SENSITIVE data for a further 1,000 people was stored on a laptop thought to have been stolen from St Albans District Council, it has been revealed.

A review of data stored on the council’s missing electoral services computer revealed a file containing the confidential details of an additional 1,000 people, kept to verify postal votes in 2007 and 2008.

The district council’s chief executive Daniel Goodwin revealed the problem to a meeting of the audit committee last night, insisting the loss of further data had only come to light in the last three days.

via St Albans & Harpenden Review. Click link to read more.

As for enforcement, Congress promised in ARRA “periodic audits” to ensure HIPAA compliance. Government officials told HealthLeaders Media in September they weren’t sure what that meant, and Apgar says OCR still does not have a definitive plan. Likely, they will not publish a plan until second quarter 2010.

“If you’ve got a headline [because of a major breach], they’re likely going to come and investigate you,” Apgar says. “But they’re wavering on how they will conduct compliance audits. Not because they’re not going to do it, but because they don’t know when yet. The House version of the healthcare reform bill calls for more strict enforcement than ARRA, so they want to wait to see what comes out in healthcare reform.”

via Health Leaders Media.  Click link to read more.

The FTC’s Roundtable discussion on privacy and the debate garnered a fair bit of attention from major news outlets yesterday.  For your (and my) convenience, I have listed some of the articles covering the event below.  They are in no particular order.


New York Times: Groups Far Apart on Online Privacy Oversight

CNN Money: UPDATE: FTC Hears Opinions On Online-Privacy Protection

Media Post News: FTC Grapples With Privacy At Roundtable With Industry Professionals, Privacy Advocates, Academics

Broadcasting and Cable: Chester Pushes For Under-the-Hood Privacy Check-Up

Forbes.com: Does Using The Internet Mean Giving Up Privacy?

Wall Street Journal: FTC Takes On Online Privacy

PCWorld: FTC to Consider Stricter Online Privacy Rules

Reuters: U.S. regulators look at privacy of consumer data

MinOnline: FTC Takes On Privacy as Industry Struggles to Respond


Jeff Chester, Executive Director, Center for Digital Democracy, challenged the Online Behavioral Advertising panel at the FTC Privacy Roundtable today, taking issue with other panel members’ pro-advertising stand.  John Eggerton reviewed the session in Broadcasting and Cable.

Online surfers may not always know who is delivering those targeted ads, but there was no such confusion about where behavioral advertising critic Jeff Chester was coming from. The passionate advocate for government oversight of online marketing spoke out at an FTC workshop on consumer privacy Monday, importuning the commission to look holistically and seriously at an expansive data collection system.

Chester took issue with fellow panelist Berin Szoka, of the Progress & Freedom Foundation, who talked about the importance of online advertising to the health of journalism and said that rather than a privacy crisis, there was a crisis about how to fund the media.  He said that meant supporting content with online advertising that could be adversely affected by regulations.

Chester conceded that funding journalism was an important conversation, just not the operative one in a discussion of behavioral advertising. He called a false dichotomy the suggestion that there had to be a tradeoff of privacy protection for saving journalism. There is no reason why there can’t be a “citizen-friendly” system.

via Broadcasting & Cable. Click link to read more.

On December 1, Judge Reggie Walton of the U.S. District Court for the District of Columbia issued a memorandum opinion in a lawsuit by the American Bar Association against the Federal Trade Commission, explaining his October 29 ruling from the bench that the FTC’s Red Flags Rule does not apply to lawyers.  Holding that “[e]ven a cursory review of the language of [the Fair and Accurate Transactions Act (FACT Act), through which Congress authorized the creation of the Red Flags Rule, and other legislation defining relevant terms] and the purposes underlying their enactment leads the Court to the conclusion that it was not ‘the unambiguously expressed intent of Congress’ to bring attorneys within the purview of the FACT Act and thus subject them to regulation by the Commission’s Red Flags Rule,” Judge Walton rejected almost every argument put forth by the FTC and indicated that the court would similarly condemn any FTC attempt to apply the Rule to other professionals outside of the banking, lending, and financial sectors who bill periodically for services previously rendered.

Specifically, Judge Walton rejected the Rule’s applicability to lawyers under both prongs of the Chevron test regarding judicial deference to agency interpretation, finding that no evidence indicated that Congress intended that rules promulgated under the FACT Act would apply to lawyers, but even if Congressional intent could be considered ambiguous, that the FTC’s interpretation of the FACT Act and its resulting application of the Rule to lawyers was unreasonable and therefore undeserving of deference.

via H&H Chronicle of Data Protection. Click link to read more.

Given the potential hazards, “I think we need a baseline law” to safeguard privacy protections, said Leslie Harris, who is President and Chief Executive Officer at the Center for Democracy and Technology, a nonprofit that focuses on technology policy.

Harris also suggested the FTC use all its powers, including its subpoena power, to find out what companies are doing with the data they collect, saying ” it’s not just consumers who don’t understand the practices.”

“Regulating too strictly too early would be a mistake,” countered Jim Harper, director of information-policy studies at the Cato Institute, a free-market libertarian think tank.

Industry officials acknowledged that there are significant privacy issues raised by digital technologies but called for a measured approach that relies in part on consumer education and self-regulation.

“I think it comes down to responsible practices versus irresponsible practices,” said Microsoft Corp. (MSFT) associate general counsel Michael Hintze.

Google Inc. (GOOG) director of U.S. public policy and government affairs Alan Davidson said online consumers are a savvy bunch and understand the tradeoff that’s being made–they divulge some information about themselves in exchange for free online content and applications supported by advertising.

via CNNMoney.com. Click link to read more.

Yahoo, Verizon, Sprint, and others have recently come under fire for sharing customer data with the authorities, and admitting to “spying” abilities that would “shock” and “confuse” customers.

A CNBC interview with Google CEO Eric Schmidt suggests the search giant Google shouldn’t get off easy, and users should be wary of what Google knows about them — and with whom they can share that information.

CNBC’s Maria Bartiromo asked CEO Schmidt in her December 3, 2009 interview: “People are treating Google like their most trusted friend. Should they?”

Schmidt’s reply hints that if there’s scandalous information out there about you, it’s your problem, not Google’s.

Schmidt tells Bartiromo:

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

He expands on his answer, adding that your information could be made available not only to curious searchers or prying friends, but also to the authorities, and that there’s little recourse for people worried about unintentionally “oversharing” online:

“But if you really need that kind of privacy, the reality is that search engines, including Google, do retain this information for some time. And [...] we’re all subject, in the US, to the Patriot Act, and it is possible that that information could be made available to the authorities.”

via Huffington Post. Click link to read more.

Maybe Google is evil . . .

The Belfast office of Anglo Irish Bank is at the centre of an investigation after it accidentally released information on 500 UK customers.

A bank executive emailed a Northern Ireland client a spreadsheet containing details of derivatives transactions carried out on behalf of the customers.

The bank has informed financial regulators in Dublin and London and is contacting the 504 customers involved.

It said there is no security risk to any client’s accounts.

The mistake happened when a customer asked for a quotation on a derivative product on October 29th.

The banker sent the quotation but also attached confidential information on 803 transactions carried out for 454 corporate clients and 50 individuals.

via BBC News. Click link to read more.

Michigan’s Supreme Court is set to decide whether the Health Insurance Portability and Accountability Act preempts a state law allowing defendants in medical liability lawsuits to informally interview plaintiffs’ other treating physicians — a move that doctors say could put them at a disadvantage in defending such cases.

At issue is whether cardiologist Mark Rasak, DO, can seek a court order allowing his attorney to interview another physician who had treated the patient in the case, Linda Clippert. Her guardian, Andrea L. Holman, sued Dr. Rasak, alleging his failure to timely diagnose Clippert’s heart condition led to a heart attack and ultimately her death. The doctor denied any negligence.

Holman refused to disclose anything other than Clippert’s medical records and successfully argued to a trial court that HIPAA permitted the disclosure of only written, not oral, communications on plaintiffs’ medical histories.

The Court of Appeals of Michigan in 2008 reversed the trial court ruling, however, saying HIPAA did allow for such meetings, as long as the patient was notified through one of several mechanisms, including the kind of court order Dr. Rasak sought.

via American Medical News. Click link to read more.

Attorney General Richard Blumenthal says a missing disk containing confidential data on almost 450,000 Health Net patients in Connecticut may have been stolen, rather than lost.

Blumenthal said today he is notifying federal criminal investigators, asking that they take a closer look into the matter.

Health Net got into hot water with the AG’s office in mid-November when it belatedly disclosed the data breach six months after it first discovered the disk was missing. The missing disk contained health, personal and financial information.

via Hartford Business. Click link to read more.