1 December 2007 Volume 7 Number 12 Editor: Kirk J. Nahra

IAPP Privacy Academy 2007 Opens With a Look at Privacy's Past, Present and Future
IAPP Staff

It's hard to imagine managing information in a time before written language had even been invented, but New York Times information architect Alex Wright, author of the book Glut, opened the IAPP Privacy Academy 2007 with a keynote that took a packed plenary back a few millennia to describe the history of the struggle to manage information. Wright's journey went back to before the invention of alphabets, to the first recorded transactions on clay tablets, to the use of symbolic jewelry to communicate status and community, through the emergence of the U.S. as a "document nation" and the subsequent explosion of digital knowledge worldwide. Wright characterized the ascension of online media, such as blogging and social networks, as the re-emergence of an oral tradition within our modern culture, suggesting that this is more a sign of how information use has fundamentally remained the same, even if the

See, Privacy Academy 2007, page 3

Left: Author and information architect Alex Wright kicks off the Academy keynotes at the opening plenary session.

VIEWPOINT
The Consequences to Citizen Privacy and National Security in Adopting RFID Technology for Identity Documents
Neville Pattinson, CIPP, CISSP

Neville Pattinson is the Vice President for Government Affairs at Gemalto, Inc., based in Austin, Texas. Pattinson serves as a Board member of the Smart Card Alliance and is Chairman of its Identity Council. He is a founding member of the Secure ID Coalition. Neville presently is serving a 3-year appointment as a Special Government Employee to the Department of Homeland Security's (DHS) Data Privacy and Integrity Advisory Committee (DPIAC). As a disclaimer, the article does not reflect the opinion of DHS or the DPIAC Committee.

Simple low-cost electronic tracking devices are positioned to revolutionize the supply chain by providing up-to-the-minute information about the location of the products to which they are attached. It may therefore come as a surprise to learn that Radio Frequency

See, RFID Technology, page 6

This Month
J. Trevor Hughes on the UK's Data Breach Notification ... Page 2
Global Privacy Dispatches ... Page 8
Moody's Offers New Vendor Risk Ratings ... Page 11
Privacy in Israel ... Page 12
New Faces at the IAPP ... Page 15
Privacy Classifieds ... Page 15
Recruiting's Balancing Act ... Page 16
Q & A: Microsoft's Scott Charney ... Page 20
The Lighter Side of Privacy ... Page 21
Privacy News ... Page 22
Certification Graduates ... Page 24
IAPP in the News ... Page 25
Calendar of Events ... Page 27

2 December 2007 THE PRIVACY ADVISOR

Editor: Kirk J. Nahra, CIPP, Wiley Rein LLP
Managing Editor: Ann E. Donlan, CIPP, X109
Publications Manager: Ali Forman, CIPP
The Privacy Advisor (ISSN: ) is published monthly by the International Association of Privacy Professionals and distributed only to IAPP members.

ADVISORY BOARD
Elise Berkower, CIPP, Executive Vice President of Privacy Strategy, Chapell & Associates
Keith P. Enright, Senior Attorney & Director, Enterprise Information Policy, Limited Brands, Inc.
Philip L. Gordon, Shareholder, Littler Mendelson, P.C.
Brian Hengesbaugh, CIPP, Partner, Privacy/Information Technology/E-Commerce, Baker & McKenzie LLP
Todd A. Hood, CIPP, Director, Regional Privacy, The Americas, Pitney Bowes Inc.
Ben Isaacson, CIPP, Privacy & Compliance Leader, Experian & CheetahMail
Jacqueline Klosek, CIPP, Senior Associate in the Business Law Department and member of Intellectual Property Group, Goodwin Procter LLP
Lydia E. Payne-Johnson, CIPP, Financial Services Privacy Consultant, PricewaterhouseCoopers, LLP
Billy J. Spears, CIPP/G, Global Privacy Officer, Dell, Inc.
Harry A. Valetk, CIPP, Corporate Privacy Director, MetLife

Postmaster: Send address changes to: IAPP, 170 Cider Hill Road, York, Maine
Subscription Price: The Privacy Advisor is a benefit of membership to the IAPP. Nonmember subscriptions are available at $199 per year.
Requests to Reprint: Ann E. Donlan, X109
Copyright 2007 by the International Association of Privacy Professionals. All rights reserved. Facsimile reproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.

Notes From the Executive Director
UK Hurtles Toward Data Breach Notification

In the same month that the UK government rejected well-researched recommendations for a security breach notification law, the world learned the details of what certainly appears to be the largest breach to date of personal information. And while calls for security breach notification laws typically focus on reporting requirements for private-sector organizations, the UK breach is the result of reckless data protection practices within the government's HM Revenue & Customs agency. The stubborn position taken by the government, which came after an influential legislative committee's careful study of the threats that have the potential to undermine consumer confidence in the Internet, is all the more stunning in the face of a subsequent government security breach that has exposed personal information for half of the UK's population. While there is no indication yet that fraud related to the data leak has affected any child benefit recipients, the damage is evident in sagging citizen confidence in the government, and in data protection in general. For example, a Populus survey taken in the wake of last month's breach indicates that just 25 percent of voters now view the government as competent and capable, a 30-point slide in less than three months.

Predictably, pressure and momentum are building in favor of security breach notification after the loss of government password-protected discs that contain names, birth dates, addresses, bank account and national insurance numbers for 25 million individuals. So, too, are calls for increased regulation, a scenario that is all too familiar for private-sector organizations that fail to self-regulate only to face the regulators' wrath. UK Information Commissioner Richard Thomas had launched a public bid prior to the breach for enhanced regulatory powers, a position that took on immediate new urgency and relevancy in the incident's aftermath. Thomas is ratcheting up his public strategy to obtain enhanced powers to conduct spot checks on government and corporate offices. He also is seeking new criminal penalties for reckless disregard of information security procedures.

His clout is growing, and he likely will emerge as a more influential and powerful public official in the UK, an authority that will endure long after he leaves his post. Experts also are predicting that the breach could doom plans already under way for development of a national ID card plan. Each breach confirms the lessons of previous data leaks: Public trust plummets in the ability of public- and private-sector organizations to secure personal data, and calls for enhanced regulatory powers are swift and certain. As officials and the public continue to explore and debate security breach notification in Canada, the UK and New Zealand in the coming year, companies and government agencies would be well served to act now to shore up data protection protocols, or instead await the regulator's predictable knock on the boardroom door. However, this time, the regulator may pay a surprise visit under newly acquired powers.

J. Trevor Hughes, CIPP
Executive Director, IAPP

3 THE PRIVACY ADVISOR

Privacy Academy 2007 continued from page 1

tools have evolved far beyond what the earliest Mesopotamian scribes could have imagined. Wright's provocative keynote before a standing-room-only audience in San Francisco's Westin St. Francis hotel was followed by a keynote presented by Scott Charney, Vice President of Microsoft's Trustworthy Computing Group. Charney entertained the audience with anecdotes from his long career in information security, including time spent in the early days addressing cybercrime with the U.S. Department of Justice's Computer Crime and Intellectual Property Section. Stories of bumbling hackers inadvertently shutting down telephone networks and the nascent efforts of Eastern European computer criminals evoked laughter from the audience before turning serious with a reference to Sept. 11. Described by Charney as a watershed moment in the evolution of data security, the tragic events of 9/11 exposed the global economy's Achilles heel: a reliance on telecommunications networks protected by little more than hope. On that morning, Charney said, a craven act of terror targeting a symbol of Western economic might inflicted collateral damage on nearly $1 billion worth of nearby telecommunications equipment, temporarily crippling Wall Street's ability to conduct vital financial transactions and showing what might well happen as a result of a sophisticated, successful cyber attack.

Charney capped his keynote by announcing the results of Microsoft's latest security intelligence report, "Microsoft Study on Data Protection and Role Collaboration Within Organizations," which revealed that marketers rarely consult with their organization's security and privacy functions regarding data use, even though the majority of security

See, Privacy Academy 2007, page 4

Microsoft's Scott Charney announces the results of Microsoft's latest security intelligence report, "Microsoft Study on Data Protection and Role Collaboration Within Organizations," during his keynote address.

Futurist Paul Saffo speaks before conference attendees during the opening keynotes.

170 Cider Hill Road, York, Maine
The Privacy Advisor is the official monthly newsletter of the International Association of Privacy Professionals. All active association members automatically receive a subscription to The Privacy Advisor as a membership benefit. For details about joining IAPP, please use the above contact information.

BOARD OF DIRECTORS
President: Kirk M. Herath, CIPP/G, Associate Vice President, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies, Columbus, Ohio
Vice President: Sandra R. Hughes, CIPP, Global Ethics, Compliance and Privacy Executive, Procter & Gamble, Cincinnati, Ohio
Treasurer/Past President: Chris Zoladz, CIPP, Vice President, Information Protection & Privacy, Marriott International, Bethesda, Md.
Assistant Treasurer: David Hoffman, CIPP, Group Counsel and Director of Privacy & Security, Intel Corp., Germany
Secretary: Jonathan D. Avila, CIPP, Vice President - Counsel, Chief Privacy Officer, The Walt Disney Company, Burbank, Calif.
Executive Director: J. Trevor Hughes, CIPP, York, Maine
John Berard, CIPP, Managing Director, Zeno Group, San Francisco, Calif.
Malcolm Crompton, Managing Director, Information Integrity Solutions Pty Ltd., Chippendale, Australia
Peter Cullen, CIPP, Chief Privacy Strategist, Microsoft Corp., Redmond, Wash.
Dean Forbes, CIPP, Senior Director Global Privacy, Schering-Plough Corp., Kenilworth, N.J.
D. Reed Freeman, Jr., CIPP, Partner, Kelley Drye Collier Shannon, Washington, D.C.
Kimberly Gray, CIPP, Chief Privacy Officer, Highmark, Inc., Pittsburgh, Pa.
Jean-Paul Hepp, CIPP
Jane Horvath, Senior Privacy Counsel, Google
Barbara Lawler, CIPP, Chief Privacy Officer, Intuit, Mountain View, Calif.
Kirk Nahra, CIPP, Partner, Wiley Rein LLP, Washington, D.C.
Nuala O'Connor Kelly, CIPP/G, Chief Privacy Leader and Senior Counsel, General Electric Company, Washington, D.C.
Harriet Pearson, CIPP, Vice President, Regulatory Policy and Chief Privacy Officer, IBM Corporation, Armonk, N.Y.
Lauren Steinfeld, CIPP, Chief Privacy Officer, University of Pennsylvania, Philadelphia, Pa.
Zoe Strickland, CIPP/G, Vice President, Chief Privacy Officer, Wal-Mart
Amy Yates, CIPP, Chief Privacy Officer, Hewitt Associates, Lincolnshire, Ill.

International Association of Privacy Professionals 3

4 December 2007

Privacy Academy 2007 continued from page 3

and privacy professionals believe they do. The result, he said, is that this lack of coordination between disciplines leads to data breaches.

In keeping with the plenary's theme of Privacy: Past, Present and Future, Paul Saffo of Stanford University and the Institute for the Future next took the stage to talk about privacy's future, and of uncertain times for the profession, saying, "The information revolution is over. This is a media revolution." According to Saffo, there is a shift from mass media to personal media, and the implications of that shift will have serious ramifications for the development and application of technology. In such an environment, Saffo argued, successful companies will be those that understand how to harness the actions of individuals, pointing to Google as an example of that model. Of course, for privacy professionals, the trick will be in balancing the interaction of the individual, along with the sharing of demographic data, with the need to protect personal privacy. The things privacy pros are doing today will shape the events of the next 40 years, he said.

Record Number of Privacy Pros Flock to San Francisco

More than 1,000 privacy professionals, the highest attendance ever for the Academy, gathered in San Francisco to listen to more than 110 speakers share the latest news and information, with sessions focused on topics as wide-ranging as data privacy in Latin America to the role of the Works Councils in European privacy, and from surviving internal audits to transparency in RFID deployment. IAPP Executive Director J. Trevor Hughes, CIPP, welcomed the crowd at the conference's opening plenary session in the Grand Ballroom, telling the gathering of privacy professionals that "we've arrived as a profession" and are now recognized as guardians of trust in an information economy. According to Hughes, the rising importance of privacy as a global business imperative has had a positive effect on the association, which now boasts more than 4,000 members in 32 countries, 1,500 of whom have earned their CIPP certification, and each month, on average, 100 new members are added to the association's rolls. That influx of new members means increased networking and educational opportunities as fresh perspectives and new thinking come into the fold, strengthening the association and the profession. Those expanding opportunities are illustrated by a number of new initiatives available to IAPP members, including Privacy After Hours networking events and the Practical Privacy Series of seminars being held across the country, programs Hughes said are building the social fabric of our profession.

Networking a Highlight of Day 2

KnowledgeLink networking sessions kicked off the second day of the conference, with groups of privacy pros gathering with industry colleagues to

Below: IAPP Board member Nuala O'Connor Kelly, CIPP/G, Chief Privacy Leader and Senior Counsel, General Electric Company; Ed McNicholas, Partner, Sidley Austin; and IAPP Board member Jonathan D. Avila, CIPP, Vice President - Counsel, Chief Privacy Officer, The Walt Disney Company enjoy the Academy celebration.

Above: Incoming IAPP Board President Sandra R. Hughes, CIPP, Global Ethics, Compliance and Privacy Executive, Procter & Gamble, with outgoing President Kirk M. Herath, CIPP/G, Associate Vice President, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies.

5 THE PRIVACY ADVISOR

focus on best practices in consumer marketing, financial services, government, healthcare/pharmaceutical, higher education, human resources and international privacy. In the human resources KnowledgeLink session, the discussion started with the implications of employee background checks, an issue very much in the formative stages as companies grapple with how to structure processes for determining risk among employees while not running afoul of Equal Employment Opportunity law. Five percent of background checks uncover criminal records, 20 percent return negative credit information, while 40 percent reveal credentialing issues. Given those statistics, one can surmise that the impact employment privacy will have on business worldwide is just beginning to become clear.

In the healthcare/pharma session, the group talked about the use of non-personal, statistical healthcare information and the misconceptions the public has about how the industry markets to consumers. The question of how physicians see themselves in the information chain also came up: Do they conduct themselves in the traditional manner, or are they operating as a small business with an understanding of how the use of business data can benefit their business?

The atmosphere in the marketing KnowledgeLink session was spirited. Discussions ran the gamut, covering preference management, how pornographic spam impacts perceptions, the Federal Trade Commission's behavioral marketing forum, third-party liability, and consumer management of personal marketing profiles. Meanwhile, in the financial services room, the topic of data breaches was top-of-mind, with the different implications of internal and external breaches dominating the conversation.

Above: Camille McQuay and Terry McQuay, CIPP, CIPP/C, President, Nymity, network with Andreas Faruki, CIPP/C, Partner, Deloitte and Touche, and Steven Poh Heng Lee, CIPP, Director, Deloitte and Touche, at the Academy celebration.

Academy Closes With Awards, Advice From Advocates

The day's activities closed with a midday luncheon in the Westin's Grand Ballroom, which began with Hughes presenting the 2007 HP-IAPP Privacy Innovation Awards, which recognize leadership in the development and delivery of privacy programs. This year's winners were Eli Lilly and Company in the Large Organization category; the California Office of Privacy Protection in the Small Organization category; and Novell took home the Innovation Technology Award. (See Page 26 for more coverage.)

The closing keynote was a Meet the Advocates panel discussion moderated by Center for Democracy & Technology Executive Director Jim Dempsey, and including Chris Jay Hoofnagle, Senior Staff Attorney to the Samuelson Law, Technology, and Public Policy Clinic; Ken McEldowney, Executive Director at San Francisco-based consumer advocacy group Consumer Action; and Nicole Ozer, Technology and Civil Liberties Policy Director with the ACLU of Northern California. Each panel member offered advice to attendees on do's and don'ts for working with advocacy groups. The common themes were to engage advocates early and incorporate privacy into the design of products and services from the beginning.

See You in D.C.!

With the close of yet another successful Academy, planning is already well under way for the annual Privacy Summit, being held once again at the Renaissance Washington DC Hotel on March. Stay tuned to the Daily Dashboard and our Web site for registration and programming details.

6 December 2007

RFID Technology continued from page 1

Identification Devices (RFID) also are under consideration for use to identify our citizens as they attempt to cross our land borders. Both the proposed State Department-issued PASS cards, a low-cost alternative to U.S. passports, and now the newly emerging border state-issued Enhanced Driver's Licenses, are to incorporate a technology devoid of sufficient security features for use as a border document. Furthermore, the lack of security features within the tags and the system implementation architecture create several new national security vulnerabilities at our borders. There also are issues related to real-time access by DHS border patrol officers to multiple border-state driving license databases, along with access to the State Department's PASS card database.

So How Did We Get Here?

As RFID tags make their way through the product manufacturing and supply chain distribution system, readers at key locations can interrogate the tag and then follow the associated product's progression. Each tag is created with one mission in mind: to faithfully transmit the tag's unique serial number to the surrounding vicinity each and every time the tag is stimulated by a suitable radio frequency source. During the design of this simple architecture there was no need to give significant thought to the security, privacy or confidentiality of the tag's ID number, nor was consideration given to what the tag was going to be attached to. After all, the tag merely provides basic identification information to a specific tracking system. In order to be meaningful, the back-end system must contain the information which ties each specific tag to whatever it has been attached to and where it is now located. This is the basis of a fundamental architectural problem if RFID technology is applied to applications outside the original design. Consider the following evolution of the system design.

This time, the same RFID tag is given to a human for identification purposes. The tag is able to faithfully transmit its unique number each time it is stimulated, in some cases up to a design distance of 30 feet. An identification system would register the presence of the RFID tag's number and use it to index directly into a central database containing the enrolled identities of the tag holders. By using only the tag's unique number, a corresponding row in the database would be accessed, giving some personal identifying information of the tag holder. On the face of it, this design seems reasonable: a unique tag for each identity; present the tag and the corresponding identity record is retrieved. No actual personal identification information is contained in the storage-restricted tag. Without automation for identity verification, the system obviously will rely on a visual and potentially verbal human verification process between the tag holder presenting the tag and the person attempting to adjudicate identity.

Unfortunately there are several privacy shortcomings to this approach. One such vulnerability arising from this technology is directly related to the fundamental RFID architecture, which specifies transmission of the tag number in the clear, exposing the tag number to interception during the wireless communications. Once the tag number is intercepted, it is relatively easy to directly associate it with an individual and to subsequently track an individual surreptitiously. Another privacy issue concerns the ability to steal a genuine identity by cloning the person's RFID tag. If this is done, then it is possible to make an entire set of movements posing as somebody else without that person's knowledge.
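As an added illustration (not from the article, nor from Gemalto or DHS), the following Python simulation contrasts the architecture just described, a static tag number that indexes directly into a central database, with an assumed hardening in which each tag holds a per-tag secret and answers a fresh reader challenge; all tag numbers, identity records and keys are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed identity database for the simulation: tag number -> enrolled record.
# Values are invented; they stand in for the central database the article describes.
IDENTITY_DB = {
    "E200-0000-0001": {"name": "Traveler A", "citizenship": "US"},
    "E200-0000-0002": {"name": "Traveler B", "citizenship": "US"},
}


# Architecture 1: the tag transmits a static serial number in the clear and the
# reader indexes the database with whatever number it hears.
class StaticIdTag:
    def __init__(self, tag_number):
        self.tag_number = tag_number

    def respond(self, challenge=None):
        # Same answer to every interrogation; any challenge is ignored.
        return self.tag_number


def static_reader_lookup(tag):
    """Reader for architecture 1: no authentication, direct database index."""
    return IDENTITY_DB.get(tag.respond())


def observe(tag):
    """A passive receiver within range hears exactly what the reader hears."""
    return tag.respond()


class ReplayTag:
    """Models a device that can only repeat one previously observed transmission."""
    def __init__(self, observed):
        self.observed = observed

    def respond(self, challenge=None):
        return self.observed


# Architecture 2 (assumed hardening, not a design the article specifies): each tag
# holds a per-tag secret that is never transmitted, and the reader issues a fresh
# random challenge. The tag proves knowledge of the secret with an HMAC over the
# challenge, so a recorded response is useless against the next challenge.
TAG_KEYS = {  # constructed per-tag secrets; in practice provisioned at enrollment
    "E200-0000-0001": secrets.token_bytes(32),
    "E200-0000-0002": secrets.token_bytes(32),
}


class ChallengeResponseTag:
    def __init__(self, tag_number, key):
        self.tag_number = tag_number
        self.key = key

    def respond(self, challenge):
        msg = challenge + self.tag_number.encode()
        return self.tag_number, hmac.new(self.key, msg, hashlib.sha256).digest()


def authenticated_reader_lookup(tag, challenge=None):
    """Reader for architecture 2: verify the tag before touching the database."""
    if challenge is None:
        challenge = secrets.token_bytes(16)  # fresh nonce per interrogation
    tag_number, mac = tag.respond(challenge)
    key = TAG_KEYS.get(tag_number)
    if key is None:
        return None  # unknown tag number: nothing to verify against
    expected = hmac.new(key, challenge + tag_number.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # replayed or forged response: refuse the lookup
    return IDENTITY_DB.get(tag_number)


def demo():
    """Run both architectures against a genuine tag and a replayed transmission."""
    results = {}
    genuine = StaticIdTag("E200-0000-0001")
    results["static_genuine"] = static_reader_lookup(genuine)["name"]
    # The static number is all the reader checks, so repeating it is accepted.
    results["static_replayed"] = static_reader_lookup(ReplayTag(observe(genuine)))["name"]

    cr_tag = ChallengeResponseTag("E200-0000-0001", TAG_KEYS["E200-0000-0001"])
    results["cr_genuine"] = authenticated_reader_lookup(cr_tag)["name"]
    # Record one complete exchange, then present it to a reader that issues a new challenge.
    recorded = cr_tag.respond(secrets.token_bytes(16))
    results["cr_replayed"] = authenticated_reader_lookup(ReplayTag(recorded))
    # Note: the tag number itself still travels in the clear in architecture 2, so
    # authentication alone does not remove the tracking concern the article raises.
    return results


if __name__ == "__main__":
    print(demo())
```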
A further privacy concern is associated with maintaining all the identity information within a centralized database and assuming it will remain accessible to only authorized individuals (Ref: alerts.trustedid.com/?cat=191).

Under the Western Hemisphere Travel Initiative (WHTI), U.S. citizens will be required, when returning to the U.S., to present one of a small set of specific documents to verify their citizenship. One of these new documents is known as a PASS card or Passport card. Equally important, under the REAL ID Act of 2005, states are required to meet minimum standards established by DHS in order for state driver's licenses to be accepted for federal purposes. Although the DHS final rule for REAL ID has not yet been published at the time of the writing of this article, it is unlikely to specify any significant automated human real-time or electronic document authentication technology. In an effort to consolidate identification programs, DHS proposed that several states conduct pilot programs for something being termed an Enhanced Driver's License (EDL). In border states, such an identity card would serve as both a land border crossing document (substituting for the proposed PASS card) and a state-issued driver's license under REAL ID. DHS is currently promoting the incorporation of RFID tags for several of these citizen identification programs (Ref: shtm). The PASS card, which will serve as an alternative to a Department of State-issued passport, intends to incorporate RFID technology. A second program, the proposed Enhanced Driver's License, also is slated to incorporate the same RFID technology (Ref: www.associatedcontent.com/article/ /washington_to_offer_enhanced_drivers.html).

RFID Is Not the Answer for Border Security

Quite frankly, RFID technology cannot provide the necessary security to

7 THE PRIVACY ADVISOR

protect our borders. Furthermore, the proposed RFID technology will not include appropriate or adequate privacy safeguards for U.S. citizens. RFID technology has been designed for warehouse supply chain and inventory management applications (Ref: files.intermec.com/eps_files/eps_wp/SupplyChainRFID_wp_web.pdf), for example, tracking toilet paper and dog food, and not for human identification card applications (Ref: xlibrary/assets/privacy/privacy_advcom_ _rpt_RFID.pdf). The RFID proposed for the enhanced driver's license does not have any security features that protect the transmitted information.

Because there is no security designed in the chosen RFID tags, they can easily be copied and duplicated (as demonstrated by the Smart Card Alliance & Secure ID Coalition recently on Capitol Hill; Ref: cardalliance.org/articles/2007/07/18/smart-card-alliance-and-secure-id-coalition-host-briefing-to-educate-congress-on-the-importance-of-securing-identity) to create fraudulent driver's licenses and border crossing documents. Adding external paraphernalia to the card (i.e., protective RF sleeves) will not solve the national security threat that RFID technology poses when used for human identification purposes. As proposed by DHS, the simple RFID-enabled land border identity cards have many vulnerabilities and will be open to attacks from hackers, identity thieves and possibly even terrorists. Such attacks include skimming, cloning and denial of service. DHS is aware of these potential attacks and corresponding vulnerabilities but is proceeding with the program without addressing them.

There are some further issues in specifying this technology in the current environment. Implementing an RFID technology would essentially duplicate the reader infrastructures, as they would be incompatible with the new e-passport infrastructure being deployed at all U.S. border entry points, adding significant, unnecessary cost to the programs. So far, there has been limited, if any, practical testing of this technology at the border and, in fact, the one test that was conducted as part of a Government Accountability Office (GAO) review (GAO ) reports numerous performance and reliability problems, including failure of RFID readers to detect a majority of travelers' tags during testing. One possible consequence of the inherent unreliability of RFID read rates is that it will force DHS's border patrol officers to fall back to visual/manual inspection and use of outdated printed machine-reading technologies, adding significant delays to border processing times.

There are several other areas where testing might be expected to reveal that: The lack of strong cryptographic features in the proposed RFID tags makes it impossible to effectively authenticate the enhanced driver's license or PASS card. As a result, more time will be required by the Customs and Border Protection (CBP) officer to manually authenticate the driver's license using the other security features on the card. This will mean that the officer has to

See, RFID Technology, page 28

The long-range nature of the RFID tag introduces exploitable system vulnerabilities:
- The readers can be rendered useless by a commercially available RFID transceiver being pointed at the CBP antennas, making the system inoperable. Such a denial-of-service attack will wreak havoc by slowing the processing of returning citizens, and could facilitate the movement of individuals with forged RFID tokens across the border.
- Many car windshields are covered with metallic films to reduce visual glare or electrical heating wires for de-icing. Both of these features attenuate the radio signals and prevent them from reaching the RFID tag(s) inside the vehicle. In this situation the failure to read the RFID tag will force the Customs and Border Patrol (CBP) officer to manually enter the driver's license data into the workstation before the watch list data and other databases can be consulted.
- UHF radiation is subject to reflections, so RFID numbers from adjacent vehicle lanes can confuse the CBP system, slowing the work of border patrol officers as they match biographic/biometric data to the citizen in the expected vehicle lane.

Possible attacks enabled by the vulnerabilities inherent in the RFID technology:
- A denial-of-service attack is possible by flooding the local reader system with multiple forged cards all with the same (identical) valid RFID number. Manually performed card reads by a CBP officer may pull up the same or a different record, adding to the confusion.
- A variation of the denial-of-service attack also is possible by flooding the local system with multiple forged cards all with valid but different RFID numbers. Again, manual card reads by a border patrol officer may pull up the same or different identity records.
- Another subtle attack is the presentation of a single forged card that looks genuine (with printed photo of the imposter, etc.) using a valid (cloned) RFID number that points to the record of an enrolled person in the database. If presented at the same time as the cards of multiple travelers in the same vehicle, the discrepancy may be overlooked.

8 December 2007 Global Privacy Dispatches ARGENTINA By Pablo Palazzi Commissioners Release Report on TJX Companies Inc./Winners Merchant International L.P. Breach The Supreme Court of Argentina recently ruled that those who facilitate identity theft are liable for losses and emotional distress. In the case, a citizen requested the issuance of a new Pablo Palazzi national identity card (cards which are mandatory in Argentina). The card was lost in the bureaucracy of the federal government and the individual never received it. The identity card was then used to open credit at several banks and to order goods from retail companies, which were never paid. As a consequence the credit status of the plaintiff was ruined, his bank accounts were closed and he lost his job. The court held that both the province of Mendoza and the federal government (which blamed each other during the trial) were responsible for failing to adopt the necessary measures to avoid the damage to the individual. Emotional distress damages were awarded to the plaintiff. The Supreme Court of Argentina recently ruled that those who facilitate identity theft are liable for losses and emotional distress. The case is Serradilla v. Province of Mendoza (CSJN, S.2790, docket 2007). Pablo Palazzi is Of Counsel at the law firm CABANELLAS, ETCHEBARNE & KELLY (Buenos Aires, Argentina) where he specializes in privacy and computer law. He is licensed to practice in the State of New York and in Argentina. He may be reached at or at GLOBAL PRIVACY By John W. Kropf, CIPP Calls for International Standards for Airlines, Science and Technology and General Cooperation The Privacy Commissioner s Office of Canada hosted the 29th International Conference of Data Protection and Privacy Commissioners in Montreal September John W. Kropf This international group is composed of national and sub-national representatives, mainly from European and Canadian data protection authorities. Countries such as the U.S. 
and Japan are permitted to attend as observers. During the conference's closed sessions, the commissioners issued three resolutions. While there is no voting record of how each representative voted, the resolutions provide the name of the proposing authority and its co-sponsors.

The Canadian privacy commissioner proposed a Resolution on International Co-operation that was co-sponsored by the data authorities of the UK, New Zealand, Alberta and Saskatchewan. The measure recognizes the cross-border enforcement work being conducted in regional bodies such as the OECD and APEC. As a potentially helpful development for countries that do not follow the European model of an independent data protection authority, the commissioners first recognize that countries have adopted different approaches to protecting personal information and enhancing privacy rights.

In a second measure, Germany proposed a Resolution on the urgent need for global standards for safeguarding passenger data to be used by governments for law enforcement and border security purposes. The document reaffirms the data protection and privacy rights enshrined in Article 12 of the Universal Declaration of Human Rights and other legal instruments. The language is unusual, since privacy is mentioned in Article 12 of the UN Declaration but data protection is not, and must therefore be referenced in the unspecified legal instruments. The resolution applies the standard fair information practice principles to the collection of passenger data, but also calls on industry groups and commissioners to seek binding global solutions.

In what may be the most unusual of the three resolutions, the Canadian commissioner's office proposed a Resolution on the Development of International Standards. The document, which was co-sponsored by the data protection authorities of Germany, Belgium, Berlin, Ontario, Spain and Switzerland, is unlike the other measures in structure.
It provides a significant narrative and then offers six sub-resolutions that call upon data protection authorities to become more actively involved in the International Organization for Standardization (ISO).

ISO is a non-governmental organization made up of a network of the national standards institutes of 157, mostly European, countries, which has generally set technical specifications for industry. The resolutions can be viewed at: Terra_Incognita_home_E.html. The resolutions have no binding legal effect. The next conference will be co-hosted by the data protection authorities of France and Germany in October.

John Kropf is the Deputy Chief Privacy Officer and Senior Adviser for the U.S. Department of Homeland Security's Privacy Office. The views expressed here are his and not those of the Department of Homeland Security or the U.S. Government. He may be reached at

ISRAEL
By Dan Or-Hof

E-mail Monitoring Decision Under Appeal

Last July, the District Labor Court of Tel-Aviv ruled that an employer must comply with the provisions of the Israeli Wiretap and Protection of Privacy laws prior to accessing employees' e-mails. The decision was delivered in a legal suit brought by Tali Isacov against her former employer and was the first in Israel to address the issue of workplace e-mail monitoring. The court further held that Isacov implicitly gave her employer permission to read her e-mail messages because the mailbox was provided to her by her employer for work purposes and the employer had given employees prior notice of occasional monitoring. The judge noted that the employee mixed personal content with professional content in her mailbox, thus waiving her right to privacy in her personal messages. The court therefore ruled in favor of the employer. Isacov recently appealed the decision to the National Labor Court, claiming that the decision unreasonably affected her rights to freedom and privacy. The appellate court's decision has not been delivered yet.
Dan Or-Hof is a senior counsel at Pearl Cohen Zedek and Latzer LLP, with specific expertise in data protection and privacy law. He may be reached at

NETHERLANDS
By Richard van Staden ten Brink

Dutch Supreme Court Allows Instant Dismissal Because of Off-duty Drug Use

On Sept. 14, the Dutch Supreme Court ruled that the Hyatt Hotel and Casino in Aruba was allowed to instantly dismiss a waitress because of off-duty drug use. Hyatt had implemented a drug-free workplace policy, which provided for random employee drug tests. After the waitress was selected randomly for a drug test and tested positive for cocaine use, she was offered the opportunity to go into rehabilitation. She refused, after which she was fired. The waitress contested the dismissal and argued, inter alia, that Hyatt had unlawfully infringed on her fundamental right to privacy (Article 8 of the European Convention on Human Rights) by implementing a drug policy under which her off-duty drug use could lead to a positive drug test and to dismissal, while an adverse effect on her work performance had not been established. The Supreme Court ruled that Hyatt's drug policy was lawful because it passed the tests of legitimate purpose, proportionality and subsidiarity. The legitimacy of Hyatt's purposes, to maintain a good reputation and to attract guests, was not contested. The Supreme Court ruled that the drug policy was proportional. Finally, the Supreme Court ruled that the drug policy passed the test of subsidiarity.

Richard van Staden ten Brink is advocaat at De Brauw Blackstone Westbroek in Amsterdam. He may be reached at

See, Global Privacy Dispatches, page 10

Global Privacy Dispatches, continued from page 9

UK
By Eduardo Ustaran

Foreign Office in Breach of the Data Protection Act

The Information Commissioner's Office (ICO) has found the Foreign and Commonwealth Office (FCO) in breach of the Data Protection Act following an investigation into the online application facility for UK visas. The ICO was alerted to a potential security breach at the Web site by Channel 4 News, prompting the ICO to immediately launch an investigation into the site. The security breach meant that the personal data of people applying for visas to enter the UK was visible to others visiting the Web site. The FCO cooperated fully with the ICO during the course of the investigation and provided the ICO with an independent report into the breach. Nevertheless, the ICO has now required the FCO to sign a formal undertaking to comply with the principles of the Data Protection Act. Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO.

Police Told to Delete Old Criminal Conviction Records

The ICO has ordered four police forces to delete old criminal convictions from the Police National Computer (PNC). The ICO is concerned that the old conviction information is held contrary to the principles of the Data Protection Act because the information is no longer relevant and is excessive for policing purposes. According to ICO reports, each case relates to individuals who have been convicted or cautioned on one occasion and have not been convicted of any other offences. Some of the incidents date back almost 30 years. Since the offences were non-custodial, the ICO takes the view that there is no justification in terms of policing purposes for retaining the information. Therefore, after investigating complaints from four individuals, the ICO has issued Enforcement Notices to Humberside, Northumbria, Staffordshire and West Midlands Police.
The police are appealing each case to the Information Tribunal, which means the information in question does not need to be deleted until after the appeal is determined.

Eduardo Ustaran is a Partner at Field Fisher Waterhouse LLP, based in London. He may be reached at

UK
By Michael T. Spadea

The Data Protection Act Is No Scrooge

Just in time to prevent a bah-humbug holiday, the ICO has released guidance dispelling any confusion about whether family and friends may take pictures of children at school activities. Family and friends invited to school activities such as holiday plays may take pictures and videotape such events under the Domestic Purposes exception (section 36 of the Data Protection Act). The act, however, may apply to pictures taken by school officials for building passes and school prospectuses.

EU Seeks Data on U.S. Airline Passengers

Under a proposal by the European Commissioner for Freedom, Security and Justice, airlines or computerized reservation systems would send at least 19 pieces of data on each passenger flying into or out of the EU to data-analysis units set up by each EU state. All EU members must approve the proposal before it becomes law. The data includes names, credit card information and telephone numbers.

UK Mobile Workers Exhibit Poor Security Practices

In a recent survey of 1,200 UK workers, 35 percent said that IT security is the responsibility of the individual user when outside the workplace. Eighteen percent said they share their work password with another person; 32 percent share their work PC with a member of their household; 51 percent access company information from home and 33 percent do the same from public hotspots. Twenty-six percent copy work data onto mobile devices at least once a week, with USB flash drives being the preferred tool. Consulting firm YouGov conducted the survey.
UK School Uses RFID to Monitor Student Attendance

Ten students at Hungerhill School in Edenthorpe are having their class attendance monitored by RFID chips embedded in their school badges in a pilot program. The program may be expanded if successful. The manufacturer plans to market the product countrywide. The program has drawn some opposition from civil rights groups.

15,000 Pension Records Exposed

Unencrypted data on a CD relating to pension information for 15,000 people disappeared on Nov. 9 while in transit between Her Majesty's Revenue and Customs and the financial services company Standard Life. The victims have been notified. The exposed personal data includes surnames and initials, as well as National Insurance numbers, birth dates and pension plan numbers.

Michael Spadea is a London-based privacy attorney. He may be reached at or at +44 (077)

Moody's Risk Services Corporation Now Offers Vendor Information Risk Ratings

Clare Dever, CIPP, Executive Director of Compliance & Strategic Consulting Services, recently interviewed Edward Leppert, Director of Moody's Risk Services, to learn more about Moody's new Vendor Information Risk (VIR) Ratings.

Clare Dever: Ed, I understand that, in response to the periodic data breaches that have occurred, a number of key financial, investment and insurance companies have been working with Moody's to develop a more streamlined approach to assessing the potential information risk that may be associated with service providers, rather than each organization completing its own due diligence. Could you share more information with the IAPP and its members?

Ed Leppert: Yes, you are correct. A number of major financial services firms contacted Moody's earlier this year to discuss this concept given our independence and strong reputation for helping financial organizations evaluate risk. We subsequently formed an advisory council to ensure the service would meet the needs of a number of leading international financial and insurance institutions and others who helped us determine the areas to evaluate. The primary areas of evaluation include:

- Information Security Policy
- Organization
- Information Classification
- Physical Security
- Communications and Operations Management
- Access Control
- Application Security
- Incident Management
- Business Continuity
- Data Security
- Privacy

For each, we assign a risk/quality rating, along with key findings which will help alleviate (or, at least, minimize) the amount of due diligence that each of the companies currently conducts individually and permit the companies to leverage the VIR Rating assigned by Moody's.

Clare Dever: This certainly appears to be an efficient and cost-effective manner to assess the risk of key service providers.
Is it Moody's intention to test-market this first with a particular industry segment, such as financial services?

Ed Leppert: Yes, Moody's would like to determine the success of this new service within the financial services (FSI) and insurance sectors prior to pursuing other industries, though I should point out that firms we have spoken with in other industries see value in the service, as managing risks of service providers is universal really for any firm that uses vendors to support their technology and business processes. In terms of process, the rating report will be distributed to the service provider rated and then to FSI subscribers to the service, with distribution being at the rated firm's discretion.

Clare Dever: There are so many questionnaires, surveys and certification programs that vendors are currently struggling with. Is there any incentive for the service provider to proceed with a VIR Rating by Moody's?

Ed Leppert: Within the areas we evaluate, we have identified approximately 80 areas of analysis. Of course, not all will be applicable to a service provider, and which ones we look at depends on the services that the service provider offers to the market. The questionnaire we have developed is an information-gathering tool for us, which we combine with vendor discussion sessions and an onsite visit. If a firm has completed other surveys or questionnaires, we can accept that in lieu of ours, so long as it covers a reasonable number of the areas we need to analyze. Then, we can cover the gaps through our discussion and onsite sessions. For instance, an International Organization for Standardization assessment, the Financial Institution Shared Assessments Program (FISAP) made utilizing the Agreed Upon Procedures (AUP) and the Standardized Information Gathering (SIG) questionnaire, and the Payment Card Industry (PCI) Report on Compliance (ROC) cover most of the areas we evaluate.
In terms of incentives to get rated, we like to use the phrase "rate once, use many," meaning that our rating report can be leveraged by the service providers to respond to their FSI clients' (or prospects') due diligence requests. It is also a good way for service providers to identify if there are any significant risks they need to address before they are in front of their prospects or clients. And lastly, it is an opportunity for service providers to show proactive management of risk and differentiate themselves from their competition.

Clare Dever: Ed, I understand you are currently conducting some initial evaluations of service vendors under this new program and that you plan to escalate the number of service providers being evaluated in early. Can you tell us about the nature of the rating classifications that Moody's will be using?

Ed Leppert: Each of the primary evaluation areas we discussed earlier will be rated according to the following rating definitions, and then a single overall rating for the service provider will be assigned. These include:

- VIR1: Excellent - The service provider has superior, well-established and thorough security and privacy practices throughout its organization.
- VIR2: Strong - The service provider has well-established security and privacy controls in most of the evaluation areas, but may require supplementary oversight or mitigation in some specific areas.
- VIR3: Good - The service provider is judged to have generally good security and privacy practices in several areas; however, some remediation or oversight may be warranted, depending on the scope of the proposed work to be performed by the service provider.
- VIR4: Needs Improvement - The service provider is judged to have some key areas requiring improvement to meet financial industry security and privacy standards.
- VIR5: Poor - The service provider is judged to have poor quality in most areas of the review.

Clare Dever: Ed, if companies are interested in learning more about this new service offered by Moody's, how might they obtain that information?

Ed Leppert: Service providers or FSI firms can send us an e-mail to get more information about getting a rating, or call myself or Bryan Johnson. Contact information is as follows:

General:
Bryan Johnson:
Ed Leppert:

Privacy in Israel: Current Status and Recent Developments
Dan Or-Hof, CIPP

Since 1992, the right to privacy in Israel has had constitutional status. Section 7 of the Human Dignity and Liberty Basic Law (the basic law) provides that all persons have a right to privacy and to intimacy. The basic law further stipulates that no entry shall be made into a person's private premises without that person's consent; no search shall be conducted on the private premises of a person, nor in a person's body or personal effects; and there shall be no violation of the confidentiality of conversation, or of the writings or records of a person.
Under the basic law, no violations of these rights are allowed, except by a law conforming to the values of the State of Israel that was enacted for an appropriate purpose and to an extent no greater than is required. All governmental authorities are bound to respect the rights under the basic law.

Eleven years earlier, the Knesset (the Israeli Parliament) enacted the Protection of Privacy Law (the privacy law). It is a comprehensive piece of legislation on privacy issues, governing basic principles of privacy protection, regulation of data processing and security, rules for direct marketing and the exchange of information between public entities. Alongside the privacy law, certain areas such as protection of patients' privacy, confidentiality of bank reports, processing of genetic data, transfer of personal information outside Israel and workplace privacy are subject to specific laws, regulations and court decisions.

Like other countries, Israel did not define the right of privacy under the law. Instead, the privacy law sets out the fundamental principle of consent, i.e., the privacy of a person must not be infringed without that person's consent. Failure to comply with the provisions of the privacy law constitutes a civil tort and, in certain cases, criminal liability as well. The privacy law provides an array of privacy principles, the most important of which are the following:

- Tracking, monitoring, harassing and eavesdropping, as well as the use or transfer of personal information other than for the purpose for which it was given, constitute privacy infringement;
- Processing of personal information in a database must be preceded by a proper written notification to the information's subject. A database is defined under the privacy law as a collection of data stored on a magnetic or optical medium and intended for commercial and computerized processing (with specific exceptions defined therein);
- Every person is entitled to access information stored in a database that pertains to that person, and has a further right to rectify and delete inaccurate information; and
- Personal information must be kept confidential and undisclosed.

Recent Developments

A national authority called the Registrar of Databases supervises and monitors the protection of privacy in Israel. Until recently, enforcement of information privacy was predominantly carried out through the registration of databases containing personal information. However, in January 2006, the Israeli Government ordered the formation of the Legal Authority for Information Technology and the Protection of Privacy, under the Ministry of Justice. The new authority's objectives were set out to be the enforcement of privacy protection, the coordination of government activities in its fields of operation (IT, privacy and computer crimes) and the promotion of legislation on these issues. The authority merged under its auspices three previously independent authorities, one of which was the Registrar of Databases. While still in its infancy and operating with a limited budget and human resources, the authority clearly aims to make its mark on privacy protection in Israel. For example, the authority has:

- Investigated a breach in EL AL's (Israel's national airline carrier) system;
- Toughened procedures for registering databases;
- Placed strict restrictions on the transfer and use of personal information held by pension funds following recent mergers and acquisitions in Israel's financial sector; and
- Ordered the Defense Ministry to halt the processing of information in a sensitive database as a result of information misuse.

In June 2007, a second substantial change occurred in the privacy environment in Israel, when an amendment to the privacy law was enacted to include two important provisions. The first provides that a person's consent must be mindful. Whether consent would
require an informed indication of wishes, similar to the provisions of the EU Data Protection Directive, or a different level of assurance, is something for Israeli courts to decide in future case law. Nevertheless, this requirement clearly confines permissible consent within much narrower boundaries than before. The second amendment to the privacy law provides courts with the authority to award statutory damages of up to NIS 50,000 (approximately $12,000) per privacy infringement, and twice as much if the infringement is found to be the result of a willful act. A court may also fine infringers in criminal cases with similar sums. As a result, the extent of privacy litigation in Israel is likely to increase substantially.

Looking Ahead

A two-year review of the legal aspects pertaining to the protection of privacy in databases was finished in February 2007, when a government committee report was submitted to the Minister of Justice. Led by the Deputy Attorney General of the State of Israel, Joshua Schoffman, the committee consisted of government officials, scholars, members of the Public Council for the Protection of Privacy, representatives of the Association for Civil Rights in Israel, and private practitioners. The committee's recommendations urged a shift toward more efficient enforcement of privacy protection and security of personal information. The committee recommended the following:

- The database registration requirement must be limited to databases that store sensitive data, such as genetic data;
- The Registrar of Databases must have independent discretion to take part in legal proceedings and obtain enforcement measures to investigate complaints.
- The registrar must also have discretion to form and publish best practice codes;
- Unlawful cross-border data transfer must be deemed a criminal offense;
- Provisions similar to California's SB 1386 Security Breach Information Act must be enacted; and
- Class actions must be enabled to confront mass privacy infringement incidents.

As of July 2007, the Authority for Law, Technology and Information is drafting a bill based upon the Schoffman Committee's findings.

Dan Or-Hof is a Senior Counsel and the manager of the IT and Internet group at Pearl Cohen Zedek and Latzer LLP. Currently based in Israel, Or-Hof is an attorney (LLM) and a CIPP. His fields of expertise are computer and Internet law, communications law, copyright law, and data protection and privacy law. He publishes articles and lectures on privacy and other legal issues, participates in bill discussions and hearings held by the Justice Department and the Knesset, and co-contributes to his firm's first Israeli legal Web site at: He can be contacted at and at


New Faces at the IAPP

The IAPP is pleased to welcome two new staff members.

Andrea Fountain, Receptionist

Andrea joined the IAPP in July as the IAPP's new receptionist. In this role, she provides general administrative support, as well as answering phones, ordering supplies, and handling mail sorting and shipping. Andrea comes to the IAPP with a background in administrative support and customer service. Most recently, she worked as a legal assistant for a local attorney. Andrea has a degree in Business Management from Granite State College in New Hampshire.

Mindy Moore, Events Manager

Mindy joined the IAPP in August. As the Events Manager, Mindy works closely with the Events Director to plan and manage the IAPP's annual conferences. Her responsibilities also include serving as project manager for new, upcoming IAPP events and seminars. Mindy has an extensive background in corporate marketing, customer relationship management and special events. She has held management positions with AT&T Wireless, Brink's Home Security and Virtuality Entertainment, as well as two Dallas, Texas based advertising agencies. Most recently she was co-owner and operator of a café and catering business in Newburyport, Mass. Mindy holds a degree in Journalism from the University of Kansas.

Privacy Classifieds

The Privacy Advisor is an excellent resource for privacy professionals researching career opportunities. For more information on a specific position, or to view all the listings, visit the IAPP's Web site.

- ANSS - PRIVACY COMPLIANCE ANALYST, Accenture, Reston, Va.
- VP, COMPLIANCE, Countrywide Financial, Plano, Texas
- PRIVACY PROGRAM DIRECTOR, Blue Cross Blue Shield of Massachusetts, Boston, Mass.
- ASSOCIATE DIRECTOR, DATA PROTECTION & PRIVACY, Graduate Management Admission Council, McLean, Va.
- SENIOR DIRECTOR, PRIVACY OFFICER, State Street Corporation, Boston, Mass.
- HEALTH PRIVACY PROJECT, The Center for Democracy and Technology, Washington, D.C.
- DATA PRIVACY & LEGISLATIVE AFFAIRS ANALYST, Deluxe Corporation, Shoreview, Minn.
- SENIOR PROJECT MANAGER, T-Mobile, Bellevue, Wash.
- PRIVACY ANALYST, SRA International, Washington, D.C. metro area
- PRIVACY SPECIALIST, Comptroller of the Currency, Washington, D.C.

PERSPECTIVE

Advocate or Adversary: Recruiting's Balancing Act
Van Allen

The myriad issues facing employers working to fill a vacancy and the desires of a prospective employee seeking to find gainful employment rarely match perfectly. At the workplace, budget constraints, personality conflicts, equipment obsolescence, office politics and community shortfalls may give pause to a candidate perfectly suited for an empty position. Conversely, a seemingly qualified candidate may possess personality traits, a lack of specific experience, or personal interests that, in time, may strain relationships on the job. The interview process may expose some of each party's deficiencies, but since self-interest naturally results in accentuation of the positive and an avoidance or minimization of the negative, the peculiarities that add up to a strained relationship or worker/workplace incompatibility may not be fully understood during the interview process, and will only become manifest after a hire is made. For the candidate, maintaining personal privacy provides a hedge against bias based on the disclosure of potentially controversial information.

Traditionally, an employment recruiter has filled the role of mediator in this delicate balance. Earning the trust of both parties, and with a clearer understanding of both the positive and negative characteristics of each, a skilled and objective recruiter is in the ideal position to identify employer-candidate matches that are most likely to result in long-term success.

Recent changes to the employment and recruiting landscape have introduced new complexity to the process, however, and few employers, employees or recruiters have noticed the change, much less given serious thought to its impact. The emergence of online social networking utilities and the array of simple self-publishing tools available to anyone with access to the Internet has resulted in a flood of personal information on the Web.
Bloggers share their experiences, thoughts and feelings with the world; subscribers to social networking sites publish highly personal details and photos for friends (and the merely curious); and with just a few button pushes, ubiquitous camera-phone paparazzi seem ever ready to capture and share their images with the world.

The problem for a new generation of workers completing an education and preparing to embark on a professional journey is that decisions made at the spur of an indiscriminate, carefree moment may not seem so wise with additional perspective. Chronicling an out-of-control spring break vacation and sharing it with friends via the Internet during one's sophomore year could become a regrettable decision once a diploma is in hand.

At one time these glitches of personal history were the near-exclusive bane of politicians and celebrities, who used the term "youthful indiscretion" to explain away embarrassing decisions made before a career in the public eye was a consideration. Depending on an individual's personal tolerance for shame, the term "youthful indiscretion" might describe anything from an unfortunate hair style to a matter of immoral, even criminal, activity. Fortunately for most people, memories of these youthful indiscretions are easily and conveniently suppressed, discussed only in quiet, trusted circles as a source of guilty amusement, and often preceded by the phrase, "Remember that time back in college when we..." At least it was that way before the advent of the Internet and the proliferation of the social networking phenomenon. Today, the indelibility of digital history means that wild oats sown yesterday may well live on in perpetuity courtesy of a page on MySpace, or via an image and narrative posted to a Web site, archived for rediscovery years later courtesy of a few keystrokes on Google or some other search engine.
The well-publicized case of Miss New Jersey Amy Polumbo serves as a compelling case study of the very real potential for what can go wrong with social networking when personal privacy is compromised. Supposedly salacious photographs of Polumbo were used in an attempt to blackmail the beauty queen. The case made headlines, and even though the photos captured what amounted to little more than Polumbo engaged in silly hijinks, the implications were clear: personal privacy in the age of online social networking has become a high-maintenance pursuit.

As more and more employers conduct background searches on prospective employees, and as the Internet becomes an increasingly important component of such checks, the reality is that potential employees and employers both need to be

cognizant of the ways in which social networking can affect the candidate screening and decision-making process. Once hired, continued participation in online social networking also may have implications for both employee and employer. Poor judgment recorded on the Internet could be the difference between launching headlong into a promising new career, or settling for a position somewhat lower on the list because, for some reason, offers just weren't coming in from choice one (or two, three, four...).

Survey: Workers Want Online Privacy

According to a recent study by privacy and information management research firm Ponemon Institute, commissioned by national employment and labor law firm Littler Mendelson, workers are growing increasingly aware of the potential workplace ramifications of their online activities. More than three quarters of younger workers (ages 18-30) feel that a review of social networking Web pages by a potential employer would constitute a violation of their personal privacy, and 78 percent of all workers believe that an employer should not monitor social networking sites on which they are active. Blogging, even when unrelated to work, also was found to be an area of sensitivity among employees. Eighty-four percent of older workers (older than 50) and 71 percent of younger workers felt that being disciplined for blogs unrelated to their work would be an inappropriate violation of personal privacy.

What do these findings, and the legal rights and obligations of individuals and employers, mean within the context of the various healthcare professions, where the desire to minimize potentially high liability risks is strong? As a recruiter working with both physician candidates and healthcare employers, the potential presence of embarrassing online residue has introduced a nuance to the process of matching qualified candidates with organizations in need.
These online influences hold true across the healthcare industry, applying to nursing and administration as well. The first and best advice I give to a candidate is to not put themselves in such a position in the first place. An instance of questionable judgment may well have a reasonable explanation, but it's best to not have to address such an issue at all.

Ponemon Institute/Littler Mendelson Study: Workplace Survey on the Privacy Age Gap (April 2007)

76 percent of adults aged agreed or strongly agreed that a review of online social networking activities by a potential employer would constitute a violation of their personal privacy.
65 percent of adults aged 50 or older agreed or strongly agreed that a review of online social networking activities by a potential employer would constitute a violation of their personal privacy.
Nine percent of adults aged did not believe that a review of online social networking activities by a potential employer would constitute a violation of their personal privacy.
17 percent of adults aged 50 or older did not believe that a review of online social networking activities by a potential employer would constitute a violation of their personal privacy.
67 percent of adults aged felt that the protection of their employee information was important or very important.
75 percent of adults aged 50 or older felt that the protection of their employee information was important or very important.

Ponemon Institute HR Special Analysis, May

percent of companies surveyed recently performed Google searches on job candidates, while 65 percent of professional services and law firms had performed Google searches on job candidates.
23 percent of companies surveyed scanned social networking sites such as MySpace and Facebook to obtain additional information about a job candidate, while 52 percent of professional services and law firms had scanned social networking sites.
If there is something online that may require an answer, however, don't pretend it doesn't exist. In most cases it is unlikely that information available online will disqualify a candidate from a desired position, but a candidate profile derived from information harvested online could help in determining whether one candidate is a better fit for an opportunity. Not long ago we were working to fill a vacancy for a Midwestern hospital in a conservative rural community. One candidate we had seemed like an ideal fit; she was anxious to pursue the position, but after conducting a simple background check, including a review of publicly available purchasing patterns on a popular retail Web site, we realized there were incompatibilities that might put the employer and employee at odds in the future. After discussing the situation, the candidate agreed that, in spite of the position's appeal and her obvious qualifications, she would probably not be happy there. The experience for both parties underscored the advantages of having an objective advocate involved in the screening process.

Privacy Considerations in the Hiring Process

For employers, the vetting process is relatively well-established, but there are guidelines to follow, especially when including the Internet in a screening. The first and most important thing to remember is that policies must be consistent and applied equally to all candidates. Even unintentional deviation from an established pattern can be construed as discriminatory or otherwise unfair. A more likely problem when screening potential employees, however, is encountering inaccurate information associated with an individual.

SAVE THE DATE
March 26-28, 2008
Renaissance Washington DC Hotel

Don't miss the largest gathering of privacy professionals in the world! Experience all the networking, education and excitement the IAPP has to offer.

Keynotes include perspectives on privacy and the judicial system from:
Jeffrey Rosen, acclaimed author and George Washington University law professor
Nina Totenberg, NPR's award-winning legal affairs correspondent

Panel discussion on the future of global privacy regulation, featuring:
Martin Abrams, Executive Director, Center for Information Policy Leadership
Peter Cullen, Chief Privacy Strategist, Microsoft
Peter Fleischer, Global Privacy Counsel, Google
Richard Thomas, Information Commissioner, Office of the Information Commissioner, UK
Eduardo Ustaran, Partner, Field Fisher Waterhouse
Nancy Volesky, Director of E-commerce, Government of Bermuda
Alan Westin, Emeritus Professor, Columbia University

Registration opens on January

Recruiting's Balancing Act, continued

Reporter Bob Sullivan, author of the Red Tape Chronicles on MSNBC.com, provided a stunning account of the potential for wildly erroneous data, including damaging criminal and financial information, in a May 3, 2007 report. Conducting a background check on himself, Sullivan found a number of false and potentially damaging associations. "If you use the Internet today to conduct a background search on me, you might get the idea that I have been convicted of child molestation, and I have a close male relative who's been convicted of manslaughter," Sullivan wrote of the situation. "Let me assure you, neither is true. But let me try to convince you that there is a crisis at hand." Once again, we encountered a situation illustrative of this pitfall. While we were representing an individual with a relatively common name, one hospital contacted us wondering why we would send them a candidate with a criminal record. Initially disappointed in ourselves for overlooking an obvious red flag, we dug deeper and found that our candidate was indeed clean, but another person with the same name and a similar professional background had committed the offenses. We presented the new information to the hospital, and the candidate was able to continue with the process and land the position. The message for both candidate and employer is clear: Whether engaging the Internet for business or pleasure, it is important to understand the potential for an unintended result. An awareness of both the short- and long-term implications is essential to avoid the broadcast of so-called youthful indiscretions, and to avoid making a wrong decision based on wrong information.

Van Allen is President and Founder of TimeLine Recruiting, a physician recruitment firm in Columbia, Missouri, and a part of the Maxim Healthcare network.
Visit TimeLine Recruiting at or call

The IAPP Welcomes Our Newest Corporate Members
Federal Highway Administration
First Data Corporation
National City
Pillsbury Winthrop Shaw Pittman
Winston & Strawn LLP
Oracle
Safecount

The Privacy Advisor Interviews Scott Charney of Microsoft

The Privacy Advisor recently interviewed Scott Charney, Corporate Vice President of Microsoft Corp.'s Trustworthy Computing (TwC) Group, about the company's efforts to protect its critical infrastructure, improve its engineering practices, secure its networks, and reach out to the rest of the technology industry on today's most important privacy and security issues.

Q: What does privacy mean for Microsoft?

A: As an industry, we all need to set a high bar for respecting customer privacy and helping to build greater trust in the Internet and e-commerce. To realize the full benefits of the information age, people should be able to trust their computers and feel certain that their personal data is being used appropriately. We are committed to making sure customers feel confident about their safety when using our products and services, and we believe the best way to do that is to empower our customers and place them in control of their personal information. Consumers can feel certain that their data is being used in appropriate ways that they consent to. Our Trustworthy Computing group works to accomplish this through a combination of effective business practices, privacy-enabling technologies, and broad collaboration with industry partners, government regulators and customers toward improving privacy and protection. But it doesn't begin and end with Microsoft. The entire industry needs to work together to address the continued challenges and evolving threats to people's privacy. We hope that security and privacy professionals can come together and participate in an open dialogue about how to develop common industry best practices. We have already started and will continue to work with our industry partners to develop a common framework for protecting user privacy.

Q: What has Microsoft done to ensure the privacy of its users?
A: We have developed companywide privacy principles that help put our customers in control of their personal information while using our products. Our principles focus on providing appropriate notice when collecting personal information, obtaining consent when using that information, transferring information to third parties only when appropriate, and giving users access to their personal information to ensure accuracy. Microsoft also has established and implemented internal guidelines that ensure customer privacy is taken into consideration in the development of our products and services. We have developed and implemented new technologies, educated consumers about ways to protect themselves while online, and put into place best practices to ensure privacy and security. This multi-faceted approach continues to be one of our highest priorities. We are committed to helping protect our customers' personal information and maintaining its integrity, and this is only going to get more important as more information is shared and used online. Our privacy efforts are not just internal to Microsoft. To help create a more trustworthy ecosystem, we believe in sharing our practices so that others may benefit from what we have learned. Microsoft recently published a public set of Privacy Guidelines for Developing Software Products and Services. These guidelines draw from Microsoft's experience incorporating privacy into the development process and reflect customer expectations as well as global privacy laws.

Q: What are some current threats to online privacy?

A: Cybercriminals are now launching more targeted attacks that look to gather personal information from users and businesses. According to the 2007 eCrime Watch Survey and the Microsoft Security Intelligence Report, social engineering schemes such as phishing have become the greatest threat to enterprise data.
So protection of that data continues to be a top concern for organizations as the threat of security breaches continues to evolve. In essence, data has become the new currency of crime, and is increasingly valuable to online criminals. Along with security threats, the lack of strong organizational policies can increase the risk of compromising personal data. Companies need to enact strong and clear data handling policies, and educate their employees on how to properly handle personal information. Now more than ever, companies need to implement comprehensive privacy practices.

Q: How has the relationship between privacy and security evolved?

More information

PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009

PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009 PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009 Current Laws: A person commits the offense of identity theft

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

Vanessa Batters-Thompson, Staff Attorney, Bread for the City Ashley McDowell, Staff Attorney, Legal Aid Society of the District of Columbia

Vanessa Batters-Thompson, Staff Attorney, Bread for the City Ashley McDowell, Staff Attorney, Legal Aid Society of the District of Columbia Testimony before the District of Columbia Council Committee on the Judiciary and Public Safety Child Support Services Division of the Office of Attorney General Agency Performance Oversight Hearing Fiscal

More information

Privacy and Information Protection Bulletin

Privacy and Information Protection Bulletin Privacy and Information Protection Bulletin March 2005 Fasken Martineau DuMoulin LLP Identity Theft Sara Levine and Joanna Erdman (student-at-law), Toronto Vancouver Calgary Toronto Montréal Québec City

More information

Allwin Initiative for Corporate Citizenship Dartmouth Center for the Advancement of Learning Dickey Center Ethics Institute Institute for Security

Allwin Initiative for Corporate Citizenship Dartmouth Center for the Advancement of Learning Dickey Center Ethics Institute Institute for Security Allwin Initiative for Corporate Citizenship Dartmouth Center for the Advancement of Learning Dickey Center Ethics Institute Institute for Security Technology Studies Leslie Center Rockefeller Center Tucker

More information

SUBSCRIBER PRIVACY NOTICE

SUBSCRIBER PRIVACY NOTICE PRIVACY AND SECURITY NewWave will provide you with a copy of its privacy notice at the time Service is installed, and annually afterwards, or as otherwise permitted by law. Customer can view the most current

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

E-PRIVACY DIRECTIVE: Personal Data Breach Notification

E-PRIVACY DIRECTIVE: Personal Data Breach Notification E-PRIVACY DIRECTIVE: Personal Data Breach Notification PUBLIC CONSULTATION BEUC Response Contact: Kostas Rossoglou digital@beuc.eu Ref.: X/2011/092-13/09/11 EC register for interest representatives: identification

More information

PRIVACY POLICY. Mil y Un Consejos Network. Mil y Un Consejos Network ( Company or we or us or our ) respects the privacy of

PRIVACY POLICY. Mil y Un Consejos Network. Mil y Un Consejos Network ( Company or we or us or our ) respects the privacy of PRIVACY POLICY Mil y Un Consejos Network Version Date: April 15th 2010 GENERAL Mil y Un Consejos Network ( Company or we or us or our ) respects the privacy of its users ( user or you ) whether they use

More information

Applying the legislation

Applying the legislation Applying the legislation GUIDELINE Information Privacy Act 2009 Privacy breach management and notification A privacy breach occurs when there is a failure to comply with one or more of the privacy principles

More information

Section II. Privacy and Legislation. Sanjay Goel, School of Business, University at Albany, SUNY

Section II. Privacy and Legislation. Sanjay Goel, School of Business, University at Albany, SUNY Section II Privacy and Legislation 1 Privacy and Legislation Privacy Definition What is privacy? The Fourth Amendment: The right of the people to be secure in their persons, houses, papers, and effects,

More information

1 Billion Individual records that were hacked in 2014 3.

1 Billion Individual records that were hacked in 2014 3. 783 Major data breaches in 204 up 27% from 203 2. Billion Individual records that were hacked in 204 3. 3 Fraud has changed The way we live and manage our finances today has changed radically from just

More information

Securing Critical Information Assets: A Business Case for Managed Security Services

Securing Critical Information Assets: A Business Case for Managed Security Services White Paper Securing Critical Information Assets: A Business Case for Managed Security Services Business solutions through information technology Entire contents 2004 by CGI Group Inc. All rights reserved.

More information

UNIVERSITY OF ST ANDREWS. EMAIL POLICY November 2005

UNIVERSITY OF ST ANDREWS. EMAIL POLICY November 2005 UNIVERSITY OF ST ANDREWS EMAIL POLICY November 2005 I Introduction 1. Email is an important method of communication for University business, and carries the same weight as paper-based communications. The

More information

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37.

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37. Zip It! Feds, State Strengthen Privacy Protection Practice Management Feature July 2012 Tex Med. 2012;108(7):33-37. By Crystal Conde Associate Editor When it comes to enforcing HIPAA data security and

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

Customer Data and Reputational Risk in the Pharmaceutical Industry

Customer Data and Reputational Risk in the Pharmaceutical Industry 1 Customer Data and Reputational Risk in the Pharmaceutical Industry Sensitive Data: A Chain of Trust Organizations of all types, from banks to government agencies to healthcare providers, are taking steps

More information

II. F. Identity Theft Prevention

II. F. Identity Theft Prevention II. F. Identity Theft Prevention Effective Date: May 3, 2012 Revises Previous Effective Date: N/A, New Policy I. POLICY: This Identity Theft Prevention Policy is adopted in compliance with the Federal

More information

Issue #5 July 9, 2015

Issue #5 July 9, 2015 Issue #5 July 9, 2015 Breach Response Plans by Lyndsay A. Wasser, CIPP/C, Co-Chair Privacy Privacy breaches can occur despite an organization s best efforts to prevent them. When such incidents arise,

More information

U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon

U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon UMACHA Navigating Payments 2014 October 8, 2014 Who We Are Claudia

More information

Is There Such a Thing as Internet Privacy?

Is There Such a Thing as Internet Privacy? Is There Such a Thing as Internet Privacy? April 13, 2015 Danielle Graff & Kristél Kriel Western Canada s Law Firm Click Agenda to edit Master title style What is Internet Privacy? Why does it matter?

More information

Report to the Council of Australian Governments. A Review of the National Identity Security Strategy

Report to the Council of Australian Governments. A Review of the National Identity Security Strategy Report to the Council of Australian Governments A Review of the National Identity Security Strategy 2012 Report to COAG - Review of the National Identity Security Strategy 2012 P a g e i Table of contents

More information

Data Privacy and Security: A Primer for Law Firms

Data Privacy and Security: A Primer for Law Firms Data Privacy and Security: A Primer for Law Firms All We Do Is Work. Workplace Law. In four time zones and 46 major locations coast to coast. www.jacksonlewis.com JACKSON LEWIS SERVING THE DIVERSE NEEDS

More information

Table of Contents. Acknowledgement

Table of Contents. Acknowledgement OPA Communications and Member Services Committee February 2015 Table of Contents Preamble... 3 General Information... 3 Risks of Using Email... 4 Use of Smartphones and Other Mobile Devices... 5 Guidelines...

More information

Social Media Dominance

Social Media Dominance Social Media Survival Guide: Hiring and Firing in the Era of Social Media Denise M. Visconti dvisconti@littler.com Adam Rosenthal arosenthal@littler.com Littler Mendelson, P.C. 501 W. Broadway Suite 900

More information

Cloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1

Cloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1 Cloud Computing and Privacy Toolkit Protecting Privacy Online May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1 Table of Contents ABOUT THIS TOOLKIT... 4 What is this Toolkit?... 4 Purpose of this Toolkit...

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP

More information

Privacy is the ability of an individual or group to keep their lives and

Privacy is the ability of an individual or group to keep their lives and Privacy Versus Security in the Workplace ALAN L. PEPPER AND BETHANIE F. THAU An important challenge facing employers today is balancing the security of the workplace versus the privacy rights of employees.

More information

Protection of Employees Rights in Insolvency

Protection of Employees Rights in Insolvency Protection of Employees Rights in Insolvency Introduction Since the beginning of the 21st century, the world faced many economic challenges (to be gentle), the crash of the dot-com bubble in 2000 2001,

More information

Privacy Legislation and Industry Security Standards

Privacy Legislation and Industry Security Standards Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,

More information

This is an example of a cover page. Themes in Employment Law October 2011. The Dangers of Social Networking in an Employment Context

This is an example of a cover page. Themes in Employment Law October 2011. The Dangers of Social Networking in an Employment Context This is an example of a cover page. Themes in Employment Law October 2011 The Dangers of Social Networking in an Employment Context NB: The comments included in this publication should not be read as representative

More information

PCI Security Compliance in KANA Solutions How KANA Applications Helps Companies Comply with PCI Security Standards

PCI Security Compliance in KANA Solutions How KANA Applications Helps Companies Comply with PCI Security Standards PCI Security Compliance in KANA Solutions How KANA Applications Helps Companies Comply with PCI Security Standards Table of Contents PCI Security Compliance in KANA Solutions...1 The Importance of Protecting

More information