

On February 15, 2012, the FCC adopted additional protections for consumers concerning unwanted robocalls. One of the changes concerned the “consent” issue.

Effective October 16, 2013, in order for marketers to call or text a telephone subscriber via autodialer or prerecorded messages (robocalls), the subscriber must have given the robocaller “prior UNAMBIGUOUS written express consent” to do so.

Gone is the “implied-express consent” as previously defined by the FCC.

Unambiguous consent means that the consumer must receive a “clear and conspicuous disclosure” that he will receive future calls that deliver autodialed and/or pre-recorded telemarketing messages on behalf of a specific marketer.

In other words, the consent form to be signed by the consumer should look something like this:

“I hereby consent to receive autodialed and/or pre-recorded telemarketing calls and/or texts from or on behalf of [marketer] at the telephone number provided above.”

Under this new definition of consent, our blood donor might have won his case.

Or, if the blood bank had given him a clear and informed choice, he might very well have agreed to share his cell phone number with marketers in order to be notified of future blood donor opportunities. He would have made an informed choice and the overburdened justice system might have had fewer time-wasting and costly class-action lawsuits to deal with.

This new consent requirement resembles very closely the requirement of “unambiguous consent” of the data subject that forms one of the most important legal grounds for processing personal data by data controllers under the EU Data Protection Directive (Article 7(a), Directive 95/46/EC).

Article 2 (h) of Directive 95/46/EC defines consent as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

The validity of consent as a mechanism to regulate privacy in our era of big data, predictive algorithms and internet of things has been a subject of debate for a while now and, more recently, the cause of a heated polemic in privacy circles (see: “I Never Said That”—A Response to Cavoukian et al. by Viktor Mayer-Schönberger).

The latest FCC implementation of the TCPA is one example of how the concept of consent is still alive and well. Whether consent by the consumer is meaningful often depends on whether the term “consent” is defined in a meaningful way or not.

Top Weekly Privacy Stories

 

 

Apps

 

 

 

Conferences

 

 

 

 

COPPA

 

 

Data Breaches

 

 

EU Data Protection

 

 

 

EU Data Protection Reform

 

 

 

 

 

First Amendment

 

  • Virginia Court Scales Back Right to Online Anonymity: A Virginia company filed a defamation lawsuit against seven anonymous Yelp users who wrote critical reviews about it. After filing the suit, the company subpoenaed Yelp for information that would identify the seven reviewers. A Virginia statute requires a subpoena for the identity of an anonymous Internet user to identify communications “that are or may be tortious or illegal.”

 

 

 

FCRA

 

 

 

 

FTC

 

  • FTC Commissioner @MOhlhausenFTC  hosted a Twitter chat on 1/6/14 about #privacy and #IoT – see #FTCpriv

 

 

 

IoT (Internet of Things)

 

 

 

 

NSA

 

 

 

 

 

Practical Tips

 

 

 

Technology and Lifestyles, New Developments in

 

 

 

  

Year in Review

 


 

 

@AltheimLaw’s Privacy and Data Protection Week in Review

Big Data

 

 

 

Children Online Privacy

 

Conferences

  • Watch All #30c3 talks, without data retention or Google spyware https://media.ccc.de/browse/congress/2013/ …

 

 

Data Breaches

  • WA: Sumner fires temporary court clerk for sending herself city data on 3,600 people http://ow.ly/2Cu5Vo
  • The Briar Group discloses security breach affecting eight Boston bars and restaurants (updated) http://ow.ly/2Cugb7
  • South Carolina Health Insurance Pool reports breach after laptop stolen from independent auditor’s car http://ow.ly/2CuDkc
  • Social Security Customer Service Employee Indicted For Stealing Information And Money From Agency http://ow.ly/2CuIyi
  • Data breach cost $3.7m, claims report http://ow.ly/2Cwxx9
  • Following hack, RegistratioNation discovers some customer data was inadvertently being stored on its server http://ow.ly/2Cxs3e
  • T-Mobile USA customers to be notified of security breach at supplier’s http://ow.ly/2CxyGw
  • Actelis Networks reports theft of safes with Human Resources files http://ow.ly/2Cycy8
  • PA: Waiter skimmed customers’ cards http://ow.ly/2CCyVK
  • Office backup drive stored at home, stolen http://ow.ly/2CxbZO
  • Senators Call for Hearing on Data Security in Wake of Target Data Breach http://ow.ly/2CyN3S
  • House Republicans Signal Push for Data Breach Legislation http://ow.ly/2CBT6U
  • Hackers Leaked 4.6 Million Snapchat Usernames and Phone Numbers http://ow.ly/sfL3K
  • Alleged Snapchat hackers explain how and why they leaked data on 4.6 million accounts http://ow.ly/2CALVk
  • Omniquad Surf Wall Remote injects string into the browser user agent that identifies users – claim http://ow.ly/2CymAG
  • Sandwich chain ‘wichcraft had two-months worth of its customers’ card information hacked http://ow.ly/sfKS7

 

 

 

ECPA

  • Facebook Sued For Scanning ‘Private’ Messages http://ow.ly/sfLE0

 

EU Data Protection

 

  • Cookie harmonisation? Forget it http://www.mondaq.com/x/283672/Data+Protection+Privacy/How+The+Cookie+Crumbles …
  • French DPA Issues Guidance on Cookie Consent Allowing Flexibility http://ow.ly/2CCPIh
  • Privacy group reveals more than 1m pupils are fingerprinted – thousands without their parent’s consent http://news.techworld.com/security/3495388/privacy-group-reveals-more-than-one-million-pupils-are-fingerprinted/ …

 

EU Data Protection Reform

 

  • The decisions on #EUDataP will be made by Spring 2014. Get active now! says @JanAlbrecht #30c3
  • VIDEO Jan Phillip Albrecht at #30C3 #EUDataP: State of the Union http://media.ccc.de/browse/congress/2013/30C3_-_5601_-_en_-_saal_2_-_201312281400_-_eudatap_state_of_the_union_-_jan_philipp_albrecht.html …

 

 

Fourth Amendment 

 

 

FCRA

 

 

FTC, Section 5

 

  • Accretive Health Settles FTC Charges That It Failed to Adequately Protect Consumers’ Personal Information http://ow.ly/2Cz5c4

FOIA (Freedom of Information Act)

 

HIPAA

 

  • Clinic Hit With $150,000 #HIPAA Penalty http://ow.ly/s9rk5
  • @MedPractices stories of 2013 http://ow.ly/s9Isw
  • HHS Announces First HIPAA Settlement Based on Lack of Breach Notification Policies and Procedures http://ow.ly/2CxvOy
  • 4-year long HIPAA breach uncovered http://goo.gl/a6MQEM

 

IoT (Internet of Things)

 

  • The Internet of Sharks sends tweets to alert swimmers of approaching sharks: http://buzz.mw/b51ij_f

 

NSA

 

  • MetaPhone: The NSA’s Got Your Number http://ow.ly/2CuiKi
  • Minnesota librarians push to curb NSA snooping http://ow.ly/2CveC1
  • Documents Reveal Top NSA Hacking Unit, TAO http://ow.ly/2CvlhG
  • Snowden: “A child born today will grow up with no conception of #privacy at all.” VIDEO http://www.channel4.com/programmes/alternative-christmas-message/4od#3631700 …
  • ACLU Appeals Decision Upholding NSA’s Mass Surveillance http://ow.ly/2CCuqh
  • NSA building quantum computer to crack all forms of encryption http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html …

 

 

Social Media

 

  • 3 Social Media Trends You Should Know About http://ow.ly/2CAckY

 

Technology and Lifestyles, New Developments in

 

  • Bitcoin’s Incredible Year http://ow.ly/2CyNTJ
  • Amazon.com Drones Raise Red Flags Regarding Privacy Rights http://ow.ly/2CzuqE
  • Bob Greenberg on advertising in 2014: Prepare to be disrupted. http://economictimes.indiatimes.com/features/brand-equity/2014-advertising-industry-to-see-massive-disruptions/articleshow/28193622.cms …
  • 9 technologies that can be game changers in 2014 http://timesofindia.indiatimes.com/tech/slideshow/tech2014/9-technologies-that-can-be-game-changers-in-2014/itslideshow/28242184.cms …
  • Not sure what to expect at #CES2014? Here’s a handy preview from @verge: http://ow.ly/sfq5B

Video Privacy Protection Act (VPPA)

 

  • Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury http://ow.ly/2CzGVK

 

 

Year in Review

 

  • The Year in Privacy 2013 and the Year to Come http://lnkd.in/dS7H6Br

 


 

@AltheimLaw’s Privacy and Data Protection Week in Review

Big Data

 

 

 

California Privacy

 

  • California’s New Do-Not-Track Law Goes Into Effect January 1, 2014, Remember To Check Your Privacy Policy For … http://ow.ly/2Clqu3 

 

CAN-SPAM

 

  • Court Accepts Narrow View of CAN-SPAM Preemption but Ultimately Dismisses Claims – Davison Design v. Riley http://ow.ly/2CjRsh 

 

 

COPPA

 

 

 

Data Breaches

 

 

 

Data Brokers/FCRA

 

EU Data Protection

 

 

Fourth Amendment 

 

IoT (Internet of Things)

 

 

NSA

 

 

 

Social Media

 

  • Financial Regulators Finalize Social Media Guidance and Address Industry Questions http://ow.ly/2CmT68 
  • AAUP Says Kansas Regents’ New Faculty Social Media Use Policy Violates Academic Freedom (Guest Blog Post) http://ow.ly/2Cmz2D 

 

Technology and Lifestyles, New Developments in

 

 

 

Video Privacy Protection Act (VPPA)

 

 

 

Year in Review

 

 

 


 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

@AltheimLaw’s Privacy and Data Protection Week in Review

California Privacy

 

  • Should We Cheer The California Attorney General’s Revenge Porn Arrest Or Find It Alarming? (Forbes Cross-Post) http://ow.ly/2CgHsk 
  • California’s New Do-Not-Track Law Goes Into Effect January 1, 2014, Remember To Check Your Privacy Policy For … ow.ly/2CimTG

Conferences

Data Breaches

Data Brokers/Big Data/FCRA

EU Data Protection

EU Data Protection Reform

EU-US Safe Harbor

Facebook posts and Free Speech

  • Police Officer’s Facebook Post Criticizing Her Boss Isn’t Protected Speech Graziosi v. Greenville http://ow.ly/2C7WXa

FTC, Section 5, Deceptive Practice

  • FTC Settlement with Flashlight App Developer Sheds Light on Expanded Notice Requirements and the Status of Geoloca… http://ow.ly/2C6A6g

NSA

Practical Tips

Technology and Lifestyles, New Developments in

Year in Review

