IAPP Announces Appointments to New Education Advisory Board
Privacy pros with experience in diverse industries and disciplines are working with the International Association of Privacy Professionals (IAPP), the world's largest association for the privacy profession, to identify educational programming that captures emerging privacy issues while offering a range of advanced and general topics across industry sectors.

"The IAPP has been known for six years as the leading provider of privacy education, certification and networking for the growing ranks of privacy professionals," said IAPP Board President, Kirk M. Herath, CIPP/G, Associate Vice President, Chief Privacy Officer, Nationwide Insurance Companies. "The Education Advisory Board is another strong resource that will continue to reinforce and strengthen the IAPP's ability to deliver leading international privacy programming."

The 19-member committee is comprised of privacy pros representing financial services, healthcare, marketing, higher education, government, consultants, online services and information technology services.

J. Trevor Hughes, the Executive Director of the IAPP, announced the appointment of these IAPP members to serve on the inaugural Education Advisory Board.

The board's first mission was to cull through more than 200 IAPP Privacy Summit 07 session proposals submitted for programming consideration. The Education Advisory Board carefully reviewed the proposals and helped the IAPP craft programming for the IAPP Privacy Summit 07.

The board identified several priorities, including offering Summit attendees sessions on third-party relationships and auditing; government efforts to collect personal information from private-sector databases; and direct access to regulators - including Deborah Platt Majoras, Chairman of the Federal Trade Commission and Richard Thomas, Information Commissioner of the UK, two of the keynote speakers.

Inaugural Education Advisory Board Members

Deborah Butler, Chief Privacy Officer, Unisys Corporation
Mary Ellen Callahan, CIPP, Partner, Hogan & Hartson
Janet Chapman, Chief Privacy Officer, The Charles Schwab Corp.
Jay Cline, CIPP, President, Minnesota Privacy Consultants
Mike Drobac, CIPP, Global Private Client Privacy Office, Merrill Lynch
Dean Forbes, CIPP, Director, Corporate Privacy, Schering-Plough Corp.
Reed Freeman, CIPP, Partner, Kelley Drye Collier Shannon
Stuart Ingis, Partner, Venable LLP
Eva Kleederman, CIPP/G, Deputy for Privacy, Civil Liberties and Privacy Office, Office of the Director of National Intelligence
Jacqueline Klosek, CIPP, Associate, Goodwin Procter LLP
James Koenig, CIPP, Co-Leader Privacy Practice, PricewaterhouseCoopers
Sachin Kothari, Business Manager, Privacy SME, AT&T Inc.
Sagi Leizerov, CIPP, Senior Manager, Technology & Security Risk Services, Ernst & Young
David Lindstrom, CIPP/G, Chief Privacy Officer, Pennsylvania State University
Melissa Mitchell, Attorney, Vorys, Sater, Seymour, and Pease
Emily Mossburg, CIPP, Senior Manager, Deloitte & Touche LLP, Enterprise Risk Services, Security and Privacy Services Group
Brian O'Connor, CIPP, Chief Privacy Officer, Kodak
Rebecca Richards, CIPP/G
Eduardo Ustaran, Partner, Field Fisher Waterhouse
Sara Wood, CIPP, Senior Manager, Customer Privacy, Best Buy

Canadian Privacy Commissioner Launches Investigation Into Breaches
Jennifer Stoddart, Privacy Commissioner of Canada, recently announced that she is launching two separate investigations into security breaches in Canada, one involving the personal information of close to half a million clients of Talvest Mutual Funds, a subsidiary of the Canadian Imperial Bank of Commerce (CIBC), and the other involving shoppers at Winners Merchants Inc. and HomeSense, which are owned by TJX Companies.

The Office of the Privacy Commissioner of Canada (OPC) was initially notified about the Talvest breach by the bank of the disappearance of a hard drive containing personal information and financial data of approximately 470,000 Talvest clients. Since then, the OPC has been working with the CIBC to find out what happened, assess the privacy risks and provide guidance on how to deal with the situation while police continue to investigate.

The Commissioner also has launched a probe into the loss of the hard drive to determine whether there have been any violations of the Personal Information and Protection and Electronic Documents Act (PIPEDA). In her statement, Stoddart said, "Although I appreciate that the bank notified us of this incident and that it is working cooperatively with my Office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians. My Office is committed to carrying out a thorough investigation into this matter and to ensuring that preventive and corrective measures are put in place so that this does not reoccur."

The Commissioner expressed similar concerns regarding the TJX breach. She launched a joint investigation with the Privacy Commissioner of Alberta, Frank Work, into the incident to examine the company's "collection of personal information and whether appropriate security safeguards are in place to protect consumers against unauthorized access, use and disclosure of personal information," according to a press release issued by the OPC. The investigation will also look at the personal information collection practices of both Winners Merchants Inc. and HomeSense following numerous calls from concerned citizens.

OCR Statistics on Medical Privacy Complaints Raise Questions
In its 3rd Annual Review of Medical Privacy and Security Enforcement audio seminar, Melamedia reveals that less than a quarter of the total medical privacy complaints lodged with the Department of Health and Human Services (HHS) were deemed eligible for further federal investigation of the targeted healthcare organizations covered by HIPAA.

Of the 22,664 complaints received by the HHS Office for Civil Rights (OCR) from the launch of the complaint system in April 2003 through Sept. 30, 2006, approximately 5,400 (23.8 percent) merited further investigation or action, according to agency statistics.

Of the 5,400 complaints that were pursued, OCR took informal action in 3,700 cases. In the remaining 1,700 cases, OCR found that the covered healthcare organization named in the complaint had not violated the HIPAA privacy rule.

"These statistics raise a lot more questions than they answer," said Dennis Melamed, President of Melamedia LLC, a publisher of newsletters and seminars on regulatory issues in healthcare. "For example, does this mean that concerns over medical privacy are overblown? Or does it mean that the HIPAA privacy rule does not cover everyone it should? We just don't know," he told seminar participants.

"While we shouldn't read too much into these statistics," Melamed said, "they do point out that we still do not have a grasp on how well we protect patient confidentiality. And that, by itself, is important to know as the U.S. pursues a national system of electronic health records and personal health records."

HHS Issues Guidance on Remote Access to EPHI
Following several security breaches that resulted in the loss of Electronic Protected Health Information (EPHI), the Department of Health and Human Services (HHS) issued a guidance document targeted to HIPAA-covered entities with the objective of outlining the ways healthcare-related organizations can protect sensitive information when it is accessed or used remotely.

The document specifically addresses the vulnerability of laptops, portable and/or mobile devices and external hardware that is used to store, contain or access EPHI, and outlines the minimal compliance expectations for the security of sensitive health information that is accessed offsite. The guidance calls for organizations to carefully evaluate their need for offsite use of EPHI, and to closely examine their risk analysis and risk management strategies; policies and procedures for safeguarding EPHI; and security awareness and training on the policies and procedures for safeguarding EPHI.

Furthermore, the guidelines offer a list of potential risks associated with offsite use of sensitive data and appropriate risk management strategies to mitigate them under the HIPAA Security Rule.

The document can be downloaded at www.cms.hhs.gov/SecurityStandard/ Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf.