July 13, 2018

Greetings from Portsmouth, NH!

Usually, summer means a bit of relaxation, but not in 2018. Privacy developments are emerging without any regard for our need to sunbathe and enjoy cookouts.

Of course, California’s new and sweeping privacy law is top of mind for many privacy pros, and rightly so. It’s a major privacy law that will affect, according to our estimates, as many as 500,000 U.S. businesses — and most of those are small to medium-sized organizations. No doubt it was rushed and is filled with ambiguities. For example, as Sam Pfeifle recently pointed out, it’s not even clear if non-profits are covered. And Phil Gordon notes that it’s not clear whether it covers employees. Others have likened the law to ... well, that description is NSFW.

It’s hardly surprising, then, to see industry groups are already taking action in the hopes of amending the law, and, according to a report in MediaPost, the concerns raised by the California News Publishers Association have apparently prompted the state’s Assembly Committee on Privacy and Consumer Protection to vote on issuing “technical corrections.” Lawmakers have characterized the proposed changes as “technical, non-substantive, and non-controversial drafting errors.” Regardless, the CNPA is undoubtedly not alone. The Association of National Advertisers has weighed in, arguing that businesses should be granted more time to “digest the bill” before any technical corrections are rushed through.

The California Consumer Privacy Act of 2018 may have even bigger implications, however. Could it be an impetus for other states to draft their own versions? Or could it mean future federal privacy legislation?

Dean Garfield, who is with the Information Technology Industry Council, a trade group that represents several large tech companies, expressed concern that CaCPA could serve as a template for other states. “You don’t want fragmentations among states,” he noted. Instead, he’s lobbying for a framework that is made up of broadly applicable standards and norms. Rep. John Delaney, D-MD, said, “Inevitably, what will happen is there’ll kind of be a patchwork of state regulations. … Then it feels like there’s going to be a role for the federal government to try to synchronize these things.”

Even former Bush-era Department of Homeland Security Secretary Michael Chertoff thinks it’s time for the U.S. to consider some form of federal privacy legislation. Currently on a book tour, Chertoff said, though the EU General Data Protection Regulation is “somewhat over-bureaucratic and complicated,” the U.S. should think about enacting the regulation’s core logic. “The principle that people ought to have some right to control their data is a principle we need to adopt ourselves,” he added.

Though, in today’s messy political climate, it’s next to impossible to imagine that Congress will get anything passed, perhaps CaCPA will be enough, after the midterms, at least, to prompt some form of federal privacy law.

In the meantime, don’t expect Alastair Mactaggart, one of the architects of the California ballot initiative that spurred the quick passage of CaCPA, to sit on his hands. He fears “tech will now sneakily come in and eviscerate this law. … I want to stay involved to make sure we keep the gains we made.” Notably, he plans to work with the state attorney general by assembling a group of engineers and technical experts to help implement and enforce CaCPA.

These are busy times for privacy pros.

Jedidiah Bracy
Publications Editor
IAPP

Privacy settings: How people's home addresses were found through photos of their cat.
Video of the Week
A local news affiliate in Tampa Bay, Fla., reports on a website, IKnowWhereYourCatLives, which has compiled the location of people's homes based on the metadata attached to public photos of their pet cats.
View →
Exploring CaCPA
CALIFORNIA PRIVACY ACT GETS FULL DAY AT P.S.R.
Only recently signed into law, the California Consumer Privacy Act (CaCPA) will have far-reaching impacts. The IAPP will address this hot, new topic during a full-day workshop at the upcoming Privacy. Security. Risk. 2018. Keep checking the event website and IAPP communications for details.
CaCPA Workshop at P.S.R. 2018
October 17 | Austin, TX
Learn More →
Upcoming Events

July 15-18
Educational Data Mining 2018

July 17
Women in Security and Privacy — DEFCON Prep - CMD+CTRL Hackathon SF

U.S. House Judiciary Committee — Hearing: Facebook, Google and Twitter: Examining the Content Filtering Practices of Social Media Giants

July 18
U.S. House Subcommittee on Digital Commerce and Consumer Protection — Hearing: Oversight of the Federal Trade Commission

July 24-28
Patient Privacy Rights — 8th International Data Privacy Summit

September 13-14
The Privacy Law Salon — Policymaker Roundtable

September 24-25
NAD Annual Conference 2018: The Truth About Advertising

PRIVACY LAW
Vermont's first-of-its-kind data broker law

Following the Equifax data breach and motivated by a December 2017 report from the Vermont attorney general and Department of Financial Regulation, the Vermont state legislature enacted a law to provide consumers with more information about data brokers and their practices. The new law narrowly defines data brokers, which notably excludes businesses that collect information from their own customers, employees, users or donors. It requires covered entities to register annually and put in place comprehensive security programs, offering specific elements to be included in such programs. University of Maine School of Law Student and IAPP Extern Hawah Ahmad, CIPP/E, writes about the new law in this Privacy Tracker post.
Full Story

CLOUD COMPUTING
What the CLOUD Act means for cloud providers

The passage earlier this year in the U.S. of the Clarifying Lawful Overseas Use of Data Act has not gone unnoticed by many in the privacy and law enforcement communities. Though the stakeholders who crafted the law intended it to simplify the process for the U.S. government to access data stored overseas while aiming to protect the privacy of individuals, the law poses a major issue for cloud service providers. In this post for Privacy Perspectives, Calligo Founder and Chief Executive Officer Julian Box details what the CLOUD Act means for CSPs and how they must adapt to a changing ecosystem, one that forges ahead with innovation while protecting the privacy rights of customers.
Full Story

PRIVACY SCHOLARSHIP
What the end of the CIPP/G certification will mean for US government privacy professionals

Starting Sept. 30, the IAPP will deactivate the CIPP/G certification program. Before you panic: Anyone holding a CIPP/G certification in good standing as of Sept. 30, 2018, will find themselves CIPP/G-certified in perpetuity. Affected members were notified of the change by email last week. While some may view this as an end to a focus on privacy in the U.S. public sector, those within the IAPP are taking this moment as an opportunity to reimagine how government content is best delivered to those who need it. In this article for The Privacy Advisor, Molly Hulefeld has the scoop on what U.S. government privacy professionals need to know about the end of the CIPP/G certification.
Full Story

PERSONAL PRIVACY
Podcast: How can we combat the spread of viral hate online?

Anyone using the internet today is surely aware of the viral hate that displays itself everywhere, from social media platforms to newspaper-comment sections to group-chat forums. It is in such forums that marginalized groups face the kind of cyberbullying that surely exists on our streets but seemingly not to the extremes we see when users can hide behind a screen. In this live event, hosted by Hogan Lovells in Washington to commemorate Pride Month, Chris Wolf talks to host Angelique Carson, CIPP/US, about strategies to combat viral hate online in the name of protecting those who are especially targeted, including the LGBTQ community. 
Full Story

PRIVACY LAW
Web con recap: 'Understanding Harms in Privacy and Data Protection'

In an article for The Privacy Advisor, IAPP Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, recaps the IAPP’s recent webinar titled “Understanding Harms in Privacy and Data Protection.” Panelists Ryan Calo, law professor at the University of Washington School of Law, former FTC Commissioner Terrell McSweeny, and Future of Privacy Forum Policy Counsel Gabriela Zanfir-Fortuna looked at the classification of privacy harms, why courts — at least, in the U.S. — have been reluctant to recognize them, as well as how the U.S. Federal Trade Commission conceptualizes harms in its enforcement actions against unfair and deceptive practices. A free recording of this June 21 web conference is available.
Full Story

PRIVACY OPINION
Moraes calls for US, EU to work together on privacy

In an op-ed for The Hill, EU Civil Liberties, Justice and Home Affairs Committee Chair Claude Moraes calls for the U.S. and EU to work together to address the Facebook-Cambridge Analytica revelations. Moraes cites U.S. federal agencies intent to investigate the incident, noting the EU will conduct similar efforts, as well as the U.K. Information Commissioner’s Office intent to fine Facebook as reasons why collaboration between the two nations is needed. “Lawmakers in the U.S. and the EU must respond to our shared challenge of providing an effective policy response to the multiple threats our citizens face in terms of data protection, privacy, cybersecurity and electoral processes,” writes Moraes, who added he will be leading a delegation to Washington to discuss Facebook and the EU-U.S. Privacy Shield agreement. Editor's Note: Angelique Carson, CIPP/US, writes about the ICO's decision to fine Facebook in this piece for The Privacy Advisor.
Full Story

ENFORCEMENT
SEC investigates Facebook's knowledge of Cambridge Analytica

The U.S. Securities and Exchange Commission is requesting information from Facebook as it examines whether the social media company properly warned investors of developers obtaining user data without consent, The Wall Street Journal reports. The SEC seeks the data from Facebook as it attempts to determine how much the tech company knew about Cambridge Analytica’s data practices, while also figuring out if Facebook weighed the risk of developers sharing the information with other parties in violation of its policies. Meanwhile, Facebook closed a vulnerability on its platform allowing third parties to see the names of members in private groups after a complaint was made by users of a breast cancer awareness page. (Registration may be required to access this story.) 
Full Story

BIG DATA
House Republicans seek data privacy answers from Apple, Alphabet

A group of Republicans from the U.S. House Committee on Energy and Commerce and its subcommittees is asking Alphabet and Apple about their privacy practices, Bloomberg reports. Alphabet Chief Executive Officer Larry Page received a letter asking about reports that software developers have been scanning Gmail users’ messages, while Apple CEO Tim Cook also got a letter inquiring about third parties having access to user data through the App Store. The lawmakers also requested information on whether the companies’ smartphones collect audio data, even when the devices are not in use. Meanwhile, a class-action activist is asking the U.S. Supreme Court to vacate Google’s $8.5 million settlement, as it does not give any of the financial reward to the tech company’s users.
Full Story

PRIVACY LAW
Hearst reaches $50M settlement in privacy case

Reuters reports Hearst Communications reached a $50 million settlement in a case in which it was accused of violating the Michigan Video Rental Privacy Act. Hearst was accused of selling customer information to data-mining companies and offering “enhanced” user profiles to third parties containing information produced by the data miners. The data included customers’ ages, races, religions, income levels, charitable donations, medical conditions and shopping habits. Hearst continues to deny it violated the Michigan privacy law but agreed to the settlement in order to avoid future litigation. The $50 million settlement is the largest of its kind, according to lawyers for the plaintiffs, as it eclipsed the $16.375 million settlement reached by Consumers Union.
Full Story

PRIVACY-ENHANCING TECHNOLOGY
Solution helps companies simplify privacy notice creation

PrivacyCheq Co-Founders Roy Smith and Dale Smith, CIPT, found themselves running into a recurring problem. While conducting demos of their ConsentCheq solution, clients would tell the Smiths they liked the tool's ability to develop privacy notices, but due to conflicts with other systems they had in place, ConsentCheq was not a feasible option. The Smiths decided to use a subset of their ConsentCheq technology to create PrivacyUX, a tool that allows clients to create simple, easy-to-digest privacy notices. IAPP Associate Editor Ryan Chiavetta, CIPP/US, spoke with the Smiths about the development of the tool and how it can help companies comply with the EU General Data Protection Regulation.
Full Story

PRIVACY OPERATIONS MANAGEMENT
OneTrust adds CaCPA assessment to PIA platform

Recognizing the impact the California Consumer Privacy Act of 2018 may have on organizations handling the data of Californians, OneTrust has added a new California Consumer Privacy Act of 2018 Initial Planning Assessment to its PIA & Data Mapping Platform. The new template aims to help organizations understand the potential impacts of the law and plan for compliance. The IAPP-OneTrust tool automates accountability through readiness and privacy impact assessments with a questionnaire and risk-tracking workflows, and it also builds and maintains data flows and inventories. Get access to the full tool, including the California Consumer Privacy Act Initial Planning Assessment, at the Full Story link. (IAPP member login required.)
Full Story

PRIVACY LAW
Groups pushing for changes to California privacy law

Following the passage of the California Consumer Privacy Act of 2018, opponents of the law are getting ready to push for changes to the rule, MediaPost reports. The California News Publishers Association has argued the bill’s wording is too broad and could stop news organizations from publishing articles that include personal information, a complaint that may have motivated California’s Assembly Committee on Privacy and Consumer Protection to make some “technical corrections” to the law. The Association of National Advertisers also plans to lobby lawmakers for revisions but said it is not opposed to the privacy law.
Full Story

PRIVACY LAW
ITIC president calls for national privacy rules

Information Technology Industry Council President Dean Garfield called for national privacy legislation following the passing of the California Consumer Privacy Act of 2018, Bloomberg reports. The president of the group representing Google, Microsoft and other tech companies said federal privacy laws will help avoid issues with states having their own differing rules. "You don’t want fragmentations among states," Garfield said. "What I would suggest is moving quicker and trying to come up with certain standards and norms that are broadly applicable." Garfield said the ITIC will speak with the U.S. Department of Commerce to discuss a "paradigm around data and data privacy."
Full Story

PRIVACY LAW
Mactaggart plans to continue fighting for California privacy law

Real estate developer Alastair Mactaggart plans to continue working to ensure the California Consumer Privacy Act of 2018 is not weakened before it goes into effect in 2020, Bloomberg reports. Mactaggart said he is considering assembling a group of engineers and technical professionals to help California’s attorney general put the law into effect. The developer added he will put another initiative forward if the current bill is changed too dramatically while saying he believes more states will put forth similar laws in the future. Editor's Note: The IAPP will be hosting a California Consumer Privacy Act Workshop Day during the Privacy. Security. Risk. Conference Oct. 16–19 in Austin, Texas.
Full Story

PRIVACY LAW
Ex-DHS secretary supports GDPR-style law in US

Former Department of Homeland Security Secretary Michael Chertoff said he supports the idea of having a privacy law similar to the EU General Data Protection Regulation in the U.S., Yahoo Finance reports. While Chertoff said the GDPR is “somewhat over-bureaucratic and complicated,” he would install the core ideals of the rule into U.S. law, including requiring opt-in for data use and incorporating a limited version of the right to be forgotten. While promoting his book “Exploding Data,” Chertoff said he supports strong encryption and for the government to hold onto more communications metadata.
Full Story

ENFORCEMENT
FTC testifies before Senate Banking Committee

The U.S. Federal Trade Commission testified before the Senate Banking, Housing and Urban Affairs Committee on the Fair Credit Reporting Act, affirming that it remains a top priority and outlining steps the agency takes to educate consumers and businesses about FCRA requirements. The FTC also testified on efforts made to protect consumer privacy and promote data security. In the testimony, the FTC explained that more than 60 law enforcement actions were taken to address companies that allegedly engaged in unreasonable data security practices.
Full Story

PRIVACY RESEARCH
Help benchmark industry practices

Yes, it's that time of year again: The IAPP and EY launched the 4th Annual Privacy Governance Survey, which produces annually the most authoritative benchmarking data anywhere for the privacy industry. With your help, we have created a vast storehouse of information on budgeting, staffing, priorities, practices, reporting structure and responses to the EU General Data Protection Regulation over the past three years (see last year's report here), all freely available. And we need your help yet again. Click on the Full Story link to take this year's survey, which focuses on the operational impact of the GDPR going forward, along with core questions you'll remember from years past. Yes, the survey can be long, but you can save your work, and the payoff is a rich data set that helps move the industry forward. 
Full Story

PRIVACY LAW
Looking at Brett Kavanaugh's privacy track record

Bloomberg BNA reports on the privacy track record of U.S. President Donald Trump’s Supreme Court nominee Brett Kavanaugh. In the United States v. Jones case, Kavanaugh determined an individual’s Fourth Amendment rights were not violated when law enforcement installed a GPS device on a suspect’s car without a warrant, an opinion the Supreme Court disagreed with. The nominee was part of a majority overturning a rule requiring drone users to register their devices with the government. If Kavanaugh is approved to join the court, his first privacy case could involve determining whether cy pres settlements are legal when class-action plaintiffs are not afforded monetary relief.
Full Story

PRIVACY LAW
Federal court sides with Main Line Health in HIPAA violation dismissal case

A Pennsylvania federal court sided with Main Line Health in a case where an employee was fired for a Health Insurance Portability and Accountability Act violation, Health IT Security reports. The health care organization fired Gloria Terrell for illicitly accessing the personal information of a coworker. The former employee responded by filing a lawsuit claiming she was let go due to age discrimination. The court ultimately determined Terrell failed to produce evidence supporting her stance she was fired because of her age. Meanwhile, a survey conducted by Igloo Software looked at the data hygiene practices of health care employees in the U.S.
Full Story

TELECOMMUNICATIONS
House subcommittee debates best way to protect consumer privacy

The U.S. House Energy and Commerce Subcommittee on Communications and Technology debated the best way to protect consumer privacy while safeguarding Customer Proprietary Network Information, Multichannel News reports. Subcommittee Republicans called for uniform data protection authority over edge providers and networks to be enforced by the Federal Trade Commission, while Democrats argued the FTC does not have the rule-making authority or the resources to be a proper regulator at this time. Rep. Marsha Blackburn, R-Tenn., used the hearing to tout her Balancing the Rights of Web Surfers Equally and Responsibly Act.
Full Story

ENFORCEMENT
UK ICO investigation leads to potential 500,000 GBP fine against Facebook

Following an investigation launched in 2017 into political campaigns' use of data, the U.K. Information Commissioner's Office has taken several actions against various parties, including warning letters, audit notices and a notice of intent to levy a 500,000 GBP fine against Facebook. Specifically, the investigation — which the ICO reports is the largest to date of its kind — looked at whether data used in the U.K.'s Brexit referendum, as well as the U.S. 2016 presidential election, was used illegally. In addition to the Facebook fine, the ICO has taken several additional actions related to data sharing and its influence in the EU referendum and has published a secondary report offering policy recommendations. The investigation is ongoing, and the ICO anticipates its conclusion in October. Angelique Carson, CIPP/US, has the story for The Privacy Advisor.
Full Story

ENFORCEMENT
Oversight hearing scheduled for FTC

The U.S. House Digital Subcommittee scheduled an oversight hearing on the Federal Trade Commission for July 18, Multichannel News reports. The hearing will provide an opportunity to hear from the new slate of FTC commissioners and former Acting Chairman Maureen Ohlhausen. Previously, new FTC Chairman Joe Simons stated the FTC would enforce its authority in the broadband oversight space. Bob Latta, R-Ohio, chair of the subcommittee, said, “The FTC has long been known as the ‘cop on the beat’ for consumer protection, and in today’s fast-moving internet age, the commission is tackling a new set of challenges when it comes to keeping consumers — and their information — safe.” 
Full Story

CHILDREN’S PRIVACY
Professionals differ on how FERPA impacts mental health services

While those who testified before the U.S. Federal Commission on School Safety agreed that students were not getting enough access to mental health services, they differed on whether they thought privacy laws made it more difficult for schools to share information to prevent school violence, Education Week reports. Sonja Trainor, the managing director of legal advocacy at the National School Boards Association, suggested changes to the Family Educational Rights and Privacy Act to help schools collaborate and share information that could prevent violence. John Verdi, the vice president of policy at the Future of Privacy Forum, warned against significant changes to FERPA. He said, "Mentally ill students can be disincentivized from seeking help if they fear that their privacy is not protected."
Full Story

PRIVACY-ENHANCING TECHNOLOGY
Startup raises $45M for 'privacy-first' blockchain cloud service

A startup has raised $45 million in its effort to create a “privacy-first” cloud-computing platform incorporating blockchain technology, VentureBeat reports. Oasis Labs’ solution seeks to eliminate privacy limitations affecting blockchain adoption by adding protections that have not been seen with the technology. The company hopes its work can result in services such as machine learning to take place on the blockchain. “The Oasis platform aims to give users control over their data, and at the same time deliver superior performance and privacy capabilities. Our goal is to build the scalable and secure decentralized internet that puts users first,” Oasis Labs Chief Executive Officer Dawn Song said in a statement.
Full Story

HEALTH CARE PRIVACY
Amazon's push into health-care sector raises privacy concerns

As Amazon positions itself to have a greater stake in the health-care sector, some have argued that the company’s approach to patient privacy could use a revamp if it wants to stay in compliance with the Health Insurance Portability and Accountability Act and keep consumer trust intact, HealthITSecurity reports. Concern lies in the gray area of HIPAA, what is or is not considered a covered entity, and how Amazon handles mobile health apps and third-party companies. The American Hospital Association noted, “Commercial app companies generally are not HIPAA-covered entities. Therefore, when information flows from a hospital’s information system to an app, it likely no longer will be protected by HIPAA.” The AHA cautioned of the potential misunderstanding among consumers concerning HIPAA protections.
Full Story

BIG DATA
HBO to focus on cultivating viewership data

To respond to the disruption caused by streaming media companies, John Stankey, a longtime AT&T executive who now oversees HBO in his new role as chief executive of Warner Media, said HBO must transform itself into a company driven to capture more viewer data, The New York Times reports. Marking a divergence in business operations, Stankey said prioritizing an increase in daily engagement is important because with it, “you get more data and information about a customer that then allows you to do things like monetize through alternate models of advertising as well as subscriptions, which I think is very important to play in tomorrow’s world.” (Registration may be required to access this story.)
Full Story

SURVEILLANCE
New iOS update includes security feature

Apple’s release of iOS 11.4.1 serves to boost user privacy by introducing a security feature, USB Restricted Mode, that prevents a USB device from connecting to a locked iPhone and attempting to crack its passcode, The Verge reports. The feature makes it so that any phone locked for an hour will be unresponsive to USB accessories looking to connect. In a statement, Apple said, “We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves, and intrusions into their personal data,” adding, “We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”
Full Story

INTERNET OF THINGS
Resource list published for abuse victims targeted through IoT devices

Researchers at the University College London published a resource list for domestic abuse victims targeted through internet-of-things devices, Gizmodo reports. After an emerging trend showed domestic abusers have turned to IoT devices to target and abuse victims, the university’s Gender and Internet of Things team partnered with other organizations to create a resource list of tools and advice to help victims of IoT abuse. In addition to outreach organizations, the guide helps victims understand the IoT landscape and how to deal with IoT devices, hoping to close a potential knowledge gap and prevent the technology from being exploited.
Full Story

PRIVACY LAW
Roundup: Brazil, India, EU, US and more

In this week's Privacy Tracker legislative roundup, read about Brazil's new data protection legislation, which would require organizations to obtain consent before personal information is used and would establish a government entity tasked with monitoring data protection efforts and enforcement, and India's DNA Technology Regulation bill, which would allow law enforcement to collect DNA samples for criminal investigations. In Europe, Parliament voted to suspend the EU-U.S. Privacy Shield “unless the U.S. is fully compliant” by Sept. 1, and the European Data Protection Board rejected ICANN's attempt to require domain registrars to submit personal information. In California, state senators and assemblymembers added provisions to the state's net neutrality bill that would restore the measure and require net neutrality in government contracts for communications services. (IAPP member login required.)
Full Story

DATA LOSS
Timehop suffers data breach affecting 21M users

Social media service Timehop suffered a data breach affecting 21 million users, ZDNet reports. Compromised information included usernames and email addresses, as well as 4.7 million phone numbers. The company said financial information and social media content was not included in the breach. "The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication," Timehop said. The company said in a statement it informed law enforcement officials of the breach while outlining its plan to inform compromised users. Meanwhile, Macy’s suffered a data breach exposing users’ email addresses and payment card information.
Full Story

LOCATION PRIVACY
Another fitness app in trouble for revealing locations of military personnel

For the second time this year, a fitness app faced privacy concerns after a vulnerability was exploited to track the location of personnel working at military bases, ZDNet reports. Polar Flow allowed anyone to discover a user’s fitness activities by modifying web addresses. Reporters from a pair of news sites were able to use coordinates over government facilities to see the names of the individuals working there, going back as far as 2014. The reporters found more than 6,400 users working at the White House, MI6 and Guantanamo Bay. In response to the investigation, Polar suspended the feature.
Full Story

PRIVACY LAW
Google sued over allowing software developers to scan emails

Following reports Google allowed outside software developers to scan Gmail inboxes of users who signed up for email services, an Ohio man has filed a class-action lawsuit against the tech company, Courthouse News Service reports. James Coyne is seeking damages and an injunction to prohibit Google from allowing the practice to continue. In his complaint, Coyne states Google never received consent for the scanning, adding if the tech company informed users of what was happening, they would have been able to alter their privacy settings or choose another email service altogether. Meanwhile, a pair of insurance companies is seeking $30 million from data security firm Trustwave Holdings for its role in a data breach affecting Heartland Payment Systems in 2009.
Full Story

PRIVACY LAW
Nahra: California privacy law 'a whole new ballgame'

Wiley Rein Partner Kirk Nahra, CIPP/US, explains why the California Consumer Privacy Act of 2018 "is a whole new ballgame," BankInfoSecurity reports. Nahra said the California bill is the first of its kind in the U.S. and is notably important as it covers all types of personal data. Nahra explains previous privacy regulations in the U.S. either focus on a specific industry, such as the Health Insurance Portability and Accountability Act, or are laws that only cover a particular activity. In the interview, Nahra discusses the ways the bill differs from the EU General Data Protection Regulation and whether other states will produce similar laws in the future. Editor's Note: The IAPP will be hosting a web conference titled "Understanding the California Consumer Privacy Act of 2018" July 10.
Full Story

INFOSECURITY
Report finds vulnerabilities with DC's transit system

A classified inspector general’s report found that Washington’s transit system remains vulnerable to hacks and cyberattacks that would endanger safety and operations, The Washington Post reports. Due to the vulnerabilities disclosed in the report, Metro Inspector General Geoffrey Cherrington said in a statement, “we have made an exception to our standard practice of posting audits to our website, and this one will be withheld from release.” The Metro has increased its attention on security, including advertising for a new director of security position, but as new technologies are incorporated, the potential for cyberattacks increases. Srini Subramanian, a state and local security principal at Deloitte, said, “Keeping security at the forefront of your strategy as you explore and adopt those technologies is much more beneficial than doing something after the fact.” (Registration may be required to access this story.)
Full Story

SURVEILLANCE
New smart technology tracks and identifies movement through walls

Researchers and students at MIT developed technology that makes it possible to see through walls to track and identify individuals, NBC News reports. The technology, known as RF-Pose, uses artificial intelligence to interpret radio wave data and is being touted as something that will prove useful for law enforcement, search and rescue operations, and health care. Although some have raised privacy concerns, pointing to the fact that it is possible subjects are unaware they are being monitored, Dina Katabi, leader of the MIT group behind RF-Pose, said, "We have developed mechanisms to block the use of the technology, and it anonymizes and encrypts the data."
Full Story

BIOMETRICS
US use of DNA analysis for reunification raises privacy concerns

Politico reports on the growing concern over the Trump administration’s decision to use DNA analysis to reunite family members who were previously separated at the U.S. border. While the government can require detainees to undergo genetic testing, many have voiced concern about the ethics surrounding such a request. Arthur Caplan, a bioethics professor at New York University’s Langone Medical Center, said the government should take steps to understand the risks involved and destroy samples after they are used to identify individuals. Others have called for the details of the analysis to be disclosed.
Full Story

DATA LOSS
Data says human errors make up majority of breaches, incidents

Ransomware. Malware. Phishing. Given the types of high-profile cyberthreats that carry the most coverage in the news, there is a tendency to assume incidents exposing sensitive, regulated data occur as a result of an organization being “under attack.” Seasoned privacy professionals, however, know that, in reality, the majority of incidents are inadvertent and unintentional and can be classified as human error. In this ongoing series on benchmarking data for The Privacy Advisor, Radar Chief Executive Officer and President Mahmood Sher-Jan looks into both incidents and data breaches to learn the nature of a typical disclosure.
Full Story

PRIVACY COMMUNITY
IAPP adds French, German textbooks to library

This month, the IAPP has released four new textbooks, two each in French and German, representing our first foray into non-English textbook support for our certification programs. "La protection des données personnelles en Europe" and "Europäischer Datenschutz" support the CIPP/E program, and "Gestion du programme de protection des données personnelles" and "Management von Datenschutzprogrammen" support the CIPM program. All four are available in physical and electronic form, and both exams are also available in-language for French and German. Visit the IAPP bookstore to grab them now.
Full Story

CHILDREN’S PRIVACY
New bills could jeopardize student privacy

The Daily Beast reports that proposals in Ohio and Delaware that effectively work to out transgender students to their parents place student privacy and mental health in jeopardy. In Ohio, a bill was introduced to require any government agent or entity to notify a child’s parents if that child shows “symptoms of gender dysphoria or otherwise demonstrates a desire to be treated in a manner opposite of the child’s biological sex.” In Delaware, the state Department of Education added proposed language that would require parental permission before processing a request to “recognize a change in any Protected Characteristic.”
Full Story

SURVEILLANCE
Report links mall security surveillance to ICE contractor

A report from the Electronic Frontier Foundation found that certain malls across southeastern Los Angeles have been sharing data with a national license-plate reader network that has been linked to U.S. Immigration and Customs Enforcement, The Verge reports. An active client of surveillance technology vendor Vigilant Solutions, a string of open-air malls operated by Irvine Company Retail Properties, stated, “Vigilant is required by contract, and have assured us, that ALPR data collected at these locations is only shared with local police departments as part of their efforts to keep the local community safe.” Vigilant’s network has a data-sharing agreement with approximately 3,000 law enforcement agencies across the U.S. and receives an estimated 100 million license plates each month. While Vigilant disputed the report, the company did not elaborate on what it considered specific inaccuracies.
Full Story

PRIVACY LAW
On the potential risks of using public clinical trial data under GDPR

Regulatory agencies around the world have established or are piloting policies and regulations for the public sharing of clinical trial documents. Given that clinical trial documents contain personally identifying health information about trial participants, it is necessary to anonymize these documents. While there are efforts among the agencies to harmonize their anonymization guidance and practices, they are governed by different privacy laws and, especially in the case of the U.S. Federal Drug Administration, are implementing quite different anonymization methodologies. This raises the question of what the risks would be to the users of these public clinical trial documents if the anonymization performed for a public data release was not adequate and the public documents still carried a high risk of re-identification. In this piece for The Privacy Advisor, Khaled El Emam and Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, explore the risks of using public clinical trial data under the EU General Data Protection Regulation.
Full Story

PRIVACY LAW
English translation of Israel's Privacy Protection Regulations

An English translation of Israel’s Privacy Protection Regulations (Data Security), 5777-2017 is now available. The law, which came into force May 8, 2018, implements the data security requirements put forth by the Privacy Protection Act, 5741-1981. The translation states it is "intended solely for the convenience of the reader" and encourages that the original authoritative Hebrew text be consulted. Find it in the IAPP Resource Center at the Full Story link.
Full Story

DATA LOSS
Ticketmaster breach may be 'tip of the iceberg'

Security firm RiskIQ believes the recent data breach suffered by Ticketmaster is just “the tip of the iceberg,” ZDNet reports. Ticketmaster initially stated its U.K. site suffered a breach after hackers compromised code developed by customer support software company Inbenta. RiskIQ said several of Ticketmaster’s global sites, as well as 800 other e-commerce sites, may be at risk of having credit card information stolen after it was discovered malicious actors had compromised a different code set created by the social analysis company SociaPlus. Hackers were able to manipulate the code to skim credit cards used at any site’s checkout section where the code was used.
Full Story

PRIVACY RESEARCH
Study: 'Mega breaches' cost up to $350M

A study conducted by IBM Security and the Ponemon Institute found the average data breach cost companies $3.86 million, up 6.4 percent from last year’s analysis, VentureBeat reports. For the first time, the study covered the costs of “mega breaches” — incidents involving between 1 million and 50 million records. The costs of those breaches ranged from $40 million to $350 million. The study polled 500 companies that suffered a breach, looking at various factors impacting costs, such as lost business, loss of reputation, notifications, legal and regulatory requirements, and technical investigations and recovery.
Full Story

PRIVACY OPERATIONS MANAGEMENT
New: Model data-processing agreement

Article 28 of the EU General Data Protection Regulation requires data controllers to include in their contracts with processors certain terms and requirements. Sometimes these terms are included in the body of product and service contracts, but frequently they are added to new or existing agreements as an addendum. The IAPP’s Privacy Bar Section will publish a book this fall called “Negotiating Data Processing Agreements,” which will discuss many aspects of these new types of contracts. The book will include a model data-processing agreement, and many of the authors’ chapters will discuss and refer to the model DPA. Today, the IAPP is publishing the model DPA for its members to use and share. IAPP members can find it at the Full Story link. (IAPP member login required.)
Full Story

BIOMETRICS
Orlando moves ahead with second round of Rekognition pilot program

Despite protests surrounding Amazon’s facial-recognition software, Rekognition, Florida’s Orlando Police Department and the city of Orlando announced plans to launch a second round of testing for the software, Government Technology reports. In a memo to the city mayor, Orlando Police Chief John Mina, Deputy Police Chief Mark Canty, Orlando Chief Administrative Officer Byron Brooks, and Orlando Chief Information Officer Rosa Akhtarkhavari requested Orlando continue with the pilot program, noting that it provided valuable information. In the second round of testing, the city will work with Amazon Web Services to refine their statement of work. If successful, the Orlando Police Department’s legal team and the city attorney’s office would draft a proposal for the city council to review.
Full Story

SURVEILLANCE
Audio tech patent designed to measure employee performance

Walmart just secured a patent that shows how audio sensor technology could be used to measure workers’ performance, BuzzFeed News reports. The “listening to the frontend” technology operates through a system of audio sensors in a store's cashier area that collects audio data, analyzes the information and then calculates performance metrics. The system would apply to a range of audio points, including “beeps,” “rustling noises” and “conversations between guests and an employee stationed at the terminal.” Ifeoma Ajunwa, an assistant professor at Cornell’s Industrial and Labor Relations School, said there is a misconception of required consent, adding, “as long as the employer can make an argument for why the surveillance is necessary for a business purpose as opposed to a discriminatory purpose, there’s no law that says consent is required.”
Full Story

PRIVACY OPERATIONS MANAGEMENT
Web con: 'Compliance and Marketing Collaboration'

Since the EU General Data Protection Regulation took effect, several U.S. businesses have stopped serving customers in the European Union in order to avoid GDPR penalties. In order for businesses to continue their presence in the EU while avoiding infractions, a close collaboration between marketing, security and compliance professionals needs to be established. Join the IAPP Aug. 2 for this web conference to learn how to create the right team approach to ensure business goals are met while staying in compliance with the GDPR. Speakers for the web conference include IAPP Knowledge Manager Dave Cohen, CIPP/E, CIPP/US, SAP Customer Data Cloud Senior Product Marketing Manager Ratul Shah, Shopify Associate General Counsel & Data Protection Officer Vivek Narayanadas, CIPP/E, CIPP/US, and IAPP Data Protection Officer and Research Director Rita Heimes, CIPP/E, CIPP/US, CIPM.
Full Story

DATA LOSS
FTP server compromises more than 200K patient details

Practice management software provider MedEvolve confirmed that an FTP server containing an unsecured file with data on patients was made accessible and may have impacted more than 200,000 current and former patients of Premier Immediate Medical Care. In a notice, MedEvolve said the data was accessible on the internet from March 29 to May 4 and that an unauthorized third party accessed the file March 29. Meanwhile, Virginia-based VCU Health System said an employee “inappropriately accessed” the health information of approximately 4,700 people or their children, and Arkansas Children’s Hospital said a former employee is being investigated for misuse of information on 4,500 patients.
Full Story

Copyright© 2000–2018 International Association of Privacy Professionals.
The views in this eNewsletter, if any, are those of the authors and are not necessarily those of the IAPP.

This email was sent by: INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS
75 Rochester Ave., Suite 4, Portsmouth, NH 03801 USA +1 603.427.9200