Digital Privacy: Laws, Rights, and Protections Deborah A. Robinson, CISSP Chief Information Security Officer Georgia Perimeter College 03/21/22 1


Page 1

Digital Privacy: Laws, Rights, and Protections

Deborah A. Robinson, CISSP
Chief Information Security Officer
Georgia Perimeter College
5/7/2015

Page 2

How many records were reported compromised in 2009?

285 million

662 data breaches were reported in 2010, up from 250 reported in 2009.

Page 3

How long does it take to break your password?

6 days to break a reasonably strong password (10 characters) with 5 lowercase, 2 uppercase and 3 numbers.

Less than 2 minutes to break an 8-character password with uppercase, lowercase, and numbers.

More common passwords like "test", "password" or "123" will be cracked instantly.

Per SANS statistics

Page 4

Which country hosts the most phishing attacks?

The United States

In the first half of 2010, the United States hosted 70-80% of all such sites. Second and third place were Hong Kong and China.

Page 5

The average security breach in 2010 cost the enterprise $7.2 million. The average cost per record was $214.

Page 6

Do you know where your mobile devices are?

10 to 15 percent of all handheld computers, smart phones, and cell phones are eventually lost by their owners.

Losses (theft/other) per 1,000 laptops last year were just under 20.

Page 7

Cyber Crime

Identity theft is the fastest growing crime, according to the Federal Trade Commission.

Experts estimate that about 10 million people become victims each year. That means every minute, 19 people become new victims of identity fraud!

Drug trafficking has been replaced by identity theft as the number one crime. The major player is now organized crime, responsible for 70% and billions in ill-gotten gains.

Page 8

In the News:

A security firm discovered a botnet responsible for stealing sensitive data from more than 2,500 companies, gov’t agencies, and educational institutions over the past 18 months.

The company found a 75GB cache of data that included 68,000 logon credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail, and others. The company described it as “a vast cache of dossier-level data sets on individuals including complete dumps of entire identities from victim machines.”

Once infected, the botnet can capture everything the victim types (including passwords), files, cookies, usernames, and provides full remote control. Once an endpoint is infected, the attacker then makes their way onto the primary network.

Page 9

Digital Privacy

Page 10

Digital Privacy - Issues

Risks
- Identity theft and fraud
- Profiling and commercial targeting
- Personal attacks

Page 11

Digital Privacy - Issues

Threats
- Malware*
- Social networking – many issues
- Phishing
- Impersonation
- Cookies and web bugs
- Cloud computing (HealthVault, Flickr, Gmail)
- Data mining
- Web browsing history
- Digital trails and retained data

Page 12

Digital Privacy - Issues

Malware (Malicious Software)
- Viruses, trojans, worms
- Root kits, botnets
- Key loggers and scrapers
- Spyware, adware, spam

“Malware has, in fact, become professionalized. Malware is now coded by professional software developers, often working for organized crime. Malware authors now employ encryption to make detection more difficult, and, in the spirit of the best defense being a good offense, aggressively target and remove security software and even rival malware. This evolution in the nature of malware behavior is forcing security experts to change their approach to security, moving from a threat recognition model to a behavior analysis model.”

Page 13

Digital Privacy - Issues

Did You Know? You can buy on the underground Internet:
- Identity data: $1-$15
- Credit card numbers: $0.10-$20
- Malware kits: $25 and up

Page 14

Digital Privacy - Protections

Laws and Regulations
- Electronic Communications Privacy Act
- Computer Fraud and Abuse Act
- Identity Theft Enforcement and Restitution Act
- The Children's Online Privacy Protection Act
- FERPA
- HIPAA/HITECH and Health Breach Notification Rule
- PCI DSS
- GLBA
- Red Flags Rule
- Privacy and Identity Theft Notification Laws
- USA PATRIOT Act

Page 15

Digital Privacy - Protections

Electronic Communications Privacy Act
- Derived from Fourth Amendment protection against unreasonable search and seizure
- Regulates when and how law enforcement can intercept and use electronic communication
- Protects electronic and telephone communications from non-government eavesdroppers
- Amended by USA PATRIOT Act
- Administered by Department of Justice

Page 16

Digital Privacy - Protections

Computer Fraud and Abuse Act
- Prohibits unauthorized use of computers – hacking, implementing malware, data theft, etc.
- Prohibits trafficking in passwords or other unauthorized means of access
- Amended by USA PATRIOT Act
- Administered by Department of Justice

Page 17

Digital Privacy - Protections

Identity Theft Enforcement and Restitution Act
- Strengthens federal prosecution of identity theft crimes
- Makes certain acts felonies that were previously misdemeanors
- Allows for the restitution of victims of identity theft

Page 18

Digital Privacy - Protections

Children’s Online Privacy Protection Act
- Applies to online collection of information from children under 13
- Must post easily accessible policy
- Must obtain parental consent for gathering information from the child
- Administered by FTC

Page 19

Digital Privacy - Protections

FERPA – Family Educational Rights and Privacy Act
- Specifies rights to view educational data
- Protects against unauthorized disclosure of educational data
- Requires reasonable and appropriate protection of educational data
- Administered by Department of Education

Page 20

Digital Privacy - Protections

HIPAA/HITECH and Health Breach Notification Rule
- HIPAA – Health Insurance Portability and Accountability Act
- Applies to health conditions, treatments, and payment
- Requires enterprises to implement reasonable and appropriate security to protect your information
- Failure to comply carries fines and criminal penalties
- Consumers must be notified of security breaches and unauthorized exposure of protected information
- HIPAA and HITECH – administered by HHS
- Health Breach Notification Rule – administered by FTC

Page 21

Digital Privacy - Protections

HIPAA/HITECH Non-compliance
- Rite Aid – fined $1 million, 7/2010 – improper disposal of data
- General Hospital Corp. and Massachusetts General Physicians Organization Inc. – fined $1 million, 2/2011 – document left on subway
- CVS – fined $2.25 million, 2/2009 – improper disposal of data

Page 22

Digital Privacy - Protections

PCI DSS – Payment Card Industry Data Security Standard
- Industry regulation – credit card companies
- Specifies detailed security measures for merchants handling credit and debit card information
- Requires levels of compliance verification
- Stiff fines levied by payment card companies
- Ability for merchants to take cards can be revoked
- Administered by individual credit card companies and acquiring banks

Page 23

Digital Privacy - Protections

PCI – TJX Data Breach
- 2/2007
- Loss of 45 million credit and debit card records
- $40.9 million settlement with Visa
- Unsecured wireless

Page 24

Digital Privacy - Protections

PCI – CardSystems Solutions
- MasterCard processor
- 6/2005
- Loss of up to 40 million credit card records
- Lack of reasonable and appropriate security

Page 25

Digital Privacy - Protections

PCI – Heartland Payment Systems
- 1/2009
- Loss of tens of millions of credit card records
- $60 million settlement with Visa
- Keylogger

Page 26

Digital Privacy - Protections

GLBA – Gramm-Leach-Bliley Act
- The Financial Privacy Rule – governs collection and disclosure of customers’ personal financial information by financial institutions and other companies that receive the information, with specific privacy policy requirements
- The Safeguards Rule – requires financial and other institutions to design, implement, and maintain safeguards (security) to protect customer information
- Pretexting protection – reduces chances of someone gaining unauthorized access to customer information by impersonation, phishing, social engineering, etc.
- Weak enforcement and compensation mechanisms
- Administered by Federal Trade Commission

Page 27

Digital Privacy - Protections

Red Flags Rule
- Part of Fair and Accurate Credit Transactions (FACT) Act
- Requires financial institutions and creditors to implement an Identity Theft Prevention Program
- Designed to detect warning signs (or "red flags") of identity theft in day-to-day operations
- Examples – alerts from credit agencies or customers of possible identity theft, suspicious customer documents, suspicious personal identifying information, unusual activity on the account
- Administered by Federal Trade Commission

Page 28

Digital Privacy - Protections

Privacy and Identity Theft Notification Laws
- State laws that specify protections and/or notifications for unauthorized disclosure of personally identifiable information (PII)
- Currently 47 states; first was California, strongest is Massachusetts
- Georgia law – specifies timely notification to any individuals whose unencrypted personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person.

Page 29

Digital Privacy - Protections

USA PATRIOT Act
- USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
- Reduced restrictions on law enforcement agencies' ability to search telephone, e-mail communications, medical, financial, and other records
- Expanded access to a variety of business records
- Significantly expanded wiretapping, surveillance, and physical search capabilities, with “intelligence” warrants not requiring probable cause or specific location
- Weakened privacy rights

Page 30

Digital Privacy - Protections

What Organizations Do to Protect Your Data
- Identify risks to sensitive data
- Implement an information security program to ensure adequate protection of sensitive data:
  – Policies and procedures
  – Incident response plans
  – Security awareness
  – Encryption of sensitive data
  – Technical security measures
- Comply with industry standard security practices
- Comply with applicable laws and regulations

Page 31

Digital Privacy - Protections

What You Can Do
- Protect your PII (Personally Identifiable Information): name + SSN, driver's license number, any financial account number, address, phone number
- Never give it out unless necessary
- Don’t put it on social media; you can’t take it back
- Be sure who you’re giving it to
- Use the sniff test

Page 32

Digital Privacy - Protections

What You Can Do
- Practice good security
- Opt out
- Use strong privacy settings
- Read policies and agreements
- Patch and apply upgrades
- Use current AV and firewalls
- Use strong passwords
- Search and surf anonymously
- Don’t click on anything unsolicited
- Think – be smart!

Page 33

Digital Privacy - Protections

What You Can Do

Anonymizers
- Most use proxy servers and multiple relays
- Tor Network – www.torproject.org
- I2P – www.i2p2.de
- ShadowSurf – www.shadowsurf.com
- Startpage – private search engine – www.startpage.com
- Anonymous remailers

Page 34

Digital Privacy

Report problems!!!

Page 35

Information Security