ICO orders Scottish health board to improve data protection

The Information Commissioner’s Office (ICO) has ordered Grampian Health Board to take action to protect patients’ information, following six data breaches in thirteen months. The breaches included papers containing sensitive personal data being left abandoned in public areas of the hospital and, once, at a local supermarket. The ICO concluded that the mistakes kept occurring because there was no information register to identify the personal information held and who was responsible for it.

Cyber-attack on HSBC in Turkey

HSBC Holdings’ Turkish unit confirmed a cyber-attack resulting in the theft of 2.7 million customers’ bank data. The breach is said to be limited to Turkey, and the bank is working with the local banking regulator and the police to investigate the leak. Historically, Turkey has not enforced a requirement to disclose data breaches to victims, so it is unclear whether this is Turkey’s worst security breach.

TRUSTe settles FTC charge

TRUSTe, Inc., a provider of privacy certificates, has agreed to settle charges brought by the US Federal Trade Commission (FTC). TRUSTe provides certificates to online businesses that meet the requirements of consumer privacy programmes. The FTC alleged that TRUSTe failed to conduct annual recertifications and facilitated its misrepresentation as a non-profit entity. Under the terms of the settlement, TRUSTe agreed to pay USD 200,000 and is prohibited from making misrepresentations about its certification process and barred from misrepresenting its corporate status.

US State Department shutdown

Having initially said that the disruption was part of scheduled maintenance, the US State Department has confirmed that it shut down its unclassified computer network over the weekend after “activity of concern” was detected. This breach follows attacks on the White House, the US Postal Service and the US Weather service in recent weeks. The State Department’s press office director said there was “no reason to believe classified information was compromised”, although the breach remains under investigation.

Home Depot litigation consolidation

After a flood of lawsuits was filed in courts throughout the US arising from the theft of credit card data that was confirmed by Home Depot in September, plaintiffs in one of the first actions to go on file have filed a motion to transfer eleven of the cases pending in seven separate federal courts to the Northern District of Georgia for consolidated pre-trial proceedings. The retailer and many of the other plaintiffs support the request, but some plaintiffs oppose the venue. A hearing on the motion is scheduled for 4 December.

Australian Privacy Commissioner issues warning to companies

Timothy Pilgrim, the Australian Privacy Commissioner, issued a strong warning to companies on Monday that attempts to conceal a data breach “will not be looked well on by [his] office”. The Office of the Australian Information Commissioner (OAIC) has recently released the government’s Privacy Regulatory Action Policy, detailing the privacy commissioner’s powers, and the OAIC is currently working on a “Guide to privacy regulatory action”. The OAIC has largely been thought of as toothless, so companies should be on notice following Pilgrim’s warning, as these measures are intended to give the office additional potency.