What Does Privacy Have to Do With IT? Privacy Risk Assessment

Upload: lorin-snow

Post on 17-Dec-2015


What Does Privacy Have to Do With IT?

Privacy Risk Assessment


Privacy: Its Different Legal Meanings and Expectations

• Warren and Brandeis “Right to Privacy” 1890
  – Torts and private rights of action
    • Based on property law
  – Reaction to “Yellow Journalism”
    • And technology: consumer camera
  – Prosser, On Torts, 1960 catalogue
    • Intrusion upon seclusion
    • Public disclosure of private facts
    • False light
    • Misappropriation of likeness


Privacy: Its Different Legal Meanings and Expectations

• Constitutional Law
  – Criminal Procedure
    • 4th Amendment
      – No search or seizure without probable cause of criminal activity and judicial oversight
    • At issue for government surveillance
      – Olmstead 1928
        » “no intrusion on person”
      – Katz
        » Overrules Olmstead
        » 4th A. “protects people, not places”
        » “Wiretap Act” 1968


Constitutional Law: Personal Privacy

• Griswold v. Conn. 1965
  – “right of privacy:”
  – Information and birth control materials for married couples
  – penumbra of 1,3,4,5,9 Amendments
• Eisenstadt v. Baird 1972
  – Right to information and birth control for unmarried individuals
• Roe v. Wade 1973
  – Right to abortion in first trimester


Public Privacy Acts

• Fair Credit Reporting Act 1970
  – Credit Reporting Information
    • Character
    • Credit worthiness
    • Credit history, etc.
  – Early “fair information practice” type of law
    • Notice, relevance, use of data, ability to correct, etc.
  – Updated FACTA 2003
  – Protect against identity theft with credit alerts
  – Annual right to review credit
• Privacy Act 1974
  – Federal government and agencies
  – Sets standard for distinction between privacy and security
  – Tension with other federal laws: FOIA, Patriot Act?


Public Privacy Laws

• Family Education Rights Privacy Act 1974
  – Educational Records
• Electronic Communications Privacy Act 1986
  – Reworked “Wiretapping” Act
  – Compressed telecommunications and data communications
  – Amended by the Patriot Act
    • Emergency disclosures
    • Required disclosures
    • Computer Trespass


Public Laws

• Computer Matching and Privacy Protection Act 1988
  – Procedural requirements for matching of different government databases
  – Detailed cousin of the Privacy Act of 1974
  – Largely ignored, if not effectively superseded by the Patriot Act
• Video Privacy Protection Act 1988
  – “Bork Law”
  – Restricts disclosure of data about customer selections
  – Limits law enforcement access
  – Notice to customers


Public Privacy Laws

• Cable Communications Privacy Act 1989
  – Restricts disclosure of customer selections
  – Notice of subpoena
  – Limit on law enforcement
• Telephone Consumer Protection Act 1994
  – Restricts disclosure of customer selections
  – Notice of subpoena
  – Limit on law enforcement

*All sounds good, patchy however, and weakly enforced!*


Public Privacy Laws

• Health Insurance Portability Accountability Act 1996
  – Medical records
  – Separate privacy and security requirements
  – Combines fair information practices use restrictions
  – Floor of protection, states can go higher


Public Privacy Laws

• Financial Services Modernization Act 1999
  – Updates New Deal banking laws, but includes privacy considerations
  – Separate privacy and security regulations
  – Can share with affiliates
  – Notice and correction law
  – Initial and annual privacy notices
  – Pre-empts other laws


Observations

• Patchwork, but no quilt!
• Some principles
  – Fair Information Practices
  – Restrictions on use….but
• No comprehensive application of principles comprised from various sectors the the law as university
  – Cf: Declaration of Rights
  – EU Directives


The Harbinger is Here:

• STATE OF MICHIGAN COURT OF APPEALS
• AUDREY BELL, LEO BEASLEY, BRENDA BLACK, KIMBERLY BLEVINS, KATHLEEN CONQUEST, VERONICA DORSETTE, LINDA FACEY, JAYNE FLOYD, GRACE JENNINGS, MARY OLIVER, TERRI SUTTON, ANGELA TURNER, and ALCITA WILLIAMS, Plaintiffs-Appellees,
  v
  MICHIGAN COUNCIL 25 OF THE AMERICAN FEDERATION OF STATE, COUNTY, AND MUNICIPAL EMPLOYEES, AFL-CIO, LOCAL 1023, Defendants-Appellants, and DENTRY BERRY and STEVEN MALACH, Personal Representative of the ESTATE OF YVONNE BERRY, Deceased, Defendants.
• UNPUBLISHED, February 15, 2005
• No. 246684, Wayne Circuit Court, LC No. 01-107819-NO


Privacy Leaders

Policy values

Legal compliance structures

Enterprise-wide solutions

Balance of culture and goals, laws and reputation


Security vs. Privacy

• Security Risk Assessment is different from Privacy Risk Assessment

– Security is about resources (systems, software, storage, networking, transmission, users, etc.) (our usual stuff)

– Privacy is about data


Data

• Policies and procedures for collecting and protecting confidential data
  – why collect, what to collect, who collects, context, who has responsibility

• Classification of data

• Data retention-why, how long

• Data ownership


Data

• Accuracy

• Storage – where (local and offsite-DR)

• Access/Use – who and why

• Disposal – when and how

• Personnel training/awareness


Security Risk Assessment

• Audit trails/logs

• Authentication

• Authorization

• Change Management

• Firewalls


Security Risk Assessment

• Levels of authority

• Network security

• Physical security

• System security

i.e. keeping physical and electronic assets secure


Privacy Risk Assessment

• Relates to policies and procedures

• Applications and services that contain or collect confidential information


Privacy Risk Assessment

• What information is being collected and why it is being collected

• Procedures for obtaining consent from individuals

• Is the data necessary?

• Is it accurate?


Privacy Risk Assessment

• Compliance regulations

• Standards for
  – development projects
  – auditing compliance

• Authorization and authentication requirements


Privacy Risk Assessment

• Risks of theft, modification, or disclosure and mitigation procedures

• Third party vulnerabilities

• Disclosure incident procedures

• Awareness training


Risks to Privacy

• Unauthorized or improperly authorized access/disclosure

• Inadequate or ineffective protection processes

• Third party access/disclosure


Consequences of Breaches

• Legal liability

• Financial liability

• Reputational loss

• Business loss

• Trust loss


Security and Privacy

Privacy must be part of a comprehensive Security program


February, 2005

• ChoicePoint admits that personal data of 145,000 consumers may have been compromised

• Bank of America discloses the loss of computer data tapes containing the personal financial information of 1.2 million federal employees

• DSW Shoe Warehouse admits credit card information from 103 of its stores has been stolen

• LexisNexis announces that names, addresses, social security numbers and driver’s license information of 32,000 individuals had been hacked


So what does this have to do with Higher Education?


January - March 2005 Incidents Involving Colleges and Universities

• George Mason University – DB containing personal information of over 32,000 students and employees hacked

• Cal State – personal information of 59,000 hacked

• Boston College – Personal information re. 100,000 alumni exposed
  – Involved use of a third party vendor to manage the data

• U of Georgia – Officials reconsidering providing servers for online student portfolios after discovering a student was maintaining names and credit card numbers of other students in his portfolio

• Northwestern University – Server in Kellogg School of Business containing personal information re. approximately 24,000 students, faculty and alumni hacked

• University of California, Berkeley – A computer laptop containing personal information re. nearly 100,000 alumni, graduate students and past applicants is stolen


April – December 2005?

• Insert “my college or university” here…..


Next year, Tracy may be speaking on the new “privacy” laws likely to be enacted in the wake of these incidents

But in the meantime, what is the state of privacy on your campus?


Security and Privacy

Privacy and Security

Two sides of the same coin?

Or are they entirely different coins of the same realm?


?

• They are necessarily interrelated, but privacy often receives short shrift in the understandable rush to secure our electronic environments

• Perhaps we should begin to think more distinctly about privacy AND… about our role as campus IT leaders in fostering a “culture” of privacy


So, what does any of this have to do with me???

• I just want to keep my system up, functioning, secure, stable, etc…..

BUT,

• What happens when (not if) you have a serious security breach on your campus?

• Concern for privacy issues is often driven by a serious incident in which confidential information is exposed, or there is a request to examine confidential information in response to a crisis

• IT organizations are often placed in the unacceptable position of decision maker regarding response to the potential exposure and/or access to the requested information

• We risk becoming the arbiters of ethical issues, such as whether affected individuals will be notified of potential compromises of their private information (where not required by law), and whether any information is shared with requesting officials, as well as its scope and content

• This approach can result in ad hoc decisions that may have serious legal and/or social consequences


Campus IT organizations have a definite stake in building a “culture of privacy”

• A culture of privacy often must be built, brick by brick, office by office, administrator by administrator

• FERPA and more recently, HIPAA, compliance efforts provide a foundation for pushing the culture out to the broader campus

• A culture of privacy is most clearly reflected by a privacy policy

• A privacy policy enables IT professionals to perform their responsibilities and respond to requests regarding private or confidential information with a minimum of confusion or risk


It may be helpful to conceptualize as follows:

• Security – Authentication

• Privacy – Authorization

This approach may seem almost absurdly reductionist, BUT, this is a very useful concept in the development of a privacy policy for your campus


Policy Considerations

Do you have a written policy applicable to all data owners and custodians?

• Does it contain a clear policy statement regarding the confidentiality of personally identifiable information?

  – Definition of “private” or “confidential” information
    » Names, social security numbers, home addresses, salaries
    » What about e-mail, library records (many states have statutes), visits to internet sites, etc.

• Does it clearly state a commitment by the institution to maintain confidentiality and prohibit routine monitoring of such information except as necessary to develop or maintain systems, investigate substantive allegations of misconduct, and/or to comply with legal obligations?

– This type of provision is sometimes resisted, especially by Counsel


Does your campus have a “culture of privacy”?

Policy Considerations (cont’d.)

• Does the policy make clear that authorization to access confidential information should be no broader than that essential to perform a particular responsibility or duty?

• Does it state the circumstances under which individuals whose confidential information may have been exposed will be notified of the potential compromise?

• Does it clearly identify the office or individual that may authorize access to private or confidential information in the event of an emergency, need to investigate, etc.?

• Is it clear that IT organizations should have no role in the decision to authorize such access?


Other (often aspirational) indicators of a “culture of privacy”

– Established procedure(s) regarding when access to confidential information should begin and end

• e.g., DB developers, employees who change jobs

– System administrators, DBA’s and others with broad access to confidential information are required to sign “Confidentiality” or “Nondisclosure” Agreements

– Established policy/procedure regarding access to confidential information by third party vendors or contractors

– Privacy Statements/Policies on all institutionally sponsored websites

– Established policy/procedure for correcting information that may contain errors

• Importance cannot be overstated


Colleges and Universities, especially their IT organizations, can play a critical role in the current national debate about Privacy

• Higher Education has long been at the fore of social policy debate

• As citizens, we too are concerned about security and privacy and the need to strike the proper balance

• Our long experience with FERPA compliance and more recently, HIPAA, as well as our historical commitment to academic freedom renders us uniquely positioned to contribute to this complex debate

• We can have a strong voice in the national legislative agenda re. privacy, but we must take the time to educate our top administrators

– See “Alma Mater as Big Brother” Op-Ed in Washington Post (March 29, 2005) by Katherine Haley Will, President of Gettysburg College

• We can be leaders in the development of institutional “cultures of privacy” that may help crystallize and inform the issues surrounding privacy in a digital world


If interested in learning more:

Article:

• Information Age Privacy Concerns are More Kafkaesque than Orwellian
  – Daniel J. Solove, Chronicle of Higher Education (12/10/2004)

Book:

• No Place to Hide
  – Robert O’Harrow, Jr. (2005)