Report Author:
Robert Gellman, Privacy and Information Policy Consultant, .

Contributor:
Pam Dixon, Executive director, World Privacy Forum, read and commented on the report drafts and also edited the document.

Medical privacy | HIPAA | FTC — According to a legal complaint, CVS pharmacies — the largest pharmacy chain in the United States — did not take appropriate steps to protect its customers’ and employees’ sensitive information when it improperly disposed of documents, labels, prescription bottles, and other items with clearly identifiable and highly sensitive personal information such as SSNs, prescription information, driver’s license numbers, and other information still on those materials. CVS agreed to pay $2.25 million to settle its violations of HIPAA as part of a Resolution Agreement with the Department of Health and Human Services. CVS has also signed a consent agreement with the FTC; the public can comment on this agreement until March 20, 2009. The World Privacy Forum will be filing comments with the FTC on the consent agreement with CVS, which we will post here.

Internet privacy — The Federal Trade Commission released its self-regulatory principles for behaviorally-targeted advertising today. The World Privacy Forum will be holding a press conference responding to the principles at 12:30 p.m. Eastern.

Biometrics and ID — The California DMV (Division of Motor Vehicles) has proposed, through an expedited 30- day process, that it begin taking detailed facial scans of drivers and storing the scans in a state-wide database. This change, among other proposed DMV changes, represents a substantial policy shift for the state of California. The World Privacy Forum has urged that this process goes through normal legislative procedures so that there is adequate time for public input and for formal hearings.

On January 14, 2009, the DMV issued a Section 11 (2008 Budget Act) letter to the Legislature stating its intent to change the terms of its driver license and id card contract – including the use of biometric systems including facial recognition scans and biometric thumbprints on people seeking driver’s licenses and ID cards. Unless the Joint Legislative Budget Committee objects within 30 days, the contract with the vendor will take effect.