
Latest

Privacy in the Clouds: Consequences of Third Party Storage for Individuals and Businesses

Even when no laws or obligations block the ability of a user to disclose information to a cloud provider, disclosure may still not be free of consequences. Information stored with a third party (including a cloud computing provider) may have fewer or weaker privacy protections than information in the possession of the creator of the information. Government agencies and private litigants may be able to obtain information from a third party more easily than from the creator of the information. The expanded ability of the government and others to obtain information from a third party affects both businesses and individuals.

Privacy in the Clouds: Other Cloud Computing Issues

Several other aspects of cloud computing affect privacy and confidentiality interests. The most important of these are the terms of service and privacy policy established by a cloud provider. The location of data, ownership of the cloud provider, use of transactional information, and other issues are considered here.

Privacy in the Clouds: Policy Observations

Cloud computing is well underway and appears to be expanding rapidly. There has been a good deal of public discussion of the technical architecture of cloud computing and the business models that could support it. Debate about the legal and policy issues regarding privacy and confidentiality raised by cloud computing has not kept pace. The findings set out at the beginning of this document are a contribution to the debate, as are the following policy observations.

CVS Caremark pharmacy chain agrees to pay $2.25 million to settle charges of HIPAA violations; also settles with the FTC

Medical privacy | HIPAA | FTC -- According to a legal complaint, CVS pharmacies -- the largest pharmacy chain in the United States -- did not take appropriate steps to protect its customers' and employees' sensitive information when it improperly disposed of documents, labels, prescription bottles, and other items with clearly identifiable and highly sensitive personal information such as SSNs, prescription information, driver's license numbers, and other information still on those materials. CVS agreed to pay $2.25 million to settle its violations of HIPAA as part of a Resolution Agreement with the Department of Health and Human Services. CVS has also signed a consent agreement with the FTC; the public can comment on this agreement until March 20, 2009. The World Privacy Forum will be filing comments with the FTC on the consent agreement with CVS, which we will post here.

World Privacy Forum opposes California DMV plan

Biometrics and ID -- The California DMV (Division of Motor Vehicles) has proposed, through an expedited 30-day process, that it begin taking detailed facial scans of drivers and storing the scans in a state-wide database. This change, among other proposed DMV changes, represents a substantial policy shift for the state of California. The World Privacy Forum has urged that this process go through normal legislative procedures so that there is adequate time for public input and for formal hearings.

Public Comments: February 2009 - DMV proposes a major policy shift to biometric systems

On January 14, 2009, the DMV issued a Section 11 (2008 Budget Act) letter to the Legislature stating its intent to change the terms of its driver license and ID card contract – including the use of biometric systems such as facial recognition scans and biometric thumbprints on people seeking driver’s licenses and ID cards. Unless the Joint Legislative Budget Committee objects within 30 days, the contract with the vendor will take effect.

Consumer Tips: Job Seekers' Guide to Resumes - Twelve Resume Posting Truths

It is important to circulate a resume when looking for work, but these days criminals and identity thieves are all too interested in finding and using resumes for all the wrong reasons. In the information economy, your resume has a “street value.” It's sad to say, but unfortunately your name, home address, telephone number, even your detailed work history can have value to identity thieves and fraudsters. It is also important to protect your resume from people and businesses who want to use it primarily to make a profit instead of primarily to help you find employment.

World Privacy Forum celebrates International Privacy Day

International Privacy Day -- The World Privacy Forum celebrated International Privacy Day by joining other privacy and civil liberties organizations in encouraging the U.S. Senate to adopt the Council of Europe Privacy Convention. The U.S. has already ratified the Council of Europe Convention on Cybercrime. International Privacy Day was founded three years ago by the Council of Europe, and is celebrated by privacy, civil liberties, and consumer groups in Europe, North America and elsewhere.

Consumer Alert: Monster.com announces another big data breach

Monster.com | Consumer Alert | Job search privacy -- According to the job site Monster.com, its users' IDs and passwords, email addresses, names, phone numbers, and some "basic demographic data" were compromised in a data breach. Monster notified victims of the security breach through its web site on Friday, January 23, 2009. It is unclear how many people this notice impacts, as Monster.com did not give an estimate. In press reports, however, Monster has admitted that the breach is global, with Asia Pacific and Eastern Europe being spared. Job seekers' information can be used like a road map for criminal ventures, including identity theft, phishing and spamming. User passwords, which Monster.com says were compromised in this breach, are especially valuable as they can potentially be used to access other sites or email accounts, especially if a person regularly uses the same passwords. The World Privacy Forum has published a consumer alert about this data breach with tips for victims. This data breach also impacts USAjobs.com, the government job search site affiliated with Monster.com.

New privacy rules for schools released; World Privacy Forum comments had positive impact for student and parent privacy

School privacy | FERPA -- In May 2008 the World Privacy Forum submitted detailed comments on proposed changes to the Family Educational Rights and Privacy Act regulations (FERPA). The FERPA regulations are the rules that control how schools treat and release student information. The final FERPA regulations have now been published and reveal that the World Privacy Forum comments had a positive impact. The new regulations agreed with WPF's comment that if a school requests a Federal tax return from a parent, the parent has the right to redact all financial information from the form, and affirmed that the school does not have a requirement to ask for the tax form in the first place. The regulations also agreed with the WPF comment that the risk of re-identification of published student information is cumulative, and made recommendations that educational institutions take into account all releases of student information they have made, not just new releases.

World Privacy Forum urges more clarification and privacy protection regarding "incidental collection" of genetic information in GINA

GINA - Genetic Information Nondiscrimination Act -- In comments regarding the recently passed GINA (Genetic Information Nondiscrimination Act), the World Privacy Forum said that some aspects of GINA need clarification to enhance privacy. The comments focus on a number of privacy issues the RFI raised, including model privacy notices and the issue of what the GINA statute calls "incidental collection" of genetic information. Currently, GINA states that some kinds of information are exempted from being considered as regulated for medical underwriting purposes. For example, medical information gleaned about patients for underwriting purposes from medical databases is regulated. But medical information gleaned about patients for underwriting purposes from, for example, marketing lists containing robust patient information may be unregulated if the law is not clarified in the regulatory process. The World Privacy Forum urged HHS and the Department of Labor to substantially clarify what constitutes "incidental collection," and urged the agencies to consider lists containing identifiable patient information to be considered in the same category as a "medical database."

Keep my genes private: World Congress panel presentation

Genetic privacy -- The World Privacy Forum presented a talk at the World Congress in Washington D.C. today on the intersection between genetic privacy and marketing, and on genetic issues and medical identity theft. The presentation exposed the list marketing activities surrounding health care data, and examined how the current loopholes in the recently passed Genetic Information Nondiscrimination Act (GINA) would not necessarily ease issues with incidental collection and use of genetic information.

Public Comments: December 2008 - GINA – Genetic Information Nondiscrimination Act

In response to a Request for Information (RFI) from U.S. federal agencies regarding the recently passed GINA (Genetic Information Nondiscrimination Act), the World Privacy Forum filed a detailed response with suggestions on what aspects of GINA need clarification. The comments focus on a number of privacy issues the RFI raised, including model privacy notices and the issue of what the GINA statute calls "incidental collection" of genetic information. Currently, GINA states that some kinds of information are exempted from being considered as regulated for medical underwriting purposes. For example, medical information gleaned about patients for underwriting purposes from medical databases is regulated. But medical information gleaned about patients for underwriting purposes from, for example, marketing lists containing robust patient information may be unregulated if the law is not clarified in the regulatory process. The World Privacy Forum urged HHS and the Department of Labor to substantially clarify what constitutes "incidental collection," and urged the agencies to consider lists containing identifiable patient information to be considered in the same category as a "medical database."

World Privacy Forum elected to HITSP board

HITSP -- World Privacy Forum executive director Pam Dixon was elected to be the consumer representative on the HITSP board (Health Information Technology Standards Panel). HITSP is a national standards-setting body that is part of ANSI (The American National Standards Institute) and is working on specifications and standards for the National Health Information Network. The term will begin in January of 2009.

New telemarketing rules take effect today: more power over pre-recorded telemarketing calls

Telemarketing | Top Ten Opt Out List -- Beginning today, pre-recorded telemarketing phone calls must come with an easy opt-out for consumers. If a pre-recorded telemarketing call is left on an answering machine, it must also include opt-out information. These rules will apply to telemarketers already subject to the Federal Trade Commission's Telemarketing Sales Rule and Do Not Call List. There are some exemptions to the rule. For more details about the changes, see our Top Ten Opt Out List, which has been updated with the new information.

Job Application Kiosks: The Role of Unicru in the Kiosk and Retail Job Sector

Unicru, a Beaverton, Oregon company, dominates the kiosk space. Unicru says it processes approximately one job application per second during the average U.S. workday. All totalled, Unicru processes about 6 million job applicants per year, and has processed a total of more than 19.5 million candidate applications. In 2002, Unicru achieved record revenues of $21.1 million and was recognized as one of the fastest-growing companies in the U.S. It says that it is the leading provider of hiring management systems.

Job Application Kiosks: Consumer Tips for Using Employment Kiosks and their Related Web sites

Do not submit your SSN or date of birth to a kiosk or a Web site that does not have a privacy policy posted prominently prior to the time this information is requested of you. If you do, you truly lose control of this information. If you have any arrests or suspended convictions in your background, you may want to think twice about agreeing to an “instant” or “national” background check online. Some (but not all) of these national credit checks that are conducted through accessing proprietary databases online pick up and report information that should not be reported, such as suspended convictions.

First International Privacy and Security Conference (IPSC2008) in Tokyo Nov. 11-12 Brings Together World Experts to Share Solutions and Information on the Privacy and Security Impact of the World Economic Crisis, Data Leakages, New Global Data Issues, and

The conference, the first of its kind to be held in Japan, brings together the world's leading privacy and security experts from Japan, the European Union, and the United States to discuss issues in common from a global perspective. Conference experts will share their best information, policies, practices, and ideas on how to solve the pressing privacy and security issues of today and those we will face in the future, including the impact of the economic crisis on data security and privacy.

World Privacy Forum Publishes Red Flag Rule Suggestions for Hospitals and Providers; new FTC-enforced rules go into effect Nov. 1, can apply to health care providers

SAN DIEGO, Ca., Sept. 24 -- The World Privacy Forum’s latest report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers, discusses the applicability of the new FTC regulations to the health care sector along with suggestions for providers. The report addresses newly issued regulations by the Federal Trade Commission that require financial institutions and creditors to develop and implement written identity theft prevention programs. Health care providers – whether they are for-profit, non-profit, or governmental entities – may have obligations under the new rules.
