U.S. Federal Privacy Protection: An Overview (Concepts and History of the Federal Privacy Framework)


Published on February 18, 2007

U.S. Federal Privacy Protection: An Overview (Concepts and History of the Federal Privacy Framework) is a training presentation that provides:
1) an overview/review of the foundations of privacy and privacy protection in the United States;
2) a historical overview of privacy events and guidance in chronological format, showing four separate timelines side by side to provide a frame of reference for the issuance of privacy guidance: the “Privacy Events” timeline, alongside the advancement of IT technology, “Hacking Events”, and some of the current events taking place at the time;
3) a visual representation of federal laws, requirements, or guidance and the relationships created by the various laws.

  • February 18, 2007 [it’s easier to see the certifications when they are bulleted]
  • Privacy concerns and the U.S. Federal Government have a long history, some of which can be traced back to the founding of the country or, at the very least, to the drafting and ratification of the U.S. Constitution and Bill of Rights. While neither the Constitution nor the Bill of Rights specifically addresses the concept of “Privacy”, the foundations for privacy can be found in many places. Even though the U.S. Federal Government is no newcomer to dealing with privacy concerns, privacy practices within U.S. Federal Agencies are a relatively new concept for most agencies. Since about the mid- to late 1990s, privacy programs and practices of federal agencies have slowly emerged as a critical issue that has been, and still is, causing federal agencies many difficulties when it comes to addressing concerns and establishing a comprehensive privacy program. Traditionally, the Federal Government has played four different roles in addressing privacy within the United States, and part of the difficulty arises from those four roles:
    - Legislation of requirements for privacy: includes both laws that require release of private information (e.g. deeds, Bank Secrecy Act) and requirements concerning protection of private information, applying to both government entities and the private sector.
    - Oversight of private sector compliance: publication of rules and requirements for the private sector, ensuring compliance with laws, rules, and requirements by the private sector, and investigating/addressing complaints/violations by private sector entities (e.g. Fair Credit Reporting Act).
    - Judicial review: case law concerning the validity of laws, rules, and requirements; lawsuits to effect change in practices; criminal and civil suits to punish violators and compensate victims.
    - Safeguarding and protecting data collected by and used by the Government concerning citizens (e.g. Privacy Act, FISMA).
  • This material is primarily focused on what the various departments, agencies, and bureaus within the Executive Branch of the Federal Government are required and expected to do to protect the information they collect, use, and share about private citizens, and on a citizen's right to view and correct information about them held by federal agencies. This material will discuss, at a high level, the critical privacy areas the Executive Branch of the Federal Government is involved with, such as:
    - Government Records
    - Communications
    - Medical Information
    - Commerce
    In addition, the material will briefly touch on other key privacy concerns within agencies, such as:
    - Privacy in the Federal Workplace
    - Protection of Federal Employee Information
    - Protection of Federal Contractor Information
    This material has been developed primarily to help raise the awareness of Federal Employees and Contractors that have some level of responsibility for privacy oversight within a Federal Agency or Program. Secondly, this material was developed to be useful to auditors of federal agency privacy programs, practices, and processes. Lastly, this material was developed to help those outside the federal government develop a better insight into the complexities and requirements federal agencies must meet to ensure the protection of privacy information in their custody. This material does not cover privacy requirements for the Legislative or Judicial Branches of the U.S. Federal Government, which have different requirements; therefore most of the information covered in this material is not applicable to the Legislative or Judicial Branches. Similarly, this material will not focus on the Federal Government’s oversight of privacy in the private sector. Again, this material is ONLY concerned with what federal agencies of the Executive Branch of the U.S. Federal Government are required to comply with to protect the privacy of information they collect and use about U.S. citizens.
  • Before getting too far along in the material, it is important that we establish and define some terminology. Within the Federal Government there are multiple definitions of the term “privacy information”, depending on the context in which the term is used and even the agency in which it is used. The most common definitions (some of which have been statutorily defined) are:
    1. Information collected about a “person” obtained or resulting from a transaction to obtain services
    2. Information collected by the government about a citizen and maintained in an information system
    These two definitions are by far the most common and are traditionally what comes to mind when someone talks about privacy information; for the purposes of this material they are the types of privacy information we are going to focus on. While at first glance these two definitions appear to be saying the same thing, there are subtle differences between them that impact their scope. Let's start by looking at the first definition. This definition might be used to describe the information processed by the Government Printing Office’s Online Bookstore (bookstore.gpo.gov) during the purchase of a Pocket Edition of The Constitution of the United States and the Declaration of Independence. Within this definition, there are two items that can affect how the information collected is used and protected. The first item is the word “person”, and in this context a “person” can be:
    - Natural – as in a human being
    - Legal – as in a corporation
    - Citizen – may be a citizen of the U.S.
    - Alien – legal, resident, or illegal
    - Organization – business, non-profit, educational
    - Foreign Interest – resident, business, government
    The other key item is the phrase “a transaction to obtain services”, which means that the information is collected to allow the government to fulfill a request, in this case to sell and deliver a Pocket Edition of The Constitution of the United States and the Declaration of Independence. This also implies that the information collected in order to provide the service is used only for that specific reason and is not maintained in such a way that the government, or another federal entity, can use the information to make determinations about a person. The second definition is the traditional notion of the information a government agency has about each one of us. Theoretically this would also be a system of records as defined by the Privacy Act. Like the first definition, there are two key items that affect how the information collected is used and protected. The first item is the word “citizen”, which in this context means only:
    - A person born within the borders of the United States or its territories
    - A foreign-born person who has become a naturalized citizen
    The second item is the pair of statements “collected by the government” and “maintained in an information system”. These statements imply that the information is collected and may not have been provided by the actual person the information is about, and that the information is maintained to support future reference at some later date and/or is updated periodically.
  • 3. Information about Federal Employees and Contractors. This is the definition you might receive when talking with agency personnel or a human resources group, and of course OPM.
    4. Restricting access to subscriber or relying party information. This definition comes from NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure. “Subscriber” = an entity that (1) is the subject named or identified in a certificate issued to that entity, (2) holds a private key that corresponds to the public key listed in the certificate, and (3) does not itself issue certificates to another party. This includes, but is not limited to, an individual or network device. “Relying Party” = a person or agency who has received information that includes a certificate and a digital signature verifiable with reference to a public key listed in the certificate, and is in a position to rely on them. In this context the definition is concerned with protecting the information associated with the use of a PKI system for authentication and identification purposes supporting non-repudiation (so that a party cannot later deny having performed an action). With the exception of Department of Defense entities or an IT Security group, it is not very likely you will run across the use of this definition.
    5. Restricting access to proprietary information provided for review. With this definition, legally created entities (businesses, non-profit organizations, etc.) have been accorded some right to privacy over certain types of information created by the entity; it is basically centered around information that would provide another organization with an unfair competitive advantage. For most federal agencies, the main place they will be dealing with this information is in the procurement arena, and it is addressed in the Federal Acquisition Regulation (FAR) or DFAR the agency must comply with. There may be one other area of concern for some agencies: information provided by an organization for review and use by an agency voluntarily and at no cost to the agency, to support or assist in research or development of policy. The best example of this would be found by looking at National Transportation Safety Board (NTSB) accident investigations. Often manufacturers will provide NTSB investigators full access to and copies of trade secrets, design specifications, and other documentation to support a crash or accident investigation.
    6. Information collected as part of statistical surveys, program evaluations, and research studies. While this definition may seem vague, there are statutory requirements behind it that are agency specific. In a nutshell, this definition means that the participants have a right to anonymity. In cases where a participant's identity is required to be known for the collection of information, the participant's identity, participation in the survey/evaluation/study, and the data provided are to be protected to prevent others from knowing who participated or from linking the information to a participant. Customer satisfaction surveys also fall under this definition as a type of program evaluation.
  • Privacy (all lowercase letters) or privacy protection, for this material, refers to the controls or processes that protect privacy information from unauthorized use or disclosure. Privacy discussions often center on the term “confidentiality”, especially when information security personnel, policies, and laws are involved. While confidentiality is often used when talking about privacy information, it is important to remember that confidentiality is not a “class” of information within a system like “privacy information”. Instead, confidentiality is a principle for a control framework to establish a level of protection for all information within an information system. Confidentiality has been defined statutorily in 44 U.S.C. 3542 as: “Preserving authorized restrictions within the Federal Government including means for protecting personal privacy and proprietary information.” It has also been defined by NIST in FIPS 140-2 as “the property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.”
  • Aside from the term “Privacy Information”, the U.S. Federal Government has a number of other defined terms concerning “Privacy Information” or categorizing a set of data as privacy information.
    - Privacy Act Data – This term is the most familiar to federal employees and contractors and is often used when discussing Privacy Information. However, it is often misused to describe a broad category of information when in reality the Privacy Act of 1974, as amended, statutorily defines what is covered and what makes information “Privacy Act Data”.
    - Personally Identifiable Information (PII) and Protected Personal Information (PPI) are currently interchangeable with each other. PII was statutorily defined by Section 208 of the E-Government Act of 2002 and further defined by OMB memos. PPI is often seen in use within the Department of Defense.
    - Information in Identifiable Form (IIF) was established by Section 208 of the E-Government Act of 2002 and was originally meant as a way to classify data that may not identify a person directly but could be used to identify a person after the fact and associate transactions made with that information (for example IP address, session start and end times, browser information, referring domain address, or machine name).
    - Proprietary Information and Confidential Commercial Information can be interchanged with each other. This type of “privacy information” is mainly applicable only to specific information about a Federal Contracting Organization and has specific clauses defined concerning this information in both the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation (DFAR).
    - Protected Health Information (PHI) was created by HIPAA.
    - Customer Proprietary Network Information (CPNI) was defined by the Telecommunications Act of 1996.
  • Aside from the ramifications and consequences resulting from not ensuring privacy, privacy is considered one of the core values of the society we live in. The society in which we live and interact recognizes that a person has a “reasonable” expectation of privacy. The American judicial system has extensive case law concerning privacy and defining privacy “as the right to be left alone” that dates back to the 1800s. In the 1890s, Louis Brandeis (later a U.S. Supreme Court Justice) and Samuel D. Warren first put forth the concept of privacy as the right to be left alone in an article they co-wrote that was published in the Harvard Law Review. In 1928, in the Olmstead v. United States case, Justice Brandeis wrote that the Constitution “conferred, as against the government, the right to be let alone – the most comprehensive of rights and the right most valued by civilized men.” It is a legislative right in that, in many cases, the right to privacy, the protection of privacy information, and mandated lack of privacy (or required disclosure of privacy information) have primarily been defined by Acts passed by Congress and in some cases by Presidential Executive Orders. Privacy is deemed a “penumbral right” within the Constitution, resulting from the intersections of the various rights that are established in the Constitution and the Bill of Rights. While there is no explicit statement of the right of privacy in the Constitution, the right of privacy has underpinnings in the U.S. Constitution within:
    - The Fourth Amendment – “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
    - The Ninth Amendment – “The enumeration in the Constitution of certain rights shall not be construed to deny or disparage others retained by the people.”
  • Privacy is a subjective condition that a person has in regard to the degree to which they can determine what personal information about themselves is to be shared and for what purposes it can be used. It is subjective because each person has their own definition of what personal information is, what information about them can be shared, and what information about themselves they want to control. In other words, privacy is the authority and ability to govern the:
    - Acquisition of information from an individual (or third party) by another party
    - Disclosure of any or all of the information to another party
    - Use or purpose agreed to between the parties when the person disclosed the information to the other party
  • While privacy is a value of society that conveys to an individual certain expectations of a right to privacy, the right to privacy is neither unlimited (a person cannot prevent the release of all information) nor absolute (under certain circumstances a person's right to privacy can be revoked). In order to interact and participate fully (or in any way) in society or engage in any type of social discourse, a person must release different types of personal information to different entities and at different levels of detail. Ultimately, privacy is a social contract that tries to balance the need for disclosure of information to government entities, commercial organizations, and other individuals with the desire of a person to control what information about themselves is available to others.
  • Within the United States there is no omnibus privacy legislation. Instead, privacy issues are addressed through sector-specific privacy rules, legislation, regulations, and/or voluntary codes to ensure privacy protection. When looking at how privacy issues have been addressed within the United States, there are six critical areas in which privacy governance occurs:
    - Privacy of Government Records
    - Privacy of Communications
    - Privacy of Medical Records
    - Privacy in the Marketplace
    - Privacy in the Workplace
    - Privacy of the Home & Family
    Each of these areas has specific regulations or case law that establish requirements for privacy protection, and in some cases those requirements may span multiple areas. While each of these six areas has different requirements, processes, and oversight for the protection of privacy, the foundation of guiding principles and the governance of privacy in each area is the same.
  • The U.S. Federal Government has adopted a set of Fair Information Practices and a set of Privacy Principles for the governance of privacy. The Fair Information Practices were published in 1973 in a Health, Education, and Welfare Advisory Committee report outlining a framework for how personal information should be collected, disclosed, and used to ensure a citizen's right to participate. The Fair Information Practices call for:
    - Openness
    - Notice
    - Use
    - Correction
    - Accuracy and Security
  • The U.S. Privacy Principles were developed by the Privacy Working Group of the Information Infrastructure Task Force. In June of 1995, the Privacy Working Group published the report “Principles for Providing and Using Personal Information”. The Privacy Working Group was not seeking to replace the Fair Information Practices, which had been published by the Secretary of the Health, Education, and Welfare Department (Caspar Weinberger) over 12 years earlier, in 1973. Instead they were looking to build upon the Fair Information Practices, refining and strengthening them as needed, while taking into account the technology infrastructure that was in place for most medium to large companies. The Principles for Providing and Using Personal Information report put forth a set of privacy principles which recognized that:
    - Consumers and citizens, government entities (federal, state, or local), and business ALL share in the responsibility to secure personal information.
    - Technology has the potential to empower individuals to protect their information, but that very same technology can facilitate an individual having their information compromised.
    - Organizations that collect and use privacy data need to be open about and share information about their data collection processes and reasons for collecting the data.
    - Individuals have to be able to understand the impacts of how their information can be used AND clearly understand how their information will be used.
  • The Principles for Providing and Using Personal Information report further noted that organizations that collect and use personal information, as well as the individual who is providing information to an organization, have additional responsibilities that they should perform.
  • As we talked about earlier, participating and interacting fully with society, or engaging in any type of social discourse, requires a person to release personal information of different types and to varying degrees. However, society does recognize that a person has the right to expect a reasonable level of privacy concerning themselves. We have also established that the expectation of a right to privacy is neither an unlimited nor an absolute right. Personal information is information which can be used to identify a person uniquely and reliably. It is both information about a person (data elements like address, social security number, employer) and also information about their persona (elements like pictures, video, reputation).
  • While there may be an office or an agency official with designated responsibilities for privacy concerns, they alone cannot ensure that personal information collected, used, and maintained by the agency is protected. They can only oversee and monitor the implementation of privacy policies and programs for the agency. Information Technology plays a large role when it comes to protecting and ensuring the protection of personal information. Agency CIOs have statutory requirements in regard to privacy. However, the CIO Office, the IT Group, and the Information Security Group only provide a part of the protection required to ensure privacy protection. Some of the offices within an agency that have requirements concerning privacy governance are:
    - FOIA Officers
    - Privacy Act Officers (may also be the FOIA Officer)
    - Agency Chief Information Officer
    - Agency General Counsel’s Office
    - Agency Chief Financial Officer
    - Agency Senior Privacy Official / Chief Privacy Officer
    - Application System Owners
    NOTE: We will be going into more detail concerning the offices with privacy governance responsibilities later in the training, in Sections 3 and 4.
  • Because privacy governance requirements are spread across a number of offices within an agency, there are a number of policies and procedures that must coordinate and complement each other to ensure a unified approach to privacy protection. Ultimately, privacy protection involves the implementation of three distinct control families:
    - Management Controls are the controls put in place concerning such items as: the agency-specific policies, reviewing business practices, ensuring needs for privacy are budgeted for, reviewing and assessing the effectiveness of the privacy program, and reviewing and assessing compliance with the privacy program by employees and contractors.
    - Operational Controls are the controls put in place concerning such items as: privacy awareness and training, physical protection, standard procedures, labeling of information and documents, monitoring access to information, and retention and destruction of documents and information.
    - Technical Controls are the controls that are typically provided by the CIO’s Office, the agency network infrastructure, and the software application in which the information is maintained. Many of these controls may not be purely technical controls and instead augment the management and operational controls of the privacy program.
  • Privacy protection within Federal Agencies can best be achieved through the:
    - Implementation of a comprehensive, agency-wide, visible privacy program
    - Establishment of a privacy coordination group or team that represents a cross-section of the agency
    - Creation of a privacy training and awareness program, with periodic refresher training, to educate personnel about their responsibilities regarding privacy protection and to raise awareness of issues regarding privacy
    Such a program cannot be successful if the CIO’s office and the Agency Senior Privacy Official do not have a close working relationship and keep each other informed of changes and concerns.
    NOTE: We will be going into much more detail concerning these and other elements of a privacy program later in Section 3 of this material.
  • While the IT department, group, or individuals have always provided some level of protection for privacy information, they don’t always see it that way or realize it. The IT department thinks in terms of, and often in this order:
    - Availability – is the system up and can the users access it?
    - Integrity – are the systems protected, are they stable platforms?
    - Confidentiality – let in the people that have access and keep everyone else out.
    Confidentiality, while important for an IT department, usually gets overridden by availability for internal users. Part of this stems from the fact that IT departments usually have as part of their mission, either stated or implied, the goal of supporting the sharing of information within an organization. This mission statement usually drives everything else the department does. In a lot of cases this results in only coarse-grained protection of information, based on roles or groups that are broadly defined and that associate people with a division or department within the organization. The other analogy that can be drawn between privacy and security is that security can be seen as protecting the information based on authentication of a person (do they have a right to gain access to the system?), and privacy is protecting the information based on authorization for a person (do they have a need to access the information?). Just because you have access to a shared area on a system does not always mean you have the authorization or right to access any of the documents or materials stored there. The IT system usually will support controls at that level, but IT departments don’t have the staff to support the volume of changes to access rights needed at that level, and most end users don’t even know that, in a lot of cases, they have some limited ability to control access to files and directories they create on the system.
    NOTE: We will be going into much more detail concerning security-related items later in Section 3 of this material.
  • If we look back at IT Security we can see that it is still an evolving practice. First there was Computer Security or Information Technology Security, which was really focused on protecting the equipment more than anything else. This slowly changed into Information Security, which is where the IT groups began viewing security in terms of Confidentiality, Integrity, and Availability. Not long after the “INFOSEC” methodology or practices had taken hold, the controls about authentication and non-repudiation merged into the practice and we had Information Assurance. And the “Security” profession is still evolving, adapting, and learning new practices.
  • Somewhere around 2001 the security practice slowly started another change whose results we are just beginning to see: Privacy Assurance has become a focus and concern for IT Security professionals, even though most of the industry still refers to security practitioners as Information Security or Information Assurance. Look at what the CIO groups within the Federal Agencies are doing currently that was not being done just 2 years ago:
    - FIPS 199 system categorizations
    - Privacy Impact Assessments
    - E-Authentication Risk Assessments
    - Privacy policies for websites in both human- and machine-readable formats
    - The minimum recommended controls from NIST even include some specific controls that are concerned only with privacy
    - An entire section of the annual FISMA report is concerned with privacy issues
    - Quarterly updates on privacy issues are required to accompany the quarterly submission of POA&Ms and security concerns within the IT group
    In some cases the addition of the privacy controls was a new concept for the IT groups; in others it was a matter of adding or refining some processes or controls; but for a lot of them it was more of an “ah ha!” experience, because they realized they had been doing it as part of some other process and had never thought to take credit for it.
  • Every agency, no matter what size, if it handles privacy data (and I can’t think of one that doesn’t at some level, if nothing else for their employees) needs to have a Privacy Breach Incident Response Plan that supplements the Security Incident Response Plan, DR Plans, COOP, or other contingency-related plans. It is not a matter of “IF” the agency will have a breach, it is a matter of “WHEN” it will happen. Privacy concerns also need to be well integrated into the DR Plans and COOPs, since a privacy breach is even more likely to happen when operating in a reduced capacity or state of emergency, as a lot of the normal IT controls may no longer be functional. A privacy breach should be considered on the same level in an organization's DR Plan or COOP as the loss of a building. While physically everything may be operating, the response to a privacy breach will be just as important as getting water on a fire in a storage room. And more importantly, people and the media will ask MORE questions about the privacy breach than they will about the cause of a fire in the building.
  • Note: These next few slides provide examples of various privacy breaches over a six-month period of time.
  • Depending on the impact and severity of an unauthorized disclosure of personal information:
    - Agencies may have to cut budgets, postpone projects, or delay offering new services in order to pay for corrective actions like:
      - Credit monitoring
      - New control measures
      - New / refresher training
    - Senior leadership of the agency may be called before congressional committees to explain how it happened, why it was not prevented, what is being done to prevent it from happening again, and who was responsible for it. In 2005 at NTSB, during confirmation hearings for a new director, Congress had some very pointed and tough questions concerning the lack of progress and poor FISMA reports. This resulted in a major reorganization of the CIO group, which included moving the person in the CIO position to a new duty assignment. The NTSB Directorship scrutinized every action in the CIO shop, which resulted in a CIO shop that was effectively paralyzed.
    - Senior leadership may change due to a “request to resign from a position”. In the summer of 2006 we followed the VA mishap concerning a stolen laptop potentially exposing 28 million veterans’ personal information:
      - The Associate Deputy Assistant Secretary for Cyber and Information Security resigned
      - The Deputy Assistant Secretary for Policy resigned
      - The Acting Assistant Secretary for Policy was placed on administrative leave
  • As we discussed earlier, privacy in the U.S. has been evolving since the adoption of the Constitution. We will specifically be concentrating on the privacy guidance from the 1960’s until today, which encompasses the laws, rules, and regulations that have been enacted for the private sector as well as those for the public sector. Prior to the 1960’s there was hardly anything concerning the collection of information from citizens and how that information might be used. There was some limited case law, but it wasn’t until the mid- to late 1960’s that the federal government began to affect how agencies collected information, how it was used, or how it would be disclosed. The one piece of legislation enacted prior to the 1960’s that helps support the Federal Privacy Framework was the Federal Records Act of 1950. This act required agencies to document and preserve evidence of the agency’s activities and established that OMB, GSA, and NARA would share the responsibility for oversight of Records Management by an agency. The next series of slides starts with the 1960’s and will begin to illustrate the history and evolution of privacy guidance and requirements within the United States. These slides have been developed to show four separate timelines to help provide a frame of reference to the various privacy-related events by showing the privacy event on one flow and then providing information as to the current events of the time, as well as information about the advancement of both IT technology and hacking events.
  • The top three timelines, IT Incidents, IT Advancements, and “Current” Events, are informational. If there is a key point that you may need to remember, it will be pointed out during the discussion around the year the event takes place in. In some cases, being able to see these additional timelines can help to understand why a privacy event (law, report, etc.) came about. As we start to look at the timeline slides, I want to point out that the IT Incidents timeline only highlights IT incidents related to the U.S. Federal Government or a milestone event.
  • The Federal Privacy Framework we will be looking at is a Conceptual Node Connectivity Diagram created to provide a visual representation of the federal laws, requirements, or guidance that apply to all Executive Branch Departments, Agencies, and Bureaus; it also helps show how oversight of privacy is accomplished by OMB, Congress, and each agency. The other benefit of this diagram is that it can show how various laws have created indirect relationships between agency functions, so that privacy controls in one agency function have a direct impact on another agency function.

    1. U.S. Federal Privacy Protection: An Overview (Concepts and History of the Federal Privacy Framework), February 18, 2007
    2.
       • This material was developed by William L. Dana.
          • Mr. Dana has over fourteen years of experience in the field of Information Technology and currently holds the following certifications:
             • Certified Information Systems Security Professional (CISSP)
             • Certified Information Security Manager (CISM)
             • Certified Business Continuity Professional (CBCP)
             • Certified Information Privacy Professional (CIPP)
          • During his career he has managed corporate IT departments and supported clients’ needs in Information Technology, System/Software Development, Information Security, and Privacy Assurance, ranging from small businesses to Federal Agencies like the U.S. Navy, the Department of Education’s Office of Federal Student Aid, the National Transportation Safety Board, the Federal Housing Finance Board, the Department of Homeland Security, and the Bureau of Labor Statistics.
          • Mr. Dana also has a Master’s in Education with a concentration in Higher Education.
          • In 2002, Mr. Dana started his own consulting company offering Privacy and Security Assurance Consulting and Information Technology Services and Solutions.
    3. Table of Contents
       • Introduction
       • Purpose
       • Objectives
       • Scope
       • Section 1: Privacy 101
       • Section 2: The Evolution of Privacy
       • Section 3: A Conceptual Visualization of the Federal Privacy Framework
    4. Introduction
       • Privacy concerns and the involvement of the U.S. Federal Government have a long history
       • It is a critical issue, with many difficulties for Federal Agencies in addressing concerns and providing resolutions
       • Traditionally, the U.S. Federal Government plays four different roles in privacy governance:
          • Legislation of requirements for privacy
          • Oversight of private sector compliance
          • Judicial review of issues
          • Safeguarding and protecting data collected by and used by the Federal Government concerning U.S. Citizens
    5. Purpose
       • Provide an overview of the concepts, history, requirements, and responsibilities of Federal Agencies related to the protection of the privacy of U.S. Citizens
       • Develop a highly skilled and competent federal privacy workforce
       • Increase the awareness of privacy issues and practices within Federal Agencies
    6. Objectives
       • Provide a foundation concerning the history, laws, requirements, and responsibilities of Federal Agencies in protecting privacy
       • Fulfill annual, biennial, and refresher training requirements as required by the Privacy Act of 1974 (as amended), FISMA, and the Federal Workforce Training Initiative
    7. Scope
       • Focuses only on the requirements of the Executive Branch of the U.S. Federal Government in protecting privacy information
       • Covers the requirements of Federal Agencies to protect and safeguard “personally identifiable information” that they collect and use about U.S. Citizens
    8. Section 1: Privacy 101
    9. Terms and Definitions
       • The term “Privacy Information” has multiple definitions within the U.S. Federal Government:
          • Information collected about a person, obtained or resulting from a transaction to obtain services
          • Information collected by the government about a citizen and maintained in an information system
    10. Terms and Definitions (cont’d)
          • Information about Federal Employees and Contractors
          • Restricting access to “subscriber” or “relying party” information
          • Restricting access to proprietary information provided for review
          • Information collected as part of statistical surveys, program evaluations, and research studies
    11. Terms and Definitions (cont’d)
       • privacy (all lowercase) or privacy protection
          • the controls or processes to protect privacy information from unauthorized use or disclosure
       • Confidentiality
          • Can be synonymous with “privacy”
          • Preserving authorized restrictions to, and protection of, personal privacy
    12. Terms and Definitions (cont’d)
       • Common or statutorily defined terms used to categorize “Privacy Information”:
          • Privacy Act Data
          • Personally Identifiable Information (PII)
          • Information in Identifiable Form (IIF)
          • Protected Personal Information (PPI)
          • Proprietary Information
          • Confidential Commercial Information
          • Protected Health Information (PHI)
          • Customer Proprietary Network Information (CPNI)
    13. The Importance of Privacy in the U.S.
       • Privacy is a core value of our society
       • Case law supports the concept of privacy in terms of “the right to be left alone”
       • In the United States, privacy is a legislative right:
          • Provides for legal recourse when violated
          • Codifies basic expectations of privacy
          • Outlines circumstances when this right can be revoked from a person
       • It is deemed a “penumbral right” within the Constitution
    14. Defining Privacy
       • What is “Privacy”?
          • Privacy is a subjective condition that a person has in regard to the degree to which they can determine what personal information about themselves is to be shared and for what purposes it can be used
          • It is subjective because each person has their own definition of what personal information about them can be shared and what is private
    15. A Working Definition of Privacy
       • It is a value, and individuals have an expectation of a right to privacy; however:
          • It is not unlimited
          • It is not absolute
       • Privacy rights are a social contract that tries to balance the need for disclosure of information to participate in society with the desire of an individual to control what information they make available about themselves to others
    16. Defining Privacy within the United States
       • Privacy issues can be grouped along six critical areas of governance:
          • Privacy of Government Records
          • Privacy of Communications
          • Privacy of Medical Records
          • Privacy in the Marketplace
          • Privacy in the Workplace
          • Privacy of the Home and Family
       • Each area may have different requirements, but all share the same foundation
    17. Privacy Governance in the U.S.
       • Privacy Governance by the U.S. Federal Government is based on:
          • A set of Fair Information Practices:
             • Openness
             • Notice
             • Use
             • Correction
             • Accuracy and Security
          • Supported by a set of Privacy Principles founded on and developed from the Fair Information Practices
    18. U.S. Privacy Principles
       • U.S. Privacy Principles recognize that:
          • Citizens, government, and businesses all share in the responsibilities for fair and secure use of personal information
          • Technology has the potential to empower individuals to protect their information
          • Openness about, and accountability for, the collection and uses of personal information is critical
          • Openness and accountability are not meaningful unless individuals understand the ways information is used and how their personal information can be used
    19. U.S. Privacy Principles (cont’d)
       • These principles also propose:
          • Organizations that collect / use personal information recognize and protect personal information by:
             • Conducting impact analysis on the collection and use of the personal information
             • Collecting only the personal information that has to be used to support the activity
          • Individuals should educate themselves on their choices, and the organization should provide:
             • Why the information is needed, in what manner the information will be used, and the impact if they choose not to provide the information
             • How the information will be protected
             • How concerns will be addressed and how updates to the provided information can be made
    20. Defining Personal Information
       • Every interaction a person has with the society they live in requires the release of personal information that varies as to the types/categories of information and level of detail provided
       • Personal information covers any information that directly relates to a person or their persona
    21. Categories of Personal Information
       • Personal information can be grouped into three categories:
          • Public Personal Information
          • Discretionary Personal Information
          • Professional Personal Information
       • An individual has different expectations of control over, or the ability to withhold, information in each category
    22. Public Personal Information Category
       • Public Personal Information consists of information that is a public record or that a person has chosen to make public
       • Public Records about a person may also have restrictions on availability and use
       • Information being available in public records does not mean that the same information, when contained in other records, has any less of a right to be protected
       • Public Personal Information does not mean a “grant of authority” to use that information for any purpose
    23. Examples of Public Personal Information
       • Deeds / Property Records
       • Motor Vehicle Records
       • Media reports / publications
       • Securities and Exchange filings
       • Hunting Licenses
       • Address / Phone Number
       • Personal Web Pages
       • Personal Blogs
       • Published Writings
    24. Discretionary Personal Information Category
       • Discretionary Personal Information is information that a person releases only as needed or required for a specific purpose and/or period of time
       • Requires the highest level of protection by organizations that collect information in this category
       • Individuals have a responsibility to make educated decisions concerning the disclosure of their information in this category
    25. Examples of Discretionary Personal Information
       • Social Security Number
       • Financial and Credit Information
       • Medical Information
       • Family Information
       • Religion / Race / National Origin
       • Subscriber Information
       • Purchasing History
       • Communications
    26. Professional Personal Information Category
       • Personal Information that is associated with an individual’s employment / professional career
       • Available within the work area
       • Depending on the work environment, this information may:
          • Have portions that are made publicly accessible
          • Have portions that are “need to know” within the organization
          • Have portions that a person has limited control over or limited ability to restrict release of
    27. Examples of Professional Personal Information
       • Work Location
       • Work Contact Information (phone / e-mail)
       • Position / Job Description / Resume
       • Security Clearance Level
       • Certifications / Specializations / Subject Expert
       • Salary / Pay Grade
       • Type of Leave / Reason for Leave
       • Impact Card Information
       • Performance Ratings / Reviews
       • Professional Writings
    28. Protecting and Safeguarding Information
       • Everyone has a responsibility to protect personal information collected, used, and maintained by an agency
       • Privacy protection is inherently intertwined and interlinked with Information Technology and Information Assurance/Security, but does not rely exclusively on IT solutions
       • Requires coordination, cooperation, and participation of several offices within an agency, each with different agency responsibilities and/or statutory requirements related to privacy
    29. Protecting and Safeguarding Information (cont’d)
       • Requires the coordination of policy, procedures, and oversight of:
          • Agency IT Security Policies
          • Agency Data Quality Policies
          • Agency Records Management Policy
          • Agency Freedom of Information Act Processes
          • Agency Privacy Policy
       • Requires implementation of three distinct families of controls: Management Controls, Operational Controls, and Technical Controls
    30. Protecting and Safeguarding Information (cont’d)
       • Agencies can best achieve privacy protection by:
          • Implementation of a comprehensive, agency-wide privacy policy and privacy program
          • Establishment of a cross-functional privacy coordination team or group
          • Development of a Training and Awareness Program
          • A close working relationship between the CIO’s Office and the Agency Senior Privacy Official, or the FOIA Officers / Privacy Act Officers where the CIO serves as the Agency Senior Privacy Official
    31. Privacy or Security?
       • In the “Safeguarding Information” slides it can be seen how interconnected privacy is with security, and that security is a key aspect of safeguarding privacy; however:
          • Privacy cannot be achieved without the presence of adequate security controls.
          • Security can be achieved without privacy controls.
       • When privacy is left only to the IT group, more often than not they will focus on availability of the systems and enabling the sharing of resources.
    32. Defining Security: ITSEC / INFOSEC / IA
       • Information Technology Security (ITSEC)
          • ITSEC considers the impact of the IT system on other systems. Subsequently, system user interaction, mission, and data types are taken into account. In order to determine the impact on other systems, the risk of the specific system to other systems must be assessed.
       • Information Security (INFOSEC)
          • Information systems security concerns itself with the maintenance of three critical characteristics of information: confidentiality (Pfleeger’s “secrecy”), integrity, and availability [PFL89]. These attributes of information represent the full spectrum of security concerns in an automated environment. They are applicable for any organization irrespective of its philosophical outlook on sharing information. (NSTISSI No. 4011)
       • Information Assurance (IA)
          • Information assurance can be understood as the information operations (IO) that protect and defend information and information systems (IS) by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (Principles of Survivability and Information Assurance, CERT)
    33. ISPA: The New Definition of Security
       • Information Security & Privacy Assurance (ISPA)
          • Confidentiality Controls
          • Integrity Controls
          • Availability Controls
          • Authentication Controls
          • Privacy Controls
             • Web-based policies
             • Impact Assessments
             • Data Classification
             • Some controls are just starting to be added:
                • Digital Rights
                • Automated labeling of documents concerning data classifications
    34. Responding to Privacy Breach Incidents
       • Every agency should have a Privacy Breach Incident Response Plan that outlines how the agency will respond to a privacy breach
       • A Privacy Breach Incident “WILL” occur at some point
       • How an agency responds, reacts, and reports a privacy breach can either:
          • Help minimize the impact to the agency
          • Make a bad situation even worse
    35. Privacy Breach Incidents
       • Between February 13, 2005 and January 2, 2007 there have been approximately 37 privacy breaches involving U.S. Federal Agencies, affecting approximately 29,687,877 records containing personal information
       • For that same time period there have been approximately 441 privacy breaches involving private industry, affecting approximately 100,453,858 records containing personal information
       • And these are just what has been reported!
       • Information about Privacy Breach Incidents and the following May – Dec 06 Federal Privacy Breaches slides was taken from the Privacy Rights Clearinghouse Chronology of Data Breaches, http://www.privacyrights.org/ar/ChronDataBreaches.htm
    36. May – Dec 06 Federal Privacy Breaches
       DATE MADE PUBLIC | NAME (Location) | TYPE OF BREACH | NUMBER OF RECORDS
       • 12/28/06 | U.S. State Department | A bag containing approximately 700 completed passport applications was reported missing on December 1st. The bag, which was supposed to be shipped to Charlotte, NC, was found later in the month at Los Angeles International Airport. | 700
       • 12/05/06 | Army National Guard 130th Airlift Wing (Charleston, WV) | A laptop was stolen from a member of the unit while he was attending a training course. It contained names, SSNs, and birth dates of everyone in the 130th Airlift Wing. | Unknown
       • 11/15/06 | Internal Revenue Service (Washington, DC) | According to documents obtained under the Freedom of Information Act, 478 laptops were either lost or stolen from the IRS between 2002 and 2006. 112 of the computers held sensitive taxpayer information such as SSNs. | Unknown
       • 11/01/06 | U.S. Army Cadet Command (Fort Monroe, VA) | A laptop computer was stolen that contained the names, addresses, telephone numbers, birthdates, SSNs, parent names, and mother's maiden names of applicants for the Army's four-year ROTC college scholarship. | 4,600 high school seniors
       • 10/25/06 | Transportation Security Administration (TSA) (Portland, OR) | A thumb drive is missing from the TSA command center at Portland International Airport and is believed to contain the names, addresses, phone numbers and SSNs of approximately 900 current and former employees. | 900 current and former Oregon TSA employees
       • 10/20/06 | Manhattan Veterans Affairs Medical Center, New York Harbor Health Care System (New York, NY) | On Sept. 6th, an unencrypted laptop computer containing veterans' names, SSNs, and medical diagnoses was stolen from the hospital. | 1,600 veterans who receive pulmonary care at the facility
    37. May – Dec 06 Federal Privacy Breaches
       DATE MADE PUBLIC | NAME (Location) | TYPE OF BREACH | NUMBER OF RECORDS
       • 10/12/06 | Congressional Budget Office (CBO) (Washington, D.C.) | Hackers broke into the Congressional Budget Office's mailing list and sent a phishing e-mail that appeared to come from the CBO. | Unknown number of e-mail addresses
       • 10/12/06 | U.S. Census Bureau | This spring, residents of Travis County, TX helped the Census Bureau test new equipment. When the test period ended, 15 devices were unaccounted for. The Census Bureau and the Commerce Department issued a press release saying the devices held names, addresses and birthdates, but not income or SSNs. | Unknown number of Travis Co., TX, residents
       • 10/06/06 | Camp Pendleton Marine Corps base via Lincoln B.P. Management (Camp Pendleton near Oceanside, CA) | A laptop missing from Lincoln B.P. Management Inc. holds personally identifiable data about 2,400 Camp Pendleton residents. | 2,400
       • 09/21/06 | U.S. Dept. of Commerce and Census Bureau (Washington, DC) | The agency reported that 1,137 laptops have been lost or stolen since 2001. Of those, 672 were used by the Census Bureau, with 246 of those containing personal data. Secretary Gutierrez said the computers had "protections to prevent a breach of personal information." | Unknown
       • 09/17/06 | Direct Loans, part of the William D. Ford Federal Direct Loan Program within U.S. Dept. of Education and Federal Student Aid, via its IT contractor ACS | A security breach exposed private information of student loan borrowers from Aug. 20th – 22nd during a computer software upgrade. Users of the Direct Loans Web site were able to view information other than their own if they used certain options. SSNs were among the data elements exposed online. | 21,000 accounts
    38. May – Dec 06 Federal Privacy Breaches
       DATE MADE PUBLIC | NAME (Location) | TYPE OF BREACH | NUMBER OF RECORDS
       • 09/07/06 | Florida National Guard (Bradenton, FL) | A laptop computer was stolen from a soldier's vehicle containing training and administrative records, including SSNs of up to 100 Florida National Guard soldiers. | 100
       • 09/05/06 | Transportation Security Administration (TSA) via Accenture (Washington, DC) | In late August 2006, Accenture, a contractor for TSA, mailed documents containing former employees' SSN, date of birth, and salary information to the wrong addresses due to an administrative error. | 1,195 former TSA employees
       • 08/25/06 | U.S. Dept. of Transportation, Federal Motor Carrier Safety Administration (FMCSA) (Baltimore, MD) | A laptop that "might contain" personal information of people with commercial driver's licenses was stolen Aug. 22nd. FMCSA said the data might include names, dates of birth, and commercial driver's license numbers of 193 individuals from 40 trucking companies. | 193
       • 08/23/06 | U.S. Dept. of Education, Direct Loan Servicing Online (Atlanta, GA) | A faulty Web site software upgrade resulted in personal information of 21,000 student loan holders being exposed on the Department's loan Web site. Information included names, birthdates, SSNs, addresses, phone numbers, and in some cases, account information. Affiliated Computer Services Inc. is the contractor responsible for the breach. The breach did not include those whose loans are managed through private companies. | 21,000
       • 08/21/06 | U.S. Dept. of Education via contractor DTI Associates (Washington, DC) | Two laptops were stolen from DTI's office in downtown DC containing personal information on 43 grant reviewers for the Teacher Incentive Fund. DTI could not rule out that the data included SSNs. | 43
    39. May – Dec 06 Federal Privacy Breaches
       DATE MADE PUBLIC | NAME (Location) | TYPE OF BREACH | NUMBER OF RECORDS
       • 08/15/06 | U.S. Dept. of Transportation (Orlando, FL) | On April 24th, a DOT employee's laptop computer was stolen from an Orlando hotel conference room. It contained several unencrypted case files. Investigators are in the process of determining if it contained sensitive personal information. | Unknown
       • 08/09/06 | U.S. Dept. of Transportation | The DOT's Office of the Inspector General reported a special agent's laptop was stolen on July 27th from a government-owned vehicle in Miami, FL, parked in a restaurant parking lot. It contained names, addresses, SSNs, and dates of birth for 80,670 persons issued commercial driver's licenses in Miami-Dade County; 42,800 persons in FL with FAA pilot certificates; and 9,000 persons with FL driver's licenses. Update (11/21/06): A suspect was arrested in the same parking lot where the theft occurred, but the laptop has not been recovered. Investigators found a theft ring operating in the vicinity of the restaurant parking lot. | 132,470
       • 08/07/06 | Veterans Affairs Dept. through its contractor Unisys Corp. (Reston, VA) | A computer at the contractor's office was reported missing Aug. 3rd, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations. Update (9/15/06): Law enforcement recovered the computer and arrested an individual who had worked for a company that provides temporary labor to Unisys. | 5,000 Philadelphia patients, 11,000 Pittsburgh patients, 2,000 deceased patients, plus possibly 20,000 more patients
    40. May – Dec 06 Federal Privacy Breaches
       DATE MADE PUBLIC | NAME (Location) | TYPE OF BREACH | NUMBER OF RECORDS
       • 07/26/06 | U.S. Navy recruitment offices (Washington, D.C.) | Two laptop computers with information on Navy recruiters and applicants were stolen in June and July. Also included was information from selective service and school lists. About 4,000 records contained SSNs. Files were password protected. | 31,000 records were stolen, with about 4,000 containing SSNs. The latter number is included in the total below (6/23/06).
       • 07/18/06 | U.S. Dept. of Agriculture (USDA) (Washington, D.C.) (Wellington, KS) | A laptop computer and printout containing names, addresses and SSNs of 350 employees were stolen from an employee's car and later recovered. | 350
       • 07/07/06 | Naval Safety Center | SSNs and other personal information of Naval and Marine Corps aviators and air crew, both active and reserve, were exposed on the Center web site and on 1,100 computer discs mailed to naval commands. | "More than 100,000"
       • 06/27/06 | Gov't Accountability Office (GAO) (Washington, D.C.) | Data from audit reports on Defense Department travel vouchers from the 1970s were inadvertently posted online and included some service members' names, SSNs and addresses. The agency has subsequently removed the information. | "Fewer than 1,000"
       • 06/23/06 | U.S. Navy recruitment offices (Washington, D.C.) | Navy personnel were notified on June 22nd that a civilian web site contained files with personal information of Navy members and dependents including names, birth dates and SSNs. | 30,000
    41. May – Dec 06 Federal Privacy Breaches
       DATE MADE PUBLIC | NAME (Location) | TYPE OF BREACH | NUMBER OF RECORDS
       • 06/22/06 | Federal Trade Commission (FTC) (Washington, D.C.) | Two laptop computers containing personal and financial data were stolen from an employee's vehicle. The data included names, addresses, SSNs, dates of birth, and in some instances, financial account numbers gathered in law enforcement investigations. | 110
       • 06/21/06 | U.S. Dept. of Agriculture (USDA) (Washington, D.C.) | During the first week in June, a hacker broke into the Department's computer system and may have obtained names, SSNs and photos of current and former employees and contractors. | 26,000
       • 06/13/06 | U.S. Dept of Energy, Hanford Nuclear Reservation (Richland, WA) | Current and former workers at the Hanford Nuclear Reservation found that their personal information may have been compromised, after police discovered a 1996 list with workers' names and other information in a home during an unrelated investigation. | 4,000
       • 06/12/06 | U.S. Dept. of Energy (Washington, D.C.) | Names, SSNs, security clearance levels and place of employment for mostly contract employees who worked for the National Nuclear Security Administration may have been compromised when a hacker gained entry to a computer system at a service center in Albuquerque, N.M. eight months ago. | 1,502
       • 06/05/06 | Internal Revenue Service (Washington, DC) | A laptop computer containing personal information of employees and job applicants, including fingerprints, names, SSNs, and dates of birth, was lost during transit on an airline flight. | 291
    42. 42. May – Dec 06 Federal Privacy Breaches February 18, 2007 DATE MADE PUBLIC NAME (Location) TYPE OF BREACH NUMBER OF RECORDS 05/22/06 Dept. of Veterans Affairs (VA) (Washington, DC) On May 3rd, data of all American veterans who were discharged since 1975 including names, SSNs, dates of birth and in many cases phone numbers and addresses, were stolen from a VA employee's home. Theft of the laptop and computer storage device included data of 26.5 million veterans. The data did not contain medical or financial information, but may have disability numerical rankings. Update: An additional 2.1 million active and reserve service members were added to the total number of affected individuals June 1st. Update (6/29/06): The stolen laptop computer and the external hard drive were recovered. Update (7/14/06): FBI claims no data had been taken from stolen computer. Update (8/5/06): Two teens were arrested in the theft of the laptop. Update (8/25/06): In an Aug. 25th letter, Secretary Nicholson told veterans of the decision to not offer them credit monitoring services. Rather the VA has contracted with a company to conduct breach analysis to monitor for &quot;patterns of misuse.&quot; 28,600,000 05/05/06 Dept. of Veteran Affairs (VA) (Washington, D.C.) A data tape disappeared from a VA facility in Indianapolis, IN that contained information on legal cases involving U.S. veterans and included veterans' SSNs, dates of birth and legal documents. Update (10/11/06): The VA's Office of the General Counsel is offering identity theft protection services to those affected by the missing tape. 16,500
43. Consequences of Not Protecting Privacy
- For the affected persons
  - Potential identity theft
  - Public embarrassment
  - Emotional distress
- For the agency involved
  - Reduced ability to perform or carry out its mission
  - Loss of credibility, confidence, and trust
  - Possibility of OMB, GAO, DOJ, and/or Congressional inquiries
  - Possibility of a period of Congressional oversight
44. Consequences (cont'd)
- For the federal employees or contractors responsible for safeguarding the information, or involved in or responsible for the breach:
  - Potential disciplinary actions
  - Potential civil and/or criminal charges
  - Public embarrassment or humiliation
45. Section 2: The Evolution of U.S. Privacy: A Historical Overview
46. A Timeline of Privacy Guidance
- Privacy in the U.S. has been evolving since the adoption of the Constitution and the subsequent Bill of Rights and amendments
- In 1890, privacy as a "right" in the U.S. was discussed in the article "The Right to Privacy" written by Samuel D. Warren and Louis D. Brandeis (Brandeis later became a Supreme Court Justice)
- Modern-day privacy guidance in the U.S. started in the 1960s
- The development of privacy guidance can be correlated with advances in information technology
47.–56. Timeline slides (chart content not captured in the extraction):
47. 1960-1969
48. 1970-1974
49. 1975-1979
50. 1980-1984
51. 1985-1989
52. 1990-1994
53. 1995-1997
54. 1998-1999
55. 2000-2004
56. 2005-2007
57. Summary: Timeline of Privacy Guidance
- A mixture of "principles", laws, recommendations and voluntary standards
- Created a "patchwork" of guidance that:
  - Has different scopes, jurisdictions, or applicability
  - Assigns responsibility for oversight or implementation to various organizations or persons
  - In some cases creates overlapping responsibilities
58. Section 3: A Conceptual Visualization of the Federal Privacy Framework
59. Introduction
- The Federal Privacy Framework is a model that provides:
  - A visual representation of the federal laws, requirements, or guidance that apply to all Executive Branch departments, agencies, and bureaus
  - An illustration of some of the relationships between the federal laws and the oversight of privacy by OMB, Congress, and each agency
  - A demonstration of how a responsibility assigned by a federal law creates a relationship that is affected by privacy controls, or can influence how privacy controls are implemented
60. The Federal Privacy Framework
61. Federal Privacy Framework Applicability
- Applies to agency records, regardless of format, including but not limited to:
- Paper records
- Electronic records
  - Application files (Excel spreadsheets, Word documents, etc.)
  - E-mail messages
  - Exported "reports"
  - Images of paper records
  - Graphical images
- Interconnections / information exchange
  - System to system
  - System to person
  - Person to person
- IT systems
  - Databases and data warehouses
  - Websites and portals
  - Content management systems