A presentation that a group and I did on information privacy.

1. Information Privacy

2. Table of Contents
• Introduction
• Technical Implications
• Impact and Rationales
• Organizational View
• Online Data Privacy
• Information Security

3. • What is going on?
– The User Data walls are coming down across
services.
» Simplification
» Unification
» Services are now features not products

4. What is Information Privacy???

5. • Simply put…
– Information privacy is the relationship between
collection and dissemination of:
• Data
• Technology
• The public expectation of privacy
• Legal and political issues surrounding them

6. What does privacy mean in society???
• Older Generation: Privacy is about secrecy.
• Younger Generation: Privacy is about control.
People's relationship with privacy is socially
complicated

7. Identity
• Personally Identifiable Information (PII)
– Name, IP Address, Face, Fingerprint, Genetic
Information
• Non-Personally Identifiable Information
– Behaviors on website
• Information privacy concern exists wherever
those information is collected or stored in
digital form or otherwise.

8. Four Primary Concerns
– Collection: The very act of data collection. Legal or
illegal.
– Unauthorized secondary use
– Improper access
– Errors

9. Double-edged Sword
– Used carefully under proper safeguards, increase
public utility trough:
• Each new service is backed by a database, and that
database is vulnerable
• Data makes services better
• Free is Cheap
• Shared data makes individual experiences better
– Abuse can lead to invasion of information privacy.

10. Technical Implications

11. Information:
Content Range
• Healthcare records
• Criminal justice investigations and proceedings
• Financial institutions and transactions
• Biological traits, such as genetic material
• Residence and geographic records
• Invisible Traces of our presence
– Data trails
– Credit Card Databases
– Phone Company Databases
– ISP Databases
– Relationship Management Database

12. Web Data Collection
• Personal information-Profile
• Other information
– Device information
– Cookies
– Log information
– User communications
– Location data

13. Devices/Tools
• Hardware
– Security tokens :Physical access + PIN
– Data Centers /Servers
– Biometric Technology
– Device Fingerprinting
• Software(Encryption)
– GNU Privacy Guard (GPG)
– Portable Firefox
– Pretty Good Privacy (PGP)
– Secure Shell (SSH)
– I2P - The Anonymous Network
– Tor (anonymity network)

14. General Cost Items for
Information Privacy Management
• Government/Legal:
– Bill C-30: Canadian government’s invasive and warrantless online spying scheme $80 million
– Privacy of bill of right in U.S.: cooperation of many different agencies over years
• Company:
– Data collection
– Personnel Costs
– Protect users’ data from outside hacking
– Expertise to safeguard the service-remote storage service “Cloud”
– “Do not track bar” in to Browser: Google and Microsoft
• Consumer:
– Time to learn
– Switch cost between different browser
• Limit the ability to correlate behavior
• Malicious criminal activity.
All Costs Related to Scale

15. Impact & Rationales

16. Why Do Industries Invest?
• Provides security for all users
• Keeps information internal, not external
• Helps protect against lawsuits
• Heavy Investments from the
Healthcare, Military and IT Industries.

17. Concerns for the Future
• What is considered “private” information
• How to make information more accessible
• How to evolve systems to prevent breaches

18. Facebook
• Full Name
• Birthday
• Address
• Photos
• Education Locations
• Family Members

19. How it applies country to country
“No one shall be subjected to arbitrary
interference with his privacy, family, home or
correspondence, nor to attacks upon his honor
and reputation. Everyone has the right to the
protection of the law against such interference
or attacks.”
—Universal Declaration of Human Rights, Article
12

20. Laws by Countries
• US
– HIPAA
– Electronic Communications Privacy Act
– PATROIT Act
– The Children’s Online Privacy Protection Act
– “Safe Harbor”
• European Union
– Data Protection Directive
– European Data Protection Regulation

21. Organizational View

22. Who enforces the Health Insurance Portability
and Accountability Act (HIPAA)?
• The Office of E-Health Standards and Services (OESS)
– Transactions
– Code Sets
– National Identifiers (Employer and Provider identifiers)
regulation
• Office for Civil Rights OCR
– The HIPAA Privacy and Security Rules

23. HIPPA Secure Hosting for Protected
Data
• HIPAA Compliance Data Center
– Stores Protected Health Information (PHI)
• Security Measures
– A Virtual or Dedicated Private Firewall Services
– Advanced Encryption Standard
– SSL Certificates & HTTPS
– Remote VPN Access
– Disaster Recovery

24. Information Privacy in Organizations
Internal Implications
• Information Privacy is:
– Associated with creative performance
– Associated with psychological empowerment
– Context specific
• Control initiatives may undermine employee:
• Perceptions of fairness and privacy

25. Organizational Leadership
C-level executives vs. IT Teams
– There is a measurable understanding gap
• C-level executives focus on driving the business.
– Long-Term view
• IT team is thinking and deploying its resources to
protect.
– Near-term view

26. Business Priorities as Interpreted by IT

27. What Takes Priority with IT Teams?

28. Online Data Privacy

29. Consumer Data
• In 1996 E-commerce revenue in 1996: $600M
• In 2013 E-commerce revenue expected to
reach 2013: $963B

30. Expectations
• Consumers should expect reasonable measures:
– Technical
– Physical
– Administrative.
• Privacy Professionals in organizations handle compliance
with privacy promises
• No such thing as Perfect Privacy, just acceptable levels
of risk

31. Govt. Searching Standards
• Constitutional Standard
– Preventing Unreasonable Search & Seizure
• 4th Amendment protections
• Applies to In-House “Data in the home”
• Statutory Standard
– Jurisprudence Define Legality
• Warshack vs. USA
• Applies Out-of-House “Cloud Data”
• Privacy Act
– Right to see records held about you

32. Federal Trade Commission
• Federal Trade Commission Principals
1. Notice/Awareness
2. Choice/Consent
3. Access/Participation
4. Integrity/Security
5. Enforcement/Redress
• Power of “Privacy Audits”

33. Growth Outpacing Regulation
• The FTC 1st established guidelines in a 1998.
SELF-REGULATION IS ESTABLISHED
“The commission believes that legislation to address online privacy is not
appropriate at this time”
Burden of Privacy Protection largely on the Website
User or You!

34. Information Security

35. Information Security (cont...)
• Corporate Policy
– Processes/Policies are needed to encourage responsible information
handling within organizations
– Importance of security measures taken to
ensure customer/employee privacy
– Example policies:
• Storing sensitive information on secure
or disconnected servers
• Requiring all employees to install
antivirus or firewall software

36. Information Security (cont…)
• International Standards
– Generally Accepted Privacy Principles (GAPP)
– ISO/IEC 27002
• IS standard – best practice recommendations for those
“initiating, implementing, or maintaining Information Security
Management Systems (ISMS)
– Risk Assessment
– Security Policy
– Asset Management
– Physical/Environmental Security
– Access Control
– Etc.

37. Breach Cases
2011
• Sony’s PlayStation Network
– Size: 101 million user accounts
– Type of Data: name, home and e-mail addresses, login credentials, some credit
card information
– Consequence: Identity theft, class-action law-suits
• Epsilon, Alliance Data Systems
– Size: Unknown; 60 million estimated e-mail addresses
– Type of Data: e-mail addresses, some names
– Consequence: Exposed confidential customer lists, loss of business

38. Breach Cases (Cont…)
2011
• University of South Carolina
– Size: 31,000
– Type of Data: names, addresses, health records, financial data, Social
Security numbers
– Consequence: Identity theft, loss of business
• RSA Security
– Size: Unknown
– Type of Data: "information related to SecurID technology“
– Consequence: Compromised enterprises and govt. agencies that rely on
SecurID security technology

39. Lessons Learned
• Need to have IS policies, procedures, and technologies in place
to prevent and deal with Information Privacy issues
• Negligence in IS and maintaining PII can have damaging
effects on the customer and employee relationship

40. Relationship Management Benefits of
IS and IP
• Increased usage of online services by existing customers and
increased number of new customers due to:
– Fulfillment of the need for privacy of customers (Some customers may
only use the service if their privacy needs are fulfilled, other may use
the service more often.)
– Increased public image and trust (especially if the privacy friendly
attitude is advertised)
– Competitive advantage (if the competition doesn't have a similar offer)
– Increased customer retention (Customers appreciate the privacy
enhancing functions of the service and don't like the idea of not finding
them with competing services.)

41. Questions?