Agenda
What is privacy?
Privacy & security, what’s the difference?
The Future of privacy & security in Ohio
What agencies need to do
Define; Classify; Map; Minimize
Invest budget & staff resources towards privacy & security
Bottom line
What is Privacy & Where is it Going?
“The right to be left alone -- the most comprehensive of rights, and the right most valued by civilized men.” ~ Louis Brandeis
“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” ~ Alan Westin
“You have no privacy, get over it.” ~ Scott McNealy
What is Privacy: That was Then & This is Now
Privacy not in Constitution
Has been interpreted in “penumbra”
Privacy - Then
Practical Obscurity
No internet; no cell phones; less data gathering; sense of “ain’t nobody’s business”
Privacy - Now
Information Age
More data gathering across government & business
Cell phones
Mobile & wireless computing
24/7 access
Technological Developments (surveillance cameras & software, RFID)
Privacy Spheres
Consumer privacy (online & offline)
Usage of data by private businesses & organizations
Opt-in, opt-out
Data Sharing
Cookies, shopping incentive cards
Social networking
Governmental privacy
Similar issues as with consumer privacy PLUS
Privacy as a civil liberty
Governmental monitoring: Wiretapping, Surveillance, etc…
The Future – Pervasive & ubiquitous computing
Constant data gathering
RFID, REAL ID, biometrics, facial & behavior recognition, social networking, GPS, nanotechnology
Basic Privacy Principles
1. Minimization/Collection Limitation: only collect that data for which you have a business need.
2. Notice/Awareness: clear and complete disclosure to individuals on the specifics of how the data they submit is to be collected, used, and shared with other organizations, in addition to the steps taken to preserve the data’s confidentiality, integrity, and quality.
3. Choice/Consent: where applicable, give individuals the choice of what data they submit, how it can be used, and with whom it can be shared.
4. Access: where applicable, give reasonable access to an individual’s personal data for review, modification, correction, and, where appropriate, deletion.
5. Integrity/Security: ensure that personal information is relevant, accurate, and consistent throughout the enterprise; and that reasonable security precautions are taken to protect data from unauthorized use, access, or transfer.
6. Accountability/Enforcement: specify an individual(s) to ensure the integrity and security of the data, and to enforce applicable law and policy.
Privacy and Security, what is the difference?
Privacy & Security are flip sides of a coin
Privacy
Broadly speaking, how data is defined and used
Laws, regulations, and policies that define and classify data and data usage
Security
Securing the data, both physically and technologically, per its definition to ensure its
Confidentiality (limited access)
Integrity (authentic & complete)
Availability (accessible)
CPO Role – Data Protection Strategist & Evangelist
Statewide subject matter expert for advice, counsel, & direction
Work to align state practices with recognized fair information principles, federal & state laws
Statewide & OIT Policy and Procedure Development
Administrative rules
Centralized forum for agency guidance & sharing of best practices
Executive & Legislative Guidance
Executive Orders
Testimony
Bill development & guidance
Incident Response
Awareness, Training & Education
Web presence, presentations
Work alongside CISO
Implement security standards, technologies, programs
Prognosticate the Future While Helping Shape the Present
REAL ID, RFID, Biometrics, Surveillance, Social Networking
CISO Role – Data Protection Architect
Statewide SME for technical guidance & implementation
SME in NIST, ISO 27001 & 27002, and other recognized standards
Enable & implement security standards, technologies, programs that align with international and federal standards
Encryption; Wireless; IT Security Policy (ex: remote access security, boundary security)
Incident Response
Assess/Audit IT security infrastructure & policy
Network & application security assessments
ISO/NIST security assessments of IT security policy
Work alongside CPO
Education Awareness & Training
Develop statewide IT strategic plan
Prognosticate the Future While Helping Shape the Present
Data classification
Systems Lifecycle Policy
RFID, Biometrics
October 10, 2007
Why Protect Privacy? – World View
Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new email spam and privacy regulations
California: SB 1, SB 1386, SB 27, AB 1950
South Africa: Electronic Communications and Transactions Act
US Federal: HIPAA, GLBA Safeguards Rule, COPPA
Hong Kong: Personal Data Privacy Ordinance
Canada: PIPEDA
Japan: Personal Information Protection Act, METI Guidelines
Chile: Law for the Protection of Private Life
South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
India: Law pending, currently under discussion
New Zealand: Privacy Act
Argentina: Personal Data Protection Law, Confidentiality of Information Law
Philippines: Data Privacy Law proposed by ITECC
Taiwan: Computer-Processed Personal Data Protection Law
European Union: EU Data Protection Directive and Member States, Safe Harbor Principles
Why protect privacy? – Federal View
Federal privacy legislation & rules on the rise
HIPAA
GLB
FCRA
COPPA
Do-not-call
REAL ID
OMB mandate on data breach reporting
The Office of Management and Budget's Office of Electronic Government and Information Technology reports that about 30 incidents occur daily exposing individuals' personal information.
Currently in Congress: breach notification; SSN protection; electronic health information sharing
Why protect privacy? – Ohio View
It’s a best practice and rapidly becoming Ohio law and policy!
Executive Order 13: Improving State Agency Data Privacy and Security
Ohio IT Bulletin ITB-2007.02: Data Encryption and Securing Sensitive Data
ITP-B.11: Data Classification Policy
HB 104: Data Breach Notification Law
HB 13: No SSN - Vehicle Registration Renewal Notice
SB 6: Credit Freeze; SSN Redaction; PIA
SafeBoot encryption
Upcoming Administrative Rules on Sensitive Data Protection, and Privacy Policies
And more…
Other states, especially California, are also pushing forward with privacy & security legislation
Why protect privacy? – Citizen View
Increasing sensitivity & fear of ID Theft
Cost of ID Theft in U.S. 2006 = $49 Billion
Security breaches - Daily occurrence
446 Breaches as of 12/31/07, involving 128 million records
TJ Maxx breach may cost as much as $256 million!
UK Breach: sensitive info of 25 million citizens
Federal OMB: 30 data breach incidents occur daily
Why Protect Privacy? - Public Trust
Citizens have no option to shop around – they are required to provide personal information to government.
We have an obligation to protect the information entrusted to us.
The Future of Privacy & Security
Data aggregation
Data Sharing
Threats/Vulnerabilities
Biometrics, RFID
Risk Assessment
Transparency
Accountability
We can no longer make assumptions about privacy & use of data. We must create a legal and policy framework that respects personal information (privacy) and safeguards its proper use (security), all while respecting Ohio’s Sunshine Laws.
The Future of Privacy & Security - Ohio
Privacy (law, policy, rules, awareness)
Law: Data minimization; bulk records requests
Policies: Business Continuity; System Development Lifecycle (PIA & app vulnerability testing); Physical security
Enhanced awareness & training efforts
Incident response training a *must*
Security (technology)
Data-level encryption
ID/Access Management
Physical security
Threats
Social engineering; netbots; web app vulnerabilities; wireless; employee activities
The Future of Privacy & Security - Ohio
Increased inter-agency data-sharing
OAKS & elsewhere
Development of a template data-sharing agreement
Increased multi-agency solutions
Sharing of best practices, policies, procedures, RFQs
Enterprise-wide procurement opportunities
Mobile encryption
Statewide CISO & CPO
Shared resources for enabling & auditing Ohio’s privacy & security environment
SB 6 calls for statewide CISO; Governor’s & DAS/OIT office already looking at the issue
What Agencies Need to Do:
Publish, test & maintain your incident response plan
Define & Classify Data
Sensitive PII; Confidential/Critical
Map data
Where does it live; follow data flows; data lifecycle
Minimize – less is more
Data & Access
Work Cooperatively
Within the agency; across the state enterprise
Vendor Management
Build privacy & security into contract terms
Validate & monitor vendor practices
Beware of vendor sub-contracting
Invest in Privacy & Security
Policy & Procedure
Technology
Awareness & Training
Investing in Privacy & Security
Policy & Procedure Investment
Make sure agency-specific policies & procedures are promulgated & implemented (especially incident response)
Classify Data
Keep abreast of the latest privacy & security laws & news
Weekly CPO Privacy & Security News Brief
State of Ohio Privacy & Security Information Center website
Technological Investment
Encryption
Data mapping
ID/Access Management
Physical security
Awareness & Training Investment (Might be most important investment of all)
Use centralized resources (CPO, training ppts, OIT FAQs)
Build into on-boarding & performance reviews
Regular refreshers
Privacy & Security Are NOT Just IT-Related
Sr. Staff/Data Owners/Legal
Data Minimization
Risk Analysis
Data Classification
Policy & Procedure Development
Ensuring Funding
Vendors/contracting
Education & Awareness
IT = Data Custodian
Secure data per risk analysis & classification
Maintain security throughout system life cycle
Spotlight on Data Classification
Data classification is NOT an IT function – it is a business process and requires business resources to be successful.
Classification requires an educated Steering Committee to include:
IT management, security & audit
Risk management
Business Leaders
Legal
Use the Steering Committee to:
Baseline the data environment & determine scope
Identify risk, laws, policies, and regulations
Validate objectives
Monitor progress
BOTTOM LINE
Incidents will occur
Understand that privacy & security are EVERYONE’S business
Be prepared & invest
Policy, procedure, planning
Incident response policy - plan & test
Awareness & training
Part of on-boarding; performance review
IT security infrastructure
Build privacy & security at beginning
Lifecycle view: PIA & App testing
Public Trust
Privacy & security are the right thing to do
Citizens have no option to shop around – they are required to provide personal information to government.
We have an obligation to protect the information entrusted to us.
(Some) Privacy Resources
Ohio Privacy & Security Information Center
http://www.privacy.ohio.gov/
Federal Citizen Information Privacy Resources
http://www.pueblo.gsa.gov/privacy_resources.htm
Federal Trade Commission Privacy Initiatives
http://www.ftc.gov/privacy/index.html
Onguard Online
http://onguardonline.gov/index.html
Identity Theft Resource Center
http://www.idtheftcenter.org/
Center for Democracy & Technology
http://www.idtheftcenter.org/