After a quiet winter there has been significant activity in state legislatures to enact, strengthen or clarify their data breach notification statutes. The latest happenings are summarized below and we have updated our “Mintz Matrix” to reflect these new and pending laws. Continue Reading States Take Action! New Mexico, Tennessee and Virginia Pass New Data Breach Legislation
Our Friday afternoon feature —
Virginia Adds Medical Information Breach Law – The Commonwealth of Virginia has amended its data breach notification law to include breaches of medical information. For the text of the amendment, link here. Even if the data is encrypted, the law requires notice if the breach involved a person with access to the encryption key. The law requires notice to affected individuals (residents of Virginia) as well as Virginia’s Office of Attorney General. The Attorney General can bring an action for violations of the law and impose civil penalties up to $150,000 per breach (or a series of similar breaches of a similar nature that are discovered in a single investigation). The law does not apply to persons or entities that must report the breach under the HITECH Act.
“Data Security – It’s a Responsibility, Not an Option” – interesting point of view from InfoSecIsland.
FTC Complaint Focuses on Tracking, Profiling of Consumers. — Yesterday, the Center for Digital Democracy, the US Public Interest Research Group, and the World Privacy Forum filed a complaint with the FTC regarding two emerging trends in online advertising that they say pose growing threats to consumer privacy: auctioning of individual Internet users for targeted advertising opportunities and the combination of online and offline data about Internet users. The complaint describes what the group feels is a growing trend in online behavioral advertising that involves the real-time sale and trade of the right to target individual users with online ads through the use of data compiled about users via their Web surfing habits. The groups have asked the FTC to investigate the data and advertising exchanges operated by Google, Microsoft and Yahoo, as well as several firms that support the auctioning and data collection/targeting system, including AppNexus, BlueKai and Rubicon Project. Furthermore, the group has asked the FTC to require the firms involved in real-time online tracking and auction bidding to allow consumers to opt-in to participate in such activities; require firms to update their privacy policies so consumers are aware of these activities; and ensure consumers are compensated for the use of their data. Stay tuned.
Large UK Data Breach Penalty Takes Effect — As we warned you in this space last month, this week marks the effective date of the new, substantially higher fines in the UK for data loss. Reports are that up to 65 percent of workers are unaware of the new penalties – which can quickly hit £500K for large scale breaches. If you’re operating in the UK, check out Data loss fines hit £500K from today • The Register or ICO vows to impose heavy fines for major data breaches – 07 Apr 2010 – Computing.
And Finally —
This item from Wired Magazine proves yet again that identity theft is not limited to computer hacking or interception of electronic messages. A 74-count indictment unsealed yesterday in Arizona details charges that a group of sophisticated identity thieves managed to steal millions of dollars by filing bogus tax returns using the names and Social Security numbers of other people, many of them deceased.
Disabling cookies may not be the answer to controlling your online identity. Regardless of whether you have cookies enabled or not, Web sites collect certain amounts of operational information about your browser. The Electronic Frontier Foundation has detailed how companies can use browser-configuration information to identify users, and also launched a new project, Panopticlick, aimed at testing just how useful this type of data is for tracking people.
Once the sites collect these browser “fingerprints,” then according to the EFF, those sites can theoretically recognize some visitors upon their return regardless of whether they still have their cookies. Additionally, a technology expert with EFF says that sites that identify a returning browser based on the configuration data — or, perhaps, a combination of configuration data and IP address — can then restore any cookies previously associated with that browser.
Utilization of technologies that effectively overrides the end user’s choice of what, and how much, information to make available is inviting future regulation and may be violating some existing privacy regulations.
MediaPost – Flash Cookies Could Become Hot-Button Privacy Issue