According to Ostergren and other privacy advocates, county government Web sites in Virginia and elsewhere around the U.S. have become veritable treasure troves of sensitive data for identity thieves and fraudsters.

As part of her strategy to highlight the seriousness of the is sue, Ostergren has routinely posted on her Web site the Social Security numbers of public figures that she accessed via government sites.

The Electronic Privacy Information Center filed a friend of the court brief asking the U.S. Court of Appeals for the Fourth Circuit to uphold privacy advocate Betty Ostergren’s First Amendment right to publish the numbers.

Thanks and go get gainfully employed.

The exemption would apply for:

(A) a health care practice with 20 or fewer employees;

(B) an accounting practice with 20 or fewer employees;

(C) a legal practice with 20 or fewer employees; or

(D) any other business, if the Commission determines, following an application for exclusion by such business, that such business–

(i) knows all of its customers or clients individually;

(ii) only performs services in or around the residences of its customers; or

(iii) has not experienced incidents of identity theft and identity theft is rare for businesses of that type

Query: Would this dilute the rule?  Should all data privacy and identity theft protection regulations have exemptions for small and local businesses like this?

The All Party Parliamentary Communications Group (ApComms) said the internet advertising industry’s self-regulation on behavioural advertising was inadequate, and that a law change was necessary.

“We do not believe that it is at all appropriate to consider the deployment of any type of behavioural advertising system without explicit, informed, ‘opt-in’ by everyone whose data is to be processed, and whose behaviour is to be monitored and whose interests are to be deduced,” said ApComms in a report on its findings.

“We do not believe that ‘opt-out’, however commercially convenient, is the way that these systems should be run. To that extent, the Good Practice Principles promoted by the Internet Advertising Bureau are insufficient to protect people,” it said.

“We recommend that the Government review the existing legislation applying to behavioural
advertising, and bring forward new rules as needed, to ensure that these systems are only operated on an explicit, informed, opt-in basis,” it said.

See full article here.

“ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000.”

“Iconix Brand Group, Inc. will pay a $250,000 civil penalty to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule by knowingly collecting, using, or disclosing personal information from children online without first obtaining their parents’ permission.”

The FTC announced yesterday the settlement with Iconix Brand Group for violation of COPPA.  Iconix collected information from children in violation of COPPA and falsely stated in their privacy policy that they would not do so without consent from the children’s parents.

We are considering a two-part series: (1)  an overview like the prior presentation (but with the updated regulations); and (2) a more practical assessment, drafting and implementation program.

I would love some feedback.  Does this sound good?  Is there something else or additional we could do?

If there is interest, I could also put together presentations geared toward for-profit organizations, and even get industry or sector-specific.

Here are links to those updated posts:

Introduction the the New Massachusetts Privacy Laws

New Massachusetts Privacy Laws – Who is Regulated?

New Massachusetts Privacy Laws – The WISP

New Massachusetts Privacy Laws – Breach Notification Requirements

New Massachusetts Privacy Laws – Data Destruction

If you prefer, here is a .pdf with a summary of all of these posts:

Comprehensive New Massachusetts Privacy Regulations Affect All Businesses with Personal Information of Massachusetts Residents

A comparison of compliance programs for HITECH, Safe Harbor and New Mass. Regs.

Wouldn’t that be nice?  I will work on it.  Perhaps we are witnessing the beginnings of a convergence due to an increase in overlapping requirements that may make  concurrent compliance programs more manageable.

Hmm.

The letter expressed that they were “deeply concerned about the high bar.”  Under the interim final rules, a notification would only be necessary if the breaching entity decides there is a significant risk of financial, reputational or other harm to the individual.”

In omitting such a harm standard, Congress intentionally eliminated any discretion on the part of the breaching entity.  If the information was leaked, the notification was required.

Part of the Congressional intent was to provide “strong safeguards that protect the privacy and security of individuals’ personal health information” in order to help promote health information technology advances.

I, for one, would be less trusting of a system which gave discretion to the offender to self-report a breach.  If the risk of harm turns out to be minimal, the impacts of the breach will be minimal.  The risk assessment, however, belongs to the owner of the PII – that is, the individual.