Protecting Privacy in State Government
Basic Privacy & Security Training for State of Ohio Employees
Objectives & Agenda
• Overview: privacy & security
• What is privacy?
• Privacy and security, what is the difference?
• Defining sensitive data
• Why protect privacy?
• Best Practice Perspectives
• Good information-handling practices
• Security incident response
• Privacy Quiz
What is Privacy?
“The right to be left alone -- the most comprehensive of rights, and the right most valued by civilized men.” ~ Louis Brandeis
“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” ~ Alan Westin
“You have no privacy, get over it.” ~ Scott McNealy
What is Privacy: That was Then & This is Now
Then: Practical Obscurity
• No internet; no cell phones; marketing less pervasive; sense of “ain’t nobody’s business”
Now: Information Age
• More data gathering across government & business
• Smart phones, camera phones
• Mobile & wireless computing
• 24/7 access
• Technological developments (surveillance cameras & software, RFID, biometrics)
Changing Threat Landscape
1997
• Amateur hackers
• Web site defacement
• Viruses
• Infrequent attacks
2007
• Organized crime
• SQL Injections
• Identity theft
• Constant threat
• Plus the 1997 threats: amateur hackers, web site defacement, viruses
342 data breaches in the first half of 2008: more than 69% greater than the same time period in 2007
Privacy and Security, what is the difference?
Privacy & Security are flip sides of a coin
Privacy
• Broadly speaking, how data is defined and used
• Laws, regulations, and policies that define and classify data and data usage
Security
• Securing the data, both physically and technologically, per its definition, to ensure its:
• Confidentiality (limited access)
• Integrity (authentic & complete)
• Availability (accessible)
Defining Sensitive Data
Personally Identifiable Information (PII)
• Broad definition: any information that is maintained by an entity that identifies or describes an individual.
Sensitive PII
• Name, when associated with:
• Social Security number
• Financial
• Health & Medical
• ID Card (driver’s, state identification card)
• Biometric
Defining Sensitive Data (cont.)
Sensitive data is more than PII; it is also information your organization classifies as sensitive:
• Data mandated by law to be confidential
• Case numbers
• Security plans & reports
• Intellectual property
• Economic forecasts
• Passwords
Sensitive Data = Money
Handle sensitive data like cash!
Why Protect Privacy? – World View
• European Union: EU Data Protection Directive and Member States, Safe Harbor Principles
• US Federal: HIPAA, GLBA Safeguards Rule, COPPA
• Canada: PIPEDA
• South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
• Japan: Personal Information Protection Act, METI Guidelines
• Hong Kong: Personal Data Privacy Ordinance
• Philippines: Data Privacy Law proposed by ITECC
• California: SB 1, SB 1386, SB 27, AB 1950
• Taiwan: Computer-Processed Personal Data Protection Law
• India: Law pending, currently under discussion
• Chile: Law for the Protection of Private Life
• South Africa: Electronic Communications and Transactions Act
• Argentina: Personal Data Protection Law, Confidentiality of Information Law
• Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new email spam and privacy regulations
• New Zealand: Privacy Act
October 10, 2007
Why Protect Privacy? – Public Trust
Citizens have no option to shop around – they are required to provide personal information to government.
We have an obligation to protect the information entrusted to us.
Why protect privacy? – U.S. Federal Laws
• HIPAA, GLBA, COPPA, FERPA, FCRA, genetic privacy, and more laws in the works
State laws
• Data breach notification
• Credit freeze
• PII in public records
• Biometrics
• RFID
Why protect privacy? – Ohio
It’s a best practice and rapidly becoming statewide law and policy!
• Executive Order 13S (2007): Improving State Agency Data Privacy and Security
• Ohio IT Bulletin ITB-2007.02: Data Encryption and Securing Sensitive Data
• ITP-B.11: Data Classification Policy
• HB 104: Data Breach Notification Law
• HB 13: No SSN on Vehicle Registration Renewal Notice
• HB 46: Credit Freeze & SSN Redaction
• And more to come…
Why protect privacy? (cont.)
Increasing citizen & consumer sensitivity
Security breaches
• Almost daily occurrence
• Data Breaches Hit 8.3 Million Records in First Quarter 2008*
• 167 data breaches in First Quarter 2008
• 448 incidents in 2007
Identity theft
• Low-risk, high-reward crime
• Becoming more and more organized
*Source: The Identity Theft Resource Center
Identity Theft
What It Is and Its Impact
What is identity theft?
• A crime to intentionally use another person’s identifying information to fraudulently obtain credit, property or services (Ohio Rev. Code Ann. §2913.49)
• Types:
• Financial: access to existing accounts; creation of new accounts
• Services: employment, medical
• Criminal
Incidence & Impact of Identity Theft
• 8.1 million incidents (2007)
• 3.6% of adults
• Out-of-pocket costs (2007): average $691
• Time spent recovering (2006): average 25 hours
Source: Javelin, 2/07 & 2/08
Impact of ID Theft on Economy
• Total cost of identity theft in U.S. in 2007: $45 Billion
Source: Javelin, 2/08
Beware of Social Engineering Schemes
• Identity thieves may try to trick employees into disclosing personal information
• Phishing e-mails, phone calls
• Verify the identity and authority of anyone requesting sensitive data
Public Records and Sensitive Data
Most records agencies handle are public records, but they may also contain sensitive information. Employees must employ protective measures to ensure the information is not improperly released.
Ohio’s Public Records Act is based upon the concept that records produced by government are the people’s records. Other laws require state government to protect sensitive information.
Basic Privacy Principles
• Minimization/Collection Limitation: only collect the data for which you have a business need.
• Notice/Awareness: clear and complete disclosure to individuals on the specifics of how the data they submit is to be collected, used, and shared with other organizations, in addition to the steps taken to preserve the data’s confidentiality, integrity, and quality.
• Choice/Consent: where applicable, give individuals the choice of what data they submit, how it can be used, and with whom it can be shared.
• Access: where applicable, give reasonable access to an individual’s personal data for review, modification, correction, and, where appropriate, deletion.
• Integrity/Security: ensure that personal information is relevant, accurate, and consistent throughout the enterprise, and that reasonable security precautions are taken to protect data from unauthorized use, access, or transfer.
• Accountability/Enforcement: specify an individual (or individuals) to ensure the integrity and security of the data, and to enforce applicable law and policy.
International Privacy Principles
• Openness: There should be a general policy of openness about the practices and policies with respect to personal information.
• Purpose Specification: The purposes for which personal information is collected should be specified at the time of collection. Further uses should be limited to those purposes.
• Collection Limitation: Minimize the data you collect. Only the data necessary for the stated purpose should be collected. Personal information should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the individual.
• Data Quality: Personal information should be accurate, complete, kept up-to-date, and relevant to the purposes for which it is to be used.
• Use Limitation: Personal information should not be used for purposes other than those specified, except with the consent of the data subject or by the authority of law.
• Individual Participation: Individuals should have the right to inspect and correct their personal information.
• Security Safeguards: Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.
• Accountability: Someone in the organization should be accountable for compliance with the organization’s privacy policies.
~ Based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (www.oecd.org) ~
The Life Cycle of Sensitive Data
Data is an asset. The value associated with a piece of data is determined by its attributes, context within the agency, and associated risk…all are key factors in data classification.
Data Value: Attributes, Context, Risk
Data Life Cycle: Collection → Storage → Use → Sharing → Destruction
Handling Sensitive Data – Overview
• Take stock: What is PII & other sensitive data? Where is it in your organization?
• Scale down: Only collect what you need
• Lock it: Secure, encrypt, protect
• Proper disposal: Securely dispose of documents per your retention schedule – remember the Sunshine Laws!
• Plan ahead: Know your security incident response procedure
Take Stock – Know Where Sensitive Data Lives
• Learn where sensitive data is stored in your office and systems: PCs, workstation file drawers, laptops, BlackBerrys, and other portable devices
• Sensitive PII: employee data, as well as data of citizens/consumers, licensees, and others
• Other data classified as sensitive
HB 46 calls for all agencies to engage in Privacy Impact Assessments for new data systems.
Scale Down – Data Minimization is Your Friend (less is more)
• Data quantity (only take what is necessary for a particular function)
• Access levels (only give access to those that need it)
Everything you take is something you have to retain.
Everything you retain is something that can be breached.
Everything that can be breached is something for which you are liable.
Less data collected = less liability
REMEMBER: Comply with Ohio Sunshine laws and your agency’s records retention policy
Scale Down (cont.)
• Collect & retain only what you need, and keep it only for the time you need it.
• Regularly purge documents with sensitive data from individual file folders (unless required to keep per public records law)
• Avoid downloading sensitive data unless necessary.
• Regularly cleanse sensitive data from PCs, laptops, and other portable devices.
REMEMBER: Comply with Ohio Sunshine laws and your agency’s records retention policy
Lock It – Protect Sensitive Data from Unauthorized Access
• Limit access to sensitive data (especially PII) to those who need to use it to perform their duties
• Minimum necessary access
• Passwords & other access controls
Lock It – Desks: Protect Sensitive Data on Your Desk
• “Clean-desk policy”: don’t leave documents with sensitive data out when away from your workstation
• Lock up documents with sensitive data overnight and on weekends
• Lock your PC when away from your workstation
Lock It – Workstations: Protect Sensitive Data in Workstations
• Make sure you have a timed lock-out
• Don’t download “free” software onto your PC – it may contain spyware or other malware
• Angle your monitor away from prying eyes, or ask for a “privacy screen” for your monitor if you enter sensitive data in a public place
Lock It – Passwords
Your password is like your toothbrush: don’t share it!
Password “Don’ts”
• Do not reveal your password over the phone
• Do not send your password in an e-mail message
• Do not reveal your password to a supervisor or manager
• Do not talk about your password in front of others
• Do not hint at the format of your password (e.g., "my family name")
• Do not reveal your password on questionnaires or security forms
• Do not share your password with family members
• Do not reveal your password to co-workers while on vacation
Use strong passwords: 8+ characters, including numerals and symbols
Ohio IT Policy ITB-B.3: Password-PIN Security
Lock It – Laptops & Sensitive Data
• All laptops must be encrypted.
• Do not place sensitive data on portable devices (thumb drives and other portable devices) unless the placement has been authorized following agency policy and procedures, and the device is encrypted.
Lock It – E-mail & Mail
• Don’t send or receive sensitive data – SSN, DL number, financial account number, medical info – via e-mail (in text or via attachments) unless allowed by agency and it is encrypted
Mail securely
• Don’t leave incoming or outgoing mail in unlocked or unattended receptacles
• Make sure mailings are not exposing sensitive data
CalPERS & State of Wisconsin
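As an added example that is not part of this training deck, here is a small Python check a security team could run over outgoing e-mail text or files to find and mask plausible Social Security and payment card numbers before they leave the agency; it serves both the "take stock" step and the e-mail rule above. The patterns, the SSA issuance rules and the Luhn check are the example's own assumptions, not an Ohio IT policy requirement.

```python
import re
from typing import List, NamedTuple

# Assumed patterns: a US SSN written ddd-dd-dddd, and a 13-16 digit payment
# card number with optional single space or dash separators between digits.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

class Finding(NamedTuple):
    kind: str   # "SSN" or "CARD"
    start: int  # offset of the match in the scanned text
    end: int
    last4: str  # enough to locate the record without copying the full value

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    # The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000;
    # rejecting those cuts false positives on case and form numbers.
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    # Luhn checksum used by card numbers; a digit run that fails it is more
    # likely a phone number or internal reference than a card number.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text: str) -> List[Finding]:
    # Return every plausible SSN or card number, ordered by position.
    found = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            found.append(Finding("SSN", m.start(), m.end(), m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(Finding("CARD", m.start(), m.end(), digits[-4:]))
    return sorted(found, key=lambda f: f.start)

def redact(text: str) -> str:
    # Mask each finding but keep its last four digits so staff can still tell
    # which record was meant; work from the end so earlier offsets stay valid.
    out = text
    for f in reversed(scan(text)):
        out = out[:f.start] + f"[{f.kind} ...{f.last4}]" + out[f.end:]
    return out
```

Run `redact()` over a draft message before sending; a non-empty `scan()` result is the signal that the content needs an approved, encrypted channel instead.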
Lock It – Faxes & Voicemail
• Don’t send sensitive data by fax unless security procedures are used: confirm the accuracy of the number before keying it in; arrange for and confirm prompt pick-up
• Don’t leave sensitive data in voice mail messages
Lock It – At Home?
Do Not Take State Sensitive Data Home
‘NUFF SAID
Dispose of Records Safely
• Shred documents with sensitive data and other confidential info before throwing away – CDs and floppy disks too
• Have computers and hard drives properly “wiped” or overwritten when discarding
REMEMBER: Comply with Ohio Sunshine laws and record retention policy
Handling Sensitive Data – Bottom Line
• Take stock
• Scale down
• Lock it
• Proper disposal
• Plan ahead
• Remember the Sunshine Laws
How would you want someone handling your data?
Report Info Security Incidents
KNOW YOUR ORGANIZATION’S SECURITY INCIDENT RESPONSE POLICY AND PROCEDURE
Reportable incidents might include:
• Loss or theft of laptop, BlackBerry, disk, etc.
• Loss or theft of paper records
• Unauthorized acquisition of protected info
• Unauthorized release, modification, or destruction of protected info
• Interfering with state computers or data systems
• Any activity involving illegal activity or serious wrongdoing
What is an Incident?
• Viruses
• E-mail viruses
• E-mail harassment
• Worms
• Other malicious code
• Denial of service attacks
• Intrusions
• Stolen hardware
• Network or system sabotage
• Website defacements
• Stolen sensitive data
• Unauthorized access to files or systems
• Loss of system availability
• Misuse of service, systems or information
• Physical damage to computer systems, networks, or storage media
• Illegal activity
• Serious wrongdoing
Incident Response Guidance
• Ohio HB 104: Data Breach Notification – http://www.legislature.state.oh.us/bills.cfm?ID=126_HB_104
• ITP-B.7: Security Incident Response – http://www.oit.ohio.gov/IGD/policy/pdfs_policy/ITP-B.7.pdf
• OIT IT Bulletin No. ITB-2007.02 – http://oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2007.02.pdf
• Governor’s Memo on Illegal Activity & Serious Wrongdoing – http://www.governor.ohio.gov/GovernorsOffice/Policies/SuspectedWrongdoing/tabid/800/Default.aspx
• Incident Response Management Guide – http://privacy.ohio.gov/resources/OITIncidentResponseGuide.doc
• Incident Response Training Presentation – http://privacy.ohio.gov/resources/Incident_Response_Training.ppt
Privacy Protection: Bottom Line
Privacy and security are everyone’s responsibility
(Some) Privacy Resources
• Ohio Privacy & Security Information Center – http://www.privacy.ohio.gov/
• Federal Citizen Information Privacy Resources – http://www.pueblo.gsa.gov/privacy_resources.htm
• Federal Trade Commission Privacy Initiatives – http://www.ftc.gov/privacy/index.html
• OnGuard Online – http://onguardonline.gov/index.html
• Identity Theft Resource Center – http://www.idtheftcenter.org/
• Center for Democracy & Technology – http://www.cdt.org/privacy/
Privacy Quiz
Just for Fun – Test Your Knowledge
Quiz Question 1
• If you believe that incoming mail containing sensitive data has been stolen from your office, where should you report it?
Options for Q1
• To your mailroom supervisor.
• To your department’s information security point of contact, supervisor, legal office, director’s office.
• To the U.S. Postal Inspection Service.
• To the local police department.
Correct Answer to Q1
• To your department’s information security point of contact, supervisor, legal office, director’s office.
Quiz Question 2
• Which of the following is the strongest – most secure – password for access to your PC?