Privacy News Highlights

23 June—13 July 2006

Contents:

EU – Brussels Unveils Plan to Use Fingerprints on EU Passports

UK – Fury Over Fingerprinting 700,000 School Children

CA – Ottawa Takes ‘Big Step’ to Biometric ID

CA – Harper Warns U.S. Against Border Plan

CA – Ontario Privacy Commissioner Releases Annual Report:

CA – Privacy Watchdog Sniffs Around Banks for Signs of U.S. Snooping

CA – MPs Urge Lifetime Unique Identity Number for all Voters

CA – Alberta Committee Seeks Public Input on Review of PIPA

CA – Driveway Not a Private Place, Ontario Court Rules

CA – Poll: Canadians Want Personal Information Treated More Responsibly

UK – UK Guidance Issued on Transferring Personal Information Overseas

AU – Australia Issues Spam Act Review Report

UK – LINX Guidelines Let ISPs Share Spam Data with Cambridge

CA – Canadian Bar Association Speaks Out Against ISP Snooping

US – Army Close to Full PKI Implementation

UK – Widespread Abuse of Data Protection Act

UK – Information Commissioner Issues First Website Enforcement Order

EU – EU Fines Microsoft $357 million

US – Survey: Employees Are Biggest Threat to Data Security

WW – Technology Coalition Announces New Plans for Email Scanning

WW – Group Urges 32 Nations to Block Bank Records Disclosure

EU – Data Protection Laws Do Not Apply to International Banking Consortium

WW – MasterCard, VISA Announce Updates to PCI Standard

CA – Supreme Court Ruling: Freedom of Information V. Solicitor-Client Privilege

US – Florida Moves to Putting Court Records Online

US – Consultant Hacks Into FBI’s Computers

US – University Notifies 180,000 of Personal Data Loss

US – Naval Safety Center Leaks Personal Information of 100,000 Sailors, Marines

UK – Identity Card Scheme Faces Delay

US – Experts Form Research Center to Battle Identity Fraud

US – Judge Bars U.S. from Publicizing Its Credit Monitoring Offer

UK – U.K. Creates ‘Public Private Forum on Identity Management’

US – Class-Action Lawsuit Calls Microsoft Windows Feature “Spyware”

WW – Microsoft to Publish Its Privacy Rules

US – FTC “Concerned” About MySpace & Other Networking Sites

US – Five Arrested In Theft of LexisNexis Data

CA – New CIPS Designation Boosts Academics, IT Pros

WW – International Bank HSBC Hit by Bangalore Breach

WW – Search Engine Promises Complete User Privacy

US – Two OU Grads Sue Over Data Breaches

EU – Unisys, Microsoft Team up on EU Cross-Border Police Data System

US – Report: Range of Laws Used in Fight Against Spyware

HK – Privacy Campaign Aims to Protect Hotel Guests' Data

US – Data Brokers and Buyers Anger Congress

US – AT&T to Pay $550,000 to End Two Privacy Regulatory Matters

US – White House Orders New Data Security Standards

US – New Report Says e-Voting Systems Flawed

EU – Public RFID Discussion Opened in Europe

US – US-VISIT RFID Trial Shows Security Holes

KR – Grocery Store Chain Employs RFID to Profile Shoppers’ Buying Habits

US – NASCIO Releases Brief on Evolving State Chief Information Security Officer Role

WW – Study: Who Are You? Can You Prove It?

WW – Study: Organizations Facing Unnecessary IT Security and Financial Risks

AU – Government Releases Smart Card Interoperability Framework Documents

US – FBI Seeks New Law Requiring ISPs to Allow Wiretapping

CA – Bell Sympatico Intends to “Monitor or Investigate Content”

CA – Drivers Sought to Test Black Boxes for ICBC

US – Privacy Advocates Wary Of AT&T’s Privacy Policy Changes

US – Survey: 62% Oppose Database for Tracking of College Students

US – DHS Privacy Chief Leaves to Join Hunton & Williams

US – Identity Theft Bill Would Create National Standard for Banks, Other Entities

US – Consumer Groups Oppose Federal Data Security Bill

US – Illinois Governor Signs Identity Theft Bill

CA – Canadian Study Finds Widespread Workplace Monitoring

US – Employees Sue Railroad Over Social Security Number Theft

 


 

EU – Brussels Unveils Plan to Use Fingerprints on EU Passports

The European Commission last week unveiled technical details of a new type of biometric data to be used in EU citizens' passports. Along with facial features that must be part of newly issued travel documents by late August, member states will be obliged to issue passports with two fingerprints by 2009. Brussels points out that these data (fingerprints) are more sensitive and so decided to protect them by a more advanced system, with the EU set to be the very first bloc worldwide to apply this technology. [Source]

 

UK – Fury Over Fingerprinting 700,000 School Children

Fury erupted last week after it emerged an estimated 700,000 children are being fingerprinted at school. Systems in 3,500 primary school libraries allow pupils to take out books by scanning their thumb prints instead of using a card. But campaigners warn the technology is a massive invasion of privacy and a step towards a "database state". With an average primary school size of 200 pupils, pressure group No2ID says at least 700,000 pupils are regularly having their fingerprints scanned. And there are fears schools having children's fingerprints could lead to the information being stored on government computers with DNA records and personal details.  [Source]

 

CA – Ottawa Takes ‘Big Step’ to Biometric ID

The federal government has moved a major step closer to making all Canadian passports contain biometric technology, similar to the ID information to be contained in the new U.S. passcard system. Citizenship and Immigration Canada (CIC) has selected Unisys Canada to supply, install and support a solution that will allow CIC to conduct a six-month biometrics field trial. The trial will test the impact of introducing two biometric technologies - fingerprint and facial recognition - on CIC operations. [Source] [Source]

 

CA – Harper Warns U.S. Against Border Plan

Prime Minister Stephen Harper urged the U.S. to rethink a plan to introduce tougher checks at border crossings after talks with President Bush last week. “I would hate to see a law go into place that has the effect of not just limiting or endangering trade or tourism, but endangering all those thousands of social interactions that occur across our border,” Harper told reporters after the 40-minute meeting with Bush in the Oval Office. “I would just urge the Congress to think carefully, [for] if the fight for security ends up meaning the U.S. becomes more closed to its friends, then the terrorists have won,” Harper said. Bush described Harper as “impatient” on the issue and tried to reassure him that the plan would not hurt trade with Canada. The president said it’s up to the Congress to make the initiative easy to follow. [Source]

 

CA – Ontario Privacy Commissioner Releases Annual Report:

Government spending must be open to the public: Commissioner Cavoukian says greater transparency needed. While considerable gains have been made, government organizations nonetheless continue to use the Freedom of Information and Protection of Privacy Act as a shield to block the release of consultants' contracts and the financial arrangements made with suppliers of goods and services, said Information and Privacy Commissioner Ann Cavoukian. [Source] [Privacy watchdog blasts Liberals over fiscal secrecy] [Law urged to disclose theft of information] [Acquittal won't erase records, privacy chief warns]

 

CA – Privacy Watchdog Sniffs Around Banks for Signs of U.S. Snooping

Canada’s privacy watchdog has cast a wide net in its efforts to uncover whether the U.S. has gained improper access to Canadians’ banking records. The commissioner’s office has contacted the Bank of Canada, private financial institutions, the Canadian Bankers Association, the Office of the Superintendent of Financial Institutions (OSFI), the Financial Transactions and Reports Analysis Centre of Canada (Fintrac) and a number of federal government departments including Finance. The Commissioner’s primary goal in its inquiry is to ask the organizations whether they have any knowledge or evidence of U.S. prying into Canadians’ records. The office spokesperson said she couldn’t comment further on what was asked, or what was revealed. [Source] [SWIFT scandal, A Test Of P.Commish Potency?]

 

CA – MPs Urge Lifetime Unique Identity Number for all Voters

MPs who conducted a special inquiry into voter fraud in Canada are calling for a lifetime "unique identifier" for all electors that would follow them everywhere. Despite cautions from privacy commissioner Jennifer Stoddart, the Commons procedure and House affairs committee on Thursday called for the measure along with other strict identification requirements to prevent fraud in federal elections. [Source]

 

CA – Alberta Committee Seeks Public Input on Review of PIPA

An Alberta Legislative Assembly all-party committee is currently set to review the Personal Information Protection Act starting this Fall. “We want to consult with as many people as we can who are governed by this legislation,” said the Chair of the Select Special Personal Information Protection Act Review Committee. “We want to ensure that there is an appropriate balance of the right of an individual to have personal information protected and the organization’s need to collect, use and disclose personal information.” The committee will actively consult with Albertans throughout the review and encourage those with an interest to download the discussion guide at www.pipareview.ab.ca. [Source]

 

CA – Driveway Not a Private Place, Ontario Court Rules

In a 3-0 ruling, the Ontario Court of Appeal overturned an acquittal and ordered a new impaired driving trial for a Toronto man who was charged in 2001 after two police officers walked up his driveway and arrested him in his car. William Lotozky's driveway did not qualify as a location where he had a reasonable expectation of privacy, the appeal court concluded. [Source]

 

CA – Poll: Canadians Want Personal Information Treated More Responsibly

According to an EKOS poll released by the Privacy Commissioner of Canada, most Canadians believe that neither the government nor businesses take their responsibility to protect personal information very seriously. Only 14% of Canadians believe that the federal government takes its responsibility to protect personal information very seriously and only 11% are confident that businesses take this responsibility very seriously. 71% of respondents feel they have less protection now than they did 10 years ago. “The current government has pledged to make accountability a trademark of government operations, and I can’t think of a better way to demonstrate this principle, than by holding it to account for the way in which it treats the personal information,” said Commissioner Stoddart. [Source] [Source]

 

UK – UK Guidance Issued on Transferring Personal Information Overseas

The U.K. Information Commissioner’s Office has published updated guidance to companies and other organisations on transferring personal information outside Europe. The two pieces of guidance offer data controllers an overview of the 8th data protection principle and the options for transferring information outside the EEA. [Source]

 

AU – Australia Issues Spam Act Review Report

An Australian Senator has released a report on the review of the Spam Act 2003, stating that “the review found that the legislation, as part of the Government’s multilayered strategy against spam, enabled active enforcement, productive industry partnerships and, most importantly, international cooperation against the global problem that is spam.” The report on the Spam Act review and the submissions received can be accessed at www.dcita.gov.au/spam [Source]

 

UK – LINX Guidelines Let ISPs Share Spam Data with Cambridge

New guidelines may pave the way for dozens of UK ISPs to participate in a University of Cambridge research project on spam. The guidelines concern how ISPs should deal with sensitive issues such as customer privacy and data-protection laws, while cooperating to shut down machines propagating spam, said Martin Hutty, head of public relations for the London Internet Exchange (LINX), a group of around 220 ISPs and network providers. [Source]

 

CA – Canadian Bar Association Speaks Out Against ISP Snooping

The Canadian Bar Association has spoken out publicly against a growing trend of ISPs to monitor or investigate their customers’ communications. The CBA notes that the activities are more intrusive than prior legislative proposals and that the actions raise solicitor-client confidentiality concerns. [Letter]

 

US – Army Close to Full PKI Implementation

The U.S. Army is ahead of schedule in implementing the public-key infrastructure mandates of Homeland Security Presidential Directive 12, according to the Army’s CIO. More than 70% of Army personnel now log on to Army networks using the common access card and a personal-identification number. [Source]

 

UK – Widespread Abuse of Data Protection Act

According to a study published this week, 44% of the 100 UK IT directors polled used genuine customer data for application development and testing. Breaching the second principle of the Data Protection Act (DPA), this data was used for purposes other than that for which it was collected. [Source]

 

UK – Information Commissioner Issues First Website Enforcement Order

The operator of a website designed to allow searches for people’s contact details has been issued with an enforcement order by the Information Commissioner’s Office (ICO). It is the first time that the ICO has issued an order over a website. [Source] [Source]

 

EU – EU Fines Microsoft $357 million

The EU fined Microsoft $357 million for failing to obey its 2004 antitrust order to share program code with rivals and threatened new fines of €3 million a day beginning July 31. The new fines will take effect unless the company supplies “complete and accurate” technical information to developers to help them make software that works smoothly with its ubiquitous Windows operating system. [Source] [European Regulators Vote in Favor of Daily Fines for Microsoft] [EU Ready to Issue Daily Microsoft Fines] [SEC Official Expects Heavy Fines Against Microsoft] [EC to Debate Sanctions]

 

US – Survey: Employees Are Biggest Threat to Data Security

An audit finds that the biggest risk of data breach or theft comes from careless employees or consultants who don't properly secure the data they are entrusted with. The audit, conducted by the Palisade Systems network and data security company, surveyed companies that had reported data breaches or thefts in the past year to the nonprofit Privacy Rights Clearinghouse, and reviewed their security policies and procedures. According to Palisade Systems' audit report of the 126 companies surveyed, over 54% lost data or suffered a breach due to employee error, with 34% being due to outside hackers or other intrusion attempts, and the rest due to other causes. [Source] [Survey]

 

WW – Technology Coalition Announces New Plans for Email Scanning

Companies such as AOL, Yahoo, Microsoft, Earthlink, and United Online have joined to create a “Technology Coalition” to find ways to safeguard children online. The coalition plans to scan emails for illegal images of children that are traded over peer-to-peer networks and other messaging services. [Source]

 

WW – Group Urges 32 Nations to Block Bank Records Disclosure

A civil liberties group urged 32 governments to block the release of confidential banking records to U.S. authorities as part of American anti-terrorist probes. The London-based watchdog Privacy International demanded a halt to the "completely unacceptable" monitoring of millions of transactions as part of a CIA-U.S. Treasury program. [Source] [P.Int'nal Asks 6 More Countries to Hold Financial Data Back]

 

EU – Data Protection Laws Do Not Apply to International Banking Consortium

EU data protection laws do not apply to the transfer of banking information to a non-EU country because of a national security exception, according to a commission spokesman. Some Belgian officials reportedly were aware of the transfer of personal financial data to U.S. authorities, but the country’s leader said he was unaware of the secret program. Last week, it was revealed that since shortly after Sept. 11, U.S. authorities have been monitoring financial data handled by the Society for Worldwide Interbank Financial Telecommunications, a banking consortium that does international transactions for 8,000 banks in more than 200 countries. [Source] [EU Parliament demands to know more about Secret U.S. Program]  [Canadian and Belgian governments concerned over CIA Banking Data Program].

 

WW – MasterCard, VISA Announce Updates to PCI Standard

The year-old Payment Card Industry data security standard will evolve with the release of new security rules for entities that handle credit card data. Merchants who don’t follow the rules are subject to fines or exclusion from processing credit card transactions. The goals of the changes are to protect credit card information from Web application security threats and to ensure that companies require third parties to have proper safeguards to protect credit card data. [Source]

 

CA – Supreme Court Ruling: Freedom of Information V. Solicitor-Client Privilege

Goodis v. Ontario (Ministry of Correctional Services): The Supreme Court of Canada released an appeal judgment this week on the issue of counsel access to the record at issue where a claim for solicitor-client privilege has been made. The Court reversed the decision of the Ontario Court of Appeal. [Source]

 

US – Florida Moves to Putting Court Records Online

The Florida Supreme Court inched closer toward implementing Internet access to state court records while extending its nearly three-year moratorium on such access for another year. In an administrative order, the justices approved a court committee’s controversial recommendation that the Florida courts should move to a statewide system of easily accessible online court records. [Source]

 

US – Consultant Hacks Into FBI’s Computers

A US government consultant, using computer programs easily found on the Internet, managed to crack the FBI’s classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. [Source] [Source]

 

US – University Notifies 180,000 of Personal Data Loss

Western Illinois University is notifying more than 180,000 people that their personal data is at risk after hackers entered its networks. The university said it mailed the last of its notifications to people whose social security number, credit card account number and other sensitive information were on the student service servers in the security breach. [Source]

 

US – Naval Safety Center Leaks Personal Information of 100,000 Sailors, Marines

A probe is under way to determine how the personal information of more than 100,000 Navy and Marine aviators and air crew was available on the Naval Safety Center’s Web site since December. The information was removed last week. [Source]

 

UK – Identity Card Scheme Faces Delay

The UK’s ID card scheme may have to be delayed, the government has admitted. The Home Office said the 2008 launch date may change, following a review of the department ordered by the new Home Secretary John Reid. The process of putting contracts to establish the scheme out to tender - which software suppliers expected in March - has been put back indefinitely. [Source] [Source] [Source]

 

US – Experts Form Research Center to Battle Identity Fraud

An alliance of businesses, colleges, and federal crime fighters will combine their expertise at a new research center that will study the problems of identity theft and fraud. The Center for Identity Management and Information Protection will be established in upstate New York at Utica College and research will focus on critical issues in identity management, information sharing policy, and data protection. [Source]

 

US – Judge Bars U.S. from Publicizing Its Credit Monitoring Offer

A U.S. federal judge has temporarily barred the government from publicizing its free credit-monitoring offer to veterans whose personal data was stolen and wants to see if they might get a better federal offer. Lawyers who have filed a class-action lawsuit on behalf of the 26.5 million veterans and active-duty troops affected contend that accepting the government’s offer could jeopardize their chance of winning more money in the privacy suit. [Source]

 

UK – U.K. Creates ‘Public Private Forum on Identity Management’

The UK Government has appointed a chair for the new Public Private Forum on Identity Management. The Forum will examine the evolving technologies used for identity management and consider how public and private sectors can work together to maximise efficiency and effectiveness. [Source]

 

US – Class-Action Lawsuit Calls Microsoft Windows Feature “Spyware”

Microsoft has been named in a second lawsuit over its antipiracy Windows Genuine Advantage program, which plaintiffs allege acts as “spyware” on their systems. Engineered Process Controls, Univex and several other parties filed a class action lawsuit in U.S. District Court in Seattle, alleging Microsoft installed “spyware” on their computers as a “critical security update.” [Source] [Source]

 

WW – Microsoft to Publish Its Privacy Rules

Microsoft plans in August to publicly release the privacy rules its employees have to follow when developing products. Microsoft says the move, which offers a look behind the scenes at the company, is meant to give the industry an example of what the software giant sees as best practices in customer privacy. [Source]

 

US – FTC “Concerned” About MySpace & Other Networking Sites

The FTC has told Congress it is concerned about potential danger to children who visit social networking Web sites, such as MySpace.com. In testimony before a House Committee, FTC Commissioner Pamela Jones Harbour said there is a "need for social networking Web sites -- individually, collectively, and, most importantly, expeditiously -- to develop and implement safety features to protect children who visit their sites and empower parents to protect their children when they do so." Last month, the FTC provided advice for parents and children about safely using social networking sites such as MySpace, Facebook, and others. The tips are featured on one of the most popular sections of OnGuard Online, an online education resource covering safe and secure computing. [Source]

 

US – Five Arrested In Theft of LexisNexis Data

US federal authorities have arrested five men in connection with a 2005 network breach at LexisNexis Group that the database giant said led to the theft of personal records on more than 310,000 individuals. The government charges that the men, who range in age from 19 to 24, used stolen database accounts to look up sensitive data on a number of individuals. [Source]

 

CA – New CIPS Designation Boosts Academics, IT Pros

The Canadian Information Processing Society (CIPS) is making improvements to its Information Systems Professional (ISP) designation program by creating a body of knowledge all IT practitioners should attain. The Mississauga, Ont.-based society is also updating its code of ethics to reflect changes in the compliance and privacy landscape in Canada, and extending the ISP designation to groups that have not been eligible in the past such as academics and experienced IT professionals without computer science degrees. [Source]

 

WW – International Bank HSBC Hit by Bangalore Breach

A security breach at international bank HSBC’s offshore data-processing unit in Bangalore has led to funds being stolen from the accounts of a small number of UK customers. A 24-year-old worker at the HSBC operation has been suspended after being accused of accessing confidential account information and passing it on to criminal associates in the UK. [Source]

 

WW – Search Engine Promises Complete User Privacy

A Dutch search firm said that it will stop recording details of its users' online activity in response to growing concerns over internet privacy. The company behind the Ixquick metasearch engine claimed that the move makes it the only search engine permanently to delete all personal search details gleaned from user log files. "This new feature of our search engine ensures optimal privacy protection and maximum search performance for our customers, since they will be able to search using the 12 best search engines without their personal data being recorded," said an Ixquick spokesman. [Source]

 

US – Two OU Grads Sue Over Data Breaches

A lawsuit filed by two Ohio University graduates asks the school to pay for credit monitoring for more than 173,000 people who were affected after hackers breached the university’s computer system five times. The suit seeks class-action status for all of the people affected and compensation for anyone who may incur financial harm from identity theft resulting from the breaches. The lawsuit came on the same day that the school’s Board of Trustees voted to spend $4 million on computer security upgrades. [Source]

 

EU – Unisys, Microsoft Team up on EU Cross-Border Police Data System

Microsoft announced last week that it was teaming up with Unisys to create the technology platform for a cross-border system to share police data in the European Union. The system, which is used by police and border guards on the Schengen area's external borders, stores data about people who should not be allowed into the area, terrorist suspects and people who should be under surveillance. [Source]

 

US – Report: Range of Laws Used in Fight Against Spyware

State and federal law enforcers are increasingly cracking down on distributors of malicious spyware and adware using an array of laws aimed at fraud, deception and snooping, CDT finds in a new report. Led at the federal level by the FTC and Justice Department, and in the states by the attorneys general, law enforcers have been able to apply a broad range of statutes against those who distribute dangerous and unwanted software by surreptitious means. CDT's report charts the important cases against spyware distributors and identifies the statutes applied. [Source] [Report]

 

HK – Privacy Campaign Aims to Protect Hotel Guests' Data

Hotel staff should not photocopy customers' passports when checking them in or use their personal data for unsolicited marketing, industry professionals will be taught over the next three months. Privacy Commissioner Roderick Woo Bun yesterday launched a hotel privacy campaign with the Hong Kong Hotels Association in a bid to train workers in handling the large amount of personal data to which they have access. [Source]

 

US – Data Brokers and Buyers Anger Congress

Congress learned last week during a series of hearings aimed at exposing peddlers of personal data that almost every piece of personal information that Americans try to keep secret is semi-public and available for sale. A House Committee subpoenaed representatives from 11 companies that use the Internet and phone calls to obtain, market, and sell personal data, but they refused to talk. All invoked their constitutional right to not incriminate themselves when asked whether they sold “personal, non-public information” that had been obtained by lying or impersonating someone. [Source]

 

US – AT&T to Pay $550,000 to End Two Privacy Regulatory Matters

AT&T will pay $550,000 to resolve two separate regulatory matters. Of note, the agreement resolves an issue that was publicized earlier this year, when the FCC had proposed fining AT&T $100,000 for failing to prepare and maintain an annual certification of procedures for protecting the privacy of consumer records. [Source]

 

US – White House Orders New Data Security Standards

The Office of Management and Budget has sent department heads an order to implement new data security standards, which must be in effect in 45 days. The new standards - which come after a series of government security breaches that exposed the personal information on millions of veterans and other Americans - require encryption for most laptops and mobile devices. In addition, the order calls for two forms of authentication for a user to access the data. [Source] [Source] [Analysis: Government Data Security Guidelines Could Lack Teeth]

 

US – New Report Says e-Voting Systems Flawed

Researchers have concluded that the most widely used electronic-voting systems all have flaws that can be addressed relatively easily, but few states and counties have actually implemented recommended security measures. The researchers also found that even the printing of paper records, which are widely seen as a countermeasure to hacking and other attacks on ATM-like touchscreen machines, does little good if audits are not routinely and automatically performed. [Source]

 

EU – Public RFID Discussion Opened in Europe

The EU has begun a public forum, “Your Voice in Europe,” to encourage citizens to discuss RFID technology. This follows a series of workshops from March through June with governmental agencies and the private sector to examine RFID. Various topics were discussed in these workshops, including RFID security, data protection and privacy, and the economic and societal rationale for RFID use. “Your Voice in Europe” is the campaign to bring the public into the debate. [Source] [Survey Site] [Consultation Site]

 

US – US-VISIT RFID Trial Shows Security Holes

A report from the DHS Office of Inspector General highlights data security issues and recommends US-VISIT develop and follow policy and procedures for its RFID system. The US-VISIT program is failing to adequately protect personal data being stored in databases and collected via RFID inlays embedded in its I-94 visa forms, and it should design and follow policies and procedures regarding the use of RFID technology and protections around personal information linked to RFID tags, according to the report. [Source] [Skinner: US Visit program RFID needs better security controls]

 

KR – Grocery Store Chain Employs RFID to Profile Shoppers’ Buying Habits

The second largest grocery store chain in Korea has fitted its shopping carts and baskets with RFID chips to track shoppers’ movements. The data gathered by the RFID system will allow the chain’s 69 stores to place products “according to their profiles and habits,” the spokesman said. Notices are posted around the store informing customers that technology is in use that is tracking their habits. There have been no privacy complaints to date, according to the spokesman. [Source]

 

US – NASCIO Releases Brief on Evolving State Chief Information Security Officer Role

The National Association of State Chief Information Officers (NASCIO), which represents the chief information officers (CIOs) of the states, released a brief on the evolving role of the state Chief Information Security Officer (CISO). Entitled “Born of Necessity: The CISO Evolution – Bringing the Technical and the Policy Together,” the research brief examines the role of the state CISO as it has evolved in response to the growing complexities of the IT threat environment, homeland security concerns, and the increasing demands for enhanced citizen services. Specific points this brief addresses include: critical state CISO success factors, security governance and reporting structures, the breadth and depth of CISO authority, the range of CISO responsibilities, the importance of a CISO’s relationships with internal and external stakeholders, the CISO and information privacy, typical CISO education, experience, certification, and compensation, what state CISOs really need to do their jobs, and a few predictions on the future evolution of the state CISO. [Source]

 

WW – Study: Who Are You? Can You Prove It?

A recent study sponsored by RSA Security looked at trends in access and authentication and revealed that, despite advances in authentication technologies, the majority of organizations still rely primarily on user names and passwords for application access. The study also confirms the proliferation of systems requiring secure access, typically tens in small and mid-size organizations and hundreds in larger enterprises. [Source] [Report: Managing Access Securely]

 

WW – Study: Organizations Facing Unnecessary IT Security and Financial Risks

A report released last week finds that North American organizations are exposing themselves to significant security and financial risks because of the inability to properly manage their IT assets. High instances of missing anti-virus software, un-patched software, the prevalence of malware and poorly managed hardware lifecycles are negatively impacting the effectiveness of the average information worker. Some stats:

 - 1 in 16 corporate PCs missing anti-virus software entirely

 - 23% of PCs missing major operating system service packs

 - 49% of PCs show moderate to severe infestations of ‘malware’

 - 39% of PCs beyond stated system retirement age

 - 64% of corporations violating own operating system deployment policies [Report]

See also Deloitte & Touche report “Protecting the Digital Assets: the 2006 Technology, Media & Telecommunications Security Survey.”

 

AU – Government Releases Smart Card Interoperability Framework Documents

The Australian government has unveiled framework documents for the development of the smart card for government employees and contractors. The documents include guidelines on data and privacy management. The documents were released for public comment. Special minister of state Gary Nairn said that interoperability among agencies “shouldn’t be seen as being at the expense of citizens’ privacy, rather it should be seen as strengthening it.” [Source]

 

US – FBI Seeks New Law Requiring ISPs to Allow Wiretapping

The White House is nearing an agreement with Congress on legislation that would write President Bush’s warrantless surveillance program into law. The FBI has drafted sweeping legislation that would require ISPs to create wiretapping hubs for police surveillance and force makers of networking gear to build in backdoors for eavesdropping. The draft bill would place the FBI’s Net-surveillance push on solid legal footing. Now, it is ensnared in a legal challenge from universities and some technology companies that claim the FCC’s broadband surveillance directives exceed what Congress has authorized. [Source] [Source]

 

CA – Bell Sympatico Intends to “Monitor or Investigate Content”

Bell Sympatico has informed its customers that it intends to “monitor or investigate content or your use of your service provider’s networks and to disclose any information necessary to satisfy any laws, regulations or other governmental request.” According to Michael Geist, Bell’s new customer service agreement, which took effect June 15, is a clear signal the telecommunications industry expects the government to revive the lawful access surveillance law. [Source] [Bell: We're not spying]

 

CA – Drivers Sought to Test Black Boxes for ICBC

The Insurance Corp. of B.C. is looking for 400 drivers willing to let a black box spy on when, where and how safely they drive. If a pilot project finds that people using the devices drive more safely, it could lead to rate discounts of up to 2%, said an ICBC spokesman. But the research director for Safety by Education Not Speed Enforcement warned the move is part of the "insidious creep of technology" that allows auto insurers to look for liability loopholes. [Source]

 

US – Privacy Advocates Wary Of AT&T’s Privacy Policy Changes

Some observers say AT&T’s decision to change its privacy policy to specifically state that it owns the information of its Internet and video customers may lead other companies to lay claim to their customers’ data. [Source] [Source]

 

US – Survey: 62% Oppose Database for Tracking of College Students

Citing concerns about privacy and cost, a majority of Americans said they oppose the idea of the federal government collecting vast amounts of information about individual college students in order to monitor their progress, according to survey results released Thursday by a group representing private universities. The group conducted the survey after the database was proposed last month in a draft report by the Bush administration's Commission of the Future of Higher Education. Under the proposal, colleges and universities would be required to submit individual academic, enrollment and financial aid data, which could be used to track every college student. [Source] [Source] [Source]

 

US – DHS Privacy Chief Leaves to Join Hunton & Williams

Maureen Cooney, acting chief privacy officer at the Department of Homeland Security, has announced that she will leave to join Hunton & Williams LLP as Counsel to the law firm and Senior Policy Advisor for Global Privacy Strategies for the firm’s Center for Information Policy Leadership. Cooney, who will join the firm in September, has served as the top privacy officer for DHS since her appointment in September 2005. [Source]

 

US – Identity Theft Bill Would Create National Standard for Banks, Other Entities

Sens. Robert Bennett (R-Utah) and Tom Carper (D-Del.) have introduced a bill that would require companies and government agencies to notify consumers of security breaches if the incident could lead to identity theft or account fraud. The bill would not require businesses to notify consumers of every security breach. The American Bankers Association supports the bill, which a spokesman said takes into account that “it’s not necessary to design a completely new system to address data breaches.” [Source]

 

US – Consumer Groups Oppose Federal Data Security Bill

A bill sponsored by Rep. Darlene Hooley (D-Ore.), which may pass the House this week, has been dubbed by consumer groups the “worst data security bill ever.” A longtime advocate of legislation to better protect Americans from identity theft, Hooley acknowledged that the measure has some flaws. The bill, known as the Financial Data Protection Act, would set a national standard for protecting personal and financial data. The bill would override laws in 18 states that allow any consumer to freeze his or her credit. Instead, only consumers who had been ID theft victims would be allowed to freeze their credit. Hooley said she would seek to change that aspect of the bill this week to allow the states to “do whatever they want in that area.” [Source]

 

US – Illinois Governor Signs Identity Theft Bill

Governor Blagojevich signed a bill outlawing the practice of “pretexting.” The law makes it illegal for someone to obtain personal information by posing as another person. The law was prompted by concerns over the illegal sale of personal information online. [Source]

 

CA – Canadian Study Finds Widespread Workplace Monitoring

A new study from Ryerson University, entitled “Under the Radar,” reports that Canadian employers engage in widespread employee surveillance. Canadian companies have the capacity to monitor the movements of employees using an increasing variety of sophisticated techniques. Said lead author and Ryerson professor Avner Levin: “I would definitely say that the technology is in place for pretty much every employer... to monitor the activities and the messages that their employees are putting out.” In most cases, employers don’t start out with the plan to spy on their employees. “Often the technology is introduced for one purpose and then just because it is there and the costs associated with continuing to use it for other purposes are not that expensive, employers just go continue to use it for a variety of purposes.” Levin was taken aback by employers’ attitudes toward employee privacy; many respondents to the survey expressed little concern for the privacy implications of such activity. [Source] [Source] [Source]

 

US – Employees Sue Railroad Over Social Security Number Theft

Concerns about identity theft prompted a group of nine Union Pacific Corp. employees to sue the nation's largest railroad over its use of Social Security numbers to identify employees. The Omaha-based company said in May that a computer with names and Social Security numbers of 30,000 current or retired Union Pacific employees had been stolen from a personnel employee April 29. The lawsuit claims that Union Pacific acted negligently by failing to protect the data. [Source]

 

--------