The creation of a Privacy Task Force by Connecticut’s Attorney General was triggered by online and data privacy issues. This development was announced to the public last September 15th in answer to the ever increasing number of internet privacy concerns and data breaches. The announcement clarified that the task force’s main activity is public education about data protection requirements.

The Attorney General’s office has felt the need for a plan that will directly deal with these two big issues. Internet and data privacy problems have been pestering consumers and the general public interest for quite some time. There are at most a dozen ongoing investigations concerning security breaches. These cases mostly resulted in the loss of medical records of patients, insurance records or personal information of customers. A lesser number of cases have something to do with the unauthorized collection of personally identifiable information.

The office has also asked the help of giant tech companies to boost the campaign on protecting the privacy of consumers. While the investigations are going on, Google and Facebook have also committed to get involved in consumer protection. To some extent, the willingness of these companies to take part in the campaign is turning out positive results.

This blog is intended for Filipinos in the Philippines and all over the world. It’s good to get updated with privacy issues and how these affect people in different parts of the world. Read on…

Hindi nauunawaan ng karamihan sa mga mahihilig sa internet na maaari silang makulong kapag sila ay nagbibigay ng pekeng impormasyon tungkol sa kanilang sarili. Sa pamamagitan ng blog na ito, ang mga gumagamit ng Facebook ay mag-iisip muna ng maraming beses. Maaaring nakatatawa o parang walang halaga, subalit marami nang ganitong mga kaso. Maraming internet users ang naparusahan dahil sa paglabag sa “terms of use” ng isang website na hindi naman talaga binabasa.

Sa ngayon, ang ganitong batas ukol sa “cybersecurity” ay maaari pang palawakin ng U.S. Congress. Matatandaang mayroon nang Computer Fraud and Abuse Act na naipasa sa bansa noon pang 1986. Ito ay sumasaklaw sa lalo pang lumalaganap na computer hacking. Ang batas na ito ay nirerebisa at pinalalawak tuwing nakatakdang panahon. Sa ngayon may posibilidad na ito’y sumakop nang mas malawak na saklaw kaysa sa hacking lamang.

Internet users do not give second thoughts that they could be penalized for faking their personal information on the internet. Now, Facebook users may have to think many times before providing any false name, age, or date of birth on their accounts. Such occurrences may sound silly, but there have been several cases where users were penalized for violating the “terms of use” of the websites that they visited.

The U.S. Congress is now set on expanding the scope of laws that pertain to “cybersecurity”. There is already the so-called Computer Fraud and Abuse Act, which was enacted in 1986, but little is known about it. It mainly deals with the laws that pertain to computer hacking. Since its enactment, its provisions are periodically broadened, and it now extends far beyond hacking.

At present, it is unlawful for any person to use a website outside of its terms of “authorized access”. This means that users cannot go beyond the limits in the terms and conditions set by the owner. The user faces a criminal responsibility, particularly if these are committed within a workplace setting.

Once more, a data breach committed against patients’ hospital records stirred up privacy concerns. This time, it involved thousands of emergency room patients’ data that was posted online. The New York Times reported that Stanford Hospital in California verified that the records belonged to them, yet they are not certain as to how that data was stolen and who stole it.

The data has been on a commercial website for almost a year already, but the breach was discovered only last month. A hospital representative said that the data first appeared on that website on September 9, 2010. This makes it hard for hospital officials to tell exactly who committed the offense. There are many third parties who can actually gain access to this hospital data, and it could be any one of them.

There are many policies and regulations in place that oblige companies to publicly reveal data breaches. These laws impose heavy fines to give strength to such legislations. Experts on medical security connect the breach on the presence of too many outside contractors that are able to gain access to private hospital data.

These days, businesses cannot just shrug their shoulders if their customers’ email addresses are stolen or lost. They may have the legal obligation to immediately notify their customers about the data breach. The recent turn of events in the privacy arena serves as a wake-up call to businesses and CIOs.

There have been major changes in the way businesses are held responsible for the protection of personal information. Public disclosure of data breaches is taking a wider range so fast that it seems difficult for many businesses to cope with. They act as one in posing the question about which kind of data legally requires public disclosure.

It used to be that businesses and CIOs only concerned themselves with “personally identifiable information”. This means that if a company did not collect information that can identify or be traced back to a person, it has no obligation to disclose the loss of such data. But when a business collects data which includes bank account numbers, Social Security numbers, medical information and others, it has the obligation to inform the individuals of any data breach.

The most threatening and persistent online espionage was publicly disclosed last August. After years of surveillance, the disclosure was made by Silicon Valley internet security experts. They said that the cyberattacks were not new and had been going on for five years. U.S. companies and government agencies were some of the identified targets. If these attacks were to persist, they would clearly be threats to the country’s national security and economy.

In a statement by McAfee, there were 72 organizations targeted, but the total number could reach into the thousands, which include those that have not yet been identified. It was found that the attacks were mostly directed at stealing sensitive information. Analyzing the nature of the attacks, experts believed that the perpetrator is a nation. For privacy reasons, the experts chose not to name the offender.

The espionage slowly wears away at both the economic and national security advantages of the U.S., as stated by a McAfee spokesperson. He considers the activity to be a grave matter as it steals expensive intellectual property. The end result will unfavorably impact jobs and the condition of the economic community. The spokesperson kept other information about the data that is being stolen confidential because making this public might raise privacy concerns of the organizations involved. However, he reiterated that a nation-state is behind all of these attacks.

The recent discovery of the use of “supercookies” has prompted MSN to reconsider its use of this tracking tool. The company announced that it has stopped its secret tracking of users’ browsing behavior. Microsoft’s Associate General Counsel disclosed that without delay, the company investigated the code after researchers brought the concern to its attention.

It could be recalled that about a month ago, researchers at Stanford University identified a “supercookie” that is able to resurrect users’ cookies even after these were deleted. This means that the cookies persist even after a user intentionally deletes them. Without their knowledge, users’ browsing habits can still be monitored. They believe that everything is “safe” because the cookies were deleted, but that is not the case.

MSN responded quickly to the users’ protests by stopping the code. To remedy the situation, the company extended its efforts to giving reassurance to users about the company’s commitment to upholding their privacy. It clarified to the public that whatever users’ information was assembled by using the code was never shared with other companies or organizations.