Protecting Privacy in State Government Basic Privacy & Security Training for State of Ohio Employees

Upload: damon-garrison

Post on 11-Jan-2016


TRANSCRIPT

Page 1: Protecting Privacy in State Government Basic Privacy & Security Training for State of Ohio Employees

Protecting Privacy in State Government

Basic Privacy & Security Training

for State of Ohio Employees

Page 2

Objectives & Agenda

Overview: privacy & security
• What is privacy?
• Privacy and security, what is the difference?
• Defining sensitive data
• Why protect privacy?
• Best practice perspectives
• Good information-handling practices
• Security incident response
• Privacy quiz

Page 3

What is Privacy?

“The right to be left alone -- the most comprehensive of rights, and the right most valued by civilized men.” ~ Louis Brandeis

“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” ~ Alan Westin

“You have no privacy, get over it.” ~ Scott McNealy

Page 4

What is Privacy: That was Then & This is Now

Then: Practical Obscurity
• No internet; no cell phones; marketing less pervasive; sense of “ain’t nobody’s business”

Now: Information Age
• More data gathering across government & business
• Smart phones, camera phones
• Mobile & wireless computing, 24/7 access
• Technological developments (surveillance cameras & software, RFID, biometrics)

Page 5

Changing Threat Landscape

1997

• Amateur hackers

• Web site defacement

• Viruses

• Infrequent attacks

2007

• Organized crime

• SQL Injections

• Identity theft

• Constant threat

• Plus the 1997 threats: amateur hackers, web site defacement, viruses

342 data breaches in the first half of 2008: more than 69% greater than the same time period in 2007

Page 6

Privacy and Security, what is the difference?

Privacy & security are flip sides of a coin.

Privacy: broadly speaking, how data is defined and used
• Laws, regulations, and policies that define and classify data and data usage

Security: securing the data, both physically and technologically, per its definition, to ensure its
• Confidentiality (limited access)
• Integrity (authentic & complete)
• Availability (accessible)

Page 7

Defining Sensitive Data

Personally Identifiable Information (PII)
Broad definition: any information that is maintained by an entity that identifies or describes an individual.

Sensitive PII
Name, when associated with:
• Social Security number
• Financial
• Health & medical
• ID card (driver’s, state identification card)
• Biometric

Page 8

Defining Sensitive Data (con’t.)

Sensitive data is more than PII; it is also information your organization classifies as sensitive:
• Data mandated by law to be confidential
• Case numbers
• Security plans & reports
• Intellectual property
• Economic forecasts
• Passwords

Page 9

Sensitive Data = Money

Handle sensitive data like cash!

Page 10

October 10, 2007

Why Protect Privacy? – World View

• Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new email spam and privacy regulations
• California: SB 1, SB 1386, SB 27, AB 1950
• South Africa: Electronic Communications and Transactions Act
• US Federal: HIPAA, GLBA Safeguards Rule, COPPA
• Hong Kong: Personal Data Privacy Ordinance
• Canada: PIPEDA
• Japan: Personal Information Protection Act, METI Guidelines
• Chile: Law for the Protection of Private Life
• South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
• India: Law pending, currently under discussion
• New Zealand: Privacy Act
• Argentina: Personal Data Protection Law, Confidentiality of Information Law
• Philippines: Data Privacy Law proposed by ITECC
• Taiwan: Computer-Processed Personal Data Protection Law
• European Union: EU Data Protection Directive and Member States, Safe Harbor Principles

Page 11

Why Protect Privacy? - Public Trust

Citizens have no option to shop around – they are required to provide personal information to government.

We have an obligation to protect the information entrusted to us.

Page 12

Why protect privacy? – U.S. Federal Laws

Federal: HIPAA, GLBA, COPPA, FERPA, FCRA, genetic privacy, and more laws in the works

State: data breach notification, credit freeze, PII in public records, biometrics, RFID

Page 13

Why protect privacy? - Ohio

It’s a best practice and rapidly becoming statewide law and policy!
• Executive Order 13S (2007): Improving State Agency Data Privacy and Security
• Ohio IT Bulletin ITB-2007.02: Data Encryption and Securing Sensitive Data
• ITP-B.11: Data Classification Policy
• HB 104: Data Breach Notification Law
• HB 13: No SSN - Vehicle Registration Renewal Notice
• HB 46: Credit Freeze & SSN Redaction
• And more to come…

Page 14

Why protect privacy? (con’t.)

Increasing citizen & consumer sensitivity

Security breaches
• Almost daily occurrence
• Data breaches hit 8.3 million records in the first quarter of 2008*
• 167 data breaches in the first quarter of 2008
• 448 incidents in 2007

Identity theft
• Low-risk, high-reward crime
• Becoming more and more organized

*Source - The Identity Theft Resource Center

Page 15

Identity Theft

What It Is and Its Impact

Page 16

What is identity theft?

A crime to intentionally use another person’s identifying information to fraudulently obtain credit, property or services. Ohio Rev. Code Ann. §2913.49

Types:
• Financial: access to existing accounts; creation of new accounts
• Services: employment, medical
• Criminal

Page 17

Incidence & Impact of Identity Theft

• 8.1 million incidents (2007): 3.6% of adults
• Out-of-pocket costs (2007): average $691
• Time spent recovering (2006): average 25 hours

Source: Javelin, 2/07 & 2/08

Page 18

Impact of ID Theft on Economy

Total cost of identity theft in U.S. in 2007

$45 Billion

Source: Javelin, 2/08

Page 19

Beware of Social Engineering Schemes

Identity thieves may try to trick employees into disclosing personal information: phishing e-mails, phone calls

Verify identity and authority of anyone requesting sensitive data

Page 20

Basic Data Handling for State Employees

Page 21

Public Records and Sensitive Data

Most records agencies handle are public records, but they may also contain sensitive information. Employees must employ protective measures to ensure the information is not improperly released.

Ohio’s Public Records Act is based upon the concept that records produced by government are the people’s records.

Other laws require state government to protect sensitive information.

Page 22

Basic Privacy Principles

1. Minimization/Collection Limitation: only collect that data for which you have a business need.

2. Notice/Awareness: clear and complete disclosure to individuals on the specifics of how the data they submit is to be collected, used, and shared with other organizations, in addition to the steps taken to preserve the data’s confidentiality, integrity, and quality.

3. Choice/Consent: where applicable, give individuals the choice of what data they submit, how it can be used, and with whom it can be shared.

4. Access: where applicable, give reasonable access to an individual’s personal data for review, modification, correction, and, where appropriate, deletion.

5. Integrity/Security: ensure that personal information is relevant, accurate, and consistent throughout the enterprise; and that reasonable security precautions are taken to protect data from unauthorized use, access, or transfer.

6. Accountability/Enforcement: specify an individual(s) to ensure the integrity and security of the data, and to enforce applicable law and policy.

Page 23

International Privacy Principles

1. Openness: There should be a general policy of openness about the practices and policies with respect to personal information.

2. Purpose Specification: The purposes for which personal information is collected should be specified at the time of collection. Further uses should be limited to those purposes.

3. Collection Limitation: Minimize the data you collect. Only the data necessary for the stated purpose should be collected. Personal information should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the individual.

4. Data Quality: Personal information should be accurate, complete and kept up-to-date, and relevant to the purposes for which it is to be used.

5. Use Limitation: Personal information should not be used for purposes other than those specified, except with the consent of the data subject or by the authority of law.

6. Individual Participation: Individuals should have the right to inspect and correct their personal information.

7. Security Safeguards: Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.

8. Accountability: Someone in the organization should be accountable for compliance with the organization’s privacy policies.

~Based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (www.oecd.org)~

Page 24

October 10, 2007

The Life Cycle of Sensitive Data

Data is an asset. The value associated with a piece of data is determined by its attributes, context within the agency, and associated risk…all are key factors in data classification.

Data life cycle: Collection, Storage, Use, Sharing, Destruction

[Diagram: Attributes, Context and Risk together determine Data Value]

Page 25

Handling Sensitive Data - Overview

Take stock
• What is PII & other sensitive data
• Where is it in your organization

Scale down
• Only collect what you need

Lock it
• Secure, encrypt, protect

Proper disposal
• Securely dispose of documents per your retention schedule – remember the Sunshine Laws!

Plan ahead
• Know your security incident response procedure

Page 26

Take Stock

Know Where Sensitive Data Lives
• Learn where sensitive data is stored in your office and systems
• PCs, workstation file drawers, laptops, BlackBerrys, and other portable devices
• Sensitive PII: employee data, as well as data of citizens/consumers, licensees, and others
• Other data classified as sensitive

HB 46 calls for all agencies to engage in Privacy Impact Assessments for new data systems.
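As an added example that is not part of the original deck, a small inventory scanner for the "take stock" step: it finds Social Security numbers in text records and reports where they are, masked. The sample records are constructed for this example; the plausibility rules follow the SSA's published allocation rules (area 000, 666 and 900-999 never issued; group 00 and serial 0000 never issued).

```python
"""Added example (not from the original training deck): a "take stock"
helper that scans text records for Social Security numbers so an agency can
learn where sensitive PII lives. Sample records below are constructed."""
import re
from typing import List, Tuple

# Matches 123-45-6789, 123 45 6789 or 123456789 with no digit on either side.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject candidates the SSA has never issued; this cuts false positives
    on case numbers, phone numbers and dates that happen to be nine digits."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return every plausible SSN in the text, normalised to nnn-nn-nnnn."""
    found = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            found.append(f"{area}-{group}-{serial}")
    return found


def mask(ssn: str) -> str:
    """Show only the last four digits when reporting, so the inventory
    report does not itself become another copy of the sensitive data."""
    return "***-**-" + ssn[-4:]


def inventory(records: List[Tuple[str, str]]) -> List[Tuple[str, int, str]]:
    """records: (location, contents). Returns (location, line number, masked
    SSN) for each hit, which is what a data inventory needs to record."""
    hits = []
    for location, contents in records:
        for lineno, line in enumerate(contents.splitlines(), start=1):
            for ssn in find_ssns(line):
                hits.append((location, lineno, mask(ssn)))
    return hits


# Constructed sample records: a spreadsheet export and a case note.
SAMPLE_RECORDS = [
    ("shared/licensees.csv",
     "name,ssn,phone\n"
     "A. Example,219-09-9999,614 555 0100\n"   # plausible SSN -> reported
     "B. Example,000-12-3456,614 555 0101\n"),  # area 000 never issued -> ignored
    ("laptop/case_notes.txt",
     "Case 2007-11-0042 opened.\n"              # not a nine-digit SSN -> ignored
     "Applicant SSN 321 54 9876 verified.\n"),  # space separators -> reported
]

if __name__ == "__main__":
    for location, lineno, masked in inventory(SAMPLE_RECORDS):
        print(f"{location}:{lineno}: {masked}")
```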

Page 27

Scale Down

Data Minimization is Your Friend – less is more
• Data quantity (only take what is necessary for a particular function)
• Access levels (only give access to those that need it)

1. Everything you take is something you have to retain
2. Everything you retain is something that can be breached
3. Everything that can be breached is something for which you are liable
4. Less data collected = less liability

REMEMBER: Comply with Ohio Sunshine laws and your agency’s records retention policy

Page 28

Scale Down (cont.)
• Collect & retain only what you need and keep it only for the time you need it.
• Regularly purge documents with sensitive data from individual file folders (unless required to keep per public records law)
• Avoid downloading sensitive data unless necessary.
• Regularly cleanse sensitive data from PCs, laptops, other portable devices.

REMEMBER: Comply with Ohio Sunshine laws and your agency’s records retention policy

Page 29

Lock It

Protect Sensitive Data from Unauthorized Access
• Limit access to sensitive data (especially PII) to those who need to use it to perform their duties
• Minimum necessary access
• Passwords & other access controls

Page 30

Lock It - Desks

Protect Sensitive Data on Your Desk: “Clean-desk policy”

Don’t leave documents with sensitive data out when away from your workstation

Lock up documents w/ sensitive data overnight and on weekends

Lock PC when away from your workstation

Page 31

Lock It – Workstations

Protect Sensitive Data in Workstations
• Make sure you have a timed lock-out
• Don’t download “free” software onto PC – it may contain spyware or other malware
• Angle your monitor away from prying eyes or ask for a “privacy screen” for your monitor if you enter sensitive data in a public place

Page 32

Lock It - Passwords

Your password is like your toothbrush - Don’t share it!

Password “Don’ts”
• Do not reveal your password over the phone
• Do not send your password in an e-mail message
• Do not reveal your password to a supervisor or manager
• Do not talk about your password in front of others
• Do not hint at the format of your password (e.g., "my family name")
• Do not reveal your password on questionnaires or security forms
• Do not share your password with family members
• Do not reveal your password to co-workers while on vacation

Use strong passwords: 8+ characters, including numerals and symbols

Ohio IT Policy ITB-B.3: Password-PIN Security

Page 33

Lock It – Laptops & Sensitive Data

All laptops must be encrypted.

Do not place sensitive data on portable devices (thumb drives and other portable devices), unless the placement has been authorized following agency policy and procedures, and the device is encrypted.

Page 34

Lock It – E-mail & Mail
• Don’t send or receive sensitive data – SSN, DL number, financial account number, medical info – via email (in text or via attachments) unless allowed by agency and it is encrypted

Mail securely
• Don’t leave incoming or outgoing mail in unlocked or unattended receptacles
• Make sure mailings are not exposing sensitive data (CalPERS & State of Wisconsin)

Page 35

Lock It - Faxes & Voicemail
• Don’t send sensitive data by fax unless security procedures are used
• Confirm accuracy of number before keying in
• Arrange for and confirm prompt pick-up
• Don’t leave sensitive data in voice mail messages

Page 36

Lock It – At Home?

Do Not Take State Sensitive Data Home

‘NUFF SAID

Page 37

Dispose of Records Safely

Shred documents with sensitive data and other confidential info before throwing away – CDs and floppy disks too

Have computers and hard drives properly “wiped” or overwritten when discarding

REMEMBER: Comply with Ohio Sunshine laws and record retention policy

Page 38

Handling Sensitive Data – Bottom Line

Take stock, scale down, lock it, proper disposal, plan ahead

Remember the Sunshine Laws

How would you want someone handling your data?

Page 39

Incident Response

Page 40

Report Info Security Incidents

KNOW YOUR ORGANIZATION’S SECURITY INCIDENT RESPONSE POLICY AND PROCEDURE

Reportable incidents might include:
• Loss or theft of laptop, BlackBerry, disk, etc.
• Loss or theft of paper records
• Unauthorized acquisition of protected info
• Unauthorized release, modification, or destruction of protected info
• Interfering with state computers or data systems
• Any activity involving illegal activity or serious wrongdoing

Page 41

What is an Incident?
• Viruses, e-mail viruses
• E-mail harassment
• Worms, other malicious code
• Denial of service attacks
• Intrusions
• Stolen hardware
• Network or system sabotage
• Website defacements
• Stolen sensitive data
• Unauthorized access to files or systems
• Loss of system availability
• Misuse of service, systems or information
• Physical damage to computer systems, networks, or storage media
• Illegal activity, serious wrongdoing

Page 42

Incident Response Guidance
• Ohio HB 104: Data Breach Notification – http://www.legislature.state.oh.us/bills.cfm?ID=126_HB_104
• ITP-B.7: Security Incident Response – http://www.oit.ohio.gov/IGD/policy/pdfs_policy/ITP-B.7.pdf
• OIT IT Bulletin No. ITB-2007.02 – http://oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2007.02.pdf
• Governor’s Memo on Illegal Activity & Serious Wrongdoing – http://www.governor.ohio.gov/GovernorsOffice/Policies/SuspectedWrongdoing/tabid/800/Default.aspx
• Incident Response Management Guide – http://privacy.ohio.gov/resources/OITIncidentResponseGuide.doc
• Incident Response Training Presentation – http://privacy.ohio.gov/resources/Incident_Response_Training.ppt

Page 43

Why Protect Privacy? - Public Trust

Citizens have no option to shop around – they are required to provide personal information to government.

We have an obligation to protect the information entrusted to us.

Page 44

Privacy Protection: Bottom Line

Privacy and security are everyone’s responsibility

Page 45

(Some) Privacy Resources
• Ohio Privacy & Security Information Center – http://www.privacy.ohio.gov/
• Federal Citizen Information Privacy Resources – http://www.pueblo.gsa.gov/privacy_resources.htm
• Federal Trade Commission Privacy Initiatives – http://www.ftc.gov/privacy/index.html
• Onguard Online – http://onguardonline.gov/index.html
• Identity Theft Resource Center – http://www.idtheftcenter.org/
• Center for Democracy & Technology – http://www.cdt.org/privacy/

Page 46

Privacy Quiz

Just for Fun – Test Your Knowledge

Page 47

Quiz Question 1

If you believe that incoming mail containing sensitive data has been stolen from your office, where should you report it?

Page 48

Options for Q1

a) To your mailroom supervisor.

b) To your department’s information security point of contact, supervisor, legal office, director’s office

c) To the U.S. Postal Inspection Service.

d) To the local police department.

Page 49

Correct Answer to Q1

b) To your department’s information security point of contact, supervisor, legal office, director’s office

Page 50

Quiz Question 2

Which of the following is the strongest – most secure – password for access to your PC?

Page 51

Options for Q2

a) FLUFFY

b) 9151950

c) ERICKSON

d) HmW1cWC&

Page 52

Correct Answer to Q2

d) HmW1cWC&

5 steps for a strong, memorable password

1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as "My dog Steve is three years old."

2. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you've created to create a new, nonsensical word. Using the example above, you'd get: “mdsityo".

3. Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. This might yield a password like “MdSi3yo".

4. Finally, substitute some special characters and/or add back some characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, you create a password (using the first letter of each word) "Md$i3y0ld".

5. Test your new password with a Password Checker (http://www.microsoft.com/protect/yourself/password/checker.mspx). Password Checker is a non-recording feature that Microsoft provides to help determine your password's strength as you type.
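Step 2 of the procedure above and the strength rule from the "Lock It - Passwords" slide (8+ characters, including numerals and symbols), as an added Python example that is not part of the original deck. It assumes only the rules stated on the slides, not the text of Ohio IT Policy ITB-B.3, which the deck cites but does not reproduce; the four quiz options are evaluated against those rules.

```python
"""Added example, not from the original training deck: automates step 2 of
the quiz answer (sentence -> first-letter seed) and checks candidates against
the strength rule stated on the slides. Assumption: the rules are only those
the slides state (8+ characters, numerals, symbols), not ITB-B.3's text."""
import math
import string

SYMBOLS = set(string.punctuation)

# The four options from Quiz Question 2.
QUIZ_OPTIONS = ["FLUFFY", "9151950", "ERICKSON", "HmW1cWC&"]


def passphrase_to_seed(sentence: str) -> str:
    """Step 2: take the first letter of each word, lower case.
    The deck's sentence "My dog Steve is three years old." gives mdsityo."""
    words = [w.strip(string.punctuation) for w in sentence.split()]
    return "".join(w[0].lower() for w in words if w)


def policy_failures(password: str) -> list:
    """Return which of the slide's rules the password breaks (empty = compliant)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        failures.append("no numeral")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def estimate_bits(password: str) -> float:
    """Rough guessing resistance: length * log2(size of the character classes
    actually used). A pet name or a date draws on one small class, so it
    scores low even when it is long enough to pass the length rule."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


def strongest(options: list):
    """Pick the compliant option with the highest estimate; None if none comply."""
    compliant = [p for p in options if not policy_failures(p)]
    return max(compliant, key=estimate_bits) if compliant else None


if __name__ == "__main__":
    print(passphrase_to_seed("My dog Steve is three years old."))
    for p in QUIZ_OPTIONS:
        print(f"{p:10} {estimate_bits(p):5} bits  {policy_failures(p) or 'OK'}")
    print("strongest:", strongest(QUIZ_OPTIONS))
```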

Page 53

Quiz Question 3

Which of the following is the most secure way to get the SSNs of seven people to a co-worker, who is on a business trip, is authorized to have the information, and needs it to do his job?

Page 54

Options for Q3

a) Send the information in an e-mail.

b) Call your co-worker and give him the information over the phone.

c) Leave the information in a voice mail message on your co-worker’s cell phone.

d) Fax the information to your co-worker at his hotel.

Page 55

Correct Answer to Q3

b) Call your co-worker and give him the information over the phone.

Page 56

Quiz Question 4

TRUE OR FALSE: If you delete files from your PC – and empty the recycle bin – that means the data in the files is erased.

Page 57

Correct Answer to Q4

FALSE

Page 58

Quiz Question 5

Which of the following would NOT be an information security incident that needs to be reported?

Page 59

Options for Q5

a) Loss of a laptop containing unencrypted sensitive data.

b) Accidental mailing of an individual’s medical records to the wrong person.

c) Theft of your purse, which contained a CD with state data on it.

d) Theft of a state-owned computer monitor.

Page 60

Correct Answer to Q5

d) Theft of a state-owned computer monitor.

• This is a trick question - remember the Gov’s Memo on Illegal Activity & Serious Wrongdoing. Report this to your Chief Legal Counsel!

Page 61

Quiz Question 6

Which of the following should you do before leaving your workstation for a meeting?

Page 62

Options for Q6

a) Put documents, disks, other records containing personal information in a locked drawer or otherwise out of sight.

b) Hit “control-alt-delete” and lock your computer.

c) Call your best friend and have a long chat.

d) Both a and b.

Page 63

Correct Answer to Q6

d) Both a and b above.

Put documents, disks, other records containing personal information (including your purse) in a drawer or otherwise out of sight.

Hit “control-alt-delete” and lock your computer.
