The State of Privacy in Washington State. August 16, 2016 Alex Alben Chief Privacy Officer Washington

I. The Global Privacy Environment Snowden Revelations of NSA surveillance International relations EU terminates Safe Harbor in October 2015 Lack of Trust in U.S. Corporations Brazil arrests Facebook vice president

The Domestic Privacy Environment: Foreign hacking of domestic databases OPM (scale); Democratic National Committee Malicious attacks, malware, and Spear Phishing Domestic data breaches Adobe, Anthem, AOL, AT&T, ebay, Evernote, Heartland, Home Depot, JP Morgan, MySpace, Premera, RockYou!, Target, Sony, SonyPSN, Zappos and many more...

Eroding Public Trust

The Privacy Environment in Washington State
UW Medical Center data breach
HCA data breach
Courts data breach
RCW 19.255.010 - Washington State data breach notification statute (apps.leg.wa.gov, RCWs Title 19, Chapter 19.255): "Notice is not required if the breach of the security of the system is not..." "...if the data owner or licensee contacts a law enforcement agency after discovery of a..."
Office of Privacy and Data Protection - created in April of 2016

The Privacy Environment: Data Spills Is this just an HR issue?

The Privacy Environment: Inadequate response. University of Washington Medical Center: non-compliance with HIPAA, $750,000 fine by OCR. 90,000 patient names and billing records were released after an employee downloaded malware. UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments. 12/14/15

The Privacy Environment: Responses Congress reforms the bulk data collection program (2016) Companies go to court to protect consumer data Apple, Microsoft (email server) State data breach laws People get free credit reporting in event of breach

The Privacy Environment: Where do we stand today? Lack of trust in government to do the right thing Lack of trust in industry Very few consumer tools Leading to high level of consumer anxiety over data protection People are right to be upset

II. The Law Lags Behind Technology and Bad Actors U.S. Constitution Right to Privacy 1890 State Statutes Federal Laws FTC and FCC Enforcement

American Law: U.S. Constitution

Louis Brandeis and Samuel Warren, 1890: The right to be left alone.

American Law: Supreme Court Griswold v. Connecticut Riley v. California

U.S. Supreme Court: Griswold v. Connecticut, 1965

U.S. Supreme Court: Riley v. California, 2014

American Law: Silos HIPAA (1996) FERPA (1974) Privacy Act of 1974 Right to Financial Privacy Act (1978) Electronic Communications Privacy Act (1986) Children's Online Privacy Protection Act (1998)

American Law: Federal Agencies FTC and FCC Unfair and Deceptive Practices Net Neutrality Privacy Rules

American Law: Washington State Consumer Protection Act (1986) Attorney General consumer protection division Office of Privacy and Consumer Protection (2016)

Washington is Special State Constitution Public Records Act Eight Exemptions Open Data Data Breach Law

Office of Privacy and Data Protection Established by Executive Order 16-01 Updating Privacy Policies Consumer Education and Outreach Monitor Citizen Complaints Promote Best Practices

III. The Challenge of Data Proliferation Consumer Profiling BIG data analytics Internet of Things

Private Data: Personal Devices Cell Phones Fitness Monitors Social Media Automobiles Biometric Identifiers

Private Data: Government Surveillance Drones Body Cameras

Data Strategies Understanding the data life cycle Privacy and Security Your role as a data custodian

The Lifecycle of Data (diagram). Stages: Design, Collect, Process, Use, Store, Share, Retain, Records Center / Archive, Delete. Controls shown alongside the stages: Minimization, Privacy Modeling, Training, Privacy Policy, Privacy Impact Assessment, Encryption, Breach Response, De-duplication, Data Sharing Agreements.

Data Minimization
1. Don't collect what you don't need
Collection limitation - collect only what is directly relevant and necessary to accomplish a specified purpose.
Interagency sharing - minimize the information disclosed.
Data retention - retain the data only for as long as is necessary to fulfill your original purpose or as required by law.

Access
2. Limit Access to Data
Identify sensitive data and restrict access. Ask: who has the need to know?
Administrative - use separate user accounts and limit system-wide administrative access.

Security
3. Email, authentication, and passwords
Spear-phishing is responsible for 90% of successful attacks.
Hackers use password guessing tools.
Store passwords securely, e.g., not in cookies or readable text.
Administrative - look for patterns and disable user credentials after unsuccessful log-in attempts.
Implement multi-factor authentication when necessary.
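The two administrative controls on this slide (passwords never stored in readable form, credentials disabled after repeated failed log-ins) in working form, as an added example that is not part of the presentation. The iteration count, the lockout threshold of five attempts and the in-memory user store are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumed setting; raise as hardware allows
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold


@dataclass
class UserRecord:
    """What is stored: a random salt and the derived key, never the password."""
    salt: bytes
    key: bytes
    failed_attempts: int = 0
    disabled: bool = False


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a key with a per-user salt so identical passwords hash differently."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def create_user(store: dict, username: str, password: str) -> None:
    salt, key = hash_password(password)
    store[username] = UserRecord(salt=salt, key=key)


def verify_login(store: dict, username: str, password: str) -> str:
    """Return 'ok', 'bad_password', 'disabled' or 'unknown_user'."""
    rec = store.get(username)
    if rec is None:
        hash_password(password)   # same cost for unknown users, so timing reveals nothing
        return "unknown_user"
    if rec.disabled:
        return "disabled"
    _, candidate = hash_password(password, rec.salt)
    if hmac.compare_digest(candidate, rec.key):   # constant-time comparison
        rec.failed_attempts = 0
        return "ok"
    rec.failed_attempts += 1
    if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
        rec.disabled = True   # credential disabled until an administrator resets it
        return "disabled"
    return "bad_password"
```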

Product Development
4. Apply security to the development and testing phases of product development
When do you begin storing customer data and other sensitive information?
Train your software development team in secure coding practices.
Verify that your security and privacy features actually work as promised.
Test for common vulnerabilities: SQL injection attacks (see OWASP common vulnerabilities).
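The SQL injection check this slide asks for, as an added example that is not part of the presentation: a string-spliced query beside its parameterized replacement, and a test-suite style probe that fails the former and passes the latter. The users table, its rows and the probe value are constructed.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample data, not from the presentation.
SAMPLE_USERS = [("alice", "alice@example.gov"), ("bob", "bob@example.gov")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Defect: the input is spliced into the SQL text, so quote characters in it
    # change the structure of the query instead of staying a value.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Fix: the driver binds the value separately; input is only ever data.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def passes_injection_check(lookup: Callable) -> bool:
    """A lookup passes if a value containing SQL syntax matches no user at all."""
    conn = make_db()
    probe = "x' OR 'a'='a"   # constructed test input; no user has this name
    return lookup(conn, probe) == []
```

The same `passes_injection_check` can be pointed at any lookup function in a project's test suite so that a regression to string-built SQL fails the build.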

Contractors and Service Providers
5. Vet your contractors and service providers
Put your security standards in writing and make them part of third party contracts.
Verify compliance - designate a person to check up on a developer or contractor.
End of contract - what happens to the PII entrusted to the contractor at the end of the engagement?

State Initiatives: I. Privacy Modeling Promoting privacy and data protection compliance from the start Privacy as a key consideration in the early stages of any project, and then throughout its lifecycle Request for proposal - include data minimization and security principles in proposal Forms for public - include only necessary fields for collection

II. Update Privacy Policies

III. Privacy Assessment Privacy questionnaire for state agencies will lead to report on state privacy practices Establish best practices Training, training, training

IV. Consumer Education Visit: Privacy.wa.gov

You are going to save the day! You are the first line of defense! Be aware of privacy risks. Know the law. Use best practices to protect citizens' privacy.

Alex Alben alex.alben@watech.wa.gov To view our Privacy Guide for Washington Citizens: Privacy.wa.gov