"Security and Privacy After September 11 Professor Peter P. Swire Ohio State Law School Consultant, Morrison & Foerster Privacy & Data Security Summit.

Presentation transcript:

Security and Privacy After September 11
Professor Peter P. Swire, Ohio State Law School
Consultant, Morrison & Foerster
Privacy & Data Security Summit, January 31, 2002

Overview
- Background
- Security and Privacy after September 11
- Examples from USA Patriot Act
- Enron, Privacy, and the role of the CPO

I. Background
- Clinton Administration Chief Counselor for Privacy
- Unusual double major:
  - White House coordinator for HIPAA medical privacy rule,
  - Chair, White House task force on how to update wiretap and surveillance laws for the Internet age

Currently
- Professor of Law, Ohio State University
- Resident in D.C. (currently visiting at GW Law School)
- Consultant, Morrison & Foerster, especially for medical privacy

II. Security & Privacy After September 11
- Greater focus on security
- Security vs. privacy
- Security and privacy

Greater Focus on Security
- More physical security
- Cyber-security: less tolerance for hackers and other unauthorized use
- Cyber-security: the need to protect critical infrastructures
- Greater funding for security

Security vs. Privacy
- Security sometimes means greater surveillance, information gathering, & information sharing
- Report possible terrorists
- Err on the side of public health reporting
- More support for surveillance
- In short, greater disclosures to foster security

Security vs. Privacy
- Physical Security
- Airport searches -- your bag, your shoes
- ID/authentication at more checkpoints
- Proposals for national ID system
  - NAS Study coming soon
  - Will be one of my research focuses

Security vs. Privacy
- Computer Security
  - Less support for anonymity
  - Stronger authentication
  - Intrusion detection -- FIDNet
  - Pressure to retain records -- Cybercrime Convention
  - Information sharing among federal, state, local governments and system owners

Security and Privacy
- Security is a fair information practice
  - FTC Lilly enforcement action
- Good data handling practices are more important
  - Prevent intrusion from the outside
  - Prevent unauthorized use by employees
- Penn. Homeland Defense Ombudsman looks at security and privacy of web sites

Security and Privacy
- Inventory your systems
  - You don't know your security vulnerabilities until you know your own systems
  - Key first step of any privacy compliance -- know your data flows
  - Should be part of your GLB, HIPAA compliance

Security and Privacy
- Audit trails and accounting
  - An essential security practice
  - Policies and procedures should be followed
  - Accounting specifically required by HIPAA

Summary on Security and Privacy
- Greater security threatens privacy when have greater surveillance
- Greater security helps privacy when create better-audited data systems
- Security as an opportunity
  - The budget for security can help upgrade your systems, and build privacy in
  - HIPAA philosophy -- transactions, security, and privacy should be built together

III. Anti-terrorism Examples
- In the name of security:
  - The Uniting and Strengthening America Act by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
- USA PATRIOT Act
  - Changes to wiretap laws, foreign intelligence, money laundering, new terrorism crimes, etc.
- How to manage for security and privacy?

Grand Jury Secrecy Changed
- Previous law: separation between law enforcement (grand jury, constitution applies) and foreign intelligence
- New law: All the walls are down now between FBI, CIA, etc.
- Example: you release PHI to grand jury, & records can go to foreign intelligence without notice to you or a judge

Nationwide search orders
- Previous law: you must respond to an order from judge in your local federal district
- Section 220 USA-PATRIOT:
  - Electronic evidence: and web surfing records
  - Binding order from any federal judge in the country
  - What if the order seems overbroad? Must contest with that distant judge.

Computer Trespasser Exception
- Previous law:
  - Under ECPA, could monitor your own system for security
  - Could turn over evidence of past hacker attacks
  - Could not invite law enforcement to surf over your shoulder to investigate possible ongoing attacks -- that was considered an open-ended wiretap

Computer Trespasser (cont.)
- Sec. 217 USA Patriot
- Now system owner can invite law enforcement to surf over the shoulder
- Only for
  - Computer trespassers with no reasonable expectation of privacy
  - Relevant to an investigation
  - No communications other than those to/from the trespasser

Computer Trespasser (cont.)
- Any employee can authorize this surfing over the shoulder
  - Do you have policies in place for this?
- What if health information would be disclosed?
  - HIPAA issues
- Never any hearing before passage of the provision -- study before the sunset

IV. Enron, Privacy & the Role of the CPO
- An important and good system
  - Corporate financial statements
- We complied with all applicable rules
  - The letter (but not the spirit) of accounting rules
- Huge transfers hidden from view
  - Billions in off-balance sheet assets

Enron Applied to Privacy
- An important and good system
  - Financial, medical, e-commerce systems to provide service to customers
- We complied with all applicable rules
  - Perhaps the letter, likely not the spirit, of GLB and other laws
- Huge transfers hidden from view
  - Are there data flows you would not want in the press?

Effects of bad accounting and hidden transfers
- For Enron, the hidden flows became public
  - New, strict laws will result
  - Strict enforcement
- For U.S. Bank, the hidden flows became public
  - Immediate effect on GLB
  - Strict enforcement
- In your organization, will hidden flows become public?

The Role of the CPO
- You don't want to have to be Sherron Watson, the Enron whistleblower
- How can you help create good policies in advance?
- How can you help create good compliance?
- How can there be credible accounting and accountability?

How to Talk like a CPO
- Move toward the letter and the spirit of good privacy policies
- Know the horror stories
  - Breaches of security and privacy, and effects on the organizations
- Use security as a leverage for privacy
  - Good data practices are essential after 9/11

In Conclusion:
- Pass the friends and family test
  - How would the Enron deals have sounded if they had been explained at the family dinner table?
  - How do your data practices sound?
- Your security and privacy practices will become known
- Help your company be proud on that day
- None of us wants to be part of the next Enron

Contact Information
- Professor Peter Swire
- Phone: (301)
- Web:
- Presidential Privacy Archives: