July 17th, 2014
The Hill reports that businesses are making moves now on data security and privacy rather than waiting for Congress to act:
Data breaches were thrust in the spotlight after hackers broke into the networks of retailers during last year’s holiday season. Lawmakers held a slew of hearings in the aftermath and many proposed legislation intended to ensure that consumers are warned promptly when their information is put at risk.
But a legislative solution has a long way to go, as a bill dealing with privacy must travel through several committees with jurisdiction, including three in the House alone. [...]
With action in Congress unlikely to happen soon, the nation’s largest retailers and financial groups are taking it upon themselves to increase safeguards for consumer information. With their reputations and business on the line, both industries are determined to make progress.
July 16th, 2014
We’ve discussed the pitfalls of various anonymization or “de-identification” techniques and how the information can be “deanonymized” or re-identified, leading to privacy problems for individuals. In 2009, University of Colorado law professor Paul Ohm discussed “the surprising failure of anonymization,” and said, “Data can either be useful or perfectly anonymous but never both.” He said anonymization’s failure “should trigger a sea change in the law, because nearly every information privacy law or regulation grants a get-out-of-jail-free card to those who anonymize their data.”
Now, IT News reports on a research paper, “No silver bullet: De-identification still doesn’t work” (pdf), by Princeton’s Arvind Narayanan and Edward W. Felten concerning the continued privacy problems with de-identification of personal information. (Felten was chief technologist for the Federal Trade Commission and has been a consultant for various federal agencies.) The new paper is a response to one recently published by ITIF researcher Daniel Castro and Ontario privacy commissioner Ann Cavoukian, “Big Data and Innovation, Setting the Record Straight: De-identification Does Work” (pdf).
IT News reports:
Scholars at Princeton University have delivered a stinging rebuke to the ‘big data’ movement, insisting that today’s data de-identification tools are not sufficient to ensure privacy. [...]
July 15th, 2014
Information Age reports on a new survey from Voltage Security concerning the encryption of sensitive information:
Despite headline-making breaches that have called attention to the importance of data encryption, nearly 36% of IT security professionals admit to sending sensitive data outside of their organisations without using any form of encryption to protect it, a new survey from Voltage Security reveals. [...]
July 14th, 2014
Forbes reports that Sen. Mark R. Warner (D-Va.) has asked the Federal Trade Commission to investigate Facebook’s controversial decision to manipulate its users’ news feeds for research purposes:
Senator Mark R. Warner (D-Va.) has asked the Federal Trade Commission (FTC) to provide more information about recent reports that Facebook manipulated user news feeds during an emotional manipulation experiment. In a letter today to the FTC, Warner asked the agency to determine if Facebook broke the law or violated their consent agreement with the FTC.
Warner also asked the agency to explore the potential ramifications of the experiment, and to consider questions about what, if any, oversight would be appropriate for behavioral studies conducted by social media platforms. Warner’s inquiry comes on the heels of a legal complaint against Facebook that was filed with the FTC last week. That complaint alleged that Facebook engaged in deceptive trade practices and violated a 2012 Consent Order entered into with the FTC. [...]
The full text of Warner’s letter is available here.
July 14th, 2014
Vermont Attorney General William H. Sorrell announced that his office has fined (pdf) Shelburne Country Store in Shelburne, Vermont, because of a security breach that affected customers’ privacy:
Shelburne Country Store in Shelburne, Vermont will pay a $3,000 civil penalty for failing to inform 721 internet buyers of a security breach of their credit card information. In late 2013, the company’s website was hacked and credit card information stolen. Upon being informed of the breach in January 2014, the company quickly fixed the problem, but did not notify consumers until it was contacted by the Attorney General’s Office. [...]
Under Vermont’s Security Breach Notice Act, businesses are required to send the Attorney General a confidential notice within 14 business days of discovery of a data breach. The business must also send notice to consumers in the most expedient time possible, but no later than 45 days.
July 11th, 2014
InformationWeek reports on a new law in Florida that concerns information privacy and security:
A new law designed to protect Floridians from identity theft could have far-reaching repercussions on healthcare organizations that reside or do business in the Sunshine State. Under the Florida Information Protection Act of 2014 (FIPA), any covered entity or third-party agent must now report breaches to the Florida Department of Legal Affairs and to consumers within 30 days (compared with the prior law’s 45 days). If they show good cause, organizations may get a 15-day extension or receive a law enforcement extension. Violators can be fined $1,000 per day for the first 30 days and $50,000 for each subsequent 30-day period under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA); the fine is not to exceed $500,000.
The state also expanded “personal information” to include individuals’ first name or first initial and last name, in combination with any one of the following: passport number; medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; or health insurance policy number, subscriber identification number, or any unique identifier health insurers use to classify individuals. [...]
The act, which passed unanimously, should slow the flood of data breaches, advocates said. Faster reporting times, an expanded collection of relevant data, and increased law enforcement involvement will encourage organizations to be more proactive and give law enforcement more opportunities to catch cybercriminals.