The State of Privacy in Washington State
August 16, 2016
Alex Alben, Chief Privacy Officer, Washington
I. The Global Privacy Environment
- Snowden revelations of NSA surveillance
- International relations: EU terminates Safe Harbor in October 2015
- Lack of trust in U.S. corporations: Brazil arrests Facebook vice president

The Domestic Privacy Environment
- Foreign hacking of domestic databases: OPM (scale); Democratic National Committee
- Malicious attacks, malware, and spear phishing
- Domestic data breaches: Adobe, Anthem, AOL, AT&T, eBay, Evernote, Heartland, Home Depot, JP Morgan, MySpace, Premera, RockYou!, Target, Sony, Sony PSN, Zappos and many more...
Eroding Public Trust
The Privacy Environment in Washington State
- UW Medical Center data breach
- HCA data breach
- Courts data breach
- RCW 19.255.010 - Washington State (apps.leg.wa.gov, RCW Title 19, Chapter 19.255): "Notice is not required if the breach of the security of the system is not..." / "...if the data owner or licensee contacts a law enforcement agency after discovery of a..."
- Office of Privacy and Data Protection created in April of 2016

The Privacy Environment: Data Spills
- Is this just an HR issue?

The Privacy Environment: Inadequate Response
- University of Washington Medical Center: non-compliance with HIPAA, $750,000 fine by OCR (12/14/15)
- 90,000 patient names and billing records released after an employee downloaded malware
- UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.

The Privacy Environment: Responses
- Congress reforms the bulk data collection program (2016)
- Companies go to court to protect consumer data: Apple, Microsoft (email server)
- State data breach laws
- People get free credit reporting in the event of a breach

The Privacy Environment: Where do we stand today?
- Lack of trust in government to do the right thing
- Lack of trust in industry
- Very few consumer tools
- Leading to a high level of consumer anxiety over data protection
- People are right to be upset

II. The Law Lags Behind Technology and Bad Actors
- U.S. Constitution
- Right to Privacy (1890)
- State statutes
- Federal laws
- FTC and FCC enforcement
American Law: U.S. Constitution
- Louis Brandeis and Samuel Warren, 1890: "The right to be left alone."

American Law: Supreme Court
- Griswold v. Connecticut (1965)
- Riley v. California (2014)
American Law: Silos
- HIPAA (1996)
- FERPA (1974)
- Privacy Act of 1974
- Right to Financial Privacy Act (1978)
- Electronic Communications Privacy Act (1986)
- Children's Online Privacy Protection Act (1998)

American Law: Federal Agencies
- FTC and FCC
- Unfair and deceptive practices
- Net neutrality privacy rules

American Law: Washington State
- Consumer Protection Act (1986)
- Attorney General consumer protection division
- Office of Privacy and Consumer Protection (2016)

Washington is Special
- State Constitution
- Public Records Act: eight exemptions
- Open Data
- Data Breach Law

Office of Privacy and Data Protection
- Established by Executive Order 16-01
- Updating privacy policies
- Consumer education and outreach
- Monitor citizen complaints
- Promote best practices

III. The Challenge of Data Proliferation
- Consumer profiling
- Big data analytics
- Internet of Things

Private Data: Personal Devices
- Cell phones
- Fitness monitors
- Social media
- Automobiles
- Biometric identifiers

Private Data: Government Surveillance
- Drones
- Body cameras

Data Strategies
- Understanding the data life cycle
- Privacy and security
- Your role as a data custodian
The Lifecycle of Data (cycle diagram)
- Stages: Design, Collect, Process, Use, Store, Share, Retain, Delete (Records Center / Archive)
- Controls shown alongside the stages: Minimization, Privacy Modeling, Training, Privacy Policy, Privacy Impact Assessment, Encryption, De-Duplication, Data Sharing Agreements, Breach Response
Data Minimization
1. Don't collect what you don't need
- Collection limitation: collect only what is directly relevant and necessary to accomplish a specified purpose.
- Interagency sharing: minimize the information disclosed.
- Data retention: retain the data only for as long as is necessary to fulfill your original purpose or as required by law.

Access
2. Limit access to data
- Identify sensitive data and restrict access
- Ask: who has the need to know?
- Administrative: separate user accounts and limit system-wide administrative access
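The two slides above (collection limitation, retention, and need-to-know access) describe policy that is easy to state and easy to get wrong in code. The following is an added example, not part of the presentation and not code from the Office of Privacy and Data Protection: it shows one way an agency application could enforce all three mechanically. The purposes, roles, field names and retention periods in the policy tables are hypothetical and constructed for the example; a real system would load them from the agency's privacy policy and records retention schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy tables, constructed for this example. In practice they
# would come from the agency's privacy policy and records retention schedule.
COLLECTION_POLICY = {          # purpose -> fields it is allowed to collect
    "permit_application": {"name", "address", "permit_type"},
    "benefits_enrollment": {"name", "address", "ssn", "income"},
}
RETENTION_DAYS = {             # purpose -> how long the record may be kept
    "permit_application": 365,
    "benefits_enrollment": 7 * 365,
}
NEED_TO_KNOW = {               # role -> fields that role needs to see
    "clerk": {"name", "address", "permit_type"},
    "eligibility_analyst": {"name", "address", "ssn", "income"},
    "auditor": {"permit_type", "income"},
}


@dataclass
class Record:
    purpose: str
    collected_on: date
    data: dict


def minimize(purpose: str, submitted: dict) -> dict:
    """Collection limitation: keep only the fields the stated purpose allows."""
    if purpose not in COLLECTION_POLICY:
        raise ValueError(f"no collection policy declared for purpose {purpose!r}")
    allowed = COLLECTION_POLICY[purpose]
    return {k: v for k, v in submitted.items() if k in allowed}


def collect(purpose: str, submitted: dict, today: str) -> Record:
    """Store a minimized record stamped with its collection date (ISO string)."""
    return Record(purpose, date.fromisoformat(today), minimize(purpose, submitted))


def view(record: Record, role: str) -> dict:
    """Need to know: release only the fields this role is entitled to see."""
    allowed = NEED_TO_KNOW.get(role, set())   # unknown role -> nothing
    return {k: v for k, v in record.data.items() if k in allowed}


def is_expired(record: Record, today: str) -> bool:
    """Retention: true once the record has outlived its retention period."""
    limit = record.collected_on + timedelta(days=RETENTION_DAYS[record.purpose])
    return date.fromisoformat(today) > limit


def purge_expired(records: list, today: str) -> list:
    """Return only the records still inside their retention period."""
    return [r for r in records if not is_expired(r, today)]


if __name__ == "__main__":
    # Constructed sample submission: the form asked for an SSN that a parking
    # permit does not need, so minimize() drops it before anything is stored.
    rec = collect("permit_application",
                  {"name": "Pat Example", "address": "1 Main St",
                   "permit_type": "parking", "ssn": "000-00-0000"},
                  "2016-08-16")
    print(rec.data)                              # no SSN was ever stored
    print(view(rec, "auditor"))                  # auditors see only permit_type
    print(purge_expired([rec], "2018-01-01"))    # empty once retention has lapsed
```

The point of putting the allowlists in data rather than scattering `if` checks through the code is that a privacy impact assessment can review three tables instead of the whole application, and a change to the retention schedule is a one-line edit.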
Security
3. Email, authentication, and passwords
- Spear-phishing is responsible for 90% of successful attacks
- Hackers use password guessing tools
- Store passwords securely, e.g., not in cookies or readable text
- Administrative: look for patterns and disable user credentials after unsuccessful log-in attempts
- Implement multi-factor authentication when necessary
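The slide's two technical points, storing passwords so that a stolen database does not reveal them and disabling credentials after repeated failed log-ins, are shown together in the added example below. This is illustrative code written for this page, not code from the presentation or from Washington state systems. The iteration count, lockout threshold and window are constructed parameters; `LoginGuard` is a hypothetical class name, and the timestamps passed to it are plain Unix seconds so the behaviour can be checked without a clock.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Constructed parameters for this example; tune them to your own risk assessment.
PBKDF2_ITERATIONS = 200_000   # work factor that slows down password guessing tools
MAX_FAILURES = 5              # disable the account after this many failures ...
WINDOW_SECONDS = 15 * 60      # ... within this many seconds


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string lets us verify a password
    later but never contains the password itself (no readable text)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash to verify against when the username does not exist, so a request for an
# unknown account takes as long as one for a real account.
_DUMMY_HASH = hash_password(os.urandom(8).hex())


class LoginGuard:
    """Tracks failed log-ins per account and disables the account once the
    failure count inside the window reaches MAX_FAILURES."""

    def __init__(self, users: dict):
        self.users = users                      # username -> stored hash
        self.failures = defaultdict(deque)      # username -> failure timestamps
        self.locked = set()

    def recent_failures(self, user: str, now: float) -> int:
        """Failures inside the window; older ones are forgotten."""
        q = self.failures[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def login(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is a Unix timestamp."""
        if user in self.locked:
            return "locked"
        stored = self.users.get(user)
        ok = verify_password(password, stored if stored is not None else _DUMMY_HASH)
        if stored is None:
            ok = False                          # never accept an unknown account
        if ok:
            self.failures.pop(user, None)       # a good log-in clears the counter
            return "ok"
        self.failures[user].append(now)
        if self.recent_failures(user, now) >= MAX_FAILURES:
            self.locked.add(user)               # stays disabled until an operator resets it
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Administrative reset after the account owner has been verified."""
        self.locked.discard(user)
        self.failures.pop(user, None)
```

The per-account failure queue is also the raw material for the slide's "look for patterns": an alert on accounts whose `recent_failures` climbs quickly, or on many accounts failing from one source, is a few lines on top of this. Multi-factor authentication is the complement, not a replacement: the lockout limits guessing, the second factor limits what a guessed or phished password is worth.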
Product Development
4. Apply security to the development and testing phases of product development
- When do you begin storing customer data and other sensitive information?
- Train your software development team in secure coding practices
- Verify that your security and privacy features actually work as promised
- Test for common vulnerabilities, e.g., SQL injection attacks (see the OWASP list of common vulnerabilities)
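"Verify that your security features actually work" and "test for SQL injection" become concrete when the test lives in the development team's suite. The added example below is not from the presentation or OWASP; it shows the query pattern that is vulnerable beside the parameterized form, and a regression test that fails on the first and passes on the second. The `accounts` table and its rows are constructed sample data, and `sqlite3`'s in-memory database stands in for whatever the product really uses.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Before: the user-supplied string is pasted into the SQL text, so
    anything it contains is parsed as part of the statement."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """After: a parameterized query binds the input as a value; the database
    never interprets it as SQL, whatever characters it contains."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def injection_regression_test(lookup) -> bool:
    """Returns True when `lookup` treats the textbook tautology probe as plain
    data (no user has that name, so no rows) and still finds a real user.
    Drop this into the unit-test suite so the fix cannot silently regress."""
    conn = setup_db()
    probe = "x' OR '1'='1"    # well-known probe from the OWASP literature
    return lookup(conn, probe) == [] and lookup(conn, "bob") == [("bob", 250)]


if __name__ == "__main__":
    print("vulnerable lookup passes:", injection_regression_test(lookup_vulnerable))  # False
    print("parameterized lookup passes:", injection_regression_test(lookup_safe))     # True
```

A code reviewer can apply the same rule without running anything: any query built with `+`, `%` or an f-string from request data is the "before" form, regardless of how the input was validated upstream.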
Contractors and Service Providers
5. Vet your contractors and service providers
- Put your security standards in writing and make them part of third-party contracts
- Verify compliance: designate a person to check up on a developer or contractor
- End of contract: what happens to the PII entrusted to the contractor at the end of the engagement?

State Initiatives: I. Privacy Modeling
- Promoting privacy and data protection compliance from the start
- Privacy as a key consideration in the early stages of any project, and then throughout its lifecycle
- Request for proposal: include data minimization and security principles in the proposal
- Forms for the public: include only necessary fields for collection
II. Update Privacy Policies
III. Privacy Assessment
- Privacy questionnaire for state agencies will lead to a report on state privacy practices
- Establish best practices
- Training, training, training

IV. Consumer Education
- Visit: Privacy.wa.gov

You are going to save the day! You are the first line of defense!
- Be aware of privacy risks
- Know the law
- Use best practices to protect citizens' privacy

Alex Alben, alex.alben@watech.wa.gov
To view our Privacy Guide for Washington Citizens: Privacy.wa.gov