What Every Security Professional Needs to Know About Privacy: Elimu Kajunju, Chief Privacy Officer & Senior Compliance Director, UnitedHealth

Elimu Kajunju, Chief Privacy Officer and Senior Compliance Director at UnitedHealth, discussed privacy during his presentation at the 2014 Chief Information Security Officer (CISO) Leadership Forum in San Francisco on May 6. In his presentation, “What Every Security Professional Needs to Know About Privacy,” Kajunju pointed out organizations must take responsibility for securing sensitive information.

According to Kajunju, a security leader needs to pay attention to privacy. Kajunju noted an organization must develop a privacy policy that outlines how it manages privacy issues: “In the privacy space, you make a lot of commitments. The commitments can be in the form of a privacy policy, so if you’re in a consumer-facing business, you’ll have a privacy policy that’s supposed to describe exactly what you’re doing with that person’s information.”

In addition, Kajunju said ethical and political considerations are important for organizations of all sizes, especially when it comes to privacy. An organization also must implement good data collection practices to avoid privacy issues down the line, Kajunju said. If an organization understands how to collect data, Kajunju said, it can effectively safeguard its sensitive information: “Data collection is really the start of the privacy data lifecycle. Without the data, the rest of this is meaningless. Good data collection practices and really honest data collection practices are necessary.”

  1. 2014 Chief Information Security Officer (CISO) Leadership Forum
     What every security professional needs to know about privacy
     Elimu Kajunju, CISSP, CIPP/US, Chief Privacy Officer & Senior Associate General Counsel, Privacy and Security

  2. UnitedHealthcare Military & Veterans
     Confidential Property of UnitedHealth Group. Do not distribute or reproduce without express permission of UnitedHealth Group.
       • UnitedHealthcare Military & Veterans draws on the unmatched experience and expertise of the UnitedHealth Group family of companies to provide affordable, high-quality health care to active duty military, retirees, and their families.
       • In partnership with the Department of Defense, UnitedHealthcare provides health care services to over 2.9 million beneficiaries as the TRICARE Managed Care Support Contractor for the TRICARE West Region.

  3. Disclaimers
       • I am a lawyer but not your lawyer. This presentation should not be construed as legal advice.
       • If you don’t have a lawyer advising you on privacy or security compliance, you should get one.
       • This presentation represents my personal opinion and not that of UnitedHealth Group, UnitedHealthcare or any of its affiliates.
       • Making friends with your privacy colleague is the best way to learn more about privacy.

  4. Topics Covered
       • Difference between privacy and security
       • Commitments
       • Ethical & political considerations
       • Data collection
       • Location, location, location
       • Data disclosure
       • Data use
       • Data retention
       • Takeaways

  5. Privacy Confessional

  6. Difference between privacy & security
       • Privacy: the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure and destruction of personal information.
       • Security: the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

  7. Commitments
     Importance of the following commitments:
       • Privacy policies – usually interpreted in favor of the consumer
       • Regulatory requirements
       • Legal obligations
       • Self-regulatory obligations
       • Contracts

  8. Ethical & political considerations
     Importance of these ethical and political considerations:
       • If your customer knew everything you did with her data, would she approve?
       • “Ick” factor
       • Political implications
       • Legislative scrutiny
       • Media attention/scrutiny
       • Social media backlash

  9. Data collection
     Data collection practices:
       • Most important factor in privacy compliance
       • Question the need to collect data
       • Question scope of collection
       • Contradictions between collection and commitments
       • Frontline for guarding against the “ick” factor

  10. Location, location, location
     Critical for multi-state or multi-country businesses:
       • Know your customers
       • Know your jurisdictions
       • Understand the enforcement landscape
       • Location of your customer is just as important as where you locate your customer’s information
       • Give careful consideration to the impact of location-related decisions

  11. Data disclosure (external)
     Ethical & political considerations may impact data disclosure practices:
       • Know who you are or will soon share information with
       • Make this very clear in your policies
       • Don’t add “future” disclosures to your policies
       • Limit disclosures to minimum necessary
       • Ask for permission from the customer when it makes sense to

  12. Data use (internal)
     This is the reason why you collect the data – make sure it is on solid ground:
       • Know what you are or will soon be using the information for
       • Make this very clear in your policies
       • Don’t add “future” uses to your policies
       • Limit uses to minimum necessary
       • Use de-identified data when appropriate

  13. Data retention
     Mature data retention strategy is key:
       • Simple but comprehensive data retention schedule is needed
       • Very few sets of data need to be kept forever
       • Without a solid implementation plan, the strategy won’t work
       • Use your record retention program to reduce your risks
       • Hope is not a strategy

  14. Takeaways
       • Familiarize yourself with the Generally Accepted Privacy Principles: http://www.cica.ca/resources-and-member-benefits/privacy-resources-for-firms-and-organizations/gen-accepted-privacy-principles/item61833.pdf
       • Understand the commitments you have made in your privacy policies and contracts and with regulatory bodies
       • Put yourself in the approval chain of your contracts and other voluntary commitments
       • Before making security implementation decisions, familiarize yourself with the requirements for the applicable location (or make sure someone is checking). Some free and good resources for this information include:
           • Morrison/Foerster Privacy Library (http://www.mofo.com/privacylibrary/PrivacyLibraryListing.aspx?xpST=PrivacyLibraryListing&pid)
           • National Conference of State Legislators (http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx)

  15. Questions