Notes for Discussion on a Privacy Practice
© Joe Cleetus
Security and Privacy
Security is a wider concept. Security of information embraces:
– Confidentiality
– Integrity
– Availability
Achieving security involves people, procedures, and technology
The same is true for privacy
Privacy Definition
Privacy is the expectation that confidential personal information disclosed in a private place will NOT be disclosed to third parties when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities
Laws and Policies govern Privacy
Privacy is no longer a vague concept
It has been legislated
A body of case law exists
Federal laws, state laws, supra-national laws
Even the US Constitution has a bearing
Besides, companies have policies
Topical Relevance
Massive on-line databases of people
Extensive on-line interactions between companies
Millions of daily transactions between companies and customers
Who owns all this, and who has a need to know?
Motivation
Maintain competitive edge
Ensure legal compliance
Enhance company image
Privacy is a requirement – not a customer delight
4 Rights
The four common-law invasions of privacy (Prosser's four privacy torts):
Unreasonable intrusion on the seclusion of another person
Misappropriation of another's identity, or exploitation of the name or likeness
Publication of private facts
Propagation of false information about a person (false light)
Many older laws have been re-interpreted for IT
Information Privacy Principles
1. Collect information lawfully, fairly, and only what is relevant for the purpose
2. If personal information is collected, state the purpose and to whom it will be disclosed
3. If personal information is collected, make sure all reasonable steps are taken against unauthorized access, use, modification or disclosure, and against other misuse
4. Those collecting PII (personally identifiable information) should maintain a public record of what is kept, its purpose, who has access, and how a person may get access to his/her information.
5. If PII is collected, make sure the record is accurate and targeted only for the purpose kept, and permit a person to correct the record, or attach a note to it showing the owner of the information contests the information contained.
6. If personal information is collected for one purpose and is to be used for another purpose, or divulged to a party, then secure the consent of the person, unless an emergency exists or the law demands it, and then make a note of such event in the record.
Many Privacy Rights are embedded in Criminal Statutes
US Mail
Telephone conversation
Library borrowing
Bank records
Student records
Etc.
Federal and state
Plethora of Laws
FERPA
– Student records
ECPA Electronic Communications Privacy Act
– Most basic act for access, use, disclosure, interception and privacy of electronic communications
Section 208 of the E-Government Act of 2002
– Federal agencies must protect the PII they collect and conduct privacy impact assessments for systems that hold it
HIPAA Health Insurance Portability and Accountability Act
– Medical records
Gramm-Leach-Bliley Act
– protects consumers' personal financial information held by financial institutions.
The (Federal) Privacy Act of 1974
– codifies the "fair information practices" (from the 1973 HEW report) that are widely accepted principles of privacy protection; the FTC has since endorsed a similar set of principles
EU Data Protection Directive of 1995 (95/46/EC)
– the Safe Harbor principles derived from it for US companies receiving EU personal data:
– notice
– choice
– access
– onward transfer
– security
– data integrity, and
– enforcement (remedy)
FTC Guidelines encompass
– Web privacy,
– E-mail privacy,
– Spam, spyware,
– Privacy of customer data given up on commercial transaction sites,
– Credit reports, etc.
Complaints are brought under Section 5 of the FTC Act against unfair or deceptive trade practices
P3P (Platform for Privacy Preferences Project)
– An open privacy specification developed and administered by the W3C
– A site publishes its privacy policy in machine-readable form; the visitor's browser compares it with the user's stated preferences, so visitors can decide what they want to give up
– Caveat: the W3C has since declared P3P obsolete, and current browsers no longer evaluate P3P policies
California SB 1386 – Personal Information: Privacy
– applies to state agencies, or a person or business that conducts business in California, and owns or licenses computerized data containing personal information
– requires notice to affected California residents when unencrypted personal information is, or is reasonably believed to have been, acquired by an unauthorized person (the first US breach-notification law, in force since July 2003)
PIPEDA Personal Information Protection and Electronic Documents Act of Canada.
FISMA Federal Information Security Management Act (applies to Federal agencies)
– federal agencies must develop, document and implement a department-wide information security program
Sarbanes-Oxley
Basel II
Lastly – the anti-law of Privacy
USA PATRIOT Act
– Negates almost every prescription heretofore stated, under special circumstances
– The circumstances are so loosely defined that much Governmental abuse is expected
– Not only allows the Government to violate Privacy, but mandates that companies collude in this
ISO/IEC 17799
Standard based on BS 7799 (Part 1); renumbered ISO/IEC 27002 in 2007
– Covers People, Process and Technology
– A wide-ranging document on Information Security
– Has numerous recommendations in detail
– 17799 itself is a code of practice; companies are certified against the companion management-system standard, BS 7799-2 (now ISO/IEC 27001)
Proposal
Develop a Privacy Compliance Assessment Tool
– Cover People, Process and Technology
It will be a multi-part assessment (multiple laws, multiple departments)
It will be embedded within a client GUI, using the APIs provided
It will
– assign an aggregate score,
– highlight serious issues, and
– provide clear pointers for improvement
Benefits to Clients
Make a complex subject simple
Provide internal consultancy for bringing the company into compliance with its own policies and with the law
Reduce cost of compliance
Generate a first-cut plan for improvement
Monitor compliance on an ongoing basis
Benefits
Enter a new market for products and services
Obtain follow-on custom work
– Consulting
– Programming for technology to support Privacy
– Customizing the general Privacy Practice to suit industry/company