The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Roll call of data breaches grows in the UK

The UK Information Commissioner has been notified of almost 100 data breaches by public and private sector organisations since the loss of 25 million people’s details by HM Revenue and Customs last November, according to figures released this week.  Half of the 28 private sector security breaches were by financial services companies.

The lost items include unencrypted laptops, computer discs, memory sticks and paper records. Information has been stolen, gone missing in the post and gone missing while in transit with a courier. The material covers a wide range of personal details, including financial and health records.

The ICO is investigating the circumstances of the breaches. The Information Commissioner has now decided to use its enforcement powers to require organisations to make procedural changes that improve data security, such as encrypting data on portable devices and media.


Actress Sues Individuals Over Craigslist Job Posting Allegedly In Her Name

Unlike many plaintiffs in other Web site posting cases, this one is suing the users who actually posted the content as opposed to the service provider (Craigslist). The causes of action are fraudulent impersonation, appropriation invasion of privacy, false light invasion of privacy, conspiracy to invade privacy, and conspiracy to commit criminal conduct. No separate claim for violation of the right of publicity is stated, although it might be included in appropriation invasion of privacy.


“Whaling” Is the Latest Phishing Craze

First there was "phishing" (sending spoofed e-mails en masse to see who would bite), then "spear phishing" (aimed at particular victims), and now "whaling" (aimed at senior executives and other high-value targets inside large corporations).
So look before you click on that "official" subpoena.


Australia issues draft voluntary data breach guidelines

The Australian Office of the Privacy Commissioner has released a consultation draft of data breach response guidelines.

The guidelines recommend four steps in responding to a breach:

  1. Contain the breach and do a preliminary assessment.
  2. Evaluate the risks associated with the breach, for example, what information is involved, who and what caused the breach, who is affected, and what is the risk of harm to those affected.
  3. Consider and issue notification.
    • When to notify? Most importantly, the OPC has recommended a harm-based analysis for notification: "In general, if an information security breach creates a real risk of serious harm to the individual, those affected should be notified."
    • How to notify? Notification may be sent directly to the affected individuals, for example by phone, mail, in person or (notably) email. Indirect notification, for example, in the media or posted on a website, should occur only when direct notification could cause further harm, when costs are prohibitive, or when contact details for affected individuals cannot be determined.
    • What to notify? The draft recommends type of information involved, how the company has responded, what assistance is being provided to affected individuals or other sources of information available, company contact details, whether the regulator has been notified, and how a complaint may be lodged with the Privacy Commissioner.
  4. Prevent future breaches.

While the Privacy Commissioner has issued these voluntary guidelines, she has also recommended mandatory breach notification to be included in the coming rewrite of the Privacy Act. So this draft provides insight into how Australia might incorporate such a notification requirement.

Comments have been requested by June 16, 2008 and can be sent to


Working Party fires shot across the bow on search engine privacy

The Article 29 Working Party has issued its opinion on search engine privacy, the BBC and CNET report. The recommendation takes a number of shots at Google’s business practices, and indeed those of the search industry as a whole. One position the working party took was expected – that IP address is personal information. Another is a development with widespread impact – that search histories and profiles, even without additional identifiers, are personal information.

The opinion clarifies some points about jurisdiction and non-EU based providers, and outlines a number of responsibilities of search providers, including:

  • Delete or anonymize personal data (including IP addresses and search histories) after 6 months or, if the data are kept longer, retain them no longer than is strictly necessary for the declared purposes. Information about data retention should be clearly accessible from the home page.
  • Other than such information that must be collected to provide the service, do not require additional personal data from users to perform a search.
  • Minimize cookie periods to no longer than demonstrably necessary. Use Flash cookies only with transparent information about their use and control.
  • Do not add data from third parties to existing profiles without consent.  
  • Give users rights to access, correction and deletion of data held about them, including profiles and search histories.
  • Do not correlate data across services without informed consent.

The opinion also discusses a number of issues relevant to the indexing and caching of websites, and search providers’ responsibilities with respect to personal data that might be contained therein. The working party notes that providers of caching services can at some point become data controllers (and thus required to provide access, correction and deletion rights) if they retain the cache for longer than is needed to cover temporary inaccessibility of the website. An interesting question about this interpretation is to what extent it would apply to caching for historical purposes, like the Wayback Machine.


BCR come of age

At the recent International Association of Privacy Professionals’ Summit in Washington DC, BCR (binding corporate rules) was one of the most frequently used buzzwords, alongside data breach notification, behavioural targeting and global compliance, which shows that the BCR concept is probably the most popular EU data protection law feature outside the EU.

BCR are finally coming of age and establishing themselves as a real runner.  A number of factors evidence this, and much of the concern of previous years has turned into excitement.  For starters, BCR is one of the top priorities for the Article 29 Working Party according to its Work Programme for this year.  In fact, the Working Party subgroup dealing with BCR has already met several times since the beginning of 2008, which is quite an important indicator given that last year it met only once.

At a national level, EU member states and their data protection authorities are making all the right noises to ensure that the use of BCR to legitimise personal data transfers is a workable proposition.  Some countries, like Spain, have even amended primary legislation to facilitate the external binding effect of unilateral declarations made by corporate entities.  Other jurisdictions like Italy or Greece are looking to take similar steps, but what is truly encouraging about this is that such moves have been promoted by the regulators themselves.


UK Information Commissioner continues enforcement spree

The UK Information Commissioner’s Office (ICO) is not showing any signs of relaxation as far as its reinvigorated enforcement policy is concerned.  In recent weeks, the ICO has successfully prosecuted a Manchester debt recovery firm and two London lawyers for various offences under data protection law.  Following thousands of complaints from individuals and businesses to the ICO, ADC Organisation Ltd pleaded guilty to six charges under the Privacy and Electronic Communications Regulations and must pay a total of £2,500 in fines and costs.  In addition, Olubi Adejobi of Grier Olubi Solicitors and Robert Bentley of Bentley’s Solicitors, both based in London, were each fined £300 and ordered to pay costs of £500 for failing to notify as data controllers despite repeated reminders from the ICO. 

The ICO has also found Skipton Financial Services (SFS) in breach of the Data Protection Act. This follows the theft of an unencrypted laptop containing the personal information of 14,000 SFS customers. The laptop, which held names, dates of birth, national insurance numbers and investment amounts, was stolen from an SFS contractor. It is the ICO’s view that SFS should have had appropriate encryption measures in place to keep the data secure.