ABC News: Pennsylvania Walmart Sued for Videotaping Employees, Customers in Bathroom
ABC News reports on a lawsuit against Walmart over surveillance cameras installed in its bathrooms.
Seven former and current employees from the Tire and Lube department at the Walmart in Easton, Pa., filed a lawsuit in county court against the Arkansas-based corporation and four local managers Dec. 21.
Several employees discovered an “off-the-shelf” video camera in a store bathroom March 31, 2008, according to the court filing. The unisex bathroom, which also served as a changing room, was used by employees and customers. Customers and employees were not notified of the surveillance, according to the court filing. […]
“Two associates were terminated for placing a camera in an associate dressing room bathroom,” Walmart spokesman Greg Rossiter said. “When store management learned of the camera, it was immediately removed.” […]
The camera was used to monitor employees for possible theft and it is unclear how long the surveillance took place, McLain said. None of the plaintiffs, however, were accused of stealing from the store.
A store manager acknowledged the existence of the surveillance camera only after employees produced a photo of the camera, McLain said.
RockYou Security Breached; Customers File Class-Action Lawsuit Over Data Revealed
TechCrunch reports that RockYou, a company that makes applications for social networking (including Facebook), “had suffered a data breach that resulted in the exposure of over 32 Million user accounts. To compound the severity of the security breach, it was found that RockYou are storing all user account data in plain text in their database, exposing all that information to attackers.”
Wired News reports that RockYou faces a class-action lawsuit over the security breach.
The suit accuses the maker of apps like “Slideshow” for MySpace and “Superwall” for Facebook of making its unencrypted customer data “available to even the least capable hacker.”
“RockYou failed to use hashing, salting or any other common and reasonable method of data protection and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of web security,” according to the Monday complaint in San Francisco federal court. […]
Redwood City, California-based RockYou admits the data was “breached.” The lawsuit claims a hacker known by the moniker “igigi” exploited an SQL injection flaw “and removed the e-mails and passwords of approximately 32 million registered RockYou users.” (.pdf)
The suit also accuses the company of failing to promptly notify consumers of the Dec. 4 breach. […]
The plaintiffs are seeking a court order requiring RockYou to increase its security, as well as unspecified damages.
Associated Press: Texas to destroy baby blood taken without consent
Texas health authorities will destroy more than five million blood samples taken from babies without parental consent and stored indefinitely for scientific research.
The Texas Department of State Health Services announced Tuesday it would destroy the samples after settling a federal lawsuit filed by the Texas Civil Rights Project. The project, acting on behalf of five plaintiffs, had sued the Texas Department of State Health Services and the Texas A&M University System.
The lawsuit alleged that the state’s failure to ask parents for permission to store and possibly use the blood — originally collected to screen for birth defects — violated constitutional protections against unlawful search and seizure. The plaintiffs cited fears their children’s private health data could be misused.
Under the settlement overseen by a San Antonio federal court, the blood samples collected without parental consent must be destroyed by early next year. It also requires the department to publish a list of all research projects that used the blood specimens.
New York Times: Google Rests Its Defense of Executives in Italian Privacy Case
The New York Times has an update to the Google case in Milan, Italy. Last year, Italian authorities charged four Google executives with “criminal charges of defamation and failure to exercise control over personal data.” The case concerns a video showing a disabled boy being harassed by classmates that was uploaded to Google Video’s Italian site. Google removed the video within 24 hours of a removal request being made.
The Times reports, “Lawyers for Google rested their case in defense of four executives charged in Italy with failing to comply with privacy laws, telling a judge that the company has a mechanism in place to rapidly remove objectionable video from its site.”
Italian prosecutors had argued at a hearing last month that Google, based in Mountain View, California, was negligent because the video remained on Google’s Italian-language video service for two months in 2006. Google did not dispute that in court. Mr. Pisapia and Mr. Vaciago argued that the company should not be held liable for not having known earlier that the video was on its site.
The attorneys said user complaints about a video are routed to a Google employee in Ireland who speaks Italian; the employee views the video and has the power to remove it if necessary. […]
None of the four executives named in the suit had any direct involvement with the video. If found guilty, none would serve time in jail because sentences of under three years are commuted in Italy for those without a criminal record.
The prosecutors will respond to Google’s defense on Jan. 27. If only limited new material is presented, a ruling could come that day or soon after.
San Diego Business Journal: Genetic Privacy Raises Questions About Insurers
The San Diego Business Journal discusses possible problems with the Genetic Information Nondiscrimination Act of 2008 (Pub. L. 110-233). GINA, which was signed in May 2008 by President Bush, restricts the collection and use of genetic information in a number of ways.
But left out of the federal Genetic Information Nondiscrimination Act, commonly known as GINA, were privacy protections for individuals seeking long-term care, disability and life insurance coverage.
Each of those areas was left up to the individual states. At least 10 states regulate the use of genetic information in long-term care insurance. But in California, privacy protections were left to expire by lawmakers in January 2008.
Mark Billingsley, spokesman for state insurance commissioner Steve Poizner, said in an e-mail that there “appears to be a giant loophole” in California’s insurance code regarding long-term care insurance and genetic privacy protections. He said he couldn’t identify a single provision in the state code that would preclude a private insurer from requesting such a test for underwriting purposes.
Brian Liang, a law professor at California Western School of Law who specializes in health law and policy, said the missing protections could lead long-term care insurers to deny coverage based on findings of a genetic test, without a consumer ever knowing they peeked at their results. […]
The implications have the ability to affect millions of aging Americans seeking long-term care insurance, which protects against the cost of services including medical care, psychological support or assistance with daily living.
Post-Bulletin: Mayo CEO fires two for privacy violation
The Post-Bulletin in Rochester, Minnesota, reports on a privacy breach at the Mayo Clinic.
Dr. John Noseworthy, Mayo Clinic’s national CEO, has fired two employees who violated privacy policies.
“I authorized the termination of employment of a Mayo physician and a member of our allied health staff, each for inappropriately accessing and looking through a patient’s confidential record,” Noseworthy tells Mayo employees in a newsletter. He said it was one of the most difficult decisions he will ever make. He doesn’t name the individuals. […]
In the newsletter, Noseworthy warns that “whether our patients are family members, neighbors or celebrities, they deserve our best efforts on their behalf.”
This is the latest in a series of cases where insiders have been accused of or found to be misusing their access to data to violate individual privacy. Other cases include: a U.S. Customs and Border Protection officer giving confidential police data to a member of a motorcycle gang; Metro employees in Las Vegas found “to be improperly accessing and disseminating criminal history information for reasons unrelated to police work”; and a former detective sergeant in Australia who pleaded guilty to repeatedly using a police computer “to get the details of women he had seen in public.”
New York Times: A Data Explosion Remakes Retailing
The New York Times reports on businesses’ collection and use of consumer data.
To be sure, major retailers like Wal-Mart Stores have long been sifting through in-store sales and demographic information to aim goods at different stores and to tightly manage supplies.
But what is changing, experts say, is the rapid surge in the amount and types of digital data that retailers can now tap, and the improved computing tools to try to make sense of it. The data explosion spans internal sources including point-of-sale and shipment-tracking information, as well as census data and syndicated services. Companies also track online visitors to Web commerce sites, members of social networks like Facebook and browsers using smartphones. […]
Retailers are increasingly mining vast troves of digital information to improve the decisions they make about pricing, shelf-stocking and product offerings.
HealthDay: Studies: Docs like electronic health records but privacy a concern
HealthDay reports on two studies concerning privacy and medical data.
One study of more than 1,000 family practice and specialist doctors in Massachusetts found that 86% believed electronic health information exchange (HIE) would improve patient quality of care, 70% thought it would reduce costs and 76% said it would save time.
However, 16% said they were “very concerned” about possible privacy breaches, while a further 55% were “somewhat concerned.” The study also found that none of the doctors wanted to pay the suggested $150 monthly fee for HIE and about half said they weren’t willing to pay any fee.
The second study, which included 56 psychiatrists, psychologists, nurses and therapists at an academic medical center […] 63% said they were less willing to record highly confidential information in a patient’s electronic health record than on a paper record. And 83% said if they were a patient, they wouldn’t want their mental health records to be routinely accessed by other health-care providers.