Data Privacy in the Age of Cybersecurity, Smart Cities, and Data Analytics
GINA BUSBY, CITY OF SURPRISE
JOSH DOOLITTLE, CITY OF TOLLESON
LESTER GODSEY, CITY OF MESA
TIM ROEMER, STATE OF ARIZONA

Premise
What do data privacy, cybersecurity and smart cities all have in common?
They all touch upon data privacy
In an age where technology seems to be outpacing personal privacy, government needs to find a balance between delivering services to its constituents and defining where privacy lines need to be drawn.

Introduction
• Josh Doolittle – System Administrator, City of Tolleson
• Gina Busby – Chief Information Security Officer, City of Surprise
• Lester Godsey – Chief Information Security and Privacy Officer, City of Mesa
• Tim Roemer – Chief Information Security Officer, State of Arizona

Is Data Privacy Really a Concern?
• According to a SAS survey, 73% of respondents said their concern over privacy has increased these past few years.
• Perhaps surprisingly, 67% of those respondents think the US government should do more to protect data privacy.
BUT . . . .

People Don’t Trust the Federal Government . . .
How do we as municipalities build and retain this trust with citizens that seems to be missing?
Pew Research Center link

Is Data Privacy Really a Concern?, contd.
• The onus of data privacy, apart from certain industries like financial services or healthcare, falls upon the private sector and state/local government
• The United States doesn’t have federal-level privacy laws
  • Unlike GDPR in the European Union

Is Data Privacy Really a Concern?, contd.
• As municipalities, some of the data privacy concerns we all share are:
  • HIPAA (Health Insurance Portability and Accountability Act)
  • PCI (Payment Card Industry)
  • CJIS and ACJIS (Criminal Justice Information Services/Arizona CJIS)
  • ARS 18-551 and 18-552, Arizona Breach and Breach Notification Statutes
  • Personally-Identifiable Information – SSNs, bank routing numbers

Presentation Format Today
• We will share, at a high level, concerns about cybersecurity and data privacy
• Each of us will provide examples of projects our respective organizations are working on that touch upon data privacy/cybersecurity concerns
• We will talk about the risks and steps we are taking to minimize these risks
• We will provide some thoughts for you to consider from a policy perspective
• Finally, Tim Roemer will share the State of Arizona’s insights and perspective on cybersecurity and the rise of ransomware hitting government agencies

City of Tolleson
• What are some of the general challenges around cybersecurity and data privacy for the City of Tolleson?

City of Tolleson, contd.
• Waste Water Treatment Plant
• Moving from manual operation to SCADA-controlled operation for its 17.5 million gallon per day capacity system
• Benefits include improved operations, greater efficiency and improved service to residents

City of Tolleson, contd.
• Risks to the City of Tolleson
• Although Tolleson has 200 employees, 5 of whom are in IT, we still have the same responsibilities as all other cities
• Citizens want the same amenities as other larger cities
  • Free downtown Wi-Fi
  • Main street music system
  • Public Library
• How are these services monitored and to what level are they secured?
• Free downtown Wi-Fi compared to waste water treatment plant

City of Tolleson, contd.
• Examples of steps taken to address risk
• Writing and maintaining SOPs and policies, specifically around cybersecurity and data privacy
• Collaboration – e.g. neighboring municipalities, ACSI (Arizona Cyber Security Initiative), and other governmental agencies

City of Surprise
• What are some of the general challenges around cybersecurity and data privacy for the City of Surprise?

City of Surprise, contd.
• In-House Medical and Ambulance Response Services
• Providing in-house Electronic Medical Records and Billing
• Benefits to Surprise:
  • Increased city revenue
  • Improved service to citizens
  • Patient Data Security

City of Surprise, contd.
• Risks associated with In-House Medical and Ambulance Response Services
• HIPAA and PII (personally identifiable information)
• Negative return on investment
• Lack of compliance with federal laws could result in fines

City of Surprise, contd.
• Some steps taken to mitigate/minimize these risks include, but are not limited to:
  • Critical infrastructure protection
  • Cyber risk management
  • Consistent training
  • HIPAA and ambulance compliance adherence
  • Increased physical security

City of Mesa
• What are some of the general challenges around cybersecurity and data privacy for the City of Mesa?

City of Mesa, contd.
• Mesa Smart City Initiative – individual projects that make up our Mesa Smart City initiative include, but aren’t limited to:
  • Communications infrastructure
  • Data privacy
  • Creation of an Innovation District
  • Parking sensors
  • Facilities Automation
  • And more!

City of Mesa, contd.
• One of the biggest risks we’ve identified is centered around data privacy
• Smart City projects lead to questions around data privacy and security
• The City of Toronto in partnership with Google has garnered a lot of criticism
• Technical controls around data can be challenging
• What about our organization’s stance around data privacy?

City of Mesa, contd.
• Ways we are addressing data privacy and security concerns:
  • Communication/transparency – public meetings, public website, social media, etc.
  • Data privacy principles – https://www.mesaaz.gov/about-us/smart-city/privacy-principles
  • Internal staff data privacy policy
  • Chief Privacy Officer
    • This role is aligned with my cybersecurity role
  • Defined data classifications and security controls that match

Overall Concerns and Recommendations
While cybersecurity is a major concern, there are other data concerns of a less nefarious nature:
• What data do you have and how is it handled?
• What initiatives exist that might pose challenges to a mature data privacy stance?
How many of us have defined what data privacy means to our organizations?

What does hold?
• Greater emphasis on data privacy
• Greater scrutiny applied to the private sector re: data privacy – this will come around to cities
• New technologies will make data privacy more challenging (e.g. AI and advanced data analytics)
• More attacks based on collecting personal information or restricting access to it
. . . Such as

Recent Examples
• May 29th – City of Riviera Beach, FL
  • Paid ransom of $600,000
  • Had insurance, covering all but $25,000 of the cost
• May 7th – City of Baltimore, MA
  • Refused to pay $76,000 ransom
  • Estimated losses were more than $18 million
  • $8 million from lost/deferred revenues
  • Had no cyber insurance
• June 10th – Lake City, FL
  • Paid ransom of nearly $500,000
  • Had insurance, covering all but $10,000 of the cost

Most Recent Example
22 municipalities in the State of Texas were hit by ransomware this week:
• Evidence points to a single responsible person/group
• They are asking for a collective ransom of $2.5 million
• It appears they got in through an application that is managed by an outsourced company

Arizona’s 6th C – Cybersecurity
• Copper
• Cattle
• Cotton
• Citrus
• Climate
• Cybersecurity

What The State Is Doing
• 17 Statewide Information Security Policies and Standards
• National Institute of Standards and Technology (NIST) 800-53
• NIST Cybersecurity Framework
• Arizona Risk and Authorization Management Program (AZRamp)
  • Used to evaluate Cloud services
• ESP Advisory Council (ESPAC)

Governor Ducey Created ACT
• Arizona committed to securing information/protecting citizens
• Bringing together elected officials
• Breaking down silos
• Arizona aims to be the most cyber exercised state in the nation
• Information sharing between public and private sector

We Are Here To Help
• Cybersecurity Risk Insurance
  • Who here has it?
  • If you don’t, why don’t you?
• National Governors Association Election Security Policy Academy
  • Protect 2020
  • December 12th in Phoenix
• We have resources to help you.

Arizona Cyber Security Initiative (ACSI)
• Ilene Klein, Cybersecurity Program Coordinator
  • Ilene.Klein@phoenix.gov
  • Desk: 602-644-5698
  • Mobile: 847-894-8298
• Arizona Counter Terrorism Information Center (ACTIC)
• State, Local, and Tribal Cybersecurity Outreach
  • 90: contacts on statewide ACSI list
  • >300: contacts on government cybersecurity information distro
  • >200: contacts on private companies and organizations distro

Multi-State Information Sharing & Analysis Center (MS-ISAC)
• $0
• CIS SecureSuite Membership
• Computer Emergency Response Team – Incident Response
• Conferences including one paid local government seat
• Threat notification and information sharing, vulnerability assessment, malicious code analysis, cybersecurity awareness
• Network security monitoring (Albert, cost associated)
• Other ISAC organizations include:
  • Elections Infrastructure (EI-ISAC), Health (H-ISAC), Electricity (E-ISAC), Water (Water-ISAC) and many more.

Questions?
• Thank you!