Privacy News Highlights

22—28 April 2006

Contents:

WW – Study: Consumers Willing to Adopt Biometric ID for Convenience

CH – Mass Facial Scanning Surveillance For 2008 Olympics

BC – Amendments to the B.C. Personal Information Amendment Act introduced

CA – Supreme Court of Canada Opines on Privacy and Access to Information

CA – First Census Since 2001 Lets Canadians Respond Online

US – Who’s Complaining About Privacy?

US – Government Privacy Pros Urge a New Approach to the CPO Role

WW – OECD Task Force on Spam Anti-Spam “Toolkit”

UK – Patients ‘Back Personal Data Use’ Survey Finds

UK – Information Commissioner Issues Guidance on Privacy Tools

EU – Peter Schaar Re-elected for Two Years as Chairman of Article 29 Working Party

EU – Privacy Chief Warns Citizens to Consider Consequences of Their Digital Journey

EU – European Data Protection Supervisor Hustinx Presents Annual Report

FR – CNIL Publishes Guidance on Appointment of DPOs

EU – Spain Hosts First European Data Protection Congress in Madrid

US – U.S. Proposes Mandatory Web Rating, With Criminal Penalties

CA – Thieves Target Passport Offices

CA – Supreme Court Gives Thumbs-Up to DNA Databank

US – VA wants DNA from Veterans

QC – Electronic Health System to Launch in Quebec by 2011

US – HHS Data Not Secure: Report

US – Survey Shows Decline in HIPAA Compliance

US – 200,000 Records Illegally Accessed at University of Texas

UK – Fraudsters Steal Details on 2,000 MasterCard Customers

US – Iron Mountain Apologizes for Loss of Railroad Data Tapes

US – Aetna Loses Data on 38,000 Members

CA – Canadians Look for Border ID Alternative to Passport, National ID Card

US – Border Pass Plan Appears Headed For Delay

US – Head of U.S. Visitor Tracking Program Wants Global ID System

UK – New IPS Sets Out Ten Year Identity Plans

UK – ID Card Database to be Used as Population Register

FR – The ePassport Soon in Your Pocket

PH – National IDs out this year

US – Congress Readies New Bill to Expand Digital Millennium Copyright Act

CA – Canadian Musicians Demand Voice in Copyright Reform

WW – New Version of Microsoft Internet Explorer Fights ‘Pharming’

WW – WHOIS Policy Reform Puts ICANN to the Test

WW – Surf Securely, Carrying Privacy in Your Pocket

UK – Guidance on Outsourcing from the UK Data Protection Commissioner

UK – First Information Security Service to Receive Government Quality Mark Award

UK – BlackBerry Wins Security Approval For Use With ‘Restricted’ Government Data

HK – Report Into Police Data Leaks On Way

HK – Basic Law `permits breach of privacy’

US – Study: Colleges and Universities Not Posting Privacy Policies

US – Wisconsin Bill Would Prohibit Mandatory RFID Implants

CH – Chinese Government Enacts Unprecedented ID Tag Program

US – Small Businesses Especially Vulnerable to Security Breaches

WW – Study: Data Security Costs Rise

UK – Study: Computer Security Breaches Cost British Companies £10bn a Year

WW – Survey: Portable Storage Devices Are Serious Security Threat

US – DHS IT Security Checklist Focuses on Consequences of Breaches

WW – Oracle Introduces New Privacy Features in Database Products

AU – Australia to Introduce Single “Access” Smart Card

US – Private Sector Sees Barriers to New U.S. Gov’t Employee Identification System

US – Specter Wants More Debate on Spying; Tries to Block Program’s Funding

US – Survey: Americans Uncertain about and Uncomfortable with Surveillance

US – ACLU: Secret CDC/DHS Info-Sharing Deal May Violate Privacy & EU Pact

US – Students at Top NY City Schools Suing Rumsfeld, Pentagon for Violating Privacy

US – National Electronic Death Registration System Underway

US – New Hampshire Gov. Lynch Says He Will Sign Bill Opposing Real ID

US – Schneier: Proposed Federal Security Breach Notification Law

US – Arizona Lawmakers Approve ID Theft Bill

US – Colorado ID Theft Bill Progresses

US – Black Box Notice Law Proposed in Pennsylvania

CA – Montreal to Track Its City Workers With GPS

Toronto Says Licence-Tampering on City Systems Is Impossible

US – Judge Gives Lightest Sentence to Man for Surfing at Work

US – Port Workers to Undergo Background Checks

 


 

 

WW – Study: Consumers Willing to Adopt Biometric ID for Convenience

A recent study by the Ponemon Institute, sponsored by Unisys, has shown that a majority of global consumers are willing to have a unified ID that could be used to access personal information across a number of organizations. The study further suggests that consumers are comfortable with biometric mechanisms for determining identity. [Source] [Report] [Coverage]

 

CH – Mass Facial Scanning Surveillance For 2008 Olympics

Beijing will install facial recognition systems in 500 large shopping malls to assist with the tighter security measures set for the 2008 Olympic Games, Beijing News reported this week. Ma Xin, a security expert for the Olympic Games, said that the facial scanning equipment can identify people in as little as 0.01 second, and that its speed is determined by the system’s hardware configuration. The system has already been used in some neighborhoods and shopping malls, Ma said. It can record faces even when 10 people pass through a gate at the same time. He also said that the system recognized a suspect who had been missing for one year and looked quite different from his archive picture. The system’s experts questioned its accuracy, but blood tests from the suspect proved it was correct. People couldn’t recognize him with the naked eye because he had gained 10 kilograms within the year. The system recognizes people’s skeletal frames, so make-up or prosthetics won’t fool the equipment. [Source]

 

BC – Amendments to the B.C. Personal Information Amendment Act introduced

Amendments to the Personal Information Protection Act (PIPA) were introduced in the Legislative Assembly this week. The amendments to PIPA are contained in Bill 30 - 2006, the Miscellaneous Statutes Amendment Act (No. 2), 2006. In brief, the proposed amendments to PIPA will:

o        Incorporate the common law right of solicitors’ liens by permitting a lawyer to refuse an individual access to his or her personal information where a solicitor’s lien has been placed on the file due to the non-payment of legal fees;

o        Permit the collection, use and disclosure of third party personal information without the consent of the third party where it is necessary to provide a service to an individual and the individual seeking the service has provided the third party information (this is particularly necessary in cases where an individual is seeking medical, counseling or legal services); and

o        Correct a typographical error

 The full text of the bill is available at http://www.legis.gov.bc.ca/38th2nd/1st_read/gov30-1.htm

 

CA – Supreme Court of Canada Opines on Privacy and Access to Information

Michael Geist offers insight into a recent Canadian Supreme Court case involving privacy issues. While the facts of the case are compelling, the Court’s analysis of the Office of the Privacy Commissioner is highlighted by Geist. [Source]

 

CA – First Census Since 2001 Lets Canadians Respond Online

Canadians will count themselves on May 16 – the first census day since 2001. Census forms will be mailed or dropped off at about 12.7 million households between May 2 and May 13. Most Canadians have to fill out the short form, with eight questions, but one out of five households will get the long form, with some 61 questions pertaining to occupations, incomes, ancestries and living arrangements. For the first time ever, Canadians will be able to respond to the questionnaire online. An Internet access code will appear on every census form – and Statistics Canada expects about 20% of respondents will reply electronically. The questions are largely unchanged since the census five years ago, but this time many respondents will be asked for greater elaboration on their levels of education. [Source]

 

US – Who’s Complaining About Privacy?

A recent event at the Wharton School highlighted the continuing debate over online privacy. Noted writer Declan McCullagh, in a panel discussion, expressed the opinion that the average consumer does not feel great concern over online privacy. In contrast, McCullagh opined that privacy advocates are raising many of the issues currently debated in the marketplace. [Source]

 

US – Government Privacy Pros Urge a New Approach to the CPO Role

A panel of privacy pros and other experts recently discussed the need for governmental privacy professionals to move beyond the “no” culture – where privacy pros are seen as a consistent barrier – to a more positive and engaged relationship with their agencies. [Source]

 

WW – OECD Task Force on Spam Anti-Spam “Toolkit”

A new Recommendation on Cross-Border Co-operation in the Enforcement of Laws against Spam was adopted by the OECD Council session on 13 April 2006, completing the Anti-Spam Toolkit promoted by OECD since 2004. The recommendation acknowledges that there is no single solution for tackling spam and that international cooperation is the key to solving the problem. The OECD document urges countries to ensure that their laws enable enforcement authorities to share information with other countries and to promote the establishment of a single national contact point to facilitate international cooperation. [Source] [Sophos report reveals latest ‘dirty dozen’ spam relaying countries]

 

UK – Patients ‘Back Personal Data Use’ Survey Finds

Most people believe it is acceptable to use individual cancer patients’ details to help research, a survey has found. Eight out of 10 people backed the compulsory use of such data without first seeking consent, provided there were tight rules governing its use. The data is currently collected, but experts fear data protection legislation threatens the practice. The poll of almost 3,000 people, funded by the charity Cancer Research UK, appears in the British Medical Journal. The research was designed to find out if people would be concerned that allowing their details to be logged by the National Cancer Registry, which was set up to collect data for research, would be an invasion of their privacy. [Source]

 

UK – Information Commissioner Issues Guidance on Privacy Tools

The Information Commissioner’s Office has issued brief guidance to bring to a wider audience the use of privacy enhancing technologies, or PETs, to help protect people’s personal information. PETs have traditionally been considered to be software and other systems which allow individuals to withhold their true identity when using electronic systems, such as anonymous web browsers, specialist email services, and digital cash. [Source] [Coverage] [The guidance note]

 

EU – Peter Schaar Re-elected for Two Years as Chairman of Article 29 Working Party

On April 4, the Article 29 Working Party unanimously confirmed the German federal data protection commissioner Peter Schaar as Chair of the Article 29 Working Party and Dr. José Luis Piñar Mañas as Vice-Chair for another two years. See Press Release in German:

 

EU – Privacy Chief Warns Citizens to Consider Consequences of Their Digital Journey

European Data Protection Supervisor Peter Hustinx said that Europeans are too “naïve in dealing with personal data.” Internet and cell phone users leave digital tracks that could be exploited by criminals and unscrupulous businesses, he warned. The privacy chief also said the EU’s new Data Retention Directive is “unbalanced.” He stressed that retention periods must be followed and privacy safeguards are needed to protect citizens’ fundamental rights. [Source]

 

EU – European Data Protection Supervisor Hustinx Presents Annual Report

The European Data Protection Supervisor (EDPS) 2005 annual report was presented on April 19th. As stated by the report, following the first year of setting up the new independent authority on protecting personal data and privacy, 2005 was a year of consolidation, confirming its main activities: supervision, consultation and cooperation. The authority increased its staff and set up its own press service. Peter Hustinx, the European Data Protection Supervisor, stated that EDPS is now advising the European Commission, Council and Parliament on proposals for new legislation affecting privacy, and six formal opinions were published last year in this context. Related mainly to the policy area “Justice, Freedom and Security”, these opinions covered proposals such as the highly controversial one on data retention, as well as those for large-scale IT systems such as the second generation Schengen information system (SIS II) and the Visa information system (VIS). In 2005 efforts were made to further develop the network of Data Protection Officers (DPOs) of institutions and bodies. A paper on the role of the compulsory Data Protection Officers was published, and advice and training were also provided to DPOs. Resources were devoted to prior checking of risky operations (although most of them “ex post”, as the respective systems already existed before EDPS was created). EDPS provided a series of tools to facilitate compliance with data protection obligations by the EU administration, and issued 34 opinions, 30 of which concerned systems existing in various institutions and bodies. It established some thematic priorities such as medical files, staff appraisal, disciplinary procedures, social services and e-monitoring. A background paper was also prepared on how public access to documents and data protection relate in the context of EU institutions and bodies.
As the supervisory authority of the central unit of Eurodac, EDPS prepared a series of activities in 2005 and expressed general satisfaction with the findings of the first stage of inspections. Peter Hustinx expressed his confidence in EDPS’s achievements during the first two years of activity and considered that progress has been made in developing a data protection culture. [EDPS Press Release] [EDPS 2005 Annual Report] [Background] [Background]

 

FR – CNIL Publishes Guidance on Appointment of DPOs

The French data protection authority (CNIL) has welcomed the designation of a data protection officer (in French, “correspondant à la protection des données à caractère personnel”) by some 170 organizations since October 2005. This brings the number of DPOs who have been notified to the CNIL to seventy-nine, because several organizations chose to share one DPO. The CNIL has posted on its web site updated materials in connection with this topic, including: Guidance on the appointment of a DPO; a DPO appointment form; and the list of companies that have a DPO in place. [Further information]

 

EU – Spain Hosts First European Data Protection Congress in Madrid

The first European Congress on data protection was held in Madrid on March 29 through 31, 2006 at the initiative of the Spanish Data Protection Agency. It was unique as the first event organized by European DPAs which was open to the public, and was attended by over 300 participants, including a number of data protection commissioners. Documentation, including the Congress presentation, program and conclusions, is available in both Spanish and English at https://www.agpd.es/index.php?idSeccion=548

 

US – U.S. Proposes Mandatory Web Rating, With Criminal Penalties

Web site operators posting sexually explicit information must place official government warning labels on their pages or risk being imprisoned for up to five years, the Bush administration proposed last week.

A mandatory rating system will “prevent people from inadvertently stumbling across pornographic images on the Internet,” Attorney General Alberto Gonzales said. [Source] [draft bill]

 

CA – Thieves Target Passport Offices

Some Passport Canada offices in Ontario and Quebec have been hit by computer and cash thefts, Le Journal de Montreal reported last weekend. The newspaper said federal Access to Information documents indicate that five portable computers were stolen from Ontario offices in Mississauga and Brampton and an office in Gatineau, Que. In most of the cases, the computers were stolen after a rock was thrown through a window, but two of them were stolen from an employee’s home. It’s not clear what kind of information was on the computers, but two of them didn’t contain sensitive information. A file for passport renewals was stolen from a Montreal office. The Access to Information report noted the offices’ motion detectors and alarm system weren’t working. [Source]

 

CA – Supreme Court Gives Thumbs-Up to DNA Databank

The Supreme Court of Canada has upheld key provisions of the national DNA databank that stores genetic profiles of sexual and dangerous offenders. In a 4-3 judgment, the court ruled that portions of the law challenged by a repeat sex offender are constitutionally sound. [Source] [Source] [Source]

 

US – VA wants DNA from Veterans

The Department of Veterans Affairs plans a genetic database from potentially millions of VA patients, launching into profound legal, ethical and privacy debates to claim a leading role in genetic medicine. The VA intends to collect the first 100,000 samples in fiscal 2007, which begins in October, and foresees a database as large as veterans will allow. The department also hopes to write rules for handling a person’s genetic profile while using it in research and to identify an individual’s risk of diabetes, heart problems, cancers and other conditions. [Source]

 

QC – Electronic Health System to Launch in Quebec by 2011

Quebec is launching a plan to enable doctors and pharmacists to share computerized information about a patient’s health. A complete electronic health-information system should be in place by 2011 at a cost of $547-million, more than half of which ($303-million) will be paid for by the federal government over the next four years. Quebec may have to import much of the knowledge it will need from Alberta, where a regional electronic registry and patient records project called NetCARE was set up 18 months ago. [Source] [Source] [Gov’t Communique][Alberta NetCare]

 

US – HHS Data Not Secure: Report

A U.S. Government Accountability Office (GAO) report released March 23 pointed out possible flaws in data security at the Centers for Medicare & Medicaid Services (CMS). The GAO noted current controls on government health programs may put information at risk due to several weaknesses in the way information is handled. According to the study, the U.S. Department of Health and Human Services and CMS have significant “weaknesses” and “vulnerabilities” in their data-control systems –particularly those “designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to application software.” [Source]

 

US – Survey Shows Decline in HIPAA Compliance

A recent study has shown that 85% of hospitals and health systems consider their operations to be HIPAA compliant. This represents a drop from 91% in a similar survey last year. In contrast to this drop, the study also found that patients are becoming more concerned with HIPAA related privacy issues. [Source]

 

US – 200,000 Records Illegally Accessed at University of Texas

Nearly 200,000 individual electronic records at the University of Texas Business School have been illegally accessed, officials said. It was the school’s second major breach in three years. [Source] [Source]

 

UK – Fraudsters Steal Details on 2,000 MasterCard Customers

Fraudsters stole the credit card details of 2,000 MasterCard holders in a major security breach last week. MasterCard refused to say how the breach occurred, whether it was limited to the UK or which issuing banks were affected. [Source] [Source]

 

US – Iron Mountain Apologizes for Loss of Railroad Data Tapes

Iron Mountain, a Boston data-storage firm, apologized yesterday for losing personal data, including Social Security numbers, for thousands of Long Island Rail Road employees. The railroad is an Iron Mountain customer. The loss was discovered April 6 by an Iron Mountain driver when backup tapes with employees’ personal data were being transferred between locations. At risk are as many as 17,000 current or former railroad employees. [Source].

 

US – Aetna Loses Data on 38,000 Members

Aetna has admitted that an employee who didn’t follow procedures managed to lose a laptop containing personal member information. But in the interest of disclosure, Aetna did issue a press release about what happened. “In this case, our employee did not follow our corporate policies, and it was coupled with a criminal theft,” said Williams. “In light of this, we are augmenting our efforts to ensure employee compliance with all Aetna security requirements.” The employee left the laptop in a personal vehicle in a public parking lot. Despite repeated incidents of laptop theft being reported in the media, and Aetna’s internal policies and code of conduct regarding laptop security, the plum prize was left where it could be stolen, and it was. A poster at the Consumerist website identified herself as an Aetna staffer, and said the company requires passwords of a minimum six characters in length with at least one letter and one number. [Source]

 

CA – Canadians Look for Border ID Alternative to Passport, National ID Card

Public Safety Minister Stockwell Day said Homeland Security Secretary Michael Chertoff has assured him that some other Canadian document would suffice to meet more stringent rules that take effect Jan. 1, 2007. However, he suggested that Canadians get their passports and stressed that it remains to be seen what documentation would satisfy the new rules. Jim Williams, who heads the new US-VISIT program, said that U.S. law will require identification that shows citizenship and is tied to a security database. Day stressed that Ottawa would not create a new identity card similar to the U.S. PASS card, which will serve as a passport alternative for Americans re-entering the U.S., beginning Jan. 1, 2008. [Source] [Day Hints at Longer-Lasting Passports]

 

US – Border Pass Plan Appears Headed For Delay

Fierce opposition in Senate, equipment difficulties are key factors: The Bush administration appears to be delaying deadlines for a new ID system to enter and leave Canada in the face of heated opposition in the Senate. A conflict within the administration itself over equipment is also complicating the government’s plan to require high-tech identification cards by Jan. 1, 2008. Calling the mandate for passports or passport-like PASS cards “a train wreck on the horizon,” Sen. Patrick J. Leahy, D-Vt., has proposed delaying the restrictions by a year and a half from the original 2008 deadline. [Source]

 

US – Head of U.S. Visitor Tracking Program Wants Global ID System

Forget a national ID: Homeland Security proposes a global ID system! The head of the Homeland Security Department’s visitor tracking program this week called for the creation of a “global ID management system” to make travel easier while enhancing security. [Jim] Williams said he wants to join forces with several DHS agencies to develop a global identification system that would cut wait times, reduce government fees for travelers, fight illegal immigration and, perhaps paramount, better defend nations from terrorists. The US VISIT chief, who already oversees identity inquiries for nearly every visitor who enters the United States, said a worldwide identification system will better link nations in the fight against terrorism. In his speech, he likened al Qaeda operatives and sleeper cells - including the ones that attacked on 9/11 - to “submarines” that must surface to kill. [Source]

 

UK – New IPS Sets Out Ten Year Identity Plans

The new U.K. Identity and Passport Service (IPS) has ‘hit the ground running’, publishing plans for a major programme of anti-fraud projects that will transform people’s ability to confirm identity and protect their personal details from criminals. The IPS Corporate and Business Plans 2006 - 16 set out the key measures the Agency is to introduce over the next ten years, as it works to set up the National Identity Scheme at the same time as enhancing the security of the British Passport and the passport issuing process. IPS was created on 1 April 2006, after the Identity Cards Bill received Royal Assent. [Source]

 

UK – ID Card Database to be Used as Population Register

The Government has announced that data from the NIR will also be used as an adult population register for a range of novel data sharing functions. The Office of National Statistics had promoted a separate adult population register for these functions. [Source] [Blair defends Big Brother Britain] [Bruce Schneier: U.K. ID cards will worsen ID theft]

 

FR – The ePassport Soon in Your Pocket

The issuance of the first electronic passports will be spread over a month and a half, from 22 April to 5 June 2006, according to a schedule the Ministry of Foreign Affairs published on its website on 14 April 2006. The schedule provides for a first test phase at the Consulate General of France in New York, starting 22 April. For 173 countries in Central and South America, the Middle East, Africa and Europe, the documents will be issued from 15 May. North America, Asia and Oceania will have to wait until 29 May, and the consulates in Belgium, Great Britain, Ireland and Switzerland until 5 June. [Source]

 

PH – National IDs out this year

The government will start issuing “harmonized” ID cards that will be recognized by all public agencies by the third quarter, following a Supreme Court ruling that upheld their legality. Malacañang has given the National Economic and Development Authority 30 days to draw up the mechanics for the harmonized ID system based on Executive Order 420. [Source]

 

US – Congress Readies New Bill to Expand Digital Millennium Copyright Act

A proposed copyright law would expand the U.S. Digital Millennium Copyright Act’s restrictions on software that can bypass copy protections and grant federal police more wiretapping and enforcement powers. The draft legislation, created by the Bush administration and backed by Rep. Lamar Smith, already enjoys the support of large copyright holders such as the Recording Industry Association of America. [Source] [Source] [Text of draft bill] [Alternate version]

 

CA – Canadian Musicians Demand Voice in Copyright Reform

Some of Canada’s best known musicians, including Avril Lavigne, Sarah McLachlan, and Barenaked Ladies, have launched a new music creators coalition. The coalition argues that suing fans is destructive and that the use of TPMs (Trusted Platform Modules) is risky and counterproductive. [Source]

 

WW – New Version of Microsoft Internet Explorer Fights ‘Pharming’

Internet users were given a peek at a revamped version of Microsoft Corp.’s Internet Explorer, a response to criticism that the most popular tool for Web surfing and hacking made users vulnerable to the Internet’s dangers and caused them to defect to alternative browsers. The new version of Internet Explorer will provide color-coded warnings when a user tries to access a Web site that is suspicious or known as fraudulent. [Source]

 

WW – WHOIS Policy Reform Puts ICANN to the Test

Proposed reforms to ICANN’s Whois policy, approved recently by a group tasked with examining the issue, have put new pressure on ICANN. The changes are supported by the privacy community but opposed by business groups and the U.S. government. [Source]

 

WW – Surf Securely, Carrying Privacy in Your Pocket

A specialized flash drive introduced by Stealth Ideas can ensure that one’s Web travels remain secret. The StealthSurfer II ID Protect combines several programs to let users navigate the Web anonymously and create e-mail that cannot be read by others. The programs come loaded on a flash drive, available from the company’s Web site (www.stealthsurfer.com). Plug the flash drive into a PC’s USB port, and all files created when Web surfing are stored on the drive, not on the computer’s hard disk. Programs include the Firefox browser; Anonymizer, to mask the user’s Internet protocol address; RoboForm, a program that prevents keystrokes from being recorded; and Thunderbird, an e-mail program. [Source]

 

UK – Guidance on Outsourcing from the UK Data Protection Commissioner

The U.K. Data Protection Commissioner recently published guidance for businesses in the U.K. sending personal information outside of the country. The advice is largely directed towards smaller businesses without a privacy professional on staff, but reflects the Commissioner’s approach to outsourcing issues generally. [Source] [Guidance – Good Practices Note]

 

UK – First Information Security Service to Receive Government Quality Mark Award

The MessageLabs Anti-Virus Service has today become the first managed service to be awarded the CSIA Claims Tested Mark – a government quality mark initiative for information security products and services. The award was announced by the Head of the Central Sponsor for Information Assurance (CSIA), Steve Marsh, speaking at an Infosecurity Europe event. Marsh said – “Managed services are of particular interest to the public sector especially in terms of data sharing within and between organisations.” [Source]

 

UK – BlackBerry Wins Security Approval For Use With ‘Restricted’ Government Data

Research In Motion (RIM) and U.K. Government security experts, CESG, have announced that RIM has gained approval for Government employees to use BlackBerry devices to handle “Restricted” data. CESG is the National Technical Authority for Information Assurance and provides guidance to public and private bodies involved in secure data transmission. Following the first phase of the evaluation, CESG released guidance that allows government customers to start deploying BlackBerry devices to their mobile staff. The guidance covers email, attachment viewing and access to application data through the BlackBerry Mobile Data System. [Source]

 

HK – Report Into Police Data Leaks On Way

A report on the leak of a database containing the personal information of more than 20,000 complainants to the Independent Police Complaints Council and its subcontractors may be ready by the end of next month, Privacy Commissioner for Personal Data Roderick Woo Bun said. [Source] [Other news: Privacy body to probe Yahoo role in mail leak]

 

HK – Basic Law `permits breach of privacy’

The Hong Kong government has argued that the Basic Law gives it the “right to infringe” individual privacy rights and investigate the personal communications of Hong Kong residents. [Source]

 

US – Study: Colleges and Universities Not Posting Privacy Policies

Watchfire and Bentley College recently released survey results that show a large number of institutions of higher education have not yet posted online privacy policies. In the survey, performed by Professor Mary Culnan, 236 universities and colleges were examined, and only 65 were found to have privacy policies posted. [Source] [Source]

 

US – Wisconsin Bill Would Prohibit Mandatory RFID Implants

Former Gov. Tommy Thompson was one of the first high-profile supporters of tiny microchips implanted in people’s arms that would allow doctors to access medical information. Now the state he used to lead is poised to become the first to ban governments and private businesses from forcing such implants on employees, privacy advocates say. A proposal moving through the state Legislature would prohibit anyone from requiring people to have the tiny chips embedded in them or doing so without their knowledge. Violators would face fines of up to $10,000. [Source]

 

CH – Chinese Government Enacts Unprecedented ID Tag Program

China is on its way to becoming one of the largest markets for radio-frequency identification tags, propelled in part by U.S. importers that want the technology to be used for tracking assets, market analysts said. The Chinese government is implementing an unprecedented program to give its citizens RFID tags to verify their identities. China bought more than 100 million resident tags in 2005 and is expected to buy about 2.9 billion by 2009, according to a market research and consulting firm. “With a population of over 1.3 billion, the issuance of RFID-tag-inlaid resident ID cards by the [Chinese] Ministry of Public Security is one of the biggest RFID projects in the world,” In-Stat concluded in a recent study. [Source]

 

US – Small Businesses Especially Vulnerable to Security Breaches

Help is available for small businesses needing resources to help them identify safeguards they need to employ to protect their customers’ valuable personal data. According to the Small Business Technical Institute, more than half of all small U.S. companies have suffered a data breach within the past six months. The Council of Better Business Bureaus has partnered with Privacy & American Business to provide free privacy toolkits and a downloadable Webinar. [Source] [BBB Toolkit]

 

WW – Study: Data Security Costs Rise

According to security research firm Gartner, in 2007 nearly 40% of new security spending by businesses is predicted to be directed towards protecting sensitive consumer data. Protecting data is essential for reducing overall costs because a security breach can cost organizations more than $90 per stolen account. [Source]

 

UK – Study: Computer Security Breaches Cost British Companies £10bn a Year

Security breaches from computer viruses, spyware, hacker attacks and equipment theft are costing British business billions of pounds a year, according to a survey. The estimated loss of £10 billion is 50% higher than the level calculated two years ago, according to the survey that consultancy PricewaterhouseCoopers conducted for the U.K. Department of Trade and Industry. Small companies saw a large rise in the number of attacks, with average losses of £8,000 to £17,000. [Source] [Source]

 

WW – Survey: Portable Storage Devices Are Serious Security Threat

The growing popularity of Portable Storage Devices (PSDs), from USB memory sticks and removable discs to mp3 players and mobile phones, poses a growing threat to data security, says the Information Security Forum (ISF). In a survey of its membership the overwhelming concern was the possible theft or loss of vital or sensitive information that could cause serious business impacts. While PSDs are primarily used for transferring or sharing data and to work at home or on the move, the simple plug and play technology introduces major security vulnerabilities. This can be further compounded if personal devices are also used in a professional capacity. In the ISF PSD survey, over 90% of respondents said that they used some form of PSD for business and 43% said that the same devices were also used for personal use. Yet despite this, over 50% were not implementing encryption to protect the data. “At the moment, individual PSDs are often only equipped with limited security functions and companies rely on policy and education to prevent security breaches,” said the Head of ISF research. “With the increasing use of PSDs for both business and personal use, it is vital that these measures are tightened up and technical controls such as data encryption and audits are introduced.” [Source]

 

US – DHS IT Security Checklist Focuses on Consequences of Breaches

A small office of the Homeland Security Department has released a draft cybersecurity checklist intended to help enterprises focus on the real-world consequences of security breaches. The U.S. Cyber Consequences Unit was created by DHS to provide analysis of economic and strategic consequences of cyberattacks on critical infrastructure and to evaluate the cost-effectiveness of countermeasures. As part of this work, director and chief economist Scott Borg and research director John Baumgarner began on-site visits to evaluate systems in critical industry sectors. “We started seeing huge vulnerabilities,” Borg said at the GovSec conference in Washington, where the draft document was released. Most of the systems were compliant with current security checklists and best practices. “And portions of those systems were extraordinarily secure. But they were Maginot Lines,” susceptible to being outflanked. [Source]

 

WW – Oracle Introduces New Privacy Features in Database Products

Database administrators may find their access to data limited as new features roll out in Oracle’s popular products. To promote greater control over personal information, Oracle has created a “Database Vault” that will limit the ability of database admins to see the data held within a database. [Source]

 

AU – Australia to Introduce Single “Access” Smart Card

The introduction of a single “smart card” which will provide Medicare access, have welfare and tax benefits and act as a national identity card is being considered by federal cabinet. The Australian government had been contemplating plans for a separate ID card, in addition to a Medicare card, to boost national security since last year’s London bombings. But with the cost of two cards thought to be too high, it will now consider combining aspects of both. The new card, aimed at reducing welfare and ID fraud as well as protecting against terrorists, will have a computer chip and photograph. [Source] [Announcement] [Opposition to new Card] [Coverage] [Coverage] [Coverage] [Coverage] [Coverage] [Coverage] [Coverage] [Coverage]

 

US – Private Sector Sees Barriers to New U.S. Gov’t Employee Identification System

Federal agencies are at risk of missing an October deadline for implementing a new employee and contractor identification card system that meets requirements in a presidential directive, private sector information technology firms said in response to a recent survey. More than three-fourths of the private sector IT officials surveyed by the Bedford, Mass.-based company RSA Security Inc. said they believe that for agencies to successfully implement Homeland Security Presidential Directive 12 (HSPD-12), the Oct. 27 deadline for starting to issue badges must be extended. [Source] [Source]

 

US – Specter Wants More Debate on Spying; Tries to Block Program’s Funding

New expressions of frustration over how little information the administration has shared about the National Security Agency’s warrantless eavesdropping on Americans flared yesterday in the Senate, one day after House Republicans barred amendments that would have expanded oversight of the controversial program. [Source] [Source] [Source]

 

US – Survey: Americans Uncertain about and Uncomfortable with Surveillance

Dr. Larry Ponemon reports on a broad survey of Americans and their feelings towards issues of surveillance. The survey found that Americans feel largely uncomfortable with monitoring of behavior – whether through RFID, wiretaps, or online tracking. In contrast, Americans were more willing to accept surveillance cameras operated by law enforcement and employee monitoring of email. [Source]

 

US – ACLU: Secret CDC/DHS Info-Sharing Deal May Violate Privacy & EU Pact

Responding to the revelation that the Department of Homeland Security (DHS) has reached a secret agreement to share airline passenger data with the Centers for Disease Control and Prevention (CDC), the American Civil Liberties Union today said it has asked the CDC to disclose details of the deal. “The tracking of data on airline passengers, which can amount to building lifetime dossiers on Americans, has been a hotly debated issue for many years - and now we find out that two government agencies may have agreed, behind the public’s back, to share data,” said Barry Steinhardt, Director of the ACLU’s Technology and Liberty Project. “These agencies have no justification for instituting a major new data-sharing arrangement on this issue, with all of its implications for privacy, and keeping it hidden from public scrutiny and debate.” The departments of Health and Human Services and Homeland Security have a secret agreement to exchange airline passenger information as part of a Centers for Disease Control and Prevention plan to help combat pandemic flu, the Air Transport Association (ATA) said in a filing with the CDC. [Source] [Source] [Source] [Source]

 

US – Students at Top NY City Schools Suing Rumsfeld, Pentagon for Violating Privacy

Secretary of Defense Donald Rumsfeld has been sued by a group of students in New York City over alleged privacy violations related to the collection and use of data for recruiting purposes. The students claim that the government collected data on high school students for recruiting purposes, but retained the data beyond current statutory limits. [Source] [Source] [Source] [Source]

 

US – National Electronic Death Registration System Underway

In the U.S., about 2.5 million paper death certificates are issued every year. The process for creating that truckload of forms is antiquated, cumbersome and prone to errors. To improve the situation, the Social Security Administration is working with states and other jurisdictions to create a national Web-based system called E-Vital that can better handle the process. The initiative seeks to streamline the creation and management of death-registration records, significantly reduce reporting errors, better secure data and cut the time required to complete the reporting process. But overhauling a decentralized and entrenched system has proven to be difficult. Bedeviling the transition are challenges presented by a multiplicity of jurisdictions, software vendors, end users, local registrars, peripheral players and unforeseen impediments. [Source]

 

US – New Hampshire Gov. Lynch Says He Will Sign Bill Opposing Real ID

Democratic Gov. John Lynch said this week he will sign a bill that would bar the state from adopting strict new federal standards for drivers’ licenses, if the Legislature passes it. The bill, which bans state participation in the Real ID Act of 2005, passed the House last month and was recommended unanimously by a Senate committee this week. The bill is expected to go before the full Senate in two weeks. “The governor has serious concerns about the unanswered questions about privacy, cost and the consequences of turning motor vehicle workers into de facto agents of Homeland Security,” said a Lynch spokeswoman. The bill has put New Hampshire at the forefront of opposition to the Real ID Act, an anti-terrorism bill which critics say would effectively create a national identification card system. [Source] [Committee endorses anti-Real-ID bill] [Real ID protest is right stand for state to take] [Coverage] [Coverage] [Coverage]

 

US – Schneier: Proposed Federal Security Breach Notification Law

Bruce Schneier opines on the proposed federal Data Accountability and Trust Act (DATA), arguing that the law, if passed by Congress, “would make things worse, not better.” The DATA law would pre-empt 23 existing state laws – many of which provide stronger safeguards for consumers. Schneier contends that the bill should not pre-empt any state laws, but notes that while disclosure of breaches is important, it will not alone solve the identity theft problem. Schneier advocates in a Wired News piece for “laws prohibiting credit card companies and other financial institutions from granting credit to someone using your name with only a minimum of authentication.” [Source]

 

US – Arizona Lawmakers Approve ID Theft Bill

A bill that would require businesses to destroy documents containing sensitive identifying information is before Arizona Gov. Janet Napolitano. Under the bill, violations would be punishable by a civil penalty of $500; $1,000 for a second offense; and $5,000 for each subsequent violation. If the governor signs the measure, it would take effect Oct. 1. In other action this week, the Legislature approved a separate bill that would require companies to notify residents if unencrypted computerized data was leaked during a breach. [Source]

 

US – Colorado ID Theft Bill Progresses

An ID theft bill in Colorado is closer to passage as state law enforcement officials expressed support. The bill would make ID theft a felony in certain circumstances. [Source]

 

US – Black Box Notice Law Proposed in Pennsylvania

A bill in Pennsylvania would require auto dealers to disclose the existence of data recorders, or “black boxes,” in vehicles. Additionally, owner’s manuals would be required to disclose the use of black boxes and the data they record. [Source]

 

CA – Montreal to Track Its City Workers With GPS

The city of Montreal plans to install GPS devices in some of its vehicles to monitor the whereabouts of its employees. City officials insist the plan to use a global positioning system is not to spy, but rather, a way to better utilize city resources and improve service. A pilot project is slated to begin next winter to install the devices in some snow-removal vehicles. [Source] [Source]

 

ON – Toronto Says Licence-Tampering on City Systems Is Impossible

A disgraced top official’s renewed allegations of tampering with city tow-truck licences were rejected this week by Toronto Mayor David Miller. “That’s not possible,” he told reporters, responding to former municipal licensing and standards executive director Pamela Coburn’s assertion, made in some news outlets yesterday, that criminal records possibly were deleted from city files to make it easier for suspected biker gang members to get tow-truck licences. “That’s just simply not possible with our computer system,” the mayor said. However, Mr. Miller now says a more frequent check of licence holders for criminal records, more often than the current standard of every four years, is “under review.” [Source]

 

US – Judge Gives Lightest Sentence to Man for Surfing at Work

Surfing the Web at work is equivalent to reading a newspaper or talking on the phone, an administrative law judge said in recommending the lightest possible punishment for a city worker accused of disregarding warnings to stay off the Internet. The case involved a 14-year veteran of the Department of Education, whose office computer had been used to visit news and travel Web sites. [Source]

 

US – Port Workers to Undergo Background Checks

Seaport workers will undergo background checks for links to terrorism and to ensure they are legal U.S. residents, the Bush administration said Tuesday. The announcement came after months of scathing criticism about security gaps at the nation’s ports. [Source]

 

--------