2. Table of Contents
โข Introduction
โข Technical Implications
โข Impact and Rationales
โข Organizational View
โข Online Data Privacy
โข Information Security
3. โข What is going on?
โ The User Data walls are coming down across
services.
ยป Simplification
ยป Unification
ยป Services are now features not products
5. โข Simply putโฆ
โ Information privacy is the relationship between
collection and dissemination of:
โข Data
โข Technology
โข The public expectation of privacy
โข Legal and political issues surrounding them
6. What does privacy mean in society???
โข Older Generation: Privacy is about secrecy.
โข Younger Generation: Privacy is about control.
People's relationship with privacy is socially
complicated
7. Identity
โข Personally Identifiable Information (PII)
โ Name, IP Address, Face, Fingerprint, Genetic
Information
โข Non-Personally Identifiable Information
โ Behaviors on website
โข Information privacy concern exists wherever
those information is collected or stored in
digital form or otherwise.
8. Four Primary Concerns
โ Collection: The very act of data collection. Legal or
illegal.
โ Unauthorized secondary use
โ Improper access
โ Errors
9. Double-edged Sword
โ Used carefully under proper safeguards, increase
public utility trough:
โข Each new service is backed by a database, and that
database is vulnerable
โข Data makes services better
โข Free is Cheap
โข Shared data makes individual experiences better
โ Abuse can lead to invasion of information privacy.
11. Information:
Content Range
โข Healthcare records
โข Criminal justice investigations and proceedings
โข Financial institutions and transactions
โข Biological traits, such as genetic material
โข Residence and geographic records
โข Invisible Traces of our presence
โ Data trails
โ Credit Card Databases
โ Phone Company Databases
โ ISP Databases
โ Relationship Management Database
12. Web Data Collection
โข Personal information-Profile
โข Other information
โ Device information
โ Cookies
โ Log information
โ User communications
โ Location data
13. Devices/Tools
โข Hardware
โ Security tokens :Physical access + PIN
โ Data Centers /Servers
โ Biometric Technology
โ Device Fingerprinting
โข Software(Encryption)
โ GNU Privacy Guard (GPG)
โ Portable Firefox
โ Pretty Good Privacy (PGP)
โ Secure Shell (SSH)
โ I2P - The Anonymous Network
โ Tor (anonymity network)
14. General Cost Items for
Information Privacy Management
โข Government/Legal:
โ Bill C-30: Canadian governmentโs invasive and warrantless online spying scheme $80 million
โ Privacy of bill of right in U.S.: cooperation of many different agencies over years
โข Company:
โ Data collection
โ Personnel Costs
โ Protect usersโ data from outside hacking
โ Expertise to safeguard the service-remote storage service โCloudโ
โ โDo not track barโ in to Browser: Google and Microsoft
โข Consumer:
โ Time to learn
โ Switch cost between different browser
โข Limit the ability to correlate behavior
โข Malicious criminal activity.
All Costs Related to Scale
16. Why Do Industries Invest?
โข Provides security for all users
โข Keeps information internal, not external
โข Helps protect against lawsuits
โข Heavy Investments from the
Healthcare, Military and IT Industries.
17. Concerns for the Future
โข What is considered โprivateโ information
โข How to make information more accessible
โข How to evolve systems to prevent breaches
18. Facebook
โข Full Name
โข Birthday
โข Address
โข Photos
โข Education Locations
โข Family Members
19. How it applies country to country
โNo one shall be subjected to arbitrary
interference with his privacy, family, home or
correspondence, nor to attacks upon his honor
and reputation. Everyone has the right to the
protection of the law against such interference
or attacks.โ
โUniversal Declaration of Human Rights, Article
12
20. Laws by Countries
โข US
โ HIPAA
โ Electronic Communications Privacy Act
โ PATROIT Act
โ The Childrenโs Online Privacy Protection Act
โ โSafe Harborโ
โข European Union
โ Data Protection Directive
โ European Data Protection Regulation
22. Who enforces the Health Insurance Portability
and Accountability Act (HIPAA)?
โข The Office of E-Health Standards and Services (OESS)
โ Transactions
โ Code Sets
โ National Identifiers (Employer and Provider identifiers)
regulation
โข Office for Civil Rights OCR
โ The HIPAA Privacy and Security Rules
23. HIPPA Secure Hosting for Protected
Data
โข HIPAA Compliance Data Center
โ Stores Protected Health Information (PHI)
โข Security Measures
โ A Virtual or Dedicated Private Firewall Services
โ Advanced Encryption Standard
โ SSL Certificates & HTTPS
โ Remote VPN Access
โ Disaster Recovery
24. Information Privacy in Organizations
Internal Implications
โข Information Privacy is:
โ Associated with creative performance
โ Associated with psychological empowerment
โ Context specific
โข Control initiatives may undermine employee:
โข Perceptions of fairness and privacy
25. Organizational Leadership
C-level executives vs. IT Teams
โ There is a measurable understanding gap
โข C-level executives focus on driving the business.
โ Long-Term view
โข IT team is thinking and deploying its resources to
protect.
โ Near-term view
29. Consumer Data
โข In 1996 E-commerce revenue in 1996: $600M
โข In 2013 E-commerce revenue expected to
reach 2013: $963B
30. Expectations
โข Consumers should expect reasonable measures:
โ Technical
โ Physical
โ Administrative.
โข Privacy Professionals in organizations handle compliance
with privacy promises
โข No such thing as Perfect Privacy, just acceptable levels
of risk
31. Govt. Searching Standards
โข Constitutional Standard
โ Preventing Unreasonable Search & Seizure
โข 4th Amendment protections
โข Applies to In-House โData in the homeโ
โข Statutory Standard
โ Jurisprudence Define Legality
โข Warshack vs. USA
โข Applies Out-of-House โCloud Dataโ
โข Privacy Act
โ Right to see records held about you
32. Federal Trade Commission
โข Federal Trade Commission Principals
1. Notice/Awareness
2. Choice/Consent
3. Access/Participation
4. Integrity/Security
5. Enforcement/Redress
โข Power of โPrivacy Auditsโ
33. Growth Outpacing Regulation
โข The FTC 1st established guidelines in a 1998.
SELF-REGULATION IS ESTABLISHED
โThe commission believes that legislation to address online privacy is not
appropriate at this timeโ
Burden of Privacy Protection largely on the Website
User or You!
35. Information Security (cont...)
โข Corporate Policy
โ Processes/Policies are needed to encourage responsible information
handling within organizations
โ Importance of security measures taken to
ensure customer/employee privacy
โ Example policies:
โข Storing sensitive information on secure
or disconnected servers
โข Requiring all employees to install
antivirus or firewall software
36. Information Security (contโฆ)
โข International Standards
โ Generally Accepted Privacy Principles (GAPP)
โ ISO/IEC 27002
โข IS standard โ best practice recommendations for those
โinitiating, implementing, or maintaining Information Security
Management Systems (ISMS)
โ Risk Assessment
โ Security Policy
โ Asset Management
โ Physical/Environmental Security
โ Access Control
โ Etc.
37. Breach Cases
2011
โข Sonyโs PlayStation Network
โ Size: 101 million user accounts
โ Type of Data: name, home and e-mail addresses, login credentials, some credit
card information
โ Consequence: Identity theft, class-action law-suits
โข Epsilon, Alliance Data Systems
โ Size: Unknown; 60 million estimated e-mail addresses
โ Type of Data: e-mail addresses, some names
โ Consequence: Exposed confidential customer lists, loss of business
38. Breach Cases (Contโฆ)
2011
โข University of South Carolina
โ Size: 31,000
โ Type of Data: names, addresses, health records, financial data, Social
Security numbers
โ Consequence: Identity theft, loss of business
โข RSA Security
โ Size: Unknown
โ Type of Data: "information related to SecurID technologyโ
โ Consequence: Compromised enterprises and govt. agencies that rely on
SecurID security technology
39. Lessons Learned
โข Need to have IS policies, procedures, and technologies in place
to prevent and deal with Information Privacy issues
โข Negligence in IS and maintaining PII can have damaging
effects on the customer and employee relationship
40. Relationship Management Benefits of
IS and IP
โข Increased usage of online services by existing customers and
increased number of new customers due to:
โ Fulfillment of the need for privacy of customers (Some customers may
only use the service if their privacy needs are fulfilled, other may use
the service more often.)
โ Increased public image and trust (especially if the privacy friendly
attitude is advertised)
โ Competitive advantage (if the competition doesn't have a similar offer)
โ Increased customer retention (Customers appreciate the privacy
enhancing functions of the service and don't like the idea of not finding
them with competing services.)
Google will combine user data from service like YouTube, Gmail and Google Search and create a single merged profile for each user of its service. A way to attract more users? Effective on Mar 1st, 201270 policies into one
Just say it is viewed differently under different contexts and is hard to define.. Computational, Content, and Structural Viewsโฆ Next slide
ย In other words, the only reason privacy exists in the first place is because it was too much trouble for anyone to bother monitoring everything they would otherwise want to. Thereโs no innate right to privacy, itโs just that no one could be arsed to deprive you of it. Setting aside myย understanding of economics, this was a relatively jarring perspective for me (Iโm a lot more accustomed to hearing privacy described as a right) and it gave me pause for thought.
Free is Cheap: Data collection makes services free due to Add Revenue and this is a Plus for end users.Talk about why abuse is bad for the public utility
Important content informations
Compare more FB and Google with Infogrphic
protected health information (PHI)ย are now stored and hosted online in accordance to HIPAA hosting standards
The survey of 718 IT and IT security practitioners in the United Statesโmore than half of whom report directly to the CIOโdetermined that the number one reason senior management funded data protection efforts was โthe need to comply with regulations, laws, and other mandatesโ followed closely by โresponse to a recent data breachโ (a response likely necessitated by a regulation). At the very bottom of the justification list is โprotect the companyโs good reputation.โhttp://www.datacenterjournal.com/it/business-first-thinking-for-it-security/
ย Here, ITโs top answer is intellectual property (IP). Customer, employee and consumer information (PII) occupy the bottom of the list.
Viacom vs. Google
Constitutional Standard:requires search warrant/ and โprobable causeโ.Statutory Standard: Police only need a court orderWarshackvs USA: First Case to attempt to establish constitutional protections for ISPPrivacy Act: Right to see rteccords from federal governemrnt