Showing posts with label Records Privacy. Show all posts

Wednesday, March 14, 2012

5 Ways To Protect Online Privacy

Due to serious time constraints I'm going to refrain from much personal pontificating today and go straight to a great piece by Alternet's David Rosen entitled "You Are Being Tracked Online: Here Are 5 Ways to Protect Your Privacy". Suffice it to say, he lays out a number of the issues I've been covering on this blog, including ways that you can protect your own privacy, but more importantly, as I often argue, what kinds of rules and protections are needed to make this task easier - and give people more power over their data and what's done with it.

I think his general analysis of the President's Consumer Privacy Bill of Rights is on point too...namely, that while conceptually it's got a lot of good stuff, there's not a lot of reason to be optimistic that it will end up being very strong, due to deference to the Congress and/or appeasement of big business interests when the time comes to fight for what's most important.

He also delves into the detrimental effects on privacy of media consolidation as well as the shift from paper-based media to digitally based media, which forces these companies to find new ways (like behavioral tracking) to raise revenue to stay afloat.

With that said, here are a few of the most important passages of his piece in case you don't have the time to read the whole thing:

Overlooked by the media, the Federal Trade Commission issued a warning earlier in February over apparent violations of children’s privacy rights involving the operating systems of the Apple iPhone and iPad as well as Google’s Android and their respective apps developers. Its report, "Mobile Apps for Kids," examined 8,000 mobile apps designed for children and found that parents couldn’t safeguard the personal information the app maker collected.

To illustrate how pernicious this practice is, one iPhone app, Path, offered by a Singapore developer, downloaded an iPhone user's entire address book without alerting them. Prodded by a letter from Congressmen Henry Waxman (D-CA) and G.K. Butterfield (D-NC), Apple’s CEO Tim Cook said the company will ensure that app developers get permission before downloading a user's address book.

The battle over your personal data is principally about ad spending.
The mass media is witnessing a shift from “broadcast” media like newspapers, radio and TV to “targeted” media like website ads, search capabilities and social networks. The consequences for newspapers and magazines are clear; TV is fighting to hold onto every ad dollar with a new “social TV” initiative. And your personal information is what enables targeted advertising.
...

Two industries, advertising and data brokers, principally drive the colonization of digital personal information. Traditional online usage practices such as monitoring of sites visited, ad click-throughs and email keywords are the bread and butter of information capture.

At a Senate hearing in September 2007 reviewing Google’s acquisition of DoubleClick, Sen. Herb Kohl warned, "The antitrust laws were written more than a century ago out of a concern with the effects of undue concentrations of economic power for our society as a whole, and not just merely their effects on consumers’ pocketbooks. No one concerned with antitrust policy should stand idly by if industry consolidation jeopardizes the vital privacy interests of our citizens so essential to our democracy."

The merger of these two ad-serving businesses set the stage for greater integration of personal information gathering and the online ad industry.

According to Forrester Research, total online advertising will more than double over the next five years, jumping from the 2011 estimate of $34.5 billion to $76.6 billion by 2016. Giving some texture to these numbers, eMarketing estimates that the top five online services control more than 70 percent of all monies spent. These five (and their relative market share) are: Google (43.5%), Yahoo! (11.9%), Facebook (7.7%), Microsoft (5.4%) and AOL (2.8%).

Facebook collects two types of information: (i) personal details provided by a user and (ii) usage data collected automatically as the user spends time at the site clicking around. When joining Facebook, a user discloses such information as name, email address, telephone number, address, gender and schools attended. In addition, it records a user’s online usage patterns, including the browser they use, the user's IP address and how long they spend logged into the site.

...

More pernicious, your personal Social Security number, phone numbers, credit card numbers, medical prescriptions, shopping habits, political affiliations and sexual orientation are now fodder for both corporate and government exploitation.

Both the ad agencies and data brokers have information capture down to a bad science. They track your every keystroke, your every order and bill payment, words and phrases in your emails and your every mobile movement.

And your personal information is pretty cheap as the following examples illustrate: address - $0.50; phone number - $0.25; unpublished phone number - $17.50; cell phone number - $10; Social Security number - $8; drivers license - $3; marriage/divorce - $7.95; education background - $12; employment history - $13; credit history - $9; bankruptcy information - $26.50; shareholder information - $1.50; lawsuit history – $2.95; felony record - $16; sex offender status - $13; and voter registration - $0.25. [Source: www.turbulence.org]

...

1. Privacy needs to be made a right.

“Privacy” is an implied – as distinguished from an explicit – right guaranteed by the Constitution. For all the rights suggested in the White House’s white paper, no new real right to privacy is proposed.

...

2. Regulation should replace voluntary compliance.

The White House program is based on the various interested parties, particularly online advertising companies, adopting a voluntary compliance commitment to safeguard people’s online privacy. But will self-regulation work?

...

3. Data vendors should be held accountable.


The White House document calls for data brokers to permit consumers reasonable access to the data they collect. It encourages the collectors to provide a mechanism for review, revision and limits to its use.

...

4. Bar federal agencies from buying private data.


The white paper fails to address the federal government’s growing reliance on information gathered by private data collectors, whether the information is accurate or not.

...

5. There’s a need for a global personal privacy standard.

The U.S. and Europe are moving in two opposing directions with regard to data privacy rules. The White House plan emphasizes mutual recognition of privacy approaches, an international role for codes of conduct and enforcement cooperation to safeguard personal privacy. Yet, the U.S. model is in keeping with its long tradition of putting the interest of business before its citizens; the Europeans are developing an online privacy program that places the interests of citizens first.


Click here to read the article in its entirety.

Tuesday, January 24, 2012

Supreme Court Rules Search Warrant Needed to Track People Using GPS

The Fourth Amendment isn’t completely dead after all! While this fundamental right to privacy is admittedly in tatters, the Supreme Court ruled yesterday that police must have a warrant in order to track someone using a GPS device.

The case in question involved police covertly tracking a suspected cocaine dealer's car using a GPS device for an extended period of time without getting a warrant. The question before the court largely centered on whether the constant, and extended, use of a secret GPS tracking device violated the Fourth Amendment’s protection against unreasonable searches and seizures.

Or, is such use of these devices without a warrant acceptable on the grounds that there is no expectation of privacy when in public places and that such tracking technology merely makes public surveillance easier and more effective?

Clearly, a whole lot was riding on this decision for privacy advocates. Citizens shouldn’t be concerned that trips to a friend's house, a place of worship, or a therapist's office can be tracked in real time by the government.

Thankfully, in this case, the court agreed: attaching a GPS device to a car and tracking its movements is a violation of the Fourth Amendment. Unfortunately, the government will likely continue to insist that tracking the location of cell phones is unaffected by this ruling.

As previously laid out in an article in Wired Magazine, there is an important distinction between traditional surveillance and GPS tracking: "Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one’s not visiting any of these places over the course of a month. The sequence of a person’s movements can reveal still more; a single trip to a gynecologist’s office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story."

Interestingly, though not surprisingly, the Court, while in unanimous agreement that a warrant is necessary, came to that conclusion from very different perspectives.

Certainly, the standout Justice was Sonia Sotomayor, who went much further than her colleagues on the issue of privacy in the digital age - even making a case for revision of the “third-party” doctrine (i.e. we lose Fourth Amendment protection when we disclose certain information). She wrote, “More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers.”

On the question of surveillance, she also distanced herself from Antonin Scalia’s narrow property rights argument (i.e. by installing the device police were violating the suspect’s private property), writing “…the same technological advances that have made possible nontrespassory surveillance techniques will also affect the Katz test by shaping the evolution of societal privacy expectations. Under that rubric, I agree with Justice Alito that, at the very least, 'longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.'" 

As Julian Sanchez of the Cato Institute noted, the ruling was a big victory for privacy advocates and the Fourth Amendment, writing, “This is a pretty big deal. Fourth Amendment scholars have been warning for decades—and with increasing alarm—that modern communications technology could turn constitutional privacy protections into an empty formality if we’re regarded as waiving those protections whenever we “expose” information to a third party. It is inherent to the nature of the Internet and mobile telecommunications, after all, that almost everything we do online—and, increasingly, much that we do offline as well—leaves a trace in the vast databases of one corporation or another.

Sotomayor’s concurrence signals a recognition that we need to move beyond what privacy scholar Daniel Solove has called “The Secrecy Paradigm,” which assumes that whatever is not totally secret (or very nearly so) is effectively “public.” In other words, if your Internet provider has a record of every Web site you visit, there’s no invasion of privacy when the government decides to have a look at the list. At least one Justice, evidently, recognizes that this is an indefensible inference—and one hopes she’s not alone.” 

Does Sotomayor's case against the third party doctrine have any significance for privacy advocates moving forward? Timothy B. Lee of ArsTechnica says yes, writing, “Sotomayor's discussion of the third-party doctrine has no legal significance, since she was the only one to sign onto her concurrence. But it could prove to have greater significance in the long run. The existence of at least one justice who is skeptical of the doctrine will inspire privacy advocates to raise objections to the idea in future cases. And one of those cases is likely to reach the high court at some point in the future.”

Thursday, January 12, 2012

E-Health Records, Data Breaches, and Privacy

Rather than re-inventing the wheel today, if you want some past posts I've done on electronic health records (EHRs) and the need for strict privacy safeguards that protect consumers, you can go here, here, or here. Generally speaking, I've made the following arguments: yes, this transition from paper to EHRs is inevitable and necessary; yes, such a transition does offer numerous benefits from cost effectiveness to better care; but, and this is a big but, what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

Similarly, I have also documented one medical records data breach after another, some due to hackers/identity thieves and some as a result of gross hospital incompetence and negligence (and more). In addition, I've detailed how states, like California for instance, are trying to create a set of privacy standards for these records that often means merging state rules and federal ones.

Given the lack of consistency, for instance, between California’s Confidentiality of Medical Information Act (CMIA) and the federal HIPAA (The Health Insurance Portability and Accountability Act), there is no single, comprehensive “rule” for the use and disclosure of health information in our state.

Thus the debate taking place over what kind of privacy standards and protections should apply to EHRs centers around a few core principles: accountability among parties involved in processing electronic transactions, consumer control over how their information is shared and the availability of access to it, transparency (so anyone who accesses files is recorded and made available to the consumer if desired), and system security to ensure a patient's private information is protected from identity thieves, overzealous law enforcement, or unwanted marketers.

Now that I've briefly gone over some of the general fundamentals of this very complex issue, I want to discuss two articles that have come out in the past week or so, one about the UC Regents dragging its feet in the lawsuit against it for a medical records data breach at the UCLA Health System, and the other, a MUST READ from the Los Angeles Times' Michael Hiltzik entitled (apt for this blog), "Her case shows why healthcare privacy laws exist."

I want to bring these up because they demonstrate, particularly the Los Angeles Times piece, WHY the work that, in California for instance, CalOHII (State of California Office of Health Information Integrity) is doing to come up with ironclad privacy protections for the state to adopt is so important (full disclosure: I'm on the privacy steering committee).

Let's begin with Hiltzik's piece because it truly blows the mind, and brings home why this MATTERS. He writes:

Of all the personal information that you might want to keep private, your medical records are the most important. That's why federal and state laws carry stiff penalties, up to and including jail time, for healthcare providers who let such data loose into the wild.

So you should be aghast at how free and easy Prime Healthcare Services and two executives at Prime-owned Shasta Regional Medical Center have been with the medical chart of a patient named Darlene Courtois. They showed the entire chart to an editor of her hometown newspaper, and Prime's corporate office divulged some of her medical examination results to me (though I didn't ask for them). They didn't have her permission for those disclosures, her daughter says.

...

Here's what state and federal laws have to say: A hospital can't disclose a patient's medical information publicly, such as to a newspaper, without the patient's written authorization. The authorization has to be very specific, designating exactly which records may be disclosed and to whom.

The applicable laws are the federal Health Insurance Portability and Accountability Act of 1996, which is known as HIPAA, and the 2008 California Confidentiality of Medical Information Act. The covered records include any information about an individual's "past, present or future physical or mental health or condition," and "the provision of health care to the individual." (The language comes from the federal government's published privacy rule summary.)

There are a few limited circumstances in which a healthcare provider doesn't need permission. Chiefly these fall into the categories of "treatment, payment and healthcare operations" — in other words, charts can be seen by doctors treating the patient or insurers paying for care, or in connection with hospital functions such as evaluating doctors' competency — and regulatory activities or subpoenas.

...

Under the law, there's no such thing as an implied authorization by a patient for disclosure of personal records, said Linda Ackerman, a San Francisco expert in privacy law.

The office of civil rights of the U.S. Department of Health and Human Services, which enforces HIPAA, put it this way: "There is no 'waiver' that would apply to the release of a chart or medical record to the media without an individual's written authorization."

Several experts told me it doesn't matter if the hospital was trying to contradict misinformation provided by a patient (even if that's what Courtois did, which is debatable). Under the law, patients themselves can divulge anything they wish about their medical conditions and their treatment by a hospital. But a hospital's obligation is to keep its mouth shut. A desire to deflect bad PR is not an excuse. Even if they think they're in the right, the law says healthcare providers have to suffer in silence, the experts say.

Anthony Wright, executive director of the statewide patient advocacy group Health Access California, also mentioned the "chilling precedent" of a hospital company exposing a patient's personal information just because she criticized the company in public. Indeed, the lesson of the Courtois case is clear: Give an interview about your experience at a Prime-owned hospital, and don't be surprised if the hospital responds by exposing the most private details of your medical history to the world.
 

Click here for more.

I would have to say, in addition to the blatant disregard for the privacy and the RIGHTS of Darlene Courtois demonstrated by Prime, I find Anthony Wright's point on this serving as a "chilling effect" against patients who may speak out to be of particular concern. I say this because all too often, as a consumer advocate, in industries from chemical to big pharma to big oil, and on down the line, we see intimidation, obfuscation, and in fact, a factoring in of the damage they cause people and the planet into their business model. I would HATE to think that EHRs could serve as yet one more tool to protect these kinds of corporate interests from proper justice and accountability.

My sense is that, in the case of Prime, it's so egregious that there will be accountability, and this chilling effect will not take root. But that is why I brought up the issue of factoring in the cost of the damage these corporate interests do into their business model: will the damages Prime faces outweigh the benefits they, and other vultures like them, feel they might get from such intimidation?

This also is why, as Hiltzik rightly states in the article's title, "Her case shows why health care privacy laws exist", and why INCREASED privacy protections, and increased accountability and enforcement, are also necessary...and must also exist.

On a similar note, let's look at the case of the UCLA Health System data breach and the lawsuit against it (remember, as I pointed out in a recent post, hospitals are NOT doing their job, and spending the required resources to protect these EHRs to date). As the Daily Bruin reports:

The UCLA Health System reported in November 2011 that a hard drive containing more than 16,000 patients’ information had been stolen from the home of a UCLA physician on Sept. 6, 2011.

Social Security numbers and financial information were not among the documents stolen, but they did include first and last names and may have contained birth dates, medical record numbers, addresses and medical record information, according to the Health System’s statement.

The lawsuit claims the September incident was a violation of the California Confidentiality of Medical Information Act, in place to protect the privacy of patients’ personal histories and information. The suit is calling for $1,000 in damages for each patient on the hard drive. The total cost of the suit for the Health System could amount to as much as $16 million, including the legal fees associated with the case.


...

While storing information online is an increasingly common practice, and can certainly coexist with patient privacy rights, the potential for data breach is significantly higher than a paper-based system, said Tena Friery, research director at the Privacy Rights Clearinghouse, a national nonprofit organization focused on consumer privacy protection.

She also cited a 2011 study revealing that 71 percent of health care organizations had suffered a data breach in the last year.

Kabateck was also involved in a case concerning similar violations against Stanford University’s Hospital and Clinics late last year, filed on behalf of 20,000 patients whose information was released onto a public website through a third party.
 

Click here to read more.

Obviously, this brings me back to the same key points as the article before it: how do we prevent these MASS amounts of, in some cases (as in Prime) intentional, data breaches from occurring? This, my friends, is serious business. And, as such, I would urge we seek and demand adequate penalties against those responsible for such breaches to ensure they don't keep happening going forward. This means BOTH privacy standards AND enforcement/security/accountability.

As I wrote in past posts, "If medical records fell into the wrong hands at worst they could be used for a host of purposes unrelated to improving your health: advertisers might flood our email inboxes with even more spam and patients may not feel so comfortable having an honest conversation with their doctor if it could end up for all to see. This treasure trove of personal information would also be a goldmine for insurance companies, drug companies, data mining companies, and software companies....


When it comes to the issue of e-health records certainly one question the consumers should ponder is "Where is my data and who has access to it and for what purposes?" Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?"...Clearly, what is MORE than clear now is that we need MORE attention paid to privacy, not less...and that means taking a bit more time to get this new system up and running...and more care given to the rights of patients...not hospitals, not suppliers, not the government, and not any other interest looking to profit off this transition. We can have BOTH privacy and a more efficient medical records system...there's no need to sacrifice one for the other.

Thursday, December 22, 2011

Electronic Health Record Data Breaches Surge

Most of us have come to the obvious, inevitable realization that we are going to shift (and in fact are doing so right now) what are currently called personal health records from a paper system to an electronic one. Having your medical records computerized and stored electronically promises to reduce medical errors - including prescribing the wrong medications. The National Academy of Sciences' Institute of Medicine estimates between 44,000 and 98,000 people in the United States die each year because of errors such as being prescribed medicine to which they are allergic.

These EHRs offer an easier way to collect, double-check and complement the information you receive from your physician. At the very least, your records can help you speed through waiting room forms and prompt important conversations with your physicians. If your doctor writes a new prescription, you can use your current medication list to ask about any interactions with the new drug. Or if your records suggest it’s time for a colonoscopy, you might make time to discuss the pros and cons of the procedure.

EHRs can also allow you to access your health information to prepare for medical appointments. As laid out by Patient Privacy Rights, "It can enable you to communicate better with your healthcare providers about your medical needs. People with chronic health conditions may use them to keep track of such things as how their medications are affecting them, or how they’re feeling from day to day. People with hypertension might want to use it to track their blood pressure readings."

Transitioning to a health information exchange will create much more patient data in electronic formats than ever before in history. The privacy threat posed by the interoperability of a national network is a key concern because in order for the records to be readily available and accessible they would have to be linkable and searchable.

If medical records fell into the wrong hands at worst they could be used for a host of purposes unrelated to improving your health: advertisers might flood our email inboxes with even more spam and patients may not feel so comfortable having an honest conversation with their doctor if it could end up for all to see. This treasure trove of personal information would also be a goldmine for insurance companies, drug companies, data mining companies, and software companies.

I give you this backdrop because we are witnessing increasing numbers of data breaches that are exposing - on a mass level - people's personal health records.

Before I get to the latest news on partly why these breaches are occurring (hospitals skimping on their security costs), let me lay out some of the data and its costs we ALREADY knew about:

  • More than 11 million consumers have had medical data stolen or inappropriately disclosed since September 2009, and the privacy breaches are expected to rise as more health information is put online, according to the report released today by the New York-based accounting firm’s health research institute.
  • While the report didn’t specify how many security thefts were carried out by insiders, 40 percent of surveyed providers reported an incident of improper internal use of protected health information during the past two years. 
  • Health organizations notified approximately 5.4 million individuals affected by patient health data breaches in 2010, compared to approximately 2.4 million individuals in 2009.
  • HHS' latest report to Congress revealed that in 2010 theft was the most common cause of large breach incidents that affected 500 or more individuals. Among the 207 breaches that covered entities such as healthcare providers, health plans, and healthcare clearinghouses reported last year, 99 incidents involved theft of paper records or electronic media, combined affecting approximately 3 million individuals. 
  • In 2010, the second highest number of data breaches involved the loss of electronic media or paper records, with 33 reported cases that affected more than 1 million individuals. There were 31 breaches that involved unauthorized access to, or uses or disclosures of, protected health information that affected approximately 1 million individuals. Other breaches included 19 incidents resulting from human or technological errors that affected approximately 78,663 individuals. Eleven covered entities reported breaches caused by the improper disposal of protected health information that affected approximately 70,000 individuals.

Now that we've gone over just a few of the reasons why this is all so important, and why concerns articulated by privacy advocates that STRICT privacy safeguards, at every step of the transition process, must be implemented have been proven true, let's get to some of the reasons WHY such breaches are occurring.

As Business Week reported:
 

Data breaches at U.S. health-care providers are increasing as hospitals adopt electronic medical records and mobile technology without spending enough on security to ensure patient privacy, a research group said.

The frequency of data breaches at health organizations jumped 32 percent in 2011 from a year earlier, costing the industry an estimated $6.5 billion, according to a study released today by the Ponemon Institute LLC, a Traverse City, Michigan-based information-security research group.

Forty-nine percent of health organizations said that lost or stolen devices were to blame for breaches, according to the institute, which surveyed 72 hospitals and health providers. The study didn’t name the organizations surveyed.


...

Fifty-three percent of the organizations surveyed said that inadequate funding was the biggest barrier to preventing data breaches, according to the study.

U.S. data-breach notification laws for health organizations are making providers more aware of their security vulnerabilities, Ponemon said. Data breaches affecting more than 500 people must be reported to the Health and Human Services Department, which posts a list of incidents on its website.

Health providers, insurers and their business partners reported 373 breaches affecting almost 18 million individuals between September 2009 and October of this year, according to the list, which is tended by the Health and Human Services Department’s Office of Civil Rights.


In fact, the Privacy Rights Clearinghouse listed the now notorious Sutter Health data breach as one of the largest of the year. Amber Yoo, the organization's Communications Director, recently wrote in the California Progress Report, "Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) - A company-issued desktop computer was stolen from SMF's administrative offices in Sacramento, California, during the weekend of October 15th. Although the data was password protected, it was not encrypted. Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed. An additional 934,000 SMF patients had dates of services and description of medical diagnoses and/or procedures used for business operations, bringing the total to 4.2 million patients. At least two lawsuits have been filed against Sutter Health. One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data, and then did not notify the millions of patients whose data went missing within the time required by state law....The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location). Although no Social Security numbers or financial information were apparently exposed, all the data elements needed for medical identity theft were included in the stolen records."

In addition, Amber points out another massive breach, writing, "Nine data servers containing sensitive health information went missing from Health Net's data center in Rancho Cordova, California. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information. Not only was Health Net the first massive medical breach of the year, but the company waited three months before notifying affected individuals. The servers were discovered missing in January, but policyholders were not notified until March. The breach highlights the importance of timely notification."

The good news, as if there is any in all this, is that California recently implemented one of the strongest data breach notification laws in the country - one we here at the Consumer Federation of California worked hard to get through the legislature and to convince Governor Brown to sign. Now, thanks to the law, any breached entity must submit its notice letters to the California Attorney General. The AG's office will then post the letters on its website. In addition, the notifications sent to individuals whose private information was breached will be clearer and more detailed, with specific recommendations for what to do next, including who to call.

As for the larger issue of electronic health records, as these breaking news stories make clear, time is running out, because states across the country, including California, are working to implement such a system, with consumer privacy perhaps the paramount area of dispute.

We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

When it comes to the issue of e-health records, certainly one question consumers should ponder is "Where is my data and who has access to it and for what purposes?" Or perhaps even more importantly, "Can my private data be traced back to me personally and sold to others?"

But as it stands today, there still aren't uniform standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as some in the stimulus bill. But key protections are still absent, and state laws often conflict with federal ones.

For instance, the federal law on the books only requires that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.

Clearly, what is MORE than clear now is that we need MORE attention paid to privacy, not less...and that means taking a bit more time to get this new system up and running...and more care given to the rights of patients...not hospitals, not suppliers, not the government, and not any other interest looking to profit off this transition. We can have BOTH privacy and a more efficient medical records system...there's no need to sacrifice one for the other.

Thursday, October 13, 2011

A Near Privacy Sweep in California…With One BIG Exception

It was a near legislative sweep for privacy advocates this year as Governor Brown signed all but one of the key privacy bills that reached his desk. These include: 

SB 602 (Yee) will ensure that government and third parties cannot access private reading records without proper justification. This is no small victory being that digital books will store data that can include books browsed, how long a page is viewed, and even the electronic notes written in the margins. It's not hard to see the detailed portrait of your life such information could paint.


AB 22 (Mendoza) will prohibit a prospective employer from using consumer credit reports in the hiring process unless it’s directly related to the job. This bill was one of our top priorities this year for a number of reasons, including: credit reports do not have predictive value in determining a worker’s ability to perform job duties, while a bad credit report might unfairly influence a hiring employer’s attitude toward a job applicant; a significant percentage of credit reports are inaccurate, and correcting such information in a credit report is a tedious, time consuming affair; and millions of people’s credit scores have been decimated by a Great Recession that was no fault of their own, but in fact due to the actions of some of the very interests that then arbitrarily determine one’s credit rating. For all of those reasons and more this legislation was a victory for both privacy and economic justice.

SB 24 (Simitian) will provide an important upgrade to California's landmark breach notification law. It spells out which key details must be included in that notification letter, and would make sure the Attorney General hears about the breach. SB 24 will help consumers make sense of these notices, and help arm us to stop identity theft. Sony, Citibank, and the Bay Area Rapid Transit District are recent examples of businesses and government agencies whose customers’ records were stolen by hackers.

And just a few weeks ago it was revealed that 300,000 Californians’ intimate medical records, along with their social security numbers, were viewable for months to anyone with an internet connection, owing to an insurance processing business’ failure to safeguard its electronic data files. This massive medical records data breach leads us to another privacy related legislative victory: SB 850 (Leno), which will expand the Confidentiality of Medical Information Act to both written and electronic health records.

Also of note, but not a high priority for CFC this year, was the signing of SB 208 (Alquist), which will authorize restitution to an identity theft victim for expenses to monitor a credit report and for the costs to repair a credit rating, and SB 636 (Corbett), which will provide further protection to individuals participating in the Safe at Home Program by prohibiting their addresses and telephone numbers from being posted on the Internet, and establishing crimes for publishing or failing to remove their identifying information.

The Big Disappointment: Governor Vetoes SB 914 (Leno) - Police Search of Smart Phones

Currently police can seize and search an individual’s smart phone or android without a warrant, just like a traditional cell phone. SB 914 would have clarified that an arrestee’s cell phone can only be accessed with a warrant, except in circumstances where there is an immediate threat to public safety or the arresting officer. It acknowledges that accessing information on a cell phone is fundamentally different than searching an arrested person’s wallet, cigarette pack or jeans pockets.

Being that modern cell phones are becoming more like all purpose computers, and therefore contain ALL KINDS of personal, private information, the authorities should not be granted the right to that information without a warrant.

Unfortunately, in 2007, California's Supreme Court ruled against such a distinction, arguing, "The cell phone was an item (of personal property) on the person at the time of his arrest and during the administrative processing at the police station. Because the cell phone was immediately associated with defendant’s person, (police were) entitled to inspect its contents without a warrant." 

But these justices went even further - comparing the cell phone to personal effects like clothing. Worse, they argued that it wasn't because the police had a particular right in this particular case, or because there was some special exception that allowed such a search, but rather that no exception was even necessary. In other words, this case was not an exception, but rather the NEW rule: cell phone records are now little different from the shirt on your back if you've been arrested.

Dissenting Justice Kathryn Werdegar raised concerns similar to ours in her opinion: "The majority’s holding ... (grants) police carte blanche, with no showing of exigency, to rummage at leisure through the wealth of personal and business information that can be carried on a mobile phone or handheld computer merely because the device was taken from an arrestee’s person...The majority thus sanctions a highly intrusive and unjustified type of search, one meeting neither the warrant requirement nor the reasonableness requirement of the Fourth Amendment to the United States Constitution."

In response to the ruling, Jonathan Turley, a Constitutional law expert at George Washington University, seconded Justice Werdegar’s Fourth Amendment concerns: "The Court has left the Fourth Amendment in tatters and this ruling is the natural extension of that trend. While the Framers wanted to require warrants for searches and seizures, the Court now allows the vast majority of searches and seizures to occur without warrants. As a result, the California Supreme Court would allow police to open cell phone files — the modern equivalent of letter and personal messages."

In light of increasing economic injustice and income inequality, and the corresponding growth in the number and size of protests across the country, granting authorities such powers should be viewed with great skepticism and caution. As State Senator Mark Leno noted, "If you like to attend political rallies, parades, protests or sit-ins, you might consider leaving your cell phone at home in the unlikely event arrests are made. A recent California Supreme Court decision allows police to rummage through all of the private information on your smart phone as part of an arrest, including your text messages and e-mails. This warrantless search is now legal in California, regardless of whether the information on the phone is relevant to the arrest or if criminal charges are ever filed."

This fight isn’t over. Senator Mark Leno has indicated he will bring this legislation back next year in another effort to overturn the state Supreme Court’s ruling. Clearly, in this case and many others like it in the age of the Patriot Act and the War on Terror, Governor Brown was mistaken in his veto message when he said the courts are "better suited" than legislators to decide when a search is legal. Perhaps in most cases this is true...but not when they are so clearly in conflict with something as fundamental to our basic rights as the Fourth Amendment. Let’s hope we can change the Governor’s mind next year.

Monday, October 3, 2011

My Interview on AB 22 (Mendoza), and Governor Signs SB 602 (Reader Privacy Act)

A little less than two weeks ago I put together a major post on job seeker privacy, particularly when it comes to employers' increasing use of intrusive background checks, most notably of your credit reports.

Rather than go into detail here again, let me just point you to the interview I did on the Rick Smith Show last week about legislation here in California, AB 22 (Mendoza), that would ban prospective employers from accessing your credit scores unless it's directly related to the job you're applying for. The Governor has until October 9th to decide.


Now to some great news...the Governor signed Senator Leland Yee's Reader Privacy Act (SB 602) on Sunday. As I've noted here in the past, the explosion of digital books poses real privacy threats, because these books will store data that can include books browsed, how long a page is viewed, and even the electronic notes written in the margins. It's not hard to see the detailed portrait this could paint of your life.

Thankfully, this concern will finally be addressed by SB 602 (Yee) - which now will provide important privacy protections for digital book readers. Without such legislative protection, you can imagine how tempting this information could be to the government or other litigants, like those involved in divorce cases, custody battles, or insurance disputes.

In the case of digital books, we're not talking about just another library - librarians utilize different standards for dealing with user information than the online world does. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

What the bill will do is update California's privacy protections in the digital age by preventing the disclosure of information about readers from booksellers without a warrant in a criminal case or a court order in a civil case. It also requires booksellers to report the number and type of requests they receive to track government demands for reader information. Without such protections, we're talking about a virtual one-stop shop for government and third party fishing expeditions into the personal details of our lives.

Here's what PC Magazine had to say about the legislation being signed:

The bill, known as the Reader Privacy Act of 2011, will require government agencies to obtain a court order before they access customer records from book stores or online retailers. It will officially become law on January 1. 

"California law was completely inadequate when it came to protecting one's privacy for book purchases, especially for online shopping and electronic books," said Calif. state Sen. Leland Yee, the bill's sponsor. "Individuals should be free to buy books without fear of government intrusion and witch hunts. If law enforcement has reason to suspect wrongdoing, they should obtain a court order for such information."

Sen. Yee pointed to the McCarthy hearings of the 1950s, where Americans were questioned about whether they had read Marx or Lenin. In the years since September 11, meanwhile, the FBI has sought information from more than 200 libraries, he said. The bill was backed by the American Civil Liberties Union of California (ACLU) and the Electronic Frontier Foundation (EFF), as well as Google, TechNet, and the Consumer Federation of California.

"Reading choices reveal intimate facts about our lives, from our political and religious beliefs to our health concerns. Digital books and book services can paint an even more detailed picture—including books browsed but not read, particular pages viewed, how long spent on each page, and any electronic notes made by the reader," the EFF said in a statement. 

"Without strong privacy protections like the ones in the Reader Privacy Act, reading records can be too easily targeted by government scrutiny as well as exposed in legal proceedings like divorce cases and custody battles. Legal protections must keep up with technological advances," said Valerie Small Navarro, Legislative Advocate with the ACLU of California. 

Click here to read more.

Thursday, September 22, 2011

A REALLY BAD Week for Electronic Health Record Privacy

Let me begin with an obvious caveat: I'm no Luddite and I COMPLETELY understand the logic behind transitioning to an electronic based health records system. 

It was just a few weeks ago that a San Jose Mercury News article sounded a few alarm bells regarding just how "safe" our personal data will be in the coming cyber world reality of electronic health records. But after this week, these privacy concerns have just expanded and metastasized significantly. For those that don't know, we (America) are in the midst of the massive transition to e-health records, a key component of both President Obama's health care proposal as well as the stimulus package itself.

Let me reiterate: the fact that the three stories I'm going to share with you today, all from this week, epitomize the concerns articulated by privacy advocates is not to say that we shouldn't make this transition, for all the money-saving and even life-saving reasons everybody has probably heard by now. But what it DOES say is that STRICT privacy safeguards, at every step of the transition process, must be implemented...from the beginning, not once the Genie is out of the bottle.

And the fact is, as these breaking news stories will make clear, time is running out, because states across the country, including California, are working to implement such a system, with consumer privacy perhaps the paramount area of dispute...as I write this!

As I said, one of the most important challenges for privacy advocates has been making sure that the transition to electronic medical records includes ironclad privacy safeguards along with it. We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

When it comes to the issue of e-health records, certainly one question consumers should ponder is "Where is my data and who has access to it and for what purposes?" Or perhaps even more importantly, "Can my private data be traced back to me personally and sold to others?"

Before I go on too long, let me get to the three separate articles...the first entitled "Theft of Digital Health Data More Often Inside Job, Report Finds" from Bloomberg Business Week.


The article reports:

Electronic health data breaches are increasingly carried out by “knowledgeable insiders” bent on identity theft or access to prescription drugs, according to a report from PricewaterhouseCoopers LLP. 

More than 11 million consumers have had medical data stolen or inappropriately disclosed since September 2009, and the privacy breaches are expected to rise as more health information is put online, according to the report released today by the New York-based accounting firm’s health research institute. The most frequently reported issue was the improper use of protected information by an “internal party,” the study found. 

The report underscores the need to strengthen privacy and security controls as health records are more frequently stored online and accessed by portable devices, said James Koenig, co-lead of PwC’s Health Information Privacy and Security Practice. Consumer concerns that personal medical information may be vulnerable to disclosure are likely to increase as the Obama administration spurs the adoption of digital records.

 ...

While the report didn’t specify how many security thefts were carried out by insiders, 40 percent of surveyed providers reported an incident of improper internal use of protected health information during the past two years. Over the past several years, thefts by insiders or disgruntled former employees have surpassed disclosures by hackers and outsiders, Koenig said.

Read the rest here.

Now, if that wasn't enough to grab your attention and maybe, for a second at least, make you question the "we don't have time for privacy protection" rush to implement this system, rather than doing it correctly and responsibly, there's also an article from Information Week entitled "HHS: Patient Data Breaches Have More Than Doubled".

The article reports:

Health organizations notified approximately 5.4 million individuals affected by patient health data breaches in 2010, compared to approximately 2.4 million individuals in 2009. This according to a report recently sent by the Department of Health and Human Services (HHS) to Congress. The report comes several months after the HHS office of inspector general published two audits that highlighted the difficulties healthcare delivery organizations are facing in their efforts to protect sensitive patient information.

HHS' latest report to Congress revealed that in 2010 theft was the most common cause of large breach incidents that affected 500 or more individuals. Among the 207 breaches that covered entities such as healthcare providers, health plans, and healthcare clearinghouses reported last year, 99 incidents involved theft of paper records or electronic media, combined affecting approximately 3 million individuals. 

.... 

In 2010, the second highest number of data breaches involved the loss of electronic media or paper records, with 33 reported cases that affected more than 1 million individuals. There were 31 breaches that involved unauthorized access to, or uses or disclosures of, protected health information that affected approximately 1 million individuals. Other breaches included 19 incidents resulting from human or technological errors that affected approximately 78,663 individuals. Eleven covered entities reported breaches caused by the improper disposal of protected health information that affected approximately 70,000 individuals. In Gallagher's view, the increasing number of incidents could mean that the policies and procedures coming from HHS are encouraging the healthcare industry to do a better job of detecting and reporting breaches. 

Read the rest here.

But wait...there's more!! A Reuters article entitled "Health industry lacks patient data safeguards: poll" adds yet another wrinkle, which again, totally and completely validates and reinforces claims by privacy advocates that we must put the privacy of patients ahead of the need to get the system up and running as quickly as possible no matter the risks.

The article reports: 

A vast majority of hospitals, doctors, pharmacies and insurers are eager to adapt to increasingly digital patient data. However, less than half are addressing implications for privacy and security, a survey of healthcare industry executives by PricewaterhouseCoopers LLP found. PwC's Health Research Institute interviewed 600 executives in the spring of this year and also found that less than half of their companies have addressed issues related to the use of mobile devices. Less than a quarter have addressed implications of social media.

...

U.S. health and drug regulators are expected by the end of the year to finalize their updated rules on patient privacy protection, and they also continue to adapt to new technologies coming to health labs and physicians' offices. Some 74 percent of healthcare organizations were planning to expand the purposes for which they use electronic patient health data, the survey found. For instance, that may mean looking across patients to find better treatments or tracking records of one patient from doctors and pharmacies to analyze medication adherence. 

But only 47 percent of the companies have or are addressing related privacy and security issues, the report said. Reports of security breaches, although many not directly related to health IT, are not uncommon in the health industry.

Just over half of surveyed executives said they were aware of some kind of a privacy or security breach at their companies in the past two years, with hospitals being the likelier offenders. 

Read the rest of that article here.

As I have written here before on this issue, we all consider our healthcare information to be extremely personal and expect the government to protect it from falling into the wrong hands. Granted, regulations alone (or even technical safeguards, perhaps) will never be the end-all solution when it comes to privacy in the information age...they must be coupled with public awareness and the pressure that consumer choice can put on industry.

But as it stands today, there still aren't uniform standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as some in the stimulus bill. But key protections are still absent. 

The prohibition on the sale of medical records is weak and full of loopholes, and it does not apply to vendors like Microsoft or Google. Both companies have agreed to contracts that say they won't release your information, but there is no law mandating that they don't sell the information. If we've learned anything about corporate behavior in recent years, it’s that without ironclad, legal requirements, we shouldn't expect them to behave the way we'd expect from say, a human being.

Similarly, the breach provisions requiring companies to notify patients when electronic medical records are accessed do apply to Google and Microsoft. However, there are safe-harbor provisions that let companies off the hook from the notification requirement if the breach occurred in "good faith."

The federal law on the books only requires that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.

Look, I don't yet consider myself an expert on this issue; for that, go to World Privacy Forum and read some of the work and research done by Pam Dixon on electronic health record privacy.

Clearly, if today's list of articles, and last month's piece in the San Jose Mercury News, tells us anything, it's that we need MORE attention paid to privacy, not less...and that means taking a bit more time to get this new system up and running...and more care given to the rights of patients...not hospitals, not suppliers, not the government, and not any other interest looking to profit off this transition. We can have BOTH privacy and a more efficient medical records system...there's no need to sacrifice one for the other.

Tuesday, September 20, 2011

Protect Your Privacy Rights as a Job Seeker

I wanted to alert everybody to some excellent new information provided by the Privacy Rights Clearinghouse regarding not just the difficulties facing job seekers, but also the violation of their privacy rights in this very search (and a bill that helps address one aspect of this problem).

As PRC details in their email blast, "Taylor Thomas is left searching for employment after he is terminated from his job due to the bad economy. Despite being highly qualified for the positions he interviews for, Taylor has one rejection after another. Two of the companies even seem ready to hire him. But, it is as if something happens to change their mind between the interview and the hiring decision. Taylor has almost exhausted his list of potential employers and has landed an interview at what may be his best chance for a job.

Watch the video to find out what’s keeping Taylor from getting hired. Learn your rights about employment background checks, and spread the word! Although Taylor is a fictional character, the situation dramatized on the six-minute video is similar to many complaints we have received from individuals who have contacted our hotline with questions and complaints about background check errors."



Now, before I get to more about YOUR RIGHTS as a job seeker, particularly in what companies/employers can dig up on you and what they can't and shouldn't, let me point you to one bill, on the Governor's desk - AB 22 (Mendoza) - that addresses just one of the many concerns raised by PRC.

AB 22 would ban credit checks from being used in the screening process for most job candidates. Clearly this bill is about a lot more than privacy; it strikes at the heart of the increasing shift away from the rights of workers, and the increasing power of corporations and big employers.

As pointed out by bill proponents, including the Consumer Federation of California, when companies vet potential employees they often check everything from grade point average to criminal records. More and more, they are starting to factor in a person's credit rating as well. But given this economy, this practice is both unfair and counterproductive. The fact is, a credit report is not a good indicator of a person's trustworthiness or work ethic, particularly considering how many people's credit scores have suffered due to the Great Recession.

AB 22 is also a primary target of one of the more corrupt corporate lobbying organizations this country has ever known - the California Chamber of Commerce. In fact, they even made a video about it, listing it as one of their job killer bills.

All it does is simply prohibit most employers from conducting credit checks on applicants, unless it is substantially related to the job. For example, employers could still run credit reports on those potentially gaining access to confidential financial information. AB 22 will mean stronger privacy protections, a more fair work environment, and an easier time securing employment. 

So, this was an easy bill to support. It even provides exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement and in other narrow areas. An employer should not have any right to obtain confidential information that is not germane to a prospective employee’s job. Credit reports do not have predictive value in determining a worker’s ability to perform job duties, but a bad credit report might unfairly influence a hiring employer’s attitude toward a job applicant. 

Unemployed workers are more likely to have suffered some downgrading of their credit score due to the circumstances of their unemployment; hence reliance on credit reports as a factor in hiring decisions might adversely impact those most in need of a job. 

Credit reports are often inaccurate, and could unfairly bias an employer. Correcting mistaken information in a credit report is a tedious, time consuming process, and in the meantime, the job applicant is harmed due to errors by credit reporting entities.

But there's more to the story when it comes to the infringement on the rights of workers by employers. PRC has more: 

Whether you are hired or promoted for a job may depend on the information revealed in a background check. Job applicants and existing employees as well as volunteers may be asked to submit to background checks. For some jobs, screening is required by federal or state law. The current emphasis on security and safety has dramatically increased the number of employment background checks conducted.

In short, employers are being cautious. At the same time, applicants and employees fear that employers can dig into the past in ways that have nothing to do with the job.

This guide explains the why and how of background checks. It also tells you what can be covered in a background report, your rights under the Fair Credit Reporting Act, and what you can do to prepare. For more information, go to the References section at the end of this guide. The PRC does not perform background checks.

  1. Why Does an Employer Conduct a Background Check?
  2. What Is Included in a Background Check?
  3. What Cannot be in a Background Check Report?
  4. Who Conducts Background Checks?
  5. Fair Credit Reporting Act and Background Checks
  6. FCRA Update: Workplace Investigations and Annual File Disclosures
  7. Background Checks and Your Credit Report
  8. Investigative Consumer Reports - What Will Your Neighbors Say?
  9. How to Prepare for a Background Check
  10. Resources

It's important to point out that, just as when people say "why should I care about being wiretapped, I'm not doing anything wrong!", it's the same when people don't seem concerned about background investigations. Let's remember, what YOU think about your history and actions isn't necessarily what might come up, what others might say, or what the government/corporations might interpret. In addition, when did it become okay for some investigator to poke around in your personal history?

As PRC correctly points out, "In-depth background checks could unearth information that is irrelevant, taken out of context, or just plain wrong. A further concern is that the report might include information that is illegal to use for hiring purposes or which comes from questionable sources."

And back to the credit check bill, because PRC has some important points to make on why this is important as well:

Often a poor credit rating results from circumstances that are beyond your control. The loss of a job or high medical bills often leads to late payments, even bankruptcy. Still a bank or other financial institution may reason that a solid financial history is a qualifying factor for an employee who has control over substantial sums of money.

However, the same argument cannot be made when a credit check serves only as a kind of character screening. Some states have now recognized the unfairness in this by adopting laws that require a direct relationship to the job before a credit check is made.

Several states have passed laws limiting credit reports for employment decisions with provisions that require a nexus to actual job duties. Those states are: Washington, Oregon, Hawaii, Illinois, Maryland and Connecticut. Similar laws have been introduced in other states.


Finally, let me make one more point from an economic justice perspective. Just how much influence and power do we want to give the banks and credit rating agencies? Do we want our very employment futures dependent on THEIR analysis of our worthiness??? Based on their list of criteria rather than PROVEN lists of what makes a good employee, like education, references, interview ability, and employment history? To that end, let me just briefly expose the grand hypocrisy of the Chamber of Commerce selling themselves as protectors of jobs...and the leading opposition to AB 22:

As the Center for American Progress notes, "While it tells the American public it cares about American jobs, the U.S. Chamber of Commerce actually works to send jobs overseas on behalf of its corporate members, which include some of Asia’s top offshoring companies. Its secretly-funded $75 million political ad campaign attacks the “anti-jobs record” of Sen. Barbara Boxer (D-CA), Jerry Brown (D-CA), Richard Blumenthal (D-CT), Alexi Giannoulias (D-IL), Rep. Dina Titus (D-NV), and others.

As ThinkProgress previously noted, the Chamber has repeatedly sent out issue alerts attacking Democratic efforts to encourage businesses to hire locally rather than outsource to foreign countries. The Chamber has also bitterly fought Democrats for opposing unfettered free trade deals. The Chamber’s anti-American jobs agenda serves not only the profit-seeking of right-wing corporate executives in the United States, but also works to send jobs overseas to the following outsourcing companies, who are some of the dozens of foreign corporations that pay member dues to the Chamber of Commerce’s 501c(6) account, which is used to fund its political ads:

– InfoSys, Bangalore, India (at least $15,000 in annual member dues): “Infosys is the ‘Best Outsourcing Partner’ according to the Waters Rankings for the third consecutive year.”
– KPIT Cummins, Pune, India ($7,500): “Strategic global networking, together with industry-proven practices & processes, give KPIT Cummins a cutting edge in the realm of outsourcing.”
– Patni Americas, Mumbai, India ($15,000): “Patni, the world leader in IT outsourcing and business process outsourcing provides offshore software development, global sourcing, custom software development, and a vast array of product engineering and IT services to companies worldwide.”
– NIIT Technologies, Delhi, India ($15,000): “[L]eadership in the area of outsourcing.”
– QuEST Global, Singapore ($7,500): “QuEST is a leader in the engineering services outsourcing (ESO) space.”
– Rolta, Mumbai, India ($7,500): “Rolta’s global footprint and track record along with its capable off-shoring model gives it a unique positioning in this large market.”
– SKP Crossborder Consulting, Mumbai, India ($7,500): “SKP’s core outsourcing practice is managed out of a fully equipped, spacious premises based in Pune with access to facilities in Mumbai, Hyderabad, Delhi and Bangalore.”
– Tata Group, Mumbai, India ($15,000): “[W]orld-class solutions in outsourcing – business process outsourcing, application outsourcing, infrastructure outsourcing.”
– Wipro, Bangalore, India ($15,000): “India’s biggest destination for U.S. offshoring.”

Let's start to put workers and common sense...and privacy ahead of corporate profits and their insatiable desire to make money for their shareholders rather than protect employees or improve the quality of life of working families.

The Consumer Federation of California urges the Governor to protect the financial privacy of Californians from unwarranted snooping by prospective employers by signing AB 22. And, be sure to learn everything you can about your rights from PRC's comprehensive expose.

Thursday, September 8, 2011

CA Financial Privacy Bill Passes State Senate (AB 22), On to Governor's Desk

A bit more good news on the California privacy front to report: AB 22 (Mendoza), a bill that would ban credit checks from being used in the screening process for most job candidates, passed the State Senate by a razor-thin 21 to 17 vote. Clearly this bill is about a lot more than privacy; it strikes at the heart of the increasing shift away from the rights of workers, and the increasing power of corporations and big employers.

As pointed out by bill proponents, including the Consumer Federation of California, when companies vet potential employees they often check everything from grade point average to criminal records. More and more, they are starting to factor in a person's credit rating as well. But given this economy, this practice is both unfair and counterproductive. The fact is, a credit report is not a good indicator of a person's trustworthiness or work ethic, particularly considering how many people's credit scores have suffered due to the Great Recession.

AB 22 is also a primary target of one of the more corrupt corporate lobbying organizations this country has ever known - the California Chamber of Commerce. In fact, they even made a video about it, listing it as one of their job killer bills.

Now, before I get to some of the more specific reasons we (CFC) support this legislation, and urge the Governor to sign it, let me just briefly expose the grand hypocrisy of the Chamber of Commerce selling themselves as protectors of jobs. 

As the Center for American Progress notes, "While it tells the American public it cares about American jobs, the U.S. Chamber of Commerce actually works to send jobs overseas on behalf of its corporate members, which include some of Asia’s top offshoring companies. Its secretly-funded $75 million political ad campaign attacks the “anti-jobs record” of Sen. Barbara Boxer (D-CA), Jerry Brown (D-CA), Richard Blumenthal (D-CT), Alexi Giannoulias (D-IL), Rep. Dina Titus (D-NV), and others.

As ThinkProgress previously noted, the Chamber has repeatedly sent out issue alerts attacking Democratic efforts to encourage businesses to hire locally rather than outsource to foreign countries. The Chamber has also bitterly fought Democrats for opposing unfettered free trade deals. The Chamber’s anti-American jobs agenda serves not only the profit-seeking of right-wing corporate executives in the United States, but also works to send jobs overseas to the following outsourcing companies, who are some of the dozens of foreign corporations that pay member dues to the Chamber of Commerce’s 501c(6) account, which is used to fund its political ads:

– InfoSys, Bangalore, India (at least $15,000 in annual member dues): “Infosys is the ‘Best Outsourcing Partner’ according to the Waters Rankings for the third consecutive year.”
– KPIT Cummins, Pune, India ($7,500): “Strategic global networking, together with industry-proven practices & processes, give KPIT Cummins a cutting edge in the realm of outsourcing.”
– Patni Americas, Mumbai, India ($15,000): “Patni, the world leader in IT outsourcing and business process outsourcing provides offshore software development, global sourcing, custom software development, and a vast array of product engineering and IT services to companies worldwide.”
– NIIT Technologies, Delhi, India ($15,000): “[L]eadership in the area of outsourcing.”
– QuEST Global, Singapore ($7,500): “QuEST is a leader in the engineering services outsourcing (ESO) space.”
– Rolta, Mumbai, India ($7,500): “Rolta’s global footprint and track record along with its capable off-shoring model gives it a unique positioning in this large market.”
– SKP Crossborder Consulting, Mumbai, India ($7,500): “SKP’s core outsourcing practice is managed out of a fully equipped, spacious premises based in Pune with access to facilities in Mumbai, Hyderabad, Delhi and Bangalore.”
– Tata Group, Mumbai, India ($15,000): “[W]orld-class solutions in outsourcing – business process outsourcing, application outsourcing, infrastructure outsourcing.”
– Wipro, Bangalore, India ($15,000): “India’s biggest destination for U.S. offshoring.”

But let's get back to AB 22 (Mendoza). All it does is prohibit most employers from conducting credit checks on applicants unless the check is substantially related to the job. For example, employers could still run credit reports on those potentially gaining access to confidential financial information. AB 22 will mean stronger privacy protections, a fairer work environment, and an easier time securing employment.

As the California Labor Federation noted, "It is no secret that our economy’s collapse threw thousands of Californians out of jobs and onto unemployment rolls. The ensuing foreclosure and credit crises also remain painfully familiar to all, as does the struggle many unemployed workers face keeping their families fed, clothed and sheltered. The horrible result can range from the occasional missed utility bill to home foreclosure. There is no doubt that workers’ credit scores have suffered during this depression.

What many may not know, however, is that some employers have quietly begun conducting credit checks on prospective workers. In fact, more than 40% of employers say they use credit reports in making employment decisions. Evidence also suggests that some supervisors factor credit scores into decisions regarding promotion and evaluation of current workers.

In any economic situation, this practice constitutes an unwarranted invasion of privacy. Credit checks are not only poor indicators of future job success, but the methods used to determine credit scores remain highly suspect – given evidence that people of color possess arbitrarily and inexplicably low credit scores.

Also, credit ratings agency fraud played no small part in the housing bubble burst, subsequent economic crisis and the reduced credit scores suffered by so many Americans. In that context, for an employer to discriminate against someone with a less than stellar credit record is unconscionable.

Wall Street excesses and Congress’ weak response have built plenty of barriers between the jobless and their prospects for future employment. Allowing employers to use credit checks to deny employment only serves as another obstacle to getting Californians back to work."

So, this was an easy bill to support. It even provides exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement and in other narrow areas. An employer should not have any right to obtain confidential information that is not germane to a prospective employee’s job. Credit reports do not have predictive value in determining a worker’s ability to perform job duties, but a bad credit report might unfairly influence a hiring employer’s attitude toward a job applicant. 

Unemployed workers are more likely to have suffered some downgrading of their credit score due to the circumstances of their unemployment; hence reliance on credit reports as a factor in hiring decisions might adversely impact those most in need of a job. 

Credit reports are often inaccurate, and could unfairly bias an employer. Correcting mistaken information in a credit report is a tedious, time consuming process, and in the meantime, the job applicant is harmed due to errors by credit reporting entities.

The Consumer Federation of California urges the Governor to protect the financial privacy of Californians from unwarranted snooping by prospective employers by signing AB 22.

Monday, August 22, 2011

Another Massive E-Health Record Data "Spill"

A story in the San Jose Mercury News today sounded a few alarm bells regarding just how "safe" our personal data will be in the coming cyber world reality of electronic health records. As many know, the massive transition to e-health records was a key component of both President Obama's health care proposal as well as the stimulus package itself. 

Currently, states across the country, including California, are working to implement such a system, with consumer privacy perhaps the paramount area of dispute.

One of the most important challenges for privacy advocates has been making sure that the transition to electronic medical records includes ironclad data safeguards along with it. We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

When it comes to the issue of e-health records, certainly one question consumers should ponder is "Where is my data and who has access to it?" Or perhaps even more importantly, "Can my private data be traced back to me personally and sold to others?"

We all consider our healthcare information to be extremely personal and expect the government to protect it from falling into the wrong hands. Granted, regulations alone will never be the end-all solution when it comes to privacy in the information age...they must be coupled with public awareness and the pressure that consumer choice can put on industry.

But as it stands today, there still aren't uniform standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as some in the stimulus bill. But key protections are still absent. 

The prohibition on the sale of medical records is weak and full of loopholes, and it does not apply to vendors like Microsoft or Google. Both companies have agreed to contracts that say they won't release your information, but there is no law mandating that they don't sell the information. If we've learned anything about corporate behavior in recent years, it’s that without ironclad, legal requirements, we shouldn't expect them to behave the way we'd expect from, say, a human being.

Similarly, the breach provisions requiring companies to notify patients when electronic medical records are accessed do apply to Google and Microsoft; however, there are safe-harbor provisions that let companies off the hook from the notification requirement if the breach occurred in "good faith."

The federal law on the books only requires that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.

In other words, there's a lot of work still to be done on this issue. Now let's get to the latest breach of very private, personal medical information. The San Jose Mercury News reports:

Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see. There were insurance forms, Social Security numbers and doctors' notes. Among the files were summaries that spelled out, in painstaking detail, a trucker's crushed fingers, a maintenance worker's broken ribs and one man's bout with sexual dysfunction.

At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American's sensitive medical information will be digitized. 

... 

"When things go wrong, they can really go wrong," says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. "Even the most well-designed systems are not safe. ... This case is a good example of how the human element is the weakest link."

Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers' compensation, put the records on a website that it believed only employees could use, owner Joel Hecht says.

...

When mistakes occur, the fallout can be more severe than the typical breach of email addresses or credit card numbers.

In the wrong hands, health records can be used for blackmail and public humiliation. The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants.

Usually when personal data are exposed, it's the result of a network break-in by a hacker or a theft of computer equipment. Sometimes, it can be a simple case of someone mishandling the information. Leaks are more likely the more data are passed around within the health industry's increasingly interconnected networks.

Dozens of companies can be authorized to handle a single person's medical records. The further away from the health care provider the records get, the flimsier the enforcement mechanisms for ensuring the data are protected. 

...

The latest incident is "an eye-opener, and we're going to get eye-opener after eye-opener," says Jim Dempsey, a security and public policy expert at the Center for Democracy & Technology.

As instances of data mishandling become more commonplace, government officials may seek greater control over security policies of companies with access to health care records that aren't currently regulated.

"It should be yet another warning bell for companies: You've got your reputation on the line, and you're also facing enforcement action if you don't pay attention to the security of the data you collect and process," Dempsey says.


In fact, a recent study by Patient Privacy Rights further validated privacy advocates' concerns, with Google's scores of a D and F and systems offered by employers and insurers also receiving an F. These are two HUGE providers of what will be the electronic health record "industry" that are still failing us. The group notes:

"The bad news is other companies do not allow patients to control their PHRs. That is a scary thing when you consider that PHRs can store sensitive health information as well as lifestyle habits such as what you eat, how much you drink, and how often you exercise. This information can easily get into the wrong hands, especially if your PHR is offered by an employer or insurer. All PHRs claim to be “patient-centric” and claim that “privacy is important”, but it’s simply not true.

What grades did the PHRs earn?

CapMed’s ICE PHR: C

Google Health: D – Platform F - Partners

Microsoft HealthVault: B – Platform F - Programs

NoMoreClipboard: A

WebMDs: C

PHRs offered by Employers/Insurers: F


...

1) Know that if your PHR is sponsored by your employer or insurer, the odds are VERY GOOD that they have access to all your information. This was quite clear after reviewing a form privacy policy for employer/insurer sponsored PHRs. Sure, not every company is out there to take advantage but personal health information can be used to discriminate, damage reputations and harm opportunities.

2) Every company and product has their own privacy policy. Even if you feel comfortable with a PHR's policy and website, click on a link and leave the site, all bets are off. Any third party that touches your data may not be held to the same standard. This is a key lesson for the Google and Microsoft tools.


...

So what can be done?

1) The public needs to wake up and pay attention. Our personal health information is everywhere and being passed from one company to the next, without our permission or knowledge. If we don’t demand control, we will lose it forever.

2) We need federal laws that make Fair Information Practices the rule for all health information, including PHRs. Data shared for one purpose should be used solely for that purpose unless the patient gives consent for any new use. No single piece of data should be allowed to go to an employer, insurer or other entity without patient permission.

Pam Dixon of the World Privacy Forum not too long ago broke down some of the challenges we face, stating "Much of the discussion around PHRs has been oriented toward how they benefit consumers, with almost no meaningful or detailed discussion of the privacy risks. As a result, few consumers have the ability to make genuinely informed decisions about these tools. For example, many consumers assume that because a PHR involves health-related information, that special privacy protections must apply. However, there are different varieties of PHRs and PHR companies, some of which do not fall under the federal privacy rules that are usually applied to health information."

"Many consumers have this deeply held belief that their health information, no matter where it travels, is protected in the same way as when you have a doctor/patient relationship," Dixon said. In reality, consenting to have data transmitted to a non-covered system likely would be viewed as an indication that you had waived your privacy privilege, she added.

Health information stored in commercial PHR systems is also less protected against subpoenas than it otherwise would be, Dixon asserted. Under HIPAA, if someone seeks to subpoena medical records about an individual from a covered entity, the patient has to be informed first. But that protection doesn't apply to PHRs in all instances, she said.

Even more worrisome to Dixon, though, is the potential for protected medical information stored in PHRs to be used for marketing purposes. HIPAA explicitly prohibits such uses, but the terms under which many PHR systems are operated could enable their owners to sell personal health data to marketers, she said. 

People should be aware of such issues when choosing whether to use PHR systems, Dixon said. She added that the operators of PHR systems should be required to clearly disclose whether they are covered under HIPAA and what sort of privacy protections they offer.

As we see the continuing consolidation of, and even the possible monopolization of information technologies, the concern and fear that forces beyond our control have access to EVERYTHING we've nearly ever done will only grow...as will the likelihood that this "power" will be abused...at our expense.

The fact that the health-care and drug-industry lobbies are spending so much effort to weaken privacy standards does not bode well either.

This is an issue I'll be following more on this blog in the coming weeks and months now that California is in the midst of establishing its own e-health record privacy regulations.