IAPP Announces Appointments to New Education Advisory Board
Privacy pros with experience in diverse industries and disciplines are working with the International Association of Privacy Professionals (IAPP), the world's largest association for the privacy profession, to identify educational programming that captures emerging privacy issues while offering a range of advanced and general topics across industry sectors.

"The IAPP has been known for six years as the leading provider of privacy education, certification and networking for the growing ranks of privacy professionals," said IAPP Board President, Kirk M. Herath, CIPP/G, Associate Vice President, Chief Privacy Officer, Nationwide Insurance Companies. "The Education Advisory Board is another strong resource that will continue to reinforce and strengthen the IAPP's ability to deliver leading international privacy programming."

The 19-member committee comprises privacy pros representing financial services, healthcare, marketing, higher education, government, consultants, online services and information technology services.

J. Trevor Hughes, the Executive Director of the IAPP, announced the appointment of these IAPP members to serve on the inaugural Education Advisory Board.

The board's first mission was to cull through more than 200 IAPP Privacy Summit 07 session proposals submitted for programming consideration. The Education Advisory Board carefully reviewed the proposals and helped the IAPP craft programming for the IAPP Privacy Summit 07.

The board identified several priorities, including offering Summit attendees sessions on third-party relationships and auditing; government efforts to collect personal information from private-sector databases; and direct access to regulators - including Deborah Platt Majoras, Chairman of the Federal Trade Commission and Richard Thomas, Information Commissioner of the UK, two of the keynote speakers.

Inaugural Education Advisory Board Members

Deborah Butler, Chief Privacy Officer, Unisys Corporation
Mary Ellen Callahan, CIPP, Partner, Hogan & Hartson
Janet Chapman, Chief Privacy Officer, The Charles Schwab Corp.
Jay Cline, CIPP, President, Minnesota Privacy Consultants
Mike Drobac, CIPP, Global Private Client Privacy Office, Merrill Lynch
Dean Forbes, CIPP, Director, Corporate Privacy, Schering-Plough Corp.
Reed Freeman, CIPP, Partner, Kelley Drye Collier Shannon
Stuart Ingis, Partner, Venable LLP
Eva Kleederman, CIPP/G, Deputy for Privacy, Civil Liberties and Privacy Office, Office of the Director of National Intelligence
Jacqueline Klosek, CIPP, Associate, Goodwin Procter LLP
James Koenig, CIPP, Co-Leader Privacy Practice, PricewaterhouseCoopers
Sachin Kothari, Business Manager, Privacy SME, AT&T Inc.
Sagi Leizerov, CIPP, Senior Manager, Technology & Security Risk Services, Ernst & Young
David Lindstrom, CIPP/G, Chief Privacy Officer, Pennsylvania State University
Melissa Mitchell, Attorney, Vorys, Sater, Seymour, and Pease
Emily Mossburg, CIPP, Senior Manager, Deloitte & Touche LLP, Enterprise Risk Services, Security and Privacy Services Group
Brian O'Connor, CIPP, Chief Privacy Officer, Kodak
Rebecca Richards, CIPP/G
Eduardo Ustaran, Partner, Field Fisher Waterhouse
Sara Wood, CIPP, Senior Manager, Customer Privacy, Best Buy


Canadian Privacy Commissioner Launches Investigation Into Breaches
Jennifer Stoddart, Privacy Commissioner of Canada, recently announced that she is launching two separate investigations into security breaches in Canada, one involving the personal information of close to half a million clients of Talvest Mutual Funds, a subsidiary of the Canadian Imperial Bank of Commerce (CIBC), and the other involving shoppers at Winners Merchants Inc. and HomeSense, which are owned by TJX Companies.

The bank initially notified the Office of the Privacy Commissioner of Canada (OPC) of the Talvest breach: the disappearance of a hard drive containing personal information and financial data of approximately 470,000 Talvest clients. Since then, the OPC has been working with the CIBC to find out what happened, assess the privacy risks and provide guidance on how to deal with the situation while police continue to investigate.

The Commissioner has also launched a probe into the loss of the hard drive to determine whether there have been any violations of the Personal Information Protection and Electronic Documents Act (PIPEDA). In her statement, Stoddart said, "Although I appreciate that the bank notified us of this incident and that it is working cooperatively with my Office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians. My Office is committed to carrying out a thorough investigation into this matter and to ensuring that preventive and corrective measures are put in place so that this does not reoccur."

The Commissioner expressed similar concerns regarding the TJX breach. She launched a joint investigation with the Privacy Commissioner of Alberta, Frank Work, into the incident to examine the company's "collection of personal information and whether appropriate security safeguards are in place to protect consumers against unauthorized access, use and disclosure of personal information," according to a press release issued by the OPC. The investigation will also look at the personal information collection practices of both Winners Merchants Inc. and HomeSense following numerous calls from concerned citizens.

OCR Statistics on Medical Privacy Complaints Raise Questions
In its 3rd Annual Review of Medical Privacy and Security Enforcement audio seminar, Melamedia reveals that fewer than a quarter of the total medical privacy complaints lodged with the Department of Health and Human Services (HHS) were deemed eligible for further federal investigation of the targeted healthcare organizations covered by HIPAA.

Of the 22,664 complaints received by the HHS Office for Civil Rights (OCR) from the launch of the complaint system in April 2003 through Sept. 30, 2006, approximately 5,400 (23.8 percent) merited further investigation or action, according to agency statistics.

Of the 5,400 complaints that were pursued, OCR took informal action in 3,700 cases. In the remaining 1,700 cases, OCR found that the covered healthcare organization named in the complaint had not violated the HIPAA privacy rule.

"These statistics raise a lot more questions than they answer," said Dennis Melamed, President of Melamedia LLC, a publisher of newsletters and seminars on regulatory issues in healthcare. "For example, does this mean that concerns over medical privacy are overblown? Or does it mean that the HIPAA privacy rule does not cover everyone it should? We just don't know," he told seminar participants.

"While we shouldn't read too much into these statistics," Melamed said, "they do point out that we still do not have a grasp on how well we protect patient confidentiality. And that, by itself, is important to know as the U.S. pursues a national system of electronic health records and personal health records."

HHS Issues Guidance on Remote Access to EPHI
Following several security breaches that resulted in the loss of Electronic Protected Health Information (EPHI), the Department of Health and Human Services (HHS) issued a guidance document targeted to HIPAA-covered entities with the objective of outlining the ways healthcare-related organizations can protect sensitive information when it is accessed or used remotely.

The document specifically addresses the vulnerability of laptops, portable and/or mobile devices and external hardware that is used to store, contain or access EPHI, and outlines the minimal compliance expectations for the security of sensitive health information that is accessed offsite. The guidance calls for organizations to carefully evaluate their need for offsite use of EPHI, and to closely examine their risk analysis and risk management strategies; policies and procedures for safeguarding EPHI; and security awareness and training on the policies and procedures for safeguarding EPHI.

Furthermore, the guidelines offer a list of potential risks associated with offsite use of sensitive data and appropriate risk management strategies to mitigate them under the HIPAA Security Rule.

The document can be downloaded at www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf.

