Notes for Discussion on a Privacy Practice © Joe Cleetus

Security and Privacy Security is a wider Concept Security of Information embraces: – Confidentiality – Integrity – Availability Achieving Security involves People, Procedures, and Technology The same is true for Privacy

Privacy Definition Privacy is the expectation that confidential personal information disclosed in a private place, will NOT be disclosed to third parties, when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities

Laws and Policies govern Privacy Privacy is no longer a vague concept It has been legislated A body of case law exists Federal laws, State Laws, Supra- national laws Even the US Constitution has a bearing Besides, companies have Policies

Topical Relevance Massive on-line databases of people Extensive on-line interactions between companies Millions of daily transactions between companies and customers Who owns all this, and who has a need to know?

Motivation Maintain competitive edge Ensure legal compliance Enhance company image Privacy is a requirement – not a customer delight

4 Rights Unreasonable intrusion on the seclusion of another person Misappropriation of another’s identity, or exploitation of the name Publication of private facts Propagation of false information about a person Many older laws have been re-interpreted for IT

Information Privacy Principles 1. Collect information lawfully, fairly, and only what is relevant for the purpose 2. If personal information is collected, state the purpose and to whom it will be disclosed 3. If personal information is collected, make sure all reasonable steps are taken against unauthorized access, use, modification or disclosure, and against other misuse

Information Privacy Principles 4. Those collecting PII (personally identifiable information) should maintain a public record of what is kept, its purpose, who has access, and how a person may get access to his/her information. 5. If PII is collected, make sure the record is accurate and targeted only for the purpose kept, and permit a person to correct the record, or attach a note to it showing the owner of the information contests the information contained.

Information Privacy Principles 6. If personal information is collected for one purpose, is to be used for another purpose, or divulged to a party, then secure the consent of the person, unless a an emergency exists or the law demands it, and then make a note of such event in the record.

Many Privacy Rights are embedded in Criminal Statutes US Mail Telephone conversation Library borrowing Bank records Student records Etc. Federal and States

Plethora of Laws FERPA – Student records ECPA Electronic Communications Privacy Act – Most basic act for access, use, disclosure, interception and privacy of electronic communications Section 208 of The E-Government Act – Federal agencies should protect PII collected

Plethora of Laws HIPAA Health Information Portability and Accountability Act – Medical records Gramm-Leach Bliley Act – protects consumers’ personal financial information held by financial institutions. The (Federal) Privacy Act of 1974 – FTC approved “fair information practices” that are widely accepted principles of privacy protection

Plethora of Laws EU Data Protection Directive of 1995 – notice – choice – access – onward transfer – security – data integrity, and – remedy

Plethora of Laws FTC Guidelines encompass – Web Privacy, – privacy, – Spam, Spyware, – Privacy of customer data given up on commercial transaction sites, – Credit reports, etc. Complaints are against unfair or deceptive trade practices

Plethora of Laws P3P (Platform for Privacy Preferences Project) – An open privacy specification developed and administered by the W3C – Allowing visitors to a Web site to decide what they want to give up

Plethora of Laws California SB 1386 – Personal Information: Privacy – applies to state agencies, or a person or business that conducts business in California, and owns or licenses computerized data containing personal information

Plethora of Laws PIPEDA Personal Information Protection and Electronic Documents Act of Canada. FISMA Federal Information Security Management Act (applies to Federal agencies) – federal agencies must develop, document and implement a department-wide information security program

Plethora of Laws Sarbanes-Oxley Basel II

Lastly – the anti-law of Privacy USA Patriot Act – Negates almost every prescription heretofore stated, under special circumstances – The circumstances are so loosely defined that much Governmental abuse is expected – Not only allows the Government to violate Privacy, but mandates that companies collude in this

ISO/IEC Standard based on BS 7799 – Covers People, Process and Technology – A wide-ranging document on Information Security – Has numerous recommendations in detail – Companies can be certified against this standard

Proposal Develop a Privacy Compliance Assessment Tool – Cover People, Process and Technology It will be a multi-part assessment (multiple laws, multiple departments) It will be embedded within the a client GUI, using the APIs provided It will – assign an aggregate score, – highlight serious issues, and – provide clear pointers for improvement

Benefits to Clients Make a complex subject simple Provide internal consultancy for bringing company into compliance with its own policies and laws Reduce cost of compliance Generate a first-cut plan for improvement Monitor compliance on an ongoing basis

Benefits Enter a new market for products and services Obtain follow-on custom work – Consulting – Programming for technology to support Privacy – Customizing the general Privacy Practice to suit industry/company