Information Security s New Partner: Privacy

Transcription

1 Information Security s New Partner: Privacy A Presentation for: ISACA WNY Controls and Compliance Conference 2017 by: Brandan Keaveny, Ed.D., CIPM Copyright 2017, Data Ethics LLC 1

2 Objectives Participants will 1) be able to identify where privacy and security processes overlap and where they are different. 2) be able to identify different types of privacy management considerations. 3) relate the concepts of privacy to a reality based scenario. 4) be introduced to the IAPP, and be knowledgeable about the efforts occurring to form a regional chapter. Copyright 2017, Data Ethics LLC 2

3 Privacy in Context, A Video Scenario Copyright 2017, Data Ethics LLC 3

4 Privacy in Context-Things to Consider Is this situation a privacy issue or a security issue or both? What are the differences between privacy and security? Copyright 2017, Data Ethics LLC 4

5 Privacy in Context-Things to Consider Is this situation a privacy issue or a security issue or both? What are the differences between privacy and security? Copyright 2017, Data Ethics LLC 5

6 Defining privacy 1a : the quality or state of being apart from company or observation : SECLUSION 1b : freedom from unauthorized intrusion <one's right to privacy> 2 archaic : a place of seclusion 3a : SECRECY 3b : a private matter : SECRET Source: Privacy. (n.d.). Retrieved February 8, 2017, from Copyright 2017, Data Ethics LLC 6

7 Further refining the definition: General: the right to be free from secret surveillance and to determine whether, when, how, and to whom, one's personal or organizational information is to be revealed. In specific, privacy may be divided into four categories 1. Physical: restriction on others to experience a person or situation through one or more of the human senses; 2. Informational: restriction on searching for or revealing facts that are unknown or unknowable to others; 3. Decisional: restriction on interfering in decisions that are exclusive to an entity; 4. Dispositional: restriction on attempts to know an individual's state of mind. Source: privacy. BusinessDictionary.com. Retrieved February 04, 2017, from BusinessDictionary.com website: Copyright 2017, Data Ethics LLC 7

8 Classes of Privacy As defined by Banisar and Davies: Information privacy, involving the establishment of rules governing the collection and handling of personal data such as credit information and medical records; Bodily privacy, concerning the protection of people's physical beings against invasive procedures such as drug testing and cavity searches; Privacy of communications, covering the security and privacy of mail, telephones, and other forms of communication; and Territorial privacy, concerning the setting of limits on intrusion into the domestic and other environments such as the workplace or public space. Source: Banisar, D. & Davies, S. (1999). Global trends in privacy protection: An International survey of privacy, data protection, and surveillance laws and developments. John Marshall Journal of Computer & Information Law 18. Copyright 2017, Data Ethics LLC 8

9 What is the relationship between privacy and security? Security aims to ensure the confidentiality, integrity and availability of data as stored, transmitted and used Privacy addresses the rights of individuals to control how and to what extent information about them is collected and further processed. Source: Densmore, R (2013). Privacy Program Management: Tools for Managing Privacy Within Your Organization. Portsmouth, NH: International Association of Privacy Professionals. Copyright 2017, Data Ethics LLC 9

10 Privacy Depends on Security Condition Privacy Security The server is not secure. Someone with legitimate access provided information to someone else Someone with legitimate access at the time obtains information and then shares information at a later date. A network environment can be secure, however how the information obtained may lead to the disclosure of private information. If a network environment is not secure, there is no way privacy can be assured. Hacking v. Leaking Copyright 2017, Data Ethics LLC 10

11 What is the relationship between privacy and security? Information security and privacy practices exist within a mutual space of data protection. Copyright 2017, Data Ethics LLC 11

12 Back to the Scenario: Privacy in Context Problem: Several days after the debate records are leaked to the media showing that the young candidate was suspended as a sophomore in high school for cyber bullying. Situation: An attorney for the candidate contacts you for consultation as to how this information could have been obtained. Question: How do you respond? Copyright 2017, Data Ethics LLC 12

13 Are these valid questions? Were the school district databases hacked? Did someone from the school district have legitimate access to the database? Did someone at one time have legitimate access, archive information locally, and then lost a copy of the data? Copyright 2017, Data Ethics LLC 13

14 Are these valid questions? Were the school district databases hacked? Did someone from the school district have legitimate access to the database? Did someone at one time have legitimate access, archive information locally, and then lost a copy of the data? Copyright 2017, Data Ethics LLC 14

15 NYS Information Security Breach and Notification Act The NYS Information Security Breach and Notification Act is comprised of section 208 of the State Technology Law and section 899-aa of the General Business Law. State entities and persons or businesses conducting business in New York who own or license computerized data which includes private information must disclose any breach of the data to New York residents (state entities are also required to notify non-residents) Source: New York State Office of Information Technology Services ( Copyright 2017, Data Ethics LLC 15

16 NYS Information Security Breach and Notification Act 899-aa of the General Business Law Personal Information shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such a natural person. Private Information shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: Social Security number Driver s license number or non-driver identification card number Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual s financial account. Source: New York State Office of Information Technology Services ( Copyright 2017, Data Ethics LLC 16

17 NYS Information Security Breach and Notification Act 899-aa of the General Business Law Under section 899-aa of the General Business Law, a person or business conducting business in New York must also notify three (3) NYS offices: the NYS Attorney General; the NYS Division of State Police; and the Department of State's Division of Consumer Protection. Notification Requirements to those individuals affected by the breach Source: New York State Office of Information Technology Services ( Copyright 2017, Data Ethics LLC 17

18 Taking the first step to implementing a Privacy Program Does your organization/business have a privacy statement that is derived from a privacy policy? Components of a Privacy Policy Copyright 2017, Data Ethics LLC 18

19

20 About the IAPP A global community for privacy professionals to connect, share best practices, advance privacy management issues and exchange ideas More than 26,000 members spanning 88 countries A resource that provides services, education, networking, conferences and certification addressing the latest privacy trends and challenges

21 KnowledgeNet Chapters Meet other privacy pros in your area, network and learn something new. 75+ chapters worldwide 200+ chapter activities held worldwide per year Free for members, guests and non-members are allowed to attend one meeting as space allows Earn free CPE credits Learn more:

22 Contact Information Copyright 2017, Data Ethics LLC 22