Friday, April 9, 2010

Privacy and Security Bits and Bytes

Our Friday afternoon feature --

Virginia Adds Medical Information Breach Law - The Commonwealth of Virginia has amended its data breach notification law to include breaches of medical information. For the text of the amendment, link here. Even if the data is encrypted, the law requires notice if the breach involved a person with access to the encryption key. The law requires notice to affected individuals (residents of Virginia) as well as Virginia's Office of Attorney General. The Attorney General can bring an action for violations of the law and impose civil penalties up to $150,000 per breach (or a series of similar breaches of a similar nature that are discovered in a single investigation). The law does not apply to persons or entities that must report the breach under the HITECH Act.

“Data Security – It’s a Responsibility, Not an Option” – interesting point of view from InfoSecIsland.


FTC Complaint Focuses on Tracking, Profiling of Consumers -- Yesterday, the Center for Digital Democracy, the US Public Interest Research Group, and the World Privacy Forum filed a complaint with the FTC regarding two emerging trends in online advertising that they say pose growing threats to consumer privacy: auctioning of individual Internet users for targeted advertising opportunities and the combination of online and offline data about Internet users. The complaint describes what the groups feel is a growing trend in online behavioral advertising that involves the real-time sale and trade of the right to target individual users with online ads through the use of data compiled about users via their Web surfing habits. The groups have asked the FTC to investigate the data and advertising exchanges operated by Google, Microsoft and Yahoo, as well as several firms that support the auctioning and data collection/targeting system, including AppNexus, BlueKai and Rubicon Project. Furthermore, the groups have asked the FTC to require the firms involved in real-time online tracking and auction bidding to allow consumers to opt in to participate in such activities; require firms to update their privacy policies so consumers are aware of these activities; and ensure consumers are compensated for the use of their data. Stay tuned.

Large UK Data Breach Penalty Takes Effect -- As we warned you in this space last month, this week marks the effective date of the new, substantially higher fines in the UK for data loss. Reports are that up to 65 percent of workers are unaware of the new penalties – which can quickly hit £500K for large-scale breaches. If you’re operating in the UK, check out “Data loss fines hit £500K from today” (The Register) or “ICO vows to impose heavy fines for major data breaches” (Computing, 07 Apr 2010).

And Finally --

This item from Wired Magazine proves yet again that identity theft is not limited to computer hacking or interception of electronic messages. A 74-count indictment unsealed yesterday in Arizona details charges that a group of sophisticated identity thieves managed to steal millions of dollars by filing bogus tax returns using the names and Social Security numbers of other people, many of them deceased.