ICT Expo Data Privacy Global Issues & Trends - Presentation Transcript
Data Privacy: Global Issues & Trends Charles Mok Internet Society Hong Kong 2009.04.16
Recent local data breaches (date YY.MM / organisation / incident / people affected)
09.04 / United Christian Hospital / Doctor lost USB drive / 8 patients
09.03 / United Christian Hospital / Doctor lost USB drive / 47 patients
09.03 / Open University / Staff lost USB drive / undisclosed # of students
09.03 / HK Police / 70 internal documents leaked via Foxy (P2P file-sharing software)
09.02 / SCAA / Players and coaches salaries for past 10 yrs on Foxy
09.02 / HK Police / Personnel files lost in auxiliary police file cabinet
09.02 / Fire Services / 20 personnel/appraisal reports etc on Foxy
09.01 / Hawk Control, FEHD / USB drive w/ internal docs found on bus
08.12 / Social Welfare Dept / USB drives lost / 63 clients/109 data subjects
08.11 / BEA / Customer statements trashed, used to wrap flowers
08.07 / HSBC / 25,000 customers' conversations on tapes lost in mail
Recent local data breaches (continued)
08.06 / Customs & Excise Dept / Internal doc & statement found on Foxy
08.06 / Immigration Dept / Confidential file taken home by a staff member to familiarise himself with procedures, found on Foxy
08.05 / Census & Statistics Dept / USB drive lost / 2 companies' data
08.05 / HK Police / Info about undercover operations, appraisal report and ICAC job description on Foxy
08.03 / HSBC / Server lost in Kwun Tong branch during renovation
08.04 / Civil Service Bureau / USB drive lost
08.04 / HK Police / Documents found on Foxy
08.04 / Civil Aviation Dept / Documents found on Foxy
08.04 and before / Hospital Authority / over 10 cases involving loss of USB drives, digital cameras, notebook, PDA, MP3 players, etc.
You think that's bad? Wait...
09.04 / Moses Cone Hospital (Greensboro, NC) / 14,380 patients' data stolen on notebook
09.04 / Peninsula Orthopaedic Associates / Tapes with 100,000 patients' data stolen
09.04 / Tennessee Dept of Human Services / Employee caught selling personal data / 1,178 people
09.04 / Borrego State Bank (CA) / 7 notebook PCs stolen from audit firm
09.04 / Hawaii Transport Dept / Computer stolen / 1,892 driver license holders
09.04 / Nashville Schools (TN) / Contractor put student data on unsecured web server / 18,000 students
09.04 / City of Culpeper (VA) / Contractor exposed 7,845 taxpayers data on Internet
09.02 / Arkansas Dept of Info Systems / Computer tapes lost / 807,000 people
http://www.privacyrights.org
...and there are more...
09.01 / Merrill Lynch (NY) / Contractor burglarized, losing a computer containing unknown number of staff info
09.01 / Pepsi (NY) / Portable storage device lost w/ unknown # of staff data
09.01 / CheckFree (Atlanta, GA) / Hackers took over the company's domains and redirected customers to a phishing site in Ukraine. At least 16,000 customers are believed to be affected, but the company warned 5 million customers.
09.01 / Genica/Geeks.com (Oceanside, CA) / Data of unknown number of e-commerce site customers, incl. credit card numbers, stolen by hacker
09.01 / U of Rochester (NY) / 450 students' info, incl. SSNs, hacked
09.01 / Columbus City Schools (OH) / Police raid uncovered 100 city employees' personal info, believed to have been intercepted in the mail
09.01 / Heartland Payment (NJ) / Cyberfraud compromised over 100M transaction records
...by everyone (2009 alone; organisation / people affected)
Univ of Oregon / unknown
Seventh Day Adventists /292
Continental Airlines / 230
Forcht Bank (KY) / 8,500
Charleston Health Dept (WV) / 11,000
Missouri State U / 565
Monster.com / unknown
US Military / 60
US Consulate (Jerusalem)
Indiana Dept of Admin / 8,775
phpBB.com / 400,000
ComCast / 4,000
Kaiser Permanente (CA) / 30,000
Kaspersky, Symantec / unknown
Parkland Memorial Hospital (TX) / 9,300
Federal Aviation Dept / 43,000
U of Alabama / 37,000
Wyndham Hotels / 21,000
CVS Pharmacies / unknown
Walgreens / 28,000
New York Police / 80,000
Idaho National Lab / 59,000
Google (doc users) / unknown
US Army / 1,600
A new attitude is needed
Changing environment
The impact of IT and Internet
Working outside the office
Increasing awareness by the community
Legal requirements and consequences
From policy to guidelines
From education to communications
The role of technology
Preventing occurrence as much as possible
Minimizing the damage when problems occur
The need for a new culture
It is about people's behavior
It is not about:
Simply putting the blame on staff
Strict punishment?
Avoiding the use of technology – trading off efficiency and even safety etc.
Developing a new corporate culture
Convenience vs. security and respect for other people's privacy
Legal and institutional safeguards
Information security
Classification of sensitive information
Privacy impact study and security audit
Clear, down-to-earth, up-to-date guidelines
Frequent and effective reminders
Do not ignore physical security
Explore and maximize technological means:
System design
Encryption
But, no easy cure-all – Set the right expectations!
Business implications
Surveys found data breaches and financial crimes are scaring customers away
Be good custodians of sensitive customer data -> customer confidence -> best CRM
Gartner: Privacy function is usually under IT and information security, more than legal dept.
But 60% do not have a dedicated budget! – chronically underfunded, especially problematic in the current economic downturn
Firms must set up a privacy governance model
Establish role of CPO (chief privacy officer)
Policy trends – next gen enforcement
EU introduces European Privacy Seal (EuroPriSe) for IT products and services to show compliance with privacy legislation in EU member states.
EU Data Protection Directive (EU DPD) defines fundamental principles for privacy protection, with mechanisms for cross-border transfers of personal data.
E.g. use of live personal data for testing purposes can be illegal
Policy trends – notification
Over 30 states in the US have passed breach notification laws
First to legislate: California
Last year, California enhanced the law, mandating that breach notifications be user-friendly so that "common people can understand."
Australian Privacy Commissioner is consulting public on “Draft Voluntary Information Security Breach Notification Guide”:
Mandatory disclosure likely in 18-24 months
A voluntary scheme may be ineffective: consultants are already advising client companies not to disclose voluntarily, as their competitors may not.
Recommendations for Hong Kong
Review Personal Data (Privacy) Ordinance
Criminalization of certain violations
Mandatory breach notifications
Strengthen Privacy Commissioner's Office
Improve privacy protection in public bodies
Establish Chief Security/Privacy Officers
Mandatory privacy/security impact studies
Education and public awareness
Respect other people's data privacy
Include privacy culture in basic and professional education