
What Every Security Professional Needs to Know About Privacy: Elimu Kajunju, Chief Privacy Officer & Senior Compliance Director, UnitedHealth


DESCRIPTION

Elimu Kajunju, Chief Privacy Officer and Senior Compliance Director at UnitedHealth, discussed privacy during his presentation at the 2014 Chief Information Security Officer (CISO) Leadership Forum in San Francisco on May 6. In his presentation, “What Every Security Professional Needs to Know About Privacy,” Kajunju pointed out organizations must take responsibility for securing sensitive information. According to Kajunju, a security leader needs to pay attention to privacy. Kajunju noted an organization must develop a privacy policy that outlines how it manages privacy issues: “In the privacy space, you make a lot of commitments. The commitments can be in the form of a privacy policy, so if you’re in a consumer-facing business, you’ll have a privacy policy that’s supposed to describe exactly what you’re doing with that person’s information.” In addition, Kajunju said ethical and political considerations are important for organizations of all sizes, especially when it comes to privacy. An organization also must implement good data collection practices to avoid privacy issues down the line, Kajunju said. If an organization understands how to collect data, Kajunju said, it can effectively safeguard its sensitive information: “Data collection is really the start of the privacy data lifecycle. Without the data, the rest of this is meaningless. Good data collection practices and really honest data collection data practices are necessary.”


Page 1: What Every Security Professional Needs to Know About Privacy: Elimu Kajunju, Chief Privacy Officer & Senior Compliance Director, UnitedHealth

2014 Chief Information Security Officer (CISO) Leadership Forum

What every security professional needs to know about privacy

- Elimu Kajunju, CISSP, CIPP/US
Chief Privacy Officer & Senior Associate General Counsel, Privacy and Security

Page 2

Confidential Property of UnitedHealth Group. Do not distribute or reproduce without express permission of UnitedHealth Group.

UnitedHealthcare Military & Veterans

• UnitedHealthcare Military & Veterans draws on the unmatched experience and expertise of the UnitedHealth Group family of companies to provide affordable, high-quality health care to active duty military, retirees, and their families.

• In partnership with the Department of Defense, UnitedHealthcare provides health care services to over 2.9 million beneficiaries as the TRICARE Managed Care Support Contractor for the TRICARE West Region.

Page 3

Disclaimers

• I am a lawyer but not your lawyer. This presentation should not be construed as legal advice.

• If you don’t have a lawyer advising you on privacy or security compliance, you should get one.

• This presentation represents my personal opinion and not that of United Health Group, UnitedHealthcare or any of its affiliates.

• Making friends with your privacy colleague is the best way to learn more about privacy.

Page 4

Topics Covered

• Difference between privacy and security

• Commitments

• Ethical & political considerations

• Data collection

• Location, location, location

• Data disclosure

• Data use

• Data retention

• Takeaways

Page 5

Privacy Confessional

Page 6

Difference between privacy & security

Privacy

The rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure and destruction of personal information.

Security

The processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

Page 7

Commitments

Importance of the following commitments

• Privacy policies – usually interpreted in favor of the consumer

• Regulatory requirements

• Legal obligations

• Self-regulatory obligations

• Contracts

Page 8

Ethical & political considerations

Importance of these ethical and political considerations

• If your customer knew everything you did with her data, would she approve?

• “Ick” factor

• Political implications

• Legislative scrutiny

• Media attention/scrutiny

• Social media backlash

Page 9

Data collection

Data collection practices

• Most important factor in privacy compliance

• Question the need to collect data

• Question the scope of collection

• Contradictions between collection and commitments

• Frontline for guarding against the “ick” factor

Page 10

Location, location, location

Critical for multi-state or multi-country businesses

• Know your customers

• Know your jurisdictions

• Understand the enforcement landscape

• The location of your customer is just as important as where you locate your customer’s information

• Pay careful attention to the impact of location-related decisions

Page 11

Data disclosure (external)

Ethical & political considerations may impact data disclosure practices

• Know who you are or will soon be sharing information with

• Make this very clear in your policies

• Don’t add “future” disclosures to your policies

• Limit disclosures to the minimum necessary

• Ask for permission from the customer when it makes sense to

Page 12

Data use (internal)

This is the reason why you collect the data – make sure it is on solid ground

• Know what you are or will soon be using the information for

• Make this very clear in your policies

• Don’t add “future” uses to your policies

• Limit uses to the minimum necessary

• Use de-identified data when appropriate

Page 13

Data retention

A mature data retention strategy is key

• A simple but comprehensive data retention schedule is needed

• Very few sets of data need to be kept forever

• Without a solid implementation plan, the strategy won’t work

• Use your record retention program to reduce your risks

• Hope is not a strategy

Page 14

Takeaways

• Familiarize yourself with the Generally Accepted Privacy Principles: http://www.cica.ca/resources-and-member-benefits/privacy-resources-for-firms-and-organizations/gen-accepted-privacy-principles/item61833.pdf

• Understand the commitments you have made in your privacy policies and contracts and with regulatory bodies

• Put yourself in the approval chain of your contracts and other voluntary commitments

• Before making security implementation decisions, familiarize yourself with the requirements for the applicable location (or make sure someone is checking). Some free and good resources for this information include:

• Morrison/Foerster Privacy Library (http://www.mofo.com/privacylibrary/PrivacyLibraryListing.aspx?xpST=PrivacyLibraryListing&pid)

• National Conference of State Legislators (http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx)

Page 15

Questions