1 / 63

Protecting Privacy in State Government

Protecting Privacy in State Government Basic Privacy & Security Training for State of Ohio Employees Objectives & Agenda Overview: privacy & security What is privacy? Privacy and security, what is the difference? Defining sensitive data Why protect privacy? Best Practice Perspectives

Philip
Download Presentation

Protecting Privacy in State Government

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Protecting Privacy in State Government Basic Privacy & Security Training for State of Ohio Employees

  2. Objectives & Agenda Overview: privacy & security What is privacy? Privacy and security, what is the difference? Defining sensitive data Why protect privacy? Best Practice Perspectives Good information-handling practices Security incident response Privacy Quiz 2

  3. What is Privacy? “The right to be left alone -- the most comprehensive of rights, and the right most valued by civilized men.” ~ Louis Brandeis “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” ~ Alan Westin “You have no privacy, get over it.” ~ Scott McNealy 3

  4. What is Privacy: That was Then & This is Now Then Practical Obscurity No internet; no cell phones; marketing less pervasive; sense of “ain’t nobody’s business” Now Information Age More data gathering across government & business Smart phones, Camera phones Mobile & wireless computing 24/7 access Technological Developments (surveillance cameras & software, RFID, biometrics) 4

  5. Changing Threat Landscape 1997 • Amateur hackers • Web site defacement • Viruses • Infrequent attacks 2007 • Organized crime • SQL Injections • Identity theft • Constant threat + • Amateur hackers • Web site defacement • Viruses 342 data breaches in the first half of 2008: more than 69% greater than the same time period in 2007

  6. Privacy and Security, what is the difference? Privacy & Security are flipsides of a coin Privacy Broadly speaking, how data is defined and used Laws, regulations, and policies that define and classify data and date usage • Security • Securing the data, both physically and technologically, per its definition to ensure its • Confidentiality (limited access) • Integrity (authentic & complete) • Availability (accessible) 6

  7. Defining Sensitive Data Personally Identifiable Information (PII) Broad definition: any information that is maintained by an entity that identifies or describes an individual. Sensitive PII Name, when associated with: Social Security number Financial Health & Medical ID Card (driver’s, state identification card) Biometric 7

  8. Defining Sensitive Data (con’t.) Sensitive data is more than PII, it is also information your organization classifies as sensitive Data mandated by law to be confidential Case numbers Security plans & reports Intellectual property Economic forecasts Passwords 8

  9. Sensitive Data = Money Handle sensitive data like cash! 9

  10. Why Protect Privacy? – World View European Union EU Data Protection Directive and Member States, Safe Harbor Principles US Federal HIPAA, GLBA Safeguards Rule, COPPA, Canada PIPEDA South Korea Act on Promotion of Information and Communications Network Utilization and Data Protection Japan Personal Information Protection Act, METI Guidelines Hong Kong Personal Data Privacy Ordinance Philippines Data Privacy Law proposed by ITECC California SB 1, SB 1386, SB 27, AB 1950 Taiwan Computer-Processed Personal Data Protection Law India Law pending currently under discussion Chile Law for the Protection of Private Life South Africa Electronic Communications and Transactions Act Argentina Personal Data Protection Law, Confidentiality of Information Law Australia Federal Privacy Amendment Bill State Privacy Bills in Victoria, New South Wales and Queensland, new email spam and privacy regulations October 10, 2007 10 New Zealand Privacy Act

  11. Why Protect Privacy? - Public Trust Citizens have no option to shop around – they are required to provide personal information to government. We have an obligation to protect the information entrusted to us. 11

  12. Why protect privacy? – U.S. Federal Laws HIPAA, GLBA, COPPA, FERPA, FCRA, genetic privacy, and more laws in works State Data Breach notification Credit freeze PII in public records Biometrics RFID 12

  13. Why protect privacy? - Ohio It’s a best practice and rapidly becoming statewide law and policy! Executive Order 13S (2007): Improving State Agency Data Privacy and Security Ohio IT Bulletin ITB-2007.02: Data Encryption and Securing Sensitive Data ITP-B.11: Data Classification Policy HB 104: Data Breach Notification Law HB13: No SSN - Vehicle Registration Renewal Notice HB 46: Credit Freeze & SSN Redaction And more to come… 13

  14. Why protect privacy? (con’t.) Increasing citizen & consumer sensitivity Security breaches Almost daily occurrence Data Breaches Hit 8.3 Million Records in First Quarter 2008* 167 data breaches First Quarter 2008 448 incidents in 2007 Identity theft Low-risk, high-reward crime Becoming more and more organized *Source - The Identity Theft Resource Center 14

  15. Identity Theft What It is and Its Impact 15

  16. What is identity theft? • A crime to intentionally use another person’s identifying information to fraudulently obtain credit, property or services. • Ohio Rev. Code Ann. §2913.49 • Types: • Financial • Access to existing accounts • Creation of new accounts • Services: Employment, Medical • Criminal 16

  17. Incidence & Impact of Identity Theft • 8.1 million incidents (2007) • 3.6% of adults • Out-of-pocket costs (2007) • Average $691 • Time spent recovering (2006) • Average 25 hours 17 Source: Javelin, 2/07 & 2/08

  18. Impact of ID Theft on Economy • Total cost of identity theft in U.S. in 2007 $45 Billion Source: Javelin, 2/08 18

  19. Beware of Social Engineering Schemes Identity thieves may try to trick employees into disclosing personal information Phishing e-mails, phone calls Verify identity and authority of anyone requesting sensitive data 19

  20. Basic Data Handling for State Employees 20

  21. Public Records and Sensitive Data Most records agencies handle are public records, but they may also contain sensitive information. Employees must employ protective measures to ensure the information is not improperly released. The Ohio’s Public Records Act is based upon the concept that records produced by government are the people’s records. Other laws require state government to protect sensitive information.

  22. Basic Privacy Principles • Minimization/Collection Limitation: only collect that data for which you have a business need. • Notice/Awareness: clear and complete disclosure to individuals on the specifics of how the data they submit is to be collected, used, and shared with other organizations, in addition to the steps taken to preserve the data’s confidentiality, integrity, and quality. • Choice/Consent: where applicable, give individuals the choice of what data they submit, how it can be used, and with whom it can be shared. • Access: where applicable, give reasonable access to an individual’s personal data for review, modification, correction, and, where appropriate, deletion. • Integrity/Security: ensure that personal information is relevant, accurate, and consistent throughout the enterprise; and that reasonable security precautions are taken to protect data from unauthorized use, access, or transfer • Accountability/Enforcement: specify an individual(s) to ensure the integrity and security of the data, and to enforce applicable law and policy. 22

  23. International Privacy Principles Openness: There should be a general policy of openness about the practices and policies with respect to personal information. Purpose Specification: The purposes for which personal information is collected should be specified at the time of collection. Further uses should be limited to those purposes. Collection Limitation: Minimize the data you collect. Only the data necessary for the stated purpose should be collected. Personal information should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the individual. Data Quality: Personal information should be accurate, complete and kept up-to-date, and relevant to the purposes for which it is to be used, . Use Limitation: Personal information should not be used for purposes other than those specified, except with the consent of the data subject or by the authority of law. Individual Participation: Individuals should have the right to inspect and correct their personal information Security Safeguards: Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure. Accountability: Someone in the organization should be accountable for compliance with the organization’s privacy policies. ~Based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (www.oecd.org)~ 23

  24. The Life Cycle of Sensitive Data Data is an asset. The value associated with a piece of data is determined by its attributes, context within the agency, and associated risk…all are key factors in data classification. Data Value Attributes Context Risk Data LifeCycle October 10, 2007 Collection Storage Use Sharing 24 Destruction

  25. Handling Sensitive Data - Overview Take stock What is PII & Other Sensitive Data Where is it in your organization Scale down Only collect what you need Lock it Secure, encrypt, protect Proper Disposal Securely dispose of documents per your retention schedule – remember the Sunshine Laws! Plan ahead Know your security incident response procedure 25

  26. Take Stock Know Where Sensitive Data Lives Learn where sensitive data is stored in your office and systems PCs, workstation file drawers, laptops, BlackBerrys, and other portable devices Sensitive PII: Employee data, as well as data of citizens/consumers, licensees, and others Other data classified as sensitive HB 46 calls for all agencies to engage in Privacy Impact Assesments for new data systems. 26

  27. Data Minimization is Your Friend – less is more Data quantity (only take what is necessary for a particular function) Access Levels (only give access to those that need it) Everything you take is something you have to retain Everything you retain is something that can be breached Everything that can be breached is something for which you are liable Less data collected = less liability REMEMBER: Comply with Ohio Sunshine laws and your agency’s records retention policy Scale Down 27

  28. Scale Down (cont.) Collect & Retain only what you need and keep it only for the time you need it. Regularly purge documents with sensitive data from individual file folders (unless required to keep per public records law) Avoid downloading sensitive data unless necessary. Regularly cleanse sensitive data from PCs, laptops, other portable devices. REMEMBER: Comply with Ohio Sunshine laws and your agency’s records retention policy

  29. Lock It Protect Sensitive Data from Unauthorized Access Limit access to sensitive data (especially PII) to those who need to use it to perform their duties Minimum necessary access Passwords & other access controls 29

  30. Lock It - Desks Protect Sensitive Data on Your Desk “Clean-desk policy” Don’t leave documents with sensitive data out when away from your workstation Lock up documents w/ sensitive data overnight and on weekends Lock PC when away from your workstation 30

  31. Lock It – Workstations Protect Sensitive Data in Workstations Make sure you have a timed lock-out Don’t download “free” software onto PC – it may contain spyware or other malware Angle your monitor away from prying eyes or ask for a “privacy screen” for your monitor if you enter sensitive data in a public place 31

  32. Lock It - Passwords Your password is like your toothbrush - Don’t share it! Password “Don’ts” Do not reveal your password over the phone Do not send your password in an e-mail message Do not reveal your password to a supervisor or manager Do not talk about your password in front of others Do not hint at the format of your password (e.g., "my family name") Do not reveal your password on questionnaires or security forms Do not share your password with family members Do not reveal your password to co-workers while on vacation Use strong passwords 8+ characters, including numerals and symbols Ohio IT Policy ITB-B.3: Password-PIN Security 32

  33. Lock It – Laptops & Sensitive Data All laptops must be encrypted. Do not place sensitive data on portable devices (thumb drives and other portable devices), unless the placement has been authorized following agency policy and procedures, and the device is encrypted. 33

  34. Lock It – E-mail & Mail Don’t send or receive sensitive data – SSN, DL number, financial account number, medical info – via email (in text or via attachments) unless allowed by agency and it is encrypted Mail securely Don’t leave incoming or outgoing mail in unlocked or unattended receptacles Make sure mailings are not exposing sensitive data CalPERS & State of Wisconsin 34

  35. Lock It - Faxes & Voicemail Don’t send sensitive data by fax unless security procedures are used Confirm accuracy of number before keying in Arrange for and confirm prompt pick-up Don’t leave sensitive data in voice mail messages

  36. Lock It – At Home? Do Not Take State Sensitive Data Home ‘NUFF SAID 36

  37. Dispose of Records Safely Shred documents with sensitive data and other confidential info before throwing away CDs and floppy disks too Have computers and hard drives properly “wiped” or overwritten when discarding REMEMBER: Comply with Ohio Sunshine laws and record retention policy 37

  38. Handling Sensitive Data – Bottom Line Take stock Scale down Lock it Proper Disposal Plan ahead Remember the Sunshine Laws How would you want someone handling your data? 38

  39. Incident Response 39

  40. Report Info Security Incidents KNOW YOUR ORGANIZATIONS SECURITY INCIDENT RESPONSE POLICY AND PROCEDURE Reportable incidents might include: Loss or theft of laptop, BlackBerry, disk, etc. Loss or theft of paper records Unauthorized acquisition of protected info Unauthorized release, modification, or destruction of protected info Interfering with state computers or data systems Any activity involving illegal activity or serious wrongdoing 40

  41. Viruses E-mail viruses E-mail harassment Worms Other malicious code Denial of service attacks Intrusions Stolen hardware Network or system sabotage Website defacements Stolen Sensitive Data Unauthorized access to files or systems Loss of system availability Misuse of service, systems or information Physical damage to computer systems, networks, or storage media Illegal Activity Serious Wrongdoing What is an Incident?

  42. Incident Response Guidance Ohio HB 104: Data Breach Notification http://www.legislature.state.oh.us/bills.cfm?ID=126_HB_104 ITP – B.7: Security Incident Response http://www.oit.ohio.gov/IGD/policy/pdfs_policy/ITP-B.7.pdf OIT IT Bulletin No: ITB-2007.02 http://oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2007.02.pdf Governor’s Memo on Illegal Activity & Serious Wrongdoing http://www.governor.ohio.gov/GovernorsOffice/Policies/SuspectedWrongdoing/tabid/800/Default.aspx Incident Response Management Guide http://privacy.ohio.gov/resources/OITIncidentResponseGuide.doc Incident Response Training Presentation http://privacy.ohio.gov/resources/Incident_Response_Training.ppt 42

  43. Why Protect Privacy? - Public Trust Citizens have no option to shop around – they are required to provide personal information to government. We have an obligation to protect the information entrusted to us.

  44. Privacy Protection: Bottom Line Privacy and security are everyone’s responsibility

  45. (Some) Privacy Resources Ohio Privacy & Security Information Center http://www.privacy.ohio.gov/ Federal Citizen Information Privacy Resources http://www.pueblo.gsa.gov/privacy_resources.htm Federal Trade Commission Privacy Initiatives http://www.ftc.gov/privacy/index.html Onguard Online http://onguardonline.gov/index.html Identity Theft Resource Center http://www.idtheftcenter.org/ Center for Democracy & Technology http://www.cdt.org/privacy/

  46. Privacy Quiz Just for Fun – Test Your Knowledge 46

  47. Quiz Question 1 • If you believe that incoming mail containing sensitive data has been stolen from your office, where should you report it? 47

  48. Options for Q1 • To your mailroom supervisor. • To your department’s information security point of contact, supervisor, legal office, director’s office • To the U.S. Postal Inspection Service. • To the local police department. 48

  49. Correct Answer to Q1 • To your department’s information security point of contact, supervisor, legal office, director’s office 49

  50. Quiz Question 2 • Which of the following is the strongest – most secure – password for access to your PC? 50

More Related