Notes for Discussion on a Privacy Practice © Joe Cleetus

Upload: joella-anderson

Post on 29-Dec-2015

Page 1: Notes for Discussion on a Privacy Practice © Joe Cleetus

Notes for Discussion on a Privacy Practice

© Joe Cleetus

Security and Privacy

Security is a wider Concept

Security of Information embraces:

– Confidentiality

– Integrity

– Availability

Achieving Security involves People, Procedures, and Technology

The same is true for Privacy

Privacy Definition

Privacy is the expectation that confidential personal information disclosed in a private place, will NOT be disclosed to third parties, when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities

Laws and Policies govern Privacy

Privacy is no longer a vague concept

It has been legislated

A body of case law exists

Federal laws, State Laws, Supra-national laws

Even the US Constitution has a bearing

Besides, companies have Policies

Topical Relevance

Massive on-line databases of people

Extensive on-line interactions between companies

Millions of daily transactions between companies and customers

Who owns all this, and who has a need to know?

Motivation

Maintain competitive edge

Ensure legal compliance

Enhance company image

Privacy is a requirement – not a customer delight

4 Rights

Unreasonable intrusion on the seclusion of another person

Misappropriation of another’s identity, or exploitation of the name

Publication of private facts

Propagation of false information about a person

Many older laws have been re-interpreted for IT

Information Privacy Principles

1. Collect information lawfully, fairly, and only what is relevant for the purpose

2. If personal information is collected, state the purpose and to whom it will be disclosed

3. If personal information is collected, make sure all reasonable steps are taken against unauthorized access, use, modification or disclosure, and against other misuse

Information Privacy Principles

4. Those collecting PII (personally identifiable information) should maintain a public record of what is kept, its purpose, who has access, and how a person may get access to his/her information.

5. If PII is collected, make sure the record is accurate and targeted only for the purpose kept, and permit a person to correct the record, or attach a note to it showing the owner of the information contests the information contained.

Information Privacy Principles

6. If personal information collected for one purpose is to be used for another purpose, or divulged to a party, then secure the consent of the person, unless an emergency exists or the law demands it, and then make a note of such event in the record.

Many Privacy Rights are embedded in Criminal Statutes

US Mail

Telephone conversation

Library borrowing

Bank records

Student records

Etc.

Federal and States

Plethora of Laws

FERPA

– Student records

ECPA Electronic Communications Privacy Act

– Most basic act for access, use, disclosure, interception and privacy of electronic communications

Section 208 of The E-Government Act

– Federal agencies should protect PII collected

Plethora of Laws

HIPAA Health Information Portability and Accountability Act

– Medical records

Gramm-Leach-Bliley Act

– protects consumers’ personal financial information held by financial institutions.

The (Federal) Privacy Act of 1974

– FTC approved “fair information practices” that are widely accepted principles of privacy protection

Plethora of Laws

EU Data Protection Directive of 1995

– notice

– choice

– access

– onward transfer

– security

– data integrity, and

– remedy

Plethora of Laws

FTC Guidelines encompass

– Web Privacy,

– E-mail privacy,

– Spam, Spyware,

– Privacy of customer data given up on commercial transaction sites,

– Credit reports, etc.

Complaints are against unfair or deceptive trade practices

Plethora of Laws

P3P (Platform for Privacy Preferences Project)

– An open privacy specification developed and administered by the W3C

– Allowing visitors to a Web site to decide what they want to give up

Plethora of Laws

California SB 1386 – Personal Information: Privacy

– applies to state agencies, or a person or business that conducts business in California, and owns or licenses computerized data containing personal information

Plethora of Laws

PIPEDA Personal Information Protection and Electronic Documents Act of Canada.

FISMA Federal Information Security Management Act (applies to Federal agencies)

– federal agencies must develop, document and implement a department-wide information security program

Plethora of Laws

Sarbanes-Oxley

Basel II

Lastly – the anti-law of Privacy

USA Patriot Act

– Negates almost every prescription heretofore stated, under special circumstances

– The circumstances are so loosely defined that much Governmental abuse is expected

– Not only allows the Government to violate Privacy, but mandates that companies collude in this

ISO/IEC 17799

Standard based on BS 7799

– Covers People, Process and Technology

– A wide-ranging document on Information Security

– Has numerous recommendations in detail

– Companies can be certified against this standard

Proposal

Develop a Privacy Compliance Assessment Tool

– Cover People, Process and Technology

It will be a multi-part assessment (multiple laws, multiple departments)

It will be embedded within the client GUI, using the APIs provided

It will

– assign an aggregate score,

– highlight serious issues, and

– provide clear pointers for improvement

Benefits to Clients

Make a complex subject simple

Provide internal consultancy for bringing company into compliance with its own policies and laws

Reduce cost of compliance

Generate a first-cut plan for improvement

Monitor compliance on an ongoing basis

Benefits

Enter a new market for products and services

Obtain follow-on custom work

– Consulting

– Programming for technology to support Privacy

– Customizing the general Privacy Practice to suit industry/company