The State of Privacy in Washington State. August 16, 2016 Alex Alben Chief Privacy Officer Washington

Transcription

1 The State of Privacy in Washington State August 16, 2016 Alex Alben Chief Privacy Officer Washington

2 I. The Global Privacy Environment Snowden Revelations of NSA surveillance International relations EU terminates Safe Harbor in October 2015 Lack of Trust in U.S. Corporations Brazil arrests Facebook vice president

3 The Domestic Privacy Environment: Foreign hacking of domestic databases OPM (scale); Democratic National Committee Malicious attacks, malware, and Spear Phishing Domestic data breaches Adobe, Anthem, AOL, AT&T, ebay, Evernote, Heartland, Home Depot, JP Morgan, MySpace, Premera, RockYou!, Target, Sony, SonyPSN, Zappos and many more...

4

5 Eroding Public Trust

6

7 The Privacy Environment in Washington State UW Medical Center data breach HCA data breach Courts data breach RCW Washington State sapps.leg.wa.gov apps.leg.wa.gov RCWs Title 19 Chapter Notice is not required if the breach of the security of the system is not... if the data owner or licensee contacts a law enforcement agency after discovery of a... Office of Privacy and Data Protection Created in April of 2016

8 The Privacy Environment: Data Spills Is this just an HR issue?

9 The Privacy Environment: Inadequate response University of Washington Medical Center Non-Compliance with HIPAA $750,000 fine by OCR 90,000 patient names and billing records released after employee downloaded malicious malware UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments. 12/14/15

10 The Privacy Environment: Responses Congress reforms the bulk data collection program (2016) Companies go to court to protect consumer data Apple, Microsoft ( server) State data breach laws People get free credit reporting in event of breach

11 The Privacy Environment: Where do we stand today? Lack of trust in government to do the right thing Lack of trust in industry Very few consumer tools Leading to high level of consumer anxiety over data protection People are right to be upset

12 II. The Law Lags Behind Technology and Bad Actors U.S. Constitution Right to Privacy 1890 State Statutes Federal Laws FTC and FCC Enforcement

13 American Law: U.S. Constitution

14 Louis Brandies and Samuel Warren, 1890 The right to be left alone.

15 American Law: Supreme Court Griswold v. Connecticut Riley v. California

16 U.S. Supreme Court Griswold vs. Connecticut 1965

17 U.S. Supreme Court California v. Riley 2014

18 American Law: Silos HIPAA (1996) FERPA (1974) Privacy Act of 1974 Right to Financial Privacy Act (1978) Electronic Communications Privacy Act (1986) Children s Online Privacy Protection Act (1998)

19 American Law: Federal Agencies FTC and FCC Unfair and Deceptive Practices Net Neutrality Privacy Rules

20 American Law: Washington State Consumer Protection Act (1986) Attorney General consumer protection division Office of Privacy and Consumer Protection (2016)

21 Washington is Special State Constitution Public Records Act Eight Exemptions Open Data Data Breach Law

22 Office of Privacy and Data Protection Established by Executive Order Updating Privacy Policies Consumer Education and Outreach Monitor Citizen Complaints Promote Best Practices

23 III. The Challenge of Data Proliferation Consumer Profiling BIG data analytics Internet of Things

24 Private Data: Personal Devices Cell Phones Fitness Monitors Social Media Automobiles Biometric Identifiers

25 Private Data: Government Surveillance Drones Body Cameras

26 Data Strategies Understanding the data life cycle Privacy and Security Your role as a data custodian

27 The Lifecycle of Data Minimization Privacy Modeling Training Design Records Center / Archive Delete Collect Privacy Policy Retain Process Privacy Impact Assessment Use Store Encryption Share Breach Response De- Duplication Data Sharing Agreements

28 Data Minimization 1. Don t collect what you don t need Collection limitation - collect only what is directly relevant and necessary to accomplish a specified purpose. Interagency sharing - minimize the information disclosed. Data retention - retain the data only for as long as is necessary to fulfill your original purpose or as required by law.

29 Access 2. Limit Access to Data Identify sensitive data and restrict access Ask, Who has the need to know? Administrative separate user accounts and limit system-wide administrative access

30 Security 3. , authentication, and passwords Spear-phishing is responsible for 90% of successful attacks Hackers use password guessing tools Store passwords securely e.g., not in cookies or readable text Administrative Look for patterns and disable user credentials after unsuccessful log-in attempts Implement multi-factor authentication when necessary

31 Product Development 4. Apply security to development and testing phases of product development When do you begin storing customer data and other sensitive information? Train your software development team in secure coding practices Verify that your security and privacy features actually work as promised. Test for common vulnerabilities: SQL ineciton attacks (See OWASP common vulnerabilities)

32 Contractors and Service Providers 5. Vet your contractors and service providers Put your security standards in writing and make them part of third party contracts Verify compliance designate a person to check up on a developer or contractor End of contract what happens to the PII entrusted to the contractor at the end of the engagement?

33 State Initiatives: I. Privacy Modeling Promoting privacy and data protection compliance from the start Privacy as a key consideration in the early stages of any project, and then throughout its lifecycle Request for proposal - include data minimization and security principles in proposal Forms for public - include only necessary fields for collection

34 II. Update Privacy Policies

35 III. Privacy Assessment Privacy questionnaire for state agencies will lead to report on state privacy practices Establish best practices Training, training, training

36 IV. Consumer Education Visit: Privacy.wa.gov

37 You are going to save the day! You are the first line of defense! Be aware of privacy risks Know the law Use best practices to protect citizens privacy

38 Alex Alben To view our Privacy Guide for Washington Citizens: Privacy.wa.gov