Data Privacy – What the CIO and CISO Should Know, Part II The Black Hat Briefings Las Vegas, July 26, 2000 Diana Kelley LockStar, Inc. dkelley@lockstar.com Eddie Schwartz, CISSP Nationwide eddie_schwartz@nationwide.com
Agenda • Part I • What’s All This About? The Privacy Landscape • Impacts • Part II • Responses and Solutions Disclaimer: This presentation represents the personal views of the presenter, and neither represents the views of Nationwide nor describes the current or intended practices of Nationwide or its affiliates.
Impacts “Not content with snatching her body, Starr’s deputies were now invading her mind. They had exposed her sex life and dissected her personality; now they wanted to scrutinize her very soul. It was an invasion too far.” Monica’s Story, Andrew Morton
Lots of Potential Impact • Regulatory/Legal • Brand Name • Internal Process • Financial • Domestic and International • Privacy Failure Consequences
Regulatory • Domestic corporations must meet online self-regulatory and regulatory privacy requirements • Global corporations must meet international data protection regulations • GLB privacy regulations affect all financial institution and insurance business units, marketing strategies and business relationships • Health privacy affects many organizations -- Federal financial and health information privacy regulations do not preempt state law, which could mean an even worse patchwork than now
Brand Name Protection • A privacy failure, even a merely perceived failure to protect customer data, could result in loss of consumer trust, affect customer retention and cause significant damage to brand and company reputation: a potential disaster for a customer-focused business strategy • Internet businesses are directly affected by e-business privacy concerns and the regulatory scope of the GLBA • Online privacy practices must be consistent with offline practices
Internal Process Impacts • Business units, affiliates and subsidiaries will require updated privacy statements and assurance of required practices • Privacy due diligence is needed for all strategic marketing agreements and strategies, joint ventures, mergers and acquisitions • Back-end information management practices must support business unit privacy policies -- practices must be consistent with the content of the privacy notice
Financial • Implementing defensible data privacy practices is not cheap • Opt-out is the most expensive • Do not share is the cheapest • Bank One estimates an initial cost of $55MM to implement the privacy provisions of GLB, and annual costs in the tens of millions (Source: Gartner Group)
International Impacts • Global entities must quickly establish processes for international data protection regulations in Europe and Asia-Pacific • Any potential data export to the U.S. by Global entities could be interrupted under most international privacy regulations • Global corporations should consider preparing for a contractual solution for possible data transfers, or implementing practices consistent with Department of Commerce Safe Harbor Principles for its U.S. operations
Privacy Failure Consequences • Irreparable damage to brand, reputation, consumer retention and customer-focused business strategy • Loss of revenue and new business • Interruption of transborder data flows, applicable penalties in international jurisdictions • Possible federal and state enforcement actions: millions of dollars spent and loss of flexibility in the marketplace to implement consent decrees, irreparable damage to key business initiatives such as eBusiness • Litigation from consumers, privacy advocates, business partners • Civil and criminal penalties for wrongful disclosure of protected health information
The Response and Solutions “They say it’s the price you pay for fame. But the price tag keeps changing, and it’s gotten worse.” Christie Brinkley
Planning for Privacy • Yes, you do need a plan • No, there isn’t a single solution • Why a framework is essential • It defines a set of parameters in which privacy policies, procedures, practices, and technology can be implemented, supported and audited.
The Privacy Policy • The Privacy Policy is where you start • Options: short-sighted, or visionary • Opt-out is short-sighted • Opt-in is the visionary position • Do not share is the ideal, but not a pragmatic business position for some companies • The Privacy Policy should be a value-add proposition for customers and for companies
Framework Building Blocks - Policies • An Enterprise Security or Privacy Policy • Functional Security and Privacy Policies – a bit more realistic • High level corporate policy • Functional sub-policies • Specialized and exception policies • Multiple policies do not have to mean loss of standards • Privacy officer to oversee and approve all policies
Framework Building Blocks - Policies • Don’t reinvent the wheel • There are many good example policies available • Internal and external policies are different • Some organizations may need to craft a customer privacy policy statement for disclosure to consumers • Remember to have a lawyer’s input and approval
Who Clears On the Policy? • Short Answer: Everyone • Better Answer: • CEO • Business Units (Products and Operations) • General Counsel • Government Affairs • Information Security • I/T
Assess Privacy Policy Impact (diagram: the Corporate Privacy Policy at the center, with impact radiating to Process, Organization, Technology, Compliance, Operational Areas and Business Units)
The Work Plan Approach • Start by getting a working group together and performing an assessment • Inventory and map current privacy initiatives, practices and 3rd party sharing • Identify gaps between current information practices/capabilities and the target policy • Identify any international issues, particularly transborder data flow relationships
Working Group Members • General Counsel • Government Affairs Office • Product and Operational Leads • Information Security • Information Technology • Human Resources • Compliance Office • Internal Audits
Work Plan, Phase II • Understanding your new policy and the current gaps, develop a compliance strategy and a project plan that will mitigate these risk areas: • Process • Organization • Technology • Compliance
Monitor Progress Closely • Appoint a Privacy Officer • Put someone in charge of the entire effort -- hold them accountable, but give them some help • Use a common reporting tool • Track high risk areas • Report to a central location • There are many similarities to the way Y2K projects were handled -- use that experience
Work Plan, Phase III • Execute the Phase II Plans and Roadmap -- Actually close the gaps • Revise business processes, operational scripts, disclosures, etc. • Change systems, databases, web sites • Training: get ready to handle customer service aspect • Document everything carefully
Framework Building Blocks - Procedures • Procedures are the rules derived from the policies • Without them, the policy is useless • They are as important, if not more so, in the realm of privacy as they are in ‘security’
Do the Security Work • Guidelines: • GLB Section 501(b) and recent FTC Advisory Committee on Online Access and Security [Drafts] • HIPAA/HHS Requirements • International Requirements (e.g., EU Data Protection Directive 95/46/EC) • More Information in Additional Slides
Security Bottom Line • The statutes are somewhat vague -- basically, you have to have a real security program in place • You need to meet a demonstrable “standard of due care” • If you don’t already have support for your security program, add this fuel to the fire
Framework Building Blocks - Tools in the Toolbox • Perimeter • Firewalls, Intrusion Detection • Identification, Authentication, Authorization • Two-factor, data segmentation, directory services, role-based access • PKI/Encryption • Digital Ids, Digital signatures, VPNs • Access Auditing • Notice, data integrity, Opt In/Opt Out
Framework Building Blocks - Architecture and Technology • Policies and procedures build the foundation for technology use practices • The technology does the end work of encrypting, storing, and transporting the data • Don’t forget the legacy, be realistic about constraints • Incorporate the privacy technology, don’t bolt it on
Privacy Technology Landscape • P3P • Customer Life-Cycle Management • Anonymizer (et al) • One-Off Solutions • Cookie Pal • SiegeSurfer • WindowsWasher
Other Good “Due Care” Practices • Get serious about data classification and security certification of applications • Build Data Privacy compliance into due diligence and standard “certification” and marketing processes • Use a QA process (SSE-CMM) • Conduct audits once a compliance program is established
Other Good “Due Care” Practices • Typical security “general controls,” but the privacy issue lends more urgency • Require employees to sign confidentiality agreements • Maintain warning banners on application systems • Consider the value of 3rd party assurance (TRUSTe, Better Web, CPA Web Trust, etc.)
Privacy Assurance Expectations • ISO-type standards for certification of data privacy standards by 2002/3 • Incorporation of Data Privacy Process Areas into the SSE-CMM • “Privacy brokers” and other electronic intermediaries • Third party assurance will become the norm especially for B2B relationships
Framework Building Blocks – Test and Train • Education is essential! • Deliver staff training on the issue: • Legal and ethical requirements – no one can opt-out! • Solicit feedback • Management involvement and clear sponsorship • Don’t expect perfection • Practices that are not reasonable will not be followed • Get buy-in and get it in writing • Watch and learn, hone as necessary
Words to the Wise • Define roles and responsibilities up-front • Don’t underestimate the work involved and the associated costs and time to complete • Use formal approaches for gap analysis, risk assessment, planning, and risk mitigation • It’s time for management (especially I/T) to get serious about security • Budget, budget, budget • Training
Some Good Books • “The Transparent Society”, David Brin, ISBN 020132802X • “The Unwanted Gaze”, Jeffrey Rosen, ISBN 0679445463 • “The Hundredth Window : Protecting Your Privacy and Security in the Age of the Internet”, Charles Jennings, Lori Fena, ISBN 068483944X • “For the Record : Protecting Electronic Health Information”, Computer Science and Telecommunications Board, ISBN 0309056977 • “1984”, George Orwell, ISBN 0451524934 • “Brave New World”, Aldous Huxley, ISBN 0060929871
A Few of Many Privacy Links Regulatory • GLB: http://www.bog.frb.fed.us/BoardDocs/Press/BoardActs/2000/20000621 • FTC: http://www.ftc.gov/acoas/papers/finalreport.htm • HIPAA: http://aspe.hhs.gov/admnsimp/ • EU: http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html General Info • http://www.privacyexchange.org • http://www.epic.org • http://www.privacyplace.com • http://www.eff.org • http://www.leglnet.com/libr-priv.htm • http://www.privacyalliance.org • http://www.healthcaresecurity.org
More Links Technology and Services • http://www.w3.org/P3P/ • http://www.pwcglobal.com/Extweb/service.nsf/docid/CCA86E5E9DF78C37852567A0006520E4 • http://www.ibm.com/services/e-business/security.html • http://www.truste.com • http://www.junkbusters.com/ • http://www.anonymizer.com/index.shtml • http://www.siegesoft.com/products.shtml • http://www.kburra.com/cpal.html • http://www.privacyright.com
Questions? dkelley@lockstar.com eddie_schwartz@nationwide.com
Additional Slides • Regulatory Details (4 slides) • Security Requirements of GLB, FTC, HIPAA, and EU (3 slides)
Gramm-Leach-Bliley (S.900) • GLB Regulates privacy practices of financial institutions, including insurers • Requires institutions to have privacy policies and to disclose privacy and fair information practices • Requires institutions to provide notice and opt-out opportunity to individuals before sharing their personal data for marketing purposes with nonaffiliated third parties • Prohibits sharing account identifying information with nonaffiliated third parties for marketing purposes • Joint marketing agreements must require compliance by both parties • Does not preempt stronger state laws - states are already moving to adopt stronger regulations
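As an added illustration (not from the slides), the following Python gate encodes the three policy positions from the Privacy Policy slide (opt-out, opt-in, do not share) together with the GLB notice/opt-out and account identifying information rules listed above, and writes every decision to an audit trail. The customer records and requests are constructed sample data; the set of account identifying fields and the treatment of affiliate sharing are assumptions, not rules the slides state.

```python
from dataclasses import dataclass, field

# Assumption: which data elements count as "account identifying information" under GLB.
ACCOUNT_IDENTIFYING = {"account_number", "card_number"}

@dataclass
class Customer:
    notice_given: bool          # privacy notice delivered to the customer (GLB)
    opted_out: bool = False     # customer exercised an opt-out
    opted_in: bool = False      # customer gave affirmative consent

@dataclass
class ShareRequest:
    purpose: str                # "marketing", "payment", "servicing", ...
    recipient_affiliated: bool  # affiliate vs. nonaffiliated third party
    fields: set = field(default_factory=set)  # data elements to be disclosed

def may_share(policy: str, cust: Customer, req: ShareRequest, audit: list) -> bool:
    """Decide whether `req` is permitted under `policy` and record the reason.

    policy is "opt-out", "opt-in" or "do-not-share" (the three positions on the
    Privacy Policy slide). Every decision is appended to `audit` so the sharing
    path can be reviewed later (access auditing).
    """
    who = "affiliate" if req.recipient_affiliated else "nonaffiliated"

    def decide(ok: bool, why: str) -> bool:
        audit.append(f"{'ALLOW' if ok else 'DENY'} {req.purpose} -> {who}: {why}")
        return ok

    # Sharing needed to provide or pay for the service is outside the marketing rules.
    if req.purpose != "marketing":
        return decide(True, "non-marketing purpose")
    # GLB: account identifying data never goes to nonaffiliated parties for
    # marketing, whatever the customer's consent state.
    if not req.recipient_affiliated and req.fields & ACCOUNT_IDENTIFYING:
        return decide(False, "account identifying data to nonaffiliated third party")
    if policy == "do-not-share":
        return decide(False, "policy forbids marketing sharing")
    # Assumption: affiliate sharing is governed by the notice alone, not the opt gate.
    if req.recipient_affiliated:
        return decide(cust.notice_given, "affiliate sharing; notice given" if cust.notice_given else "no notice")
    if not cust.notice_given:
        return decide(False, "no privacy notice delivered before sharing")
    if policy == "opt-in":
        return decide(cust.opted_in, "opt-in recorded" if cust.opted_in else "no opt-in")
    if policy == "opt-out":
        return decide(not cust.opted_out, "opt-out exercised" if cust.opted_out else "notice given, no opt-out")
    return decide(False, f"unknown policy {policy!r}")
```

The audit list is the point for a privacy officer: it shows which rule allowed or blocked each disclosure, which is what a later compliance audit will ask for.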
International Regulatory Space • Global standards for privacy and fair information practices are being set: • The Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data • The European Union Data Protection Directive sets a legislative floor for data protection laws in EU member states • Other non-EU states (e.g. Poland) have created similar regulation • Hong Kong has established its Personal Data (Privacy) Ordinance • Data protection activity is emerging in Australia, Japan, Latin America, Canada and other jurisdictions
State Regulatory Activities • Recent activity in 17 states includes: • Requiring opt-in for sharing name, address or phone number (New Hampshire) • Requiring opt-in before financial services share customer data (Massachusetts) • Private right of action against companies that sell personal data (Utah) • Restricting disclosure of personal data without consent or opt-in (California)
HIPAA • Mandated compliance: • Establishes privacy rights, including notice of information practices, access and correction, and to an accounting of disclosures • Requires covered entities to maintain administrative and security safeguards to protect data • Requires written individual authorization for data sharing for purposes not related to providing treatment or payment for treatment • Requires covered entities to create a privacy office and document compliance procedures • Does not preempt stronger state laws
GLB and FTC “Requirements” • GLB: • Identify and assess risks that may threaten customer information • Develop a written plan containing policies and procedures • Implement and test the plan • Adjust the plan on a continuing basis • FTC: • Web sites should maintain a security program that applies to the personal data they hold • The elements of the security program should be specified • The security program should be appropriate to the circumstances
HIPAA • Organizations must protect information against deliberate or inadvertent misuse or disclosure • Organizations must establish clear procedures to protect patients' privacy • Organizations must designate an official to monitor that system and must notify their patients about their privacy protection practices
EU Data Protection Directive • The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access • Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.