Mark E.S. Bernard Protecting Children’s PII under the Care Of Volunteer Organizations


Published on

Title: Protecting Children’s PII under the Care Of Volunteer Organizations. I created this presentation after I discovered that the local minor hockey association and the local minor baseball association did not have personal information policy or handling procedures in place. I want to share my knowledge and experience as Privacy and Security Compliance Officer with these volunteer groups so that they can do a better job. The alarming thing is that they seemed completely unaware of the risks associated with breach of security for personal information even with studies that show children’s personal information is actually stolen to commit fraud 50% more than adults. Another alarming fact is that credit institutions grand Children credit based on their parent’s credit record. In one case a 16 year old girl in the United States had $650k racked up against her credit record.

Published in: Education
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Mark E.S. Bernard Protecting Children’s PII under the Care Of Volunteer Organizations

  1. 1. Compiled by Mark E.S. Bernard, CRISC, CGEIT, CISM, CISSP, CISA, ISO 27001 Lead Auditor, PM, PA, CNA
  2. 2. BBB Watch: Watch out for child ID theftThe Better Business Bureau is alerting parents their child may be at riskof identity theft. Crime stats show last year more than 9.9 millionAmericans were victims of ID theft, costing them about $5 billion. TheFederal Trade Commission also received more than 19,000 complaintsabout child identity theft last year.Many parents have no idea that their child is a victim, and this crime maygo undetected until the child applies for a job, loan or rents their firstapartment. Major reasons for the identity theft of minors include illegalimmigration (to obtain false IDs for employment), organized crime (toengage in financial fraud) and friends and family (to offset bad personalcredit ratings). Source;
  3. 3. There are a number of places where children’s personal information, includingSocial Security numbers, may be vulnerable. Realize that the following placestypically request detailed personal information. • Hospitals and physicians’ offices, through patient records. • Schools, through student records. • Daycare centers, through enrolment records. • Libraries, through member records. • Sports team organizations, through athlete applications. • Online social networks, through personal pages or via e-mails as thieves coax information from teens.Source;
  4. 4. Because most parents do not consider that their child has a credit report, or the need to check achild’s report, the crime of identity theft and resulting damage can continue for years. In 2007, anExperian-Gallup survey polled 3,029 adults ages 18 and older on the topic of child identity theft.The results showed that many consumers are unaware of the dangers of child identity theft. Hereare some statistics the survey revealed: • 68 percent of respondents knew “only a little” to “nothing at all” about child identity theft. • 11 percent knew “a great deal” about child identity theft. • 5 percent felt it would be “very difficult” to steal a child’s identity. • 39 percent of parents with children under the age 18 felt it was “not too likely” that their own child’s identity could be stolen. • 11 percent of parents thought that it was “very likely” that their own child’s identity could be stolen. Source;
  5. 5. •Guarantee of Rights and Freedoms •Fundamental Freedoms •Democratic Rights •Mobility Rights •Legal Rights •Equality Rights •Official Languages of Canada •Minority Language Educational Rights •EnforcementWeb link;
  6. 6. Legal Rights7. Everyone has the right to life, liberty and security ofthe person and the right not to be deprived thereofexcept in accordance with the principles of fundamentaljustice.8. Everyone has the right to be secure againstunreasonable search or seizure. Web link;
  7. 7. •Policy 1 – Collecting Personal Information•Policy 2 – Consent•Policy 3 – Using and Disclosing Personal Information•Policy 4 – Retaining Personal Information•Policy 5 – Ensuring Accuracy of Personal Information•Policy 6 – Securing Personal Information•Policy 7 – Providing Constituent’s with Access to PersonalInformation•Policy 8 – Questions and Complaints: The Role of the PrivacyOfficer or designated individual
  8. 8. • Classification labeling• Access restriction• Classified information authorization list• Information input/output validation• Protection of spooled/printed information• Storage complies with manufactures specifications• Keep distribution to a minimum• Clear Marking of recipient/sender• Review distribution list
  9. 9. •Granting Access Rights •Third-party / External-party•Network Access Control Disclosure•Storage on Servers •US Personnel Disclosure•Storage on Removable Media •Electronic Media Labeling•Physical Removal •Hardcopy Labeling Required•Duplicating/Copying •Physical Mail Handling•Faxing •Tracking Process by Log•Transmission over Internet •Human Resources•Transmission over FTP •Remote Access•Transmission over email •Desktop•Transmission over wireless •Laptop•Disposal/Destruction
  10. 10. The Government Response to the Report of the Standing Committee onAccess to Information, Privacy and Ethics on the Statutory Review of thePersonal Information Protection and Electronic Documents Act (PIPEDA) indicated the government’s intention to consult on the manner of implementing a legislative requirement for data breach reporting and notification.The document builds on a previous working paper (Proposed Model, March 27, 2008) and reflects views from stakeholders provided at a roundtable meeting held April 11, 2008 in Ottawa, as well as written comments provided subsequent to the meeting. It is presented solely as a working model to provide additional background to assist in framing and considering the proposed legislative amendments to PIPEDA.
  11. 11. “Data breach” means an incidentinvolving loss of, unauthorized access to, or disclosure of, personal information as a result of a breach of an organization’ssecurity safeguards pursuant to Principle 7 of Schedule 1 of PIPED Act.
  12. 12. • In the event of a data breach, where it is reasonable to considerin the circumstances that there exists a substantial risk ofsignificant harm to affected individuals, the organization willnotify affected individuals as a matter of course, and otherorganizations as required, as soon as is reasonably possible afterdetection, confirmation and assessment of the scope and extentof the breach.• Notification to affected individuals will be provided in a clearand conspicuous manner using a direct means of communication,and will include information that is sufficient for the individual tounderstand the significance of the breach, and to take steps tomitigate harm resulting from it.
  13. 13. • Factors that are relevant to the determination of substantialrisk include (i) the sensitivity of the information involved in thedata breach and (ii) the probability that the information could bemisused, or that harm to the affected individuals might result.• Factors that are relevant to the determination of which otherorganizations should be notified are (i) whether an organizationhas a role in the mitigation or prevention of harm to the affectedindividuals; or (ii) whether an organization could reasonably beexpected to suffer direct harm as a result of the data breach.
  14. 14. • The organization will also report to the Privacy Commissionerany material data breach, as soon as is reasonably possiblefollowing detection, confirmation, and an assessment of scopeand extent of the breach.• Factors relevant to the determination of material data breachinclude (i) the sensitivity of the information involved in thebreach, (ii) the number of individuals affected, and (iii) if itconstitutes a pattern, or provides evidence of a systemic root-cause, outside of commercially acceptable operating standards.
  15. 15. •The organization having control of the information will beresponsible for determining the need for notification to affectedindividuals and organizations and for reporting to the PrivacyCommissioner.
  16. 16. The threat of Child Identity Theft has raised a concern not justfor the protection of children’s personal information but has alsoshed light on the need for a higher standard of care withinvolunteer organizations.CVOs believe in there fiduciary responsibility and wants todemonstrate a higher standard of care.CVOs are also guided by morals and community values, so its inthe best interest of our members to demonstrate that higherstandard of care starting now.