Keeping Secrets: An Overview of Privacy Considerations in recent Legislation David W Houser, CISSP ISSA Delaware Valley Chapter March 2003 Lockheed Martin.

1 Keeping Secrets: An Overview of Privacy Considerations in Recent Legislation. David W Houser, CISSP, Lockheed Martin. Presented to the ISSA Delaware Valley Chapter, March 2003; ProSpot, Sept 2004; VTIS, Aug 2006.

2 “To keep your secret is wisdom; but to expect others to keep it is folly.” - Samuel Johnson

3 What Data Needs to be Protected?

4 Courtney’s Laws. (1) Nothing useful can be said about security except in the context of an application and an environment. (2) Never spend more money eliminating a vulnerability than tolerating it will cost you. (3) There are management solutions to technical problems, but there are no technical solutions to management problems.

5 What Data Needs to be Protected? Medical, financial, and personal data.

6 Typing the phrase "Select a database to view" into Google yielded about 200 links, almost all of which led to FileMaker databases accessible online. One search result pointed to a page served by A UNIVERSITY COLLEGE OF MEDICINE, which linked to a database of 5,500 records of the medical college's neurosurgical patients. The patient records included addresses, telephone numbers and detailed write-ups of diseases and treatments. "Google, properly leveraged, has more intrusion potential than any hacking tool." - Hacker Adrian Lamo.

7 Genetic Background In February 2001, Norwich Union Life, one of Britain's largest insurers, admitted using genetic tests for breast and ovarian cancer and Alzheimer's disease to evaluate applicants. Norwich Union Life was violating the industry's code of conduct since the genetic tests had not been approved by the government's Human Genetics Commission. The controversial practice resulted in some individuals paying higher insurance premiums based on genetic predispositions, creating political pressure to outlaw the use of genetic data by insurers in the United Kingdom altogether.

8 Buying Habits. In 1999, DoubleClick announced that it was buying Abacus, owner of the largest direct marketing lists in the country, with information on the purchasing habits of 90 percent of all United States households, and that DoubleClick was going to merge information from the purchasing databases with information from online browsing. Following a public outcry, the company suspended its plan to merge personal data with profiles. In July 2000, the Federal Trade Commission reached an agreement with the largest online advertisers, including DoubleClick, which will allow online profiling and any future merger of such databases to occur with only “opt-out” consent.

9 Mailing Lists. Jan 2001 – NY Attorney General Spitzer announced a bankruptcy court settlement that ensures that a defunct Internet retailer will destroy its customer list, thereby protecting the privacy rights of consumers in New York and nationwide. In the agreement, … a subsidiary of the Walt Disney Company will pay $50,000 to Internet retailer Toysmart.com to destroy its customer list. … Spitzer said the sale of the list, which included about 250,000 names, addresses, billing information and family profiles of consumers, would have violated the company’s stated privacy policy, and would have constituted a deceptive business practice under State law.

10 PRIVACY "The right to be left alone -- the most comprehensive of rights, and the right most valued by a free people." - Justice Louis Brandeis, Olmstead v. U.S. (1928).

11 Worldwide. http://www.privacyinternational.org/countries/index.html http://www.privacyinternational.org/survey/dpmap.jpg

12 Fair Information Practice Principles. The widely accepted Fair Information Practice Principles are the basis for many privacy laws in the United States, Canada, Europe and other parts of the world. The Principles were first formulated by the U.S. Department of Health, Education and Welfare in 1973, and were distributed by the OECD (the Organization for Economic Cooperation and Development) as Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. http://www.privacy.ca.gov/fairinfo.htm

13 Safe Harbor and EU Principles. The U.S. approach to privacy protection relies on industry-specific legislation and self-regulation, while the European Union relies on comprehensive privacy legislation. For example, the European Directive on Data Protection (October 1998) includes the requirement to create government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. In order to bridge these different privacy approaches, the U.S. Department of Commerce, working with the European Commission, developed a "safe harbor" framework. The safe harbor - approved by the EU in July of 2000 - is a way for U.S. companies to comply with European privacy laws.

14 European Union Data Protection Directive (DPD), Effective Oct 1998. The European Union Directive 95/46/EC provides protection of individuals with regard to the processing of personal data and on the free movement of such data. As well as regulating the buying and selling of personal data about European citizens and forcing Web sites to tell users when data about them is collected and allow users to refuse disclosure, the Data Protection Directive also restricts the flow of information about Europeans to companies based in countries with more lax privacy standards. http://www.privacy.org/pi/intl_orgs/ec/eudp.html http://europa.eu.int/comm/internal_market/en/dataprot/law/index.htm

15 Safe Harbor, Effective July 2000. The Safe Harbor accord, developed by the US Commerce Department and approved by the EU Commission in July of 2000, provides a set of principles for US firms to ensure they follow appropriate guidelines for information handling when it concerns European citizens. Certifying to the safe harbor will assure EU organizations that a US company provides “adequate” privacy protection, as defined by the EU Data Protection Directive. http://www.export.gov/safeharbor/

16 GLBA - The Gramm-Leach-Bliley Act (The Financial Services Modernization Act of 1999). The Gramm-Leach-Bliley Act (GLBA) includes limited privacy protections for customer non-public personal information held by financial companies. GLBA included three requirements to protect personal individual data: (1) Banks, brokerage companies, and insurance companies must securely store personal financial information. (2) They must advise the consumer of their policies on sharing of personal financial information. (3) They must give consumers the option to opt out of some sharing of personal financial information. http://www.epic.org/privacy/glba/

17 Canadian Personal Information Protection and Electronic Documents Act (C6), including the Model Code for the Protection of Personal Information. Enacted to govern the way in which customer and employee personal information collected and used in electronic commerce is protected. Companies doing business in Canada must obtain consumer consent before using personal data for commercial purposes, and consumers may review data about them that is on file. As of Jan 2001, C6 covers federally regulated companies. As of 2004, all companies doing business in Canada must comply. http://laws.justice.gc.ca/en/P-8.6

18 HIPAA - Health Information Portability and Accountability Act of 1996. Effective 2001 – Privacy; 2003 - Security. Standards for Privacy of Individually Identifiable Health Information, Final Rule - 45 CFR Parts 160 and 164. The regulations are the first federal privacy protections for medical information and will apply to both paper and electronic health records. HIPAA includes provisions for health care businesses with electronic transactions and also regulations to protect the security and confidentiality of patient information (PHI, Protected Health Information). The privacy rule took effect April 2001, with most covered entities (health plans, health care clearinghouses, and providers who conduct financial and administrative transactions electronically) having until April 2003 to comply. http://aspe.hhs.gov/admnsimp/bannerps.htm#privacy http://www.hhs.gov/ocr/hipaa

19 COPPA - Children's Online Privacy Protection Act, Federal Trade Commission, 16 CFR Part 312. Effective 2000. The sole US Federal Law governing information use online, the act requires: (1) that Web sites get parental consent before collecting, using, and disclosing data about children under 13 years of age; (2) that parents are allowed to review and have their children’s information deleted from a database; (3) that prominent notice of collection procedures, use, and disclosure of personal information from children be displayed. http://www.coppa.org http://www.ftc.gov/os/2002/04/67fr18818.pdf

20 OPPA – Financial Privacy Act – California Privacy Laws, Effective July 2004. The Online Privacy Protection Act requires a privacy policy to be posted on all commercial Web sites that collect personal information on California consumers. It also requires operators of commercial Web sites to comply with their posted policies. In other words, Web sites must say what they do and do what they say with Californians’ personal information. The Financial Information Privacy Act gives Californians more say in how their personal financial information is used. The law, which applies to banks, insurance companies, securities firms and other financial service companies doing business in California, provides more consumer control than federal law. It also requires an easy-to-read, plain-language privacy notice. http://www.privacy.ca.gov/

21 “Trust him not with your secrets, who, when left alone in your room, turns over your papers.” - Johann Kaspar Lavater

22 Principle 1: Notice. An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the mechanism provided for limiting its use and disclosure. This notice must be provided in a clear and conspicuous manner when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for another purpose. This principle is common to all the regulations: EU DPD Articles 10 and 11; Principle 8 of C6; Section 312.4 of COPPA; Sections 502(b) and 503 of GLBA; Sections 502(i) and 520 of HIPAA.

23 Principle 2: Choice. An organization must offer individuals clear and conspicuous, readily available, and affordable mechanisms to choose whether their personal information is to be disclosed to a third party or to be used for a purpose that is incompatible with the purpose for which it was originally collected or authorized. For sensitive information (i.e. medical, racial, political, religious, group membership or sex information), they must be given affirmative or explicit choice if the information is to be disclosed to a third party or used for another purpose. An organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.

24 Principle 2: Choice (continued). EU DPD Articles 7 and 14. Principle 3 of C6 requires consent of the individual for use of such information. Under Sections 312.5 and 312.6 of COPPA, the organization must obtain verifiable consent by the child’s parent for the collection, use, or disclosure of personal information, and must allow parents to withdraw consent for such use and disclosure. The organization must provide a mechanism for customers to choose not to have their information shared under Section 502(b) of GLBA, but explicit consent is not required. In HIPAA regulations the organization must obtain prior “consent” for use and “authorization” for disclosure of PHI under Sections 506 and 508, and provide the opportunity to decline or object to use of their PHI under Section 510.

25 Principle 3: Onward Transfer. To disclose information to a third party, an organization must first apply the Notice and Choice Principles. It may then perform a disclosure if it first determines that the third party subscribes to the Principles, or if it enters into a written agreement with the third party requiring it to provide the same level of privacy protection. EU DPD Article 25. This principle is included in C6 under Principle 3. The organization is required to obtain parental permission before disclosing information to another organization under Section 312.5 of COPPA. Section 502(b) of GLBA permits sharing for business purposes with prior notice and with an agreement for protection in place. The organization may disclose the information only to other organizations with which it has a business associate agreement according to Section 502(e) of HIPAA.

26 Principle 4: Security. Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction. EU DPD Article 17. This principle is included in C6 (Principle 7), COPPA (Section 312.8), and GLBA (Section 501). It is also mandated under Section 530(c) of HIPAA, and a separate set of regulations for Security has just been completed (Mar 2003).

27 Principle 5: Data Integrity. Personal information collected must be relevant to the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or authorized. And to the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. EU DPD Article 6. In C6, information may be collected and used only for “reasonable” purposes [Clause 5] and limited to that needed for identified purposes [Principle 4]. No more information than is “reasonable” for the purpose may be required according to Section 312.7 of COPPA. The organization is also prohibited from using or releasing PHI in a manner inconsistent with its published policies per Section 502(i) of HIPAA. But GLBA includes no specific requirement to ensure data integrity. Note that the Fair Credit Reporting Act and the Electronic Funds Transfer Act include integrity requirements for financial transactions.

28 Principle 6: Access. Individuals must have access to the personal information about them, and be able to correct, amend, or delete that information where it is inaccurate. EU DPD Article 12. This principle is included in C6 under Clause 8 and Principle 9. The parent has the right to review and ask for removal of the information collected from the child under Section 312.6 of COPPA. And an individual has the right to review the information being held, to request updates to the information, and to review a record of disclosures that have been made under Sections 524, 526, and 528 of HIPAA. But again, no specific requirement of GLBA permits customer access to the information.

29 Principle 7: Enforcement. Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals affected by non-compliance, and consequences for the organization when the Principles are violated. EU DPD Article 24. Clauses 11-17 of C6 set up a legal process for submitting and resolving complaints, but no sanctions are required within the organization. Section 312.9 of COPPA and Section 505 of GLBA assign responsibility for enforcement to individual regulatory bodies. The organization is required to provide its own sanctions for non-compliance under Section 530(e) of HIPAA, and additional civil and legal penalties are outlined in other sections of the HIPAA regulations.

30 Principles from Safe Harbor provisions. It is the right of the individual to: know what information is being collected, how it is to be used, and to whom it will be given; choose not to have this information collected and used; know to whom it has been given when it is shared and know that it is still protected; be able to review the information collected; and have a means to obtain satisfaction if the principles are violated. It is the responsibility of the organization to: keep the information secure; and keep the information accurate and not use it except as approved.

31 Other Considerations. Other considerations include a number of US Federal Laws, including FOIA (Freedom of Information Act), the Communications Assistance to Law Enforcement Act (1994, wiretap laws considered), the Patriot Act (wiretapping laws updated), etc. http://www.epic.org http://www.privacyinternational.com State Laws: a number of State Constitutions include a right to privacy. States generally follow the federal sectoral model and enact privacy-enhancing statutes on a sectoral (industry by industry) basis. http://www.lexis-nexis.com
