Published by Baby Bramwell. Modified over 9 years ago
1
Traffic Crash Records and Emerging Security Issues
Traffic Records Coordinating Committee (TRCC) Meeting
September 7, 2006
2
Summary of the Issue
- Recent improvements in the State’s traffic records infrastructure and data accessibility raise numerous questions related to privacy and security of personal information contained in crash reports/data
- The release of traffic crash data (with personal identifiers) raises issues of particular concern
3
Types of Access
- Crash data and image extracts
- Traffic Crash Reporting System (TCRS) web application
- Crash reports received directly from the source (i.e. law enforcement)
4
How Could the Data Be Used?
Courtesy of Sgt. Jeff Yonker, MSP-CID
- Sold to third parties for commercial use/profit
- Identity Theft
- Providing false identity to law enforcement at time of an arrest
- Producing counterfeit driver license or ID
- Producing counterfeit checks
- Affecting credit ratings or criminal history
- Other violations of personal privacy
5
- In May 2006: Theft of a laptop computer containing personal information on millions of veterans from an employee's apartment makes national news.
- “VA hit with two class-action suits over data theft” June 6, 2006
- “Report: VA not doing enough to protect data: GAO finds veterans' information still vulnerable” June 14, 2006
6
- July 2006: Laptop computer owned by the USDOT containing personal information on 133,000 pilots was stolen from a vehicle in Florida
7
- August 22, 2006: “Laptop theft puts 28,000 IDs at risk - Beaumont home patients caught in tech epidemic”
8
Impact on Traffic Safety
- Potential data security issues for crash reports on over 350,000 crashes each year.
- Criminal and civil liability for state and local users who possess crash data that includes personal information
- Potential for adverse political/media fallout for your agency in the event of a security breach
9
Act 26 Overview
- HB 4377 introduced March 28, 1979 by Rep. Perry Bullard
- Public Act 26 of 1980 (Section 257.624)
- Purpose was to allow for crash research while ensuring that personal information is protected, and to establish penalties for unauthorized disclosure
- Amended the Michigan Vehicle Code to permit OHSP to authorize release of crash data/reports only for scientific/medical research/studies
- Release of data/reports is not required
- Information not admissible in court
- Release of personal information to a third party prohibited with criminal penalties attached
10
History of Security Breach Laws
- In 2003 CA passed what is considered the first “security breach” law
- Requires the reporting of any breach or suspected breach in security that results in the disclosure of personal information to unauthorized parties
- Personal information defined as name plus any one of a number of identifiers (DLN, SSN, or credit card/account/PIN number)
11
Security Breach State Laws
- To date, thirty-one states have enacted security breach laws (Michigan not included)
- Michigan had two bills introduced in 2005 (HB 4658 and SB 309)
- Both bills would require breach notification of any affected individuals within 5 days through written, electronic, or substitute notice (email, website posting, and news release)
12
Key Questions
- Does your agency receive or possess crash data with personal information/identifiers?
- How is the data stored in your agency? Is the data secure?
- How many people have access to the data? Who are they? (i.e. employees, students, etc.) Do you keep records of those who have access?
- How do you ensure that once they leave your agency, they no longer have access?
- Could others gain or be provided access without the knowledge of your agency?
- Could the data be provided to unauthorized users without the knowledge of your agency?
- Can you guarantee the security of the data and that it will not be lost, stolen, or shared with unauthorized parties or individuals?
- Does the data ever leave your facility on a laptop or in some other form?
- Are there agency policies in place that restrict the transportation of the data to another location?
- If it is transported, how is it transported?
- Do you have a data security policy in place?
- Do you have an Incident Response Plan in place in the event of a security breach?
- Have you had discussions internally with data security or legal counsel regarding data security, liability, and associated issues?
- Do you have adequate liability coverage for damages resulting from a breach of security involving personal information?
13
Agencies Need to Consider
- That sharing personal information obtained through Act 26 with unauthorized third parties is illegal and subject to criminal prosecution
- That the risks associated with possessing unencrypted personal information, even for legitimate uses, are significant
- How a data breach would impact your agency
  - Public confidence
  - Credibility
  - Criminal or civil liability
  - Economic impact
14
Process for Release of Crash Data
- Data and image extracts
  - Continue to be processed under Act 26 by OHSP
  - Data fields of concern have been identified
  - New Agency Agreement form is in development
  - Release of personal information (i.e. name, address, DLN, DOB) in the future more restrictive
- TCRS access
  - System security issues
  - Creation of a TCRS that is “sanitized” of personal information
  - Use of TCRS limited to research under Act 26 approvals
  - Authorizing agency transition from OHSP to CJIC
15
Data Fields of Concern
- Form ID Fields
  - ORI
  - Case Number
  - Serial Number
- CMV Fields
  - Carrier Name
  - Carrier Street, City, Zip
  - ICCMC Number
  - USDOT Number
  - MPSC Number
- Involved Party Fields
  - Party City, State, Zip
- EMS Fields
  - Ambulance
  - Hospital
- Vehicle Info Fields
  - VIN Number
  - Plate Number
- Personal Info Fields
  - DLN
  - Name
  - Street Address
  - DOB
16
Recommended Action
- Have respect for other people’s personal information
- Be sensitive to emerging security issues
- Determine whether your agency possesses personal information from crash data reports and take steps to mitigate risk
- Adhere to all provisions under Act 26
- Consult with your security/legal advisors
- Take prudent and responsible action to protect the security of the data and yourself and your agency from criminal and civil liability
17
Recommended Action
- Be aware of ongoing changes at the state and national level in response to increased privacy concerns and threats to security
- Anticipate how these changes may impact your agency
18
- Access to crash data is critical to making advances in improving highway traffic safety
- State and local agencies with planning/research responsibilities need access to crash data
- The challenge, and our collective responsibility, is meeting the needs of traffic safety researchers and planners while still preserving security of personal information and maintaining individual privacy
19
Questions/Discussion