A half-dozen HR data breaches were reported in October, each illustrative of a different way in which sensitive personal information can be compromised:  the City of Fresno (5,700 employees impacted by a break-in and theft of computer equipment from a vendor processing workers compensation claims); City of Charleston (information on 535 Administration Department employees exposed when a laptop was stolen from an auditor’s vehicle); Shell Oil (an undisclosed number of employees jeopardized by an IT contractor who used stolen data to file fake unemployment claims); Medical Mutual of Ohio (11 computer disks with information on 36,000 employees and retirees missing in the mail); NYS Labor Department (personal data of 400 applicants for unemployment insurance mistakenly mailed to other applicants); and PSS World Medical (an undisclosed number of job applicants impacted by unauthorized access to private information associated with an online job board).

The Massachusetts Office of Consumer Affairs and Business Regulation issued regulations, effective January 1, 2009, that require businesses to develop and implement a comprehensive, written information security program for handling ID theft-related personal information in either paper or electronic form.  The security program must contain more than a dozen components that collectively are more rigorous than those normally imposed by the FTC in its enforcement actions, including:  designation of responsible individuals; risk assessments; security policies; employee training; disciplinary sanctions; personal information inventories; passage of security program requirements on to vendors; documentation of breach-related activities and responses; and encryption of personal information on portable devices and in transmission.  The regulations, promulgated on September 22, were authorized by a data breach law passed in August 2007.

September was a relatively quiet month for HR data breaches, with losses reported by Intuit (22,000 employees impacted by a previously reported break-in at an HR outsourcing vendor, Colt Express, that also affected 19 other companies); Orbitz Worldwide (loss of an undisclosed number of employees’ information on a laptop stolen from a car); and U.S. Foodservice (a significant but undisclosed expansion in the number of employees impacted by a previously reported laptop theft).

A new Cyber-Ark Software survey of 300 IT security professionals reveals that 88 percent of IT administrators, if laid off tomorrow, would take valuable and sensitive company information with them, including the CEO's passwords, customer databases, R&D plans, financial reports, M&A plans, and the company's list of privileged passwords.

In a major advance in corporate privacy, the Justice Department announced it would no longer pressure companies to wave attorney-client privilege and not pay the legal fees of employees accused of crimes.  The announcement came on the same day as a federal court ruling dismissing charges against 13 employees in the KPMG tax fraud case, in which the government used these tactics.  Under the new policy, the Department will evaluate corporate cooperation based upon information provided by a company, rather than whether it was willing to waive attorney-client privilege.

Pressure mounted against seizures of laptops at border crossings following the Dept. of Homeland Security’s release of policy guidelines governing such actions.  The government is claiming expansive powers to randomly search laptops, decrypt and translate any information on the machine, and even retain the laptop for an indeterminate amount of time. Several legislators have promised to introduce bills prohibiting such open-ended, suspicion-less searches when Congress returns after its summer recess.  The Canada Border Services Agency was reported to be following a similar policy at its border crossings.

Following the record-setting 11 data breaches reported by employers in July, only four were noted in August, by Charter Communications (a dozen laptops containing detailed personal information on 9,000 current and former workers nationwide stolen from a South Carolina office); Delphi (a flash drive with SSNS and other personal data about 2,600 former Dayton-area workers removed from the unattended laptop of a state employee); Ohio Police & Fire Pension Fund (data of 13,000 retirees improperly taken by a former fund employee); and the US Army (data of 50,000 noncommissioned officers on promotion lists compromised by inadvertent posting on the Internet).

The Australian Law Reform Commission released its final report on its multi-year review of Australian privacy laws.  The 2,700 page report contains some 295 recommendations, including removal of exemptions for employee records and small businesses, institution of a statutory cause of action for privacy invasions, a mandatory data breach notification requirement and tighter controls on cross-border data transfers.  Observers expect a year or more to pass before any of the recommendations are adopted and enacted into law.

The Privacy Commissioner of Canada released new guidance and checklists to help businesses evaluate their privacy practices and compliance with Canada’s private sector privacy law. The release coincided with Privacy Awareness Week, which ran from August 24 to 30 and was organized by the Asia Pacific Privacy Authorities (APPA).

Two years after enacting a comprehensive data protection law, implementation efforts are finally reported to be underway in Russia.  The Federal Service for Oversight of Mass Media, Communications and Protection of Cultural Heritage, the agency emerging as responsible for overseeing compliance with the law, has launched a website and begun registering data controllers.  Although there are a number of exemptions to the registration requirement, more than 11,500 businesses have registered to date, with 300 signing up during the last week of July alone. 

The Certification Commission for Healthcare Information Technology (CCHIT) launched an industry working group in June that will create a certification plan to protect the privacy of consumers who use personal health record (PHR) technologies.  CCHIT, which hopes to begin certifying personal health record providers and services in July 2009, has adopted a “big tent” definition of PHRs as any product or service that performs either or both of the following activities: (1) collecting, receiving, storing, or using personal health information (PHI) as part of a consumer data stream or PHR services; and (2) transmitting or disclosing to a third party any PHI gathered through or derived from a consumer data stream or PHR services. 

CNIL, the French data protection authority, announced in late June that it had carried out audits of the HR functions of 50 unnamed French companies, with the audits leading in several cases to enforcement actions. The most frequent problems the CNIL encountered were failure to inform employees about their data protection rights; failure to adequately protect employee personal data, particularly in cross-border data transfers; and the absence of policies for the disposal of data.  CNIL also reported that anonymous whistleblower hotlines required by SOX are rarely used by French employees, and that many employers failed to notify the CNIL before putting them in place.  Over the past several years the CNIL, under the leadership of Alex Türk, who also chairs the influential Article 29 Working Party, has emerged as one of the most vigorous data protection regulators in Europe.

Google, Microsoft, Cisco Systems, Intuit, Aetna, Blue Cross Blue Shield and 25 other organizations announced support for a privacy guideline framework for protecting the data people keep in their online personal health records (PHRs).  The privacy framework, hundreds of pages in length, is the outcome of a Markle Foundation initiative that supported an industry working group over the past 18 months.  The guidelines, known as the Common Framework, are based upon the idea that information in a PHR should be under the control of the individual.  They consist of a set of 17 mutually-reinforcing technical documents and specifications, testing interfaces, code, privacy and security policies, and model contract language. About 9 in 10 Americans call privacy-related factors essential or significant to their use of an online PHR, according to a recent Markle survey. 

President Bush signed House Bill 493, the Genetic Information Nondiscrimination Act, into law on May 21. The bill, which prohibits employers and insurers from discrimination on the basis of genetic information, contains some surprises and challenges for employers.  Genetic information is defined broadly, to include not only the results of genetic testing but also information about "the manifestation of a disease or disorder in family members”, such as that found in family medical histories of the employee or of the employee’s spouse or dependents.  The law does not become effective until November 21, 2009.

As some corporations, such as Dell, begin to utilize Facebook’s social networking software, privacy advocates and regulators continue to pressure the company to improve its privacy policies and practices. In Canada, Federal Privacy Commissioner Jennifer Stoddart said in a speech at Queens’ University that websites such as Facebook and MySpace were “the single biggest threat to the security of Canadians' personal information.” A few weeks later CIPPIC, a Canadian public policy group, filed a complaint with Commissioner Stoddart charging Facebook with 22 separate violations of a Canadian personal information protection law. In the US, Facebook reached an agreement with Attorneys General from 49 states and the District of Columbia to strengthen privacy protections for minors and teenagers using the site.

A group of HR organizations, led by the Society for Human Resource Management, is backing a federal bill that would replace the E-Verify program with one based on existing state systems used to locate non-child-support-paying parents.  The New Employee Verification Act (H.R. 5515), introduced by Reps. Sam Johnson, R-Texas, Kevin Brady, R-Texas, and Paul Ryan, R-Wis, would expand the use of databases currently used by 90% of US employers and eliminate the paper-based I-9 process.  Supporters claim the new approach would help prevent ID theft and be more reliable than the E-Verify program.

A federal appeals court ruled that NASA should be blocked from conducting intensive background checks on low-risk employees at its Jet Propulsion Laboratory, saying the practice threatens workers' constitutional rights.  The government had demanded that the workers, who include scientists involved with the Mars Rover mission, fill out questionnaires on their personal lives, waive the privacy of their financial, medical and psychiatric records and permit open-ended interviews with third parties about them.  As a result of the decision, NASA will be enjoined from proceeding with the investigations while a suit brought by the workers proceeds.

With the passage of a new law that became effective on January 1, New York became the fifth state to restrict even the use of truncated Social Security Numbers by companies.  A total of 29 states now have laws prohibiting certain common uses of SSNs.  The New York law also requires companies to take “reasonable measures” to ensure that access to SSNs is strictly for “a legitimate or necessary purpose” and that “necessary or appropriate” safeguards are in place to protect the confidentiality of SSNs.

Microsoft has filed a patent application for a computer system that links workers to their computers via wireless sensors allowing managers to monitor employees’ performance by measuring their heart rate, body temperature, movement, facial expression and blood pressure.  Such systems have been used for astronauts, pilots and firefighters, but never for office workers.  While described as a tool to alert managers to the need to intervene when a worker experiences excessive stress or frustration, revelation of the patent application drew strong criticism from unions, civil rights lawyers and privacy advocates.  A separate patent application from Microsoft presents a method of collecting offline information from users' cell phones, geolocation systems, credit-card information and other data sources to build individual profiles that can facilitate "targeted advertising" when the users go online.

There was no lessening of breaches of employee data in January, with losses reported by the Workers Compensation Fund in Utah (a laptop containing information on 2,800 individuals stolen from the garage of a staff auditor); Health Net in Connecticut (5,000 employees affected by a laptop stolen from a vendor); University of Wisconsin-Madison (information of 200 employees exposed on the Internet); and the Navy Surface Warfare Center (up to 10,000 employees at risk when four ID thieves were apprehended with employment verification reports).

On January 19 the Spanish Data Protection Agency published a new Regulation on Data Protection (Royal Decree 1720/2007, of December 21, 2007, currently available only in Spanish).  The Regulation establishes new rules on the relationship between data controllers and data processors, on security measures and on paper files.  It also authorizes the Data Protection Agency to declare that a non-European country has an adequate level of protection for purposes of data transfers, even if that country has not been approved by the European Union.  A provision that calls for getting consent from family members could affect conflict of interest and benefits practices of employers.

The FTC has published “Protecting Personal Information: A Guide for Business”. The 28-page high-level guide, which may be most valuable to small and medium-sized businesses, promotes a data security plan built upon five key principles:  Take Stock; Scale Down; Lock It; Pitch It; and Plan Ahead.  The FTC website makes the basic content of the guide available in an online multi-media tutorial (mistakenly called “interactive”), as well as in a set of PowerPoint slides.

A US District Court in California issued an order temporarily blocking implementation of the Department of Homeland Security’s regulation on the legal obligations of employers receiving "no-match" letters from the Social Security Administration.  A hearing on the Immigration and Customs Enforcement ("ICE") program will be held on October 1.  Separately, the Bush administration filed suit to block a new Illinois law that bars employers from using the federal employment verification database until it is certified as being 99% accurate.

The scope of the August data breach at Monster.com widened in September, with evidence that 150,000 users of USAJobs.gov, the official federal government job site for which Monster provides technology, had been affected by malicious software that siphoned off their contact information.  Veterans and National Guard members using TurboTAP.org, a Department of Defense website designed to ease transition to civilian life, were also impacted.  Monster has warned all active users of its job boards that their personal contact information may have been compromised.  Experts contended that the breaches could have been prevented through readily available security measures.  Meanwhile, records of 800,000 job applicants at the Gap were exposed when an unidentified vendor managing applicant data for the retail chain reported the theft of an unencrypted laptop.

Pfizer reported the third breach of employee data in as many months, this one affecting 34,000 employees who received letters on August 24^th stating that the company had only recently learned that their confidential information had been taken without authorization from an internal system late last year.  Earlier breaches stemmed from an employee’s use of peer-to-peer software and the theft of a laptop from a contractor’s vehicle.  Apart from the losses at Pfizer and the Gap, no other significant new breaches of employment-related data were reported, making September the quietest month for such losses in the last two years.

According to documents obtained under FOI legislation, the European Commission believes that the government of the UK failed to properly implement almost one-third of the articles of the Data Protection Directive.  Deficiencies were previously thought to center on the definition of personal data, but are now seen now include the handling of manual files; the conditions under which sensitive personal data can be processed; the fair processing notices give to individuals; the rights granted to data subjects; the application of exemptions from these rights; the ability of individuals to seek remedies for breaches; liability for breaches of data protection law; transfers of personal data outside the EU; and the powers of the Information Commissioner.  The Commission has been negotiating with the UK government for several years; it could initiate infringement proceedings before the European Court of Justice at any time.

After staging the largest public consultation process in its history, the Australian Law Reform Commission (ALCR) has released 301 proposals that would involve a sweeping overhaul of Australia's privacy laws.  Amongst the proposals are calls for bringing public and private sector organizations under a single unified privacy law; eliminating the current exemption for employee records; data breach notification requirements; a new statutory cause of action where an individual’s reasonable expectation of privacy has been violated; and expanding the enforcement powers of the Information Commissioner   The ALRC will make its final recommendations to the government in March 2008 after a further round of public consultation.

Other HR data breaches in August placed 445,000 pensioners of the State of California and 280,000 pensioners of New York City in jeopardy of ID theft; the west coast breach occurred when SSNs were accidentally printed on mailing labels attached to brochures announcing an upcoming CalPERS election, while the east coast breach involved a laptop stolen at a restaurant from a consultant hired by the City.  Breaches were also reported during the month by the security firm VeriSign (a laptop stolen from the garaged car of an employee); by Merrill Lynch (a laptop containing information on 33,000 employees stolen from a corporate office in New Jersey); and by Pfizer, which suffered a major breach last month (this time a laptop with information on 950 employees stolen from a consultant’s car in Boston).

The International Security, Trust and Privacy Alliance (ISTAPA), a global alliance of technology providers, research institutions and companies, released an 85-page study entitled Analysis of Privacy Principles: Making Privacy Operational.  The study provides a structured comparison of 12 international data protection laws and directives, including the EU Data Protection Directive, the U.S. Privacy Act, and California’s data breach notification law.  It is designed to be useful to privacy practitioners responsible for developing operational requirements for implementing privacy in their business processes and IT systems.