Thursday, August 27, 2009

Some Social Networking Developments

If you are a regular user of online social networks such as Facebook, LinkedIn, Twitter and others, you will want to check out a new research paper by a couple of researchers at AT&T Labs and Worcester Polytech that points to some disturbing evidence of the “leakage” of personally identifiable information from social networking sites to third-party advertisers through cookies. The study is reportedly the first of its kind to describe a way by which tracking sites could directly link browsing habits to specific individuals. Privacy advocates have certainly taken notice: Electronic Frontier Foundation calls social networking privacy study alarming.

Also, if you are a Facebook user, be on the lookout for some changes to the Privacy Policy. Canada’s Privacy Commissioner held a press conference this morning to announce that Facebook has agreed to implement a host of changes responding to an investigation by Canadian regulators, including changes that will give users more control over third-party applications.

Speech: Remarks at a Press Conference on the Facebook Investigation by the Privacy Commissioner of Canada – August 27, 2009
Facebook Tweaks Privacy Policy in Face of Inquiry - InternetNews.com

Lawsuit Filed to Block New Maine Marketing Law

As expected, a lawsuit was filed yesterday in U.S. District Court for the District of Maine seeking to block enforcement of the controversial new Maine marketing law we discussed in this blog last month. The plaintiffs are the Maine Independent Colleges Association, Maine Press Association, NetChoice, and publisher Reed Elsevier, Inc. NetChoice is a coalition of trade associations and e-commerce businesses, including AOL/TimeWarner, Yahoo! and eBay. The law takes effect September 12, 2009.

Friday, August 21, 2009

Privacy and Security Bits and Bytes

Our Friday afternoon feature -

No Anonymity -- This week’s ruling by the New York State Supreme Court that resulted in the “outing” of a blogger who made unfavorable comments about a Canadian model has online privacy groups reacting to the “skank” case.

No Sale of Data for Clear - To update earlier posts here about the now-defunct biometric airline passenger data company, Clear, Wired reports that a federal judge in Manhattan has ordered Clear not to sell the biometric data of its customers. The judge said that doing so would be a breach of Clear’s contracts with customers.

Radisson Reports Breach - ComputerWorld reports on the latest data breach, this one at the Radisson Hotels site. Radisson has posted an Open Letter to its guests, but it doesn’t give much information. Check your accounts…

Changes to the Massachusetts Data Security Regulations: What do they really mean?

Now that the dust has settled after this week’s “Breaking News” regarding the proposed changes to the Massachusetts data security regulations, here is an analysis of what the changes actually mean to the business community.

Some other interesting commentary is linked below:

Evan Schuman - Storefront Backtalk

Monday, August 17, 2009

Long-Awaited California Decision on Cameras in the Workplace

The California Supreme Court has finally issued its decision in a workplace privacy case, finding that an employer's placement of a hidden camera in an office used by two employees did not violate the employees' right to privacy. This case has drawn much attention as it worked its way through the appellate courts.

My colleagues in the Mintz Levin Employment and Benefits Group have written a great Client Alert on the case.

BREAKING NEWS - Changes to 201 CMR 17.00

Just released - proposed amendments to the Massachusetts data security regulations -- and a three-month extension of time to comply. Stay tuned for a full analysis.

Friday, August 14, 2009

Privacy and Security Bits and Bytes

Just some nuggets to wrap up the week:

Think about this as you speed through the E-Z Pass lanes this weekend…
Report Warns of Losing "Locational Privacy" (Security Management) - The Electronic Frontier Foundation (EFF) has a new report out, as discussed in Security Management, about the issues of locational privacy.

An interesting piece at Information Security Resources -- A Guide to Identity Theft and the Recession

More on the real cost of data breaches…
Heartland Payment Systems said it spent $32 million this year paying for costs related to the major data breach it disclosed in January, including $22.1 million to cover fines from key payment card brands and a settlement offer. Read more on StoreFront Backtalk

And finally…. (SATIRE ALERT)
Would you like to move where NO ONE knows your name? The intrepid reporters at The Onion tell us about The “Opt-Out Village” at Google. Google Opt Out Feature Lets Users Protect Privacy By Moving To Remote Village The Onion - America's Finest News Source

Have a great (and private) weekend!

To Encrypt or Not To Encrypt…….An Incentive Rather than a Mandate From Michigan

Add Michigan to the list of states that are proposing that adoption of comprehensive data security safeguards will provide a safe harbor for data breaches.

The Information Security Program Standards Act, introduced last week, differs a bit from Massachusetts and Nevada (and other pending legislation) in that it would not require the implementation of detailed security measures; instead, the Michigan act provides a carrot to those who do implement them: immunity from breach liability.

Data Breach du Jour ….

The Associated Press reports that American Express has notified some card-holders that their information may have been compromised. According to an American Express spokesperson, the breach resulted from an employee’s recent theft of data.

In this tough economy, outside threats to personal information held by companies are not the end of the story. The possibility of “insider” data misuse and misappropriation needs to be considered and factored into your risk assessments and data protection security planning. Don't think it can't happen to you…

Friday, August 7, 2009

Massachusetts Data Security Standards vs. New HIPAA Guidelines

Here's a link to an article (by the author of this blog...) comparing the Massachusetts data security standards (effective January 1, 2010) to the Department of Health & Human Services Guidelines promulgated under the new HITECH Act (effective in mid-September). Compliance challenges are coming on all fronts -- and it's best not to duplicate efforts.

Monday, August 3, 2009

Privacy and Security Bits and Bytes

Coming back from vacation and catching up on what’s been going on ….

In case you are looking for something security-related to do in the month of August -- check out the Internet Security Alliance Calendar of Events

According to an InternetNews.com article, cookies may be back on the menu for U.S. Government web sites. Back in 2000, all U.S. government web sites stopped using cookies for visitor web tracking, and it looks as though the policy is about to change.

Mike Spinney at Information Security Resources has written a great commentary piece about the importance of top-down example when establishing internal privacy and security programs. Personal ethics, and the emphasis by management that personal ethics is the key to compliance at your company, can be a very cost-effective addition to an overall information security program.

And, while I was gone, the Breach of the Month - a hack into the Network Solutions web server compromised more than 573,000 debit and credit cards, according to Security Fix in the Washington Post. Brian Krebs is one of the best on the beat.