Data Privacy – What the CIO and CISO Should Know, Part II

The Black Hat Briefings, Las Vegas, July 26, 2000

Eddie Schwartz, CISSP, Nationwide, eddie_schwartz@nationwide.com

Diana Kelley, LockStar, Inc., [email protected]

Agenda

Part I
– What’s All This About?
– The Privacy Landscape
– Impacts

Part II
– Responses and Solutions

Disclaimer: This presentation represents the personal views of the presenter, and neither represents the views of Nationwide nor describes the current or intended practices of Nationwide or its affiliates.

Impacts

“Not content with snatching her body, Starr’s deputies were now invading her mind. They had exposed her sex life and dissected her personality; now they wanted to scrutinize her very soul. It was an invasion too far.”

Monica’s Story, Andrew Morton

Lots of Potential Impact

– Regulatory/Legal
– Brand Name
– Internal Process
– Financial
– Domestic and International
– Privacy Failure Consequences

Regulatory

– Domestic corporations must meet online self-regulatory and regulatory privacy requirements
– Global corporations must meet international data protection regulations
– GLB privacy regulations affect all financial institution and insurance business units, marketing strategies, business relationships
– Health privacy affects many organizations
– Federal financial and health information privacy regulations do not preempt state law, which could mean an even worse patchwork than now

Brand Name Protection

– A privacy failure, even a merely perceived failure to protect customer data, could result in loss of consumer trust, affect customer retention and cause significant damage to brand and company reputation: a potential disaster for a customer-focused business strategy
– Internet businesses are directly affected by e-business privacy concerns and the regulatory scope of the GLBA
– Online privacy practices must be consistent with offline practices

Internal Process Impacts

– Business units, affiliates and subsidiaries will require updated privacy statements and assurance of required practices
– Privacy due diligence is needed for all strategic marketing agreements and strategies, joint ventures, mergers and acquisitions
– Back-end information management practices must support business unit privacy policies; practices must be consistent with the content of the privacy notice

Financial

– Implementing defensible data privacy practices is not cheap
  – Opt-out is the most expensive
  – Do not share is the cheapest
– Bank One estimates an initial cost of $55MM to implement the privacy provisions of GLB, and annual costs in the tens of millions (Source: Gartner Group)

International Impacts

– Global entities must quickly establish processes for international data protection regulations in Europe and Asia-Pacific
– Any potential data export to the U.S. by global entities could be interrupted under most international privacy regulations
– Global corporations should consider preparing a contractual solution for possible data transfers, or implementing practices consistent with the Department of Commerce Safe Harbor Principles for their U.S. operations

Privacy Failure Consequences

– Irreparable damage to brand, reputation, consumer retention and customer-focused business strategy
– Loss of revenue and new business
– Interruption of transborder data flows, applicable penalties in international jurisdictions
– Possible federal and state enforcement actions: millions of dollars spent and loss of flexibility in the marketplace to implement consent decrees, irreparable damage to key business initiatives such as eBusiness
– Litigation from consumers, privacy advocates, business partners
– Civil and criminal penalties for wrongful disclosure of protected health information

The Response and Solutions

“They say it’s the price you pay for fame. But the price tag keeps changing, and it’s gotten worse.”

Christie Brinkley

Planning for Privacy

– Yes, you do need a plan
– No, there isn’t a single solution
– Why a framework is essential: it defines a set of parameters in which privacy policies, procedures, practices, and technology can be implemented, supported and audited

The Privacy Policy

– The Privacy Policy is where you start
– Options: short-sighted, or visionary
  – Opt-out is short-sighted
  – Opt-in is the visionary position
  – Do not share is the ideal, but not a pragmatic business position for some companies
– The Privacy Policy should be a value-add proposition for customers and for companies

Framework Building Blocks – Policies

– An Enterprise Security or Privacy Policy
– Functional Security and Privacy Policies, a bit more realistic
  – High level corporate policy
  – Functional sub-policies
  – Specialized and exception policies
– Multiple policies do not have to mean loss of standards
  – Privacy officer to oversee and approve all policies

Framework Building Blocks – Policies

– Don’t reinvent the wheel
– There are many good example policies available
– Internal and external policies are different
  – Some organizations may need to craft a customer privacy policy statement for disclosure to consumers
  – Remember to have a lawyer’s input and approval

Who Clears On the Policy?

Short Answer: Everyone

Better Answer:
– CEO
– Business Units (Products and Operations)
– General Counsel
– Government Affairs
– Information Security
– I/T

Assess Privacy Policy Impact

[Diagram: the Corporate Privacy Policy is assessed along four dimensions (Process, Organization, Technology, Compliance) for each of the Business Units and Operational Areas.]

The Work Plan Approach

Start by getting a working group together and perform an assessment:
– Inventory and map current privacy initiatives, practices, and 3rd party sharing
– Identify gaps between current information practices/capabilities and the target policy
– Identify any international issues, particularly transborder data flow relationships

Working Group Members

– General Counsel
– Government Affairs Office
– Product and Operational Leads
– Information Security
– Information Technology
– Human Resources
– Compliance Office
– Internal Audit

Work Plan, Phase II

Understanding your new policy and the current gaps, develop a compliance strategy and a project plan that will mitigate these risk areas:
– Process
– Organization
– Technology
– Compliance

Monitor Progress Closely

– Appoint a Privacy Officer: put someone in charge of the entire effort, hold them accountable, but give them some help
– Use a common reporting tool
– Track high risk areas
– Report to a central location
– There are many similarities to the way Y2K projects were handled; use that experience

Work Plan, Phase III

Execute the Phase II plans and roadmap; actually close the gaps:
– Revise business processes, operational scripts, disclosures, etc.
– Change systems, databases, web sites
– Training: get ready to handle the customer service aspect
– Document everything carefully

Framework Building Blocks – Procedures

– Procedures are the rules driven from the policies
– Without them, the policy is useless
– As important, if not more so, in the realm of privacy as they are in ‘security’

Do the Security Work

Guidelines:
– GLB Section 501(b) and the recent FTC Advisory Committee on Online Access and Security [Drafts]
– HIPAA/HHS Requirements
– International Requirements (e.g., EU Data Protection Directive 95/46/EC)

More information in the Additional Slides

Security Bottom Line

The statutes are somewhat vague -- basically, you have to have a real security program in place

You need to meet a demonstrable “standard of due care”

If you don’t already have support for your security program, add this fuel to the fire

Framework Building Blocks – Tools in the Toolbox

– Perimeter
  – Firewalls, Intrusion Detection
– Identification, Authentication, Authorization
  – Two-factor, data segmentation, directory services, role-based access
– PKI/Encryption
  – Digital IDs, digital signatures, VPNs
– Access Auditing
  – Notice, data integrity, Opt In/Opt Out

Framework Building Blocks – Architecture and Technology

– Policies and procedures build the foundation for technology use practices
– The technology does the end work of encrypting, storing, and transporting the data
– Don’t forget the legacy; be realistic about constraints
– Incorporate the privacy technology, don’t bolt it on

Privacy Technology Landscape

– P3P
– Customer Life-Cycle Management
– Anonymizer (et al.)
– One-Off Solutions
  – Cookie Pal
  – SiegeSurfer
  – Window Washer

Other Good “Due Care” Practices

– Get serious about data classification and security certification of applications
  – Build data privacy compliance into due diligence and standard “certification” and marketing processes
  – Use a QA process (SSE-CMM)
– Conduct audits once a compliance program is established

Other Good “Due Care” Practices

– Typical security “general controls,” but the privacy issue lends more urgency
  – Require employees to sign confidentiality agreements
  – Maintain warning banners on application systems
– Consider the value of 3rd party assurance (TRUSTe, BetterWeb, CPA WebTrust, etc.)

Privacy Assurance Expectations

– ISO-type standards for certification of data privacy standards by 2002/3
– Incorporation of Data Privacy Process Areas into the SSE-CMM
– “Privacy brokers” and other electronic intermediaries
– Third party assurance will become the norm, especially for B2B relationships

Framework Building Blocks – Test and Train

– Education is essential! Deliver staff training on the issue:
  – Legal and ethical requirements – no one can opt-out!
  – Solicit feedback
  – Management involvement and clear sponsorship
– Don’t expect perfection
– Practices that are not reasonable will not be followed
– Get buy-in and get it in writing
– Watch and learn, hone as necessary

Words to the Wise

– Define roles and responsibilities up-front
– Don’t underestimate the work involved and the associated costs and time to complete
– Use formal approaches for gap analysis, risk assessment, planning, and risk mitigation
– It’s time for management (especially I/T) to get serious about security
– Budget, budget, budget
– Training

Some Good Books

– “The Transparent Society”, David Brin, ISBN 020132802X
– “The Unwanted Gaze”, Jeffrey Rosen, ISBN 0679445463
– “The Hundredth Window: Protecting Your Privacy and Security in the Age of the Internet”, Charles Jennings, Lori Fena, ISBN 068483944X
– “For the Record: Protecting Electronic Health Information”, Computer Science and Telecommunications Board, ISBN 0309056977
– “1984”, George Orwell, ISBN 0451524934
– “Brave New World”, Aldous Huxley, ISBN 0060929871

A Few of Many Privacy Links

Regulatory
– GLB: http://www.bog.frb.fed.us/BoardDocs/Press/BoardActs/2000/20000621
– FTC: http://www.ftc.gov/acoas/papers/finalreport.htm
– HIPAA: http://aspe.hhs.gov/admnsimp/
– EU: http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html

General Info
– http://www.privacyexchange.org
– http://www.epic.org
– http://www.privacyplace.com
– http://www.eff.org
– http://www.leglnet.com/libr-priv.htm
– http://www.privacyalliance.org
– http://www.healthcaresecurity.org

More Links

Technology and Services
– http://www.w3.org/P3P/
– http://www.pwcglobal.com/Extweb/service.nsf/docid/CCA86E5E9DF78C37852567A0006520E4
– http://www.ibm.com/services/e-business/security.html
– http://www.truste.com
– http://www.junkbusters.com/
– http://www.anonymizer.com/index.shtml
– http://www.siegesoft.com/products.shtml
– http://www.kburra.com/cpal.html
– http://www.privacyright.com

Additional Slides

– Regulatory Details (4 slides)
– Security Requirements of GLB, FTC, HIPAA, and EU (3 slides)

Gramm-Leach-Bliley (S.900)

GLB regulates the privacy practices of financial institutions, including insurers:
– Requires institutions to have privacy policies and to disclose privacy and fair information practices
– Requires institutions to provide notice and an opt-out opportunity to individuals before sharing their personal data for marketing purposes with nonaffiliated third parties
– Prohibits sharing account identifying information with nonaffiliated third parties for marketing purposes
– Joint marketing agreements must require compliance by both parties
– Does not preempt stronger state laws; states are already moving to adopt stronger regulations
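The "Tools in the Toolbox" slide lists access auditing with Opt In/Opt Out, and the GLB slide above states the sharing rules a back-end has to enforce. As an added illustration (not code from the presentation or from either presenter's company), the following is one way to put those rules into a single choke point that every outbound customer-data transfer passes through: a nonaffiliated third party gets personal data for marketing only if a privacy notice was delivered and the customer's opt-out (or opt-in, if the company chose the "visionary" policy) is honoured, account-identifying fields are never released in such a transfer regardless of consent, only the requested fields leave, and every decision, including denials, is written to an audit trail. The recipient categories, the set of fields treated as account-identifying, the consent flags and the sample customers are constructed for the example, and the mapping of the slide's wording to these checks is an engineering assumption, not a legal reading of the statute.

```python
"""Consent gate for third-party customer-data sharing.

Added illustration, not from the Black Hat 2000 deck. Encodes the GLB rules
as stated on the slide: notice plus opt-out (or opt-in) before releasing
personal data to a nonaffiliated third party for marketing, a hard bar on
account-identifying fields in such transfers, and an audit record per decision.
Recipient categories, field names and sample customers are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Recipient(Enum):
    AFFILIATE = "affiliate"
    NONAFFILIATED = "nonaffiliated"


class Purpose(Enum):
    SERVICING = "servicing"   # servicing the customer's own account
    MARKETING = "marketing"


class ConsentModel(Enum):
    OPT_OUT = "opt-out"   # share unless the customer objected (the slide's floor)
    OPT_IN = "opt-in"     # share only with affirmative consent


# Assumed for this example: which fields count as "account identifying".
ACCOUNT_IDENTIFYING = frozenset({"account_number", "card_number"})


@dataclass
class Customer:
    customer_id: str
    notice_delivered: bool            # privacy notice provided to the customer
    marketing_opt_out: bool = False   # customer exercised the opt-out
    marketing_opt_in: bool = False    # affirmative consent (opt-in model only)
    data: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    released: Dict[str, str]          # only the fields actually released


class ConsentGate:
    """Single choke point for outbound transfers; keeps its own audit trail."""

    def __init__(self, model: ConsentModel):
        self.model = model
        # (customer_id, recipient, purpose, fields, allowed, reason)
        self.audit_log: List[Tuple[str, str, str, str, bool, str]] = []

    def share(self, cust: Customer, recipient: Recipient,
              purpose: Purpose, fields: List[str]) -> Decision:
        decision = self._evaluate(cust, recipient, purpose, fields)
        # Denials are logged too: an auditor needs to see attempted transfers.
        self.audit_log.append((cust.customer_id, recipient.value, purpose.value,
                               ",".join(sorted(fields)), decision.allowed,
                               decision.reason))
        return decision

    def _evaluate(self, cust: Customer, recipient: Recipient,
                  purpose: Purpose, fields: List[str]) -> Decision:
        missing = sorted(f for f in fields if f not in cust.data)
        if missing:
            return Decision(False, f"unknown fields requested: {missing}", {})
        if recipient is Recipient.NONAFFILIATED and purpose is Purpose.MARKETING:
            barred = sorted(set(fields) & ACCOUNT_IDENTIFYING)
            if barred:
                # No consent flag overrides this; the slide states it as a prohibition.
                return Decision(False, f"account-identifying fields barred: {barred}", {})
            if not cust.notice_delivered:
                return Decision(False, "no privacy notice delivered", {})
            if self.model is ConsentModel.OPT_OUT and cust.marketing_opt_out:
                return Decision(False, "customer opted out", {})
            if self.model is ConsentModel.OPT_IN and not cust.marketing_opt_in:
                return Decision(False, "customer has not opted in", {})
        # Release only what was asked for, never the whole record.
        return Decision(True, "permitted", {f: cust.data[f] for f in fields})


# Constructed sample customers for the demonstration.
ALICE = Customer("C-1001", notice_delivered=True,
                 data={"name": "Alice", "email": "alice@example.com",
                       "account_number": "4417-0001"})
BOB = Customer("C-1002", notice_delivered=True, marketing_opt_out=True,
               data={"name": "Bob", "email": "bob@example.com",
                     "account_number": "4417-0002"})


def run_demo(model: ConsentModel) -> List[bool]:
    """Push five transfer requests through a gate and return the allow flags."""
    gate = ConsentGate(model)
    requests = [
        (ALICE, Recipient.NONAFFILIATED, Purpose.MARKETING, ["name", "email"]),
        (ALICE, Recipient.NONAFFILIATED, Purpose.MARKETING, ["name", "account_number"]),
        (BOB, Recipient.NONAFFILIATED, Purpose.MARKETING, ["name"]),
        (BOB, Recipient.AFFILIATE, Purpose.MARKETING, ["name"]),
        (BOB, Recipient.NONAFFILIATED, Purpose.SERVICING, ["account_number"]),
    ]
    results = [gate.share(*req).allowed for req in requests]
    for entry in gate.audit_log:
        print(entry)
    return results


if __name__ == "__main__":
    print(run_demo(ConsentModel.OPT_OUT))   # [True, False, False, True, True]
    print(run_demo(ConsentModel.OPT_IN))    # [False, False, False, True, True]
```

The same five requests produce different answers under the two consent models, which is the practical side of the "opt-out is short-sighted, opt-in is visionary" choice: the gate's code does not change, only the flag it consults. The point a practitioner should take from the structure is that the prohibition on account-identifying data is checked before any consent flag, so a customer who has opted in still cannot have an account number forwarded to a nonaffiliated marketer, and that the audit log records refused requests, which is what an internal audit or a regulator will ask to see.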

International Regulatory Space

Global standards for privacy and fair information practices are being set:
– The Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
– The European Union Data Protection Directive sets a legislative floor for data protection laws in EU member states
– Other non-EU states (e.g. Poland) have created similar regulation
– Hong Kong has established its Personal Data (Privacy) Ordinance
– Data protection activity is emerging in Australia, Japan, Latin America, Canada and other jurisdictions

State Regulatory Activities

Recent activity in 17 states includes:
– Requiring opt-in for sharing name, address or phone number (New Hampshire)
– Requiring opt-in before financial services share customer data (Massachusetts)
– Private right of action against companies that sell personal data (Utah)
– Restricting disclosure of personal data without consent or opt-in (California)

HIPAA

Mandated compliance:

– Establishes privacy rights, including notice of information practices, access and correction, and to an accounting of disclosures

– Requires covered entities to maintain administrative and security safeguards to protect data

– Requires written individual authorization for data sharing for purposes not related to providing treatment or payment for treatment

– Requires covered entities to create a privacy office and document compliance procedures

– Does not preempt stronger state laws

GLB and FTC “Requirements”

GLB:
– Identify and assess risks that may threaten customer information
– Develop a written plan containing policies and procedures
– Implement and test the plan
– Adjust the plan on a continuing basis

FTC:
– Web sites should maintain a security program that applies to the personal data they hold
– The elements of the security program should be specified
– The security program should be appropriate to the circumstances

HIPAA

Organizations must protect information against deliberate or inadvertent misuse or disclosure.

Organizations must establish clear procedures to protect patients' privacy

Organizations must designate an official to monitor that system and notify their patients about their privacy protection practices.

EU Data Protection Directive

The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.