Protecting Privacy in Today’s Digital Environment Alex Alben Chief Privacy Officer Washington State

WA DGS 16 presentation - Meeting Today's Privacy and Security Challenges - by Alex Alben



Data Breach Erodes Public Trust

“We need to give consumers more information about how their data are being used and shared, and we need to obtain more meaningful consent from people when they agree to give their data to a company.”

Seattle Times Opinion, “The folly of data-breach notification” by Alex Alben 10/25/16

Effect of notice . . .

The Internet of Things

Private Data: Personal Devices

• Cell Phones

• Fitness Monitors

• Social Media

• Automobiles

• Biometric Identifiers

Private Data and Surveillance

• Drones

• Body Cameras

• Automobiles

• Traffic cameras

Washington is Special

• State Constitution

• Public Records Act

• Eight Exemptions

• Open Data

• Data Breach Law

Washington State Law

• Consumer Protection Act (1986)

• Attorney General consumer protection division

• Article I, Section 7

• “No person shall be disturbed in his private affairs, or his home invaded, without authority of law.”

• RCW 19.255.010 (apps.leg.wa.gov › RCWs › Title 19 › Chapter 19.255)

• “Notice is not required if the breach of the security of the system is not ... if the data owner or licensee contacts a law enforcement agency after discovery of a ...”

Office of Privacy and Data Protection- 2016

• Established by Executive Order 16-01, SHB 2875

• Updating Privacy Policies

• Consumer Education and Outreach

• Monitor Citizen Complaints

• Promote Best Practices

• Privacy Assessment

Findings of the Auditor’s Report– 8/29/16

Effect of Public Records Requests on State and Local Governments:

• Fulfilling requests costs state and local governments over $60 million per year*

• More than 285,000 requests in the past year

• Governments recover less than 1% of costs

• 17% reported spending over $10 million in litigation in past year

• PRR is not keeping up with changing technology

*Calculated on 541 of the 923 survey responses (59%); does not count undesignated staff time

State Auditor’s recommendations for Public Records Act reform

• Differentiate requesters and requests by their purpose

• Recover costs associated with disclosing records: material and personnel time

• Develop a statewide alternative dispute resolution program

• Address complexities in public records laws

• Look at “leading practices” of other jurisdictions

Headlines:

• UW Medical Center data breach

• HCA data breach

• Courts data breach

• Fish & Wildlife data breach

The Lifecycle of Data Minimization

[Diagram: data lifecycle stages Design → Collect → Process → Store → Share → Use → Retain → Delete, with the controls applied along the way: Privacy Modeling, Privacy Impact Assessment, Privacy Policy, Training, Encryption, De-Duplication, Data Sharing Agreements, Breach Response, Records Center / Archive]

Data Minimization

• Collection limitation - collect only what is directly relevant and necessary to accomplish a specified purpose.

• Interagency sharing - minimize the information disclosed.

• Data retention - retain the data only for as long as is necessary to fulfill your original purpose or as required by law.

Don’t collect what you don’t need
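The three minimization rules above (collect only what the purpose needs, disclose the minimum when sharing between agencies, retain no longer than the purpose or the law requires) are mechanical enough to enforce in code. The following is an added example written for this page, not code from the presentation or from the Office of Privacy and Data Protection. The purposes, field names, retention periods, legal-hold flag and sample records are all constructed assumptions; a real agency would take them from its own records retention schedule and data sharing agreements.

```python
"""Purpose-bound field minimization and retention enforcement.

Added example; the purposes, fields, retention periods and records below
are constructed for illustration and are not from the presentation.
"""
from datetime import date, timedelta

# Assumed allow-lists: the fields each sharing purpose actually needs.
# Anything not listed for a purpose is stripped before the record leaves.
SHARING_PURPOSES = {
    # An eligibility check needs identity and residency, not health or SSN data.
    "eligibility_check": {"case_id", "last_name", "zip"},
    # Aggregate reporting needs no direct identifiers at all.
    "statistical_report": {"zip", "service_category"},
}

# Assumed retention schedule: days a closed record is kept before deletion.
RETENTION_DAYS = {
    "case_file": 365,
    "web_form_submission": 30,
}


def minimize_for_sharing(record, purpose):
    """Copy of `record` containing only the fields `purpose` may receive.

    Unknown purposes raise KeyError so an unreviewed data flow fails closed
    instead of leaking the whole record.
    """
    allowed = SHARING_PURPOSES[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def collection_violations(form_fields, required_fields):
    """Intake-form fields that are not required for the form's stated purpose."""
    return sorted(set(form_fields) - set(required_fields))


def is_past_retention(record_type, closed_on, today):
    """True once a closed record has outlived its retention period."""
    return today > closed_on + timedelta(days=RETENTION_DAYS[record_type])


def purge_expired(records, today):
    """Split records into (kept, purged) per the retention schedule.

    A legal hold overrides the schedule: a held record is never purged.
    """
    kept, purged = [], []
    for rec in records:
        if rec.get("legal_hold"):
            kept.append(rec)
        elif is_past_retention(rec["record_type"], rec["closed_on"], today):
            purged.append(rec)
        else:
            kept.append(rec)
    return kept, purged


# Constructed sample data (not real records).
SAMPLE_RECORD = {
    "case_id": "C-1001", "last_name": "Doe", "zip": "98501",
    "ssn": "000-00-0000", "service_category": "housing", "diagnosis": "n/a",
}
SAMPLE_FORM_FIELDS = ["last_name", "zip", "ssn", "date_of_birth"]
SAMPLE_FORM_REQUIRED = ["last_name", "zip"]
SAMPLE_TODAY = date(2016, 11, 1)
SAMPLE_RECORDS = [
    {"case_id": "C-0001", "record_type": "case_file", "closed_on": date(2015, 6, 1)},
    {"case_id": "C-0002", "record_type": "case_file", "closed_on": date(2016, 3, 1)},
    {"case_id": "C-0003", "record_type": "case_file", "closed_on": date(2015, 1, 15),
     "legal_hold": True},
]

if __name__ == "__main__":
    print(minimize_for_sharing(SAMPLE_RECORD, "eligibility_check"))
    print("unneeded form fields:", collection_violations(SAMPLE_FORM_FIELDS, SAMPLE_FORM_REQUIRED))
    kept, purged = purge_expired(SAMPLE_RECORDS, SAMPLE_TODAY)
    print("purge:", [r["case_id"] for r in purged], "keep:", [r["case_id"] for r in kept])
```

The allow-list is deliberately per purpose rather than per recipient: the same partner agency may be entitled to different fields for different programs, and an allow-list fails closed when someone adds a new sensitive column to the source table.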

Security

• Spear-phishing is responsible for 90% of successful attacks

• Hackers use “password guessing” tools

• Store passwords securely: hashed, and never in cookies or as readable text

• Administrative: look for patterns and disable user credentials after unsuccessful log-in attempts

• Implement multi-factor authentication when necessary

Email, authentication, and passwords
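The slide's three password points (store them securely, lock credentials after repeated failures, look for patterns) fit in one small piece of code. What follows is an added example for this page, not code from the presentation or from any Washington State system. The lockout threshold, lockout duration, PBKDF2 work factor, in-memory user store and the sample login events are constructed assumptions.

```python
"""Salted slow password hashing, lockout after repeated failures, and
password-spraying detection over login events.

Added example; policy values, the user store and the sample events are
constructed for illustration and are not from the presentation.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Assumed policy values.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
DEFAULT_ROUNDS = 600_000      # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)

_users = {}   # username -> record; a real system would use a database


def hash_password(password, salt, rounds):
    """Slow, salted hash: a stolen table of these is not a table of credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def register(username, password, rounds=DEFAULT_ROUNDS):
    salt = os.urandom(16)     # per-user salt defeats precomputed tables
    _users[username] = {
        "salt": salt,
        "rounds": rounds,     # stored so the work factor can be raised later
        "hash": hash_password(password, salt, rounds),
        "failures": 0,
        "locked_until": 0.0,
    }


def login(username, password, now=None):
    """Return (ok, reason); reason is 'ok', 'invalid' or 'locked'."""
    now = time.time() if now is None else now
    user = _users.get(username)
    if user is None:
        # Do comparable work for unknown users so timing does not reveal them.
        hash_password(password, b"\x00" * 16, DEFAULT_ROUNDS)
        return False, "invalid"
    if now < user["locked_until"]:
        return False, "locked"
    candidate = hash_password(password, user["salt"], user["rounds"])
    if hmac.compare_digest(candidate, user["hash"]):   # constant-time compare
        user["failures"] = 0
        return True, "ok"
    user["failures"] += 1
    if user["failures"] >= MAX_FAILED_ATTEMPTS:
        user["failures"] = 0
        user["locked_until"] = now + LOCKOUT_SECONDS
        return False, "locked"
    return False, "invalid"


def spraying_sources(events, window_seconds=600, min_distinct_users=10):
    """Source addresses whose failed logins hit many distinct accounts in a window.

    events: iterable of (timestamp_seconds, source_ip, username, outcome).
    One guessed password tried across many accounts stays under the per-account
    lockout threshold, so the pattern is only visible per source.
    """
    failures = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome != "ok":
            failures[src].append((ts, user))
    flagged = set()
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window_seconds}
            if len(users) >= min_distinct_users:
                flagged.add(src)
                break
    return sorted(flagged)


# Constructed sample log: one address tries a guess against 12 accounts a minute
# apart; another address is a single user mistyping once then succeeding.
SAMPLE_EVENTS = [(60 * i, "203.0.113.9", f"user{i:02d}", "invalid") for i in range(12)]
SAMPLE_EVENTS += [(30, "198.51.100.4", "alice", "invalid"), (90, "198.51.100.4", "alice", "ok")]

if __name__ == "__main__":
    register("alice", "correct horse battery")
    print(login("alice", "wrong guess"))
    print("spraying from:", spraying_sources(SAMPLE_EVENTS))
```

The lockout counter resets on success and when a lockout is applied, so a legitimate user who recovers after the lockout starts clean; the spraying detector is the "look for patterns" half, since an attacker who rotates accounts never trips the per-account counter at all.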

Privacy Modeling

• Promoting privacy and data protection compliance from the start

• Privacy as a key consideration in the early stages of any project, and then throughout its lifecycle

• Request for proposal: include data minimization and security principles in the proposal

• Forms for the public: include only the necessary fields for collection

“You have zero privacy anyway. Get over it.” -- Scott McNealy, 1999

Alex Alben

[email protected]

View our Privacy Guide for Washington Citizens: Privacy.wa.gov