Data Privacy – What the CIO and CISO Should Know, Part II
The Black Hat Briefings, Las Vegas, July 26, 2000
Eddie Schwartz, [email protected]
Diana Kelley, LockStar, [email protected]
Agenda
– Part I: What’s All This About? The Privacy Landscape; Impacts
– Part II: Responses and Solutions
Disclaimer: This presentation represents the personal views of the presenter, and neither represents the views of Nationwide nor describes the current or intended practices of Nationwide or its affiliates.
Impacts
“Not content with snatching her body, Starr’s deputies were now invading her mind. They had exposed her sex life and dissected her personality; now they wanted to scrutinize her very soul. It was an invasion too far.”
Monica’s Story, Andrew Morton
Lots of Potential Impact
– Regulatory/Legal
– Brand Name
– Internal Process
– Financial
– Domestic and International
– Privacy Failure Consequences
Regulatory
– Domestic corporations must meet online self-regulatory and regulatory privacy requirements
– Global corporations must meet international data protection regulations
– GLB privacy regulations affect all financial institution and insurance business units, marketing strategies and business relationships
– Health privacy affects many organizations
– Federal financial and health information privacy regulations do not preempt state law, which could mean an even worse patchwork than now
Brand Name Protection
– A privacy failure, even a merely perceived failure to protect customer data, could result in loss of consumer trust, affect customer retention and cause significant damage to brand and company reputation: a potential disaster for a customer-focused business strategy
– Internet businesses are directly affected by e-business privacy concerns and the regulatory scope of the GLBA
– Online privacy practices must be consistent with offline practices
Internal Process Impacts
– Business units, affiliates and subsidiaries will require updated privacy statements and assurance of required practices
– Privacy due diligence is needed for all strategic marketing agreements and strategies, joint ventures, mergers and acquisitions
– Back-end information management practices must support business unit privacy policies; practices must be consistent with the content of the privacy notice
Financial
– Implementing defensible data privacy practices is not cheap: opt-out is the most expensive, do not share is the cheapest
– Bank One estimates an initial cost of $55MM to implement the privacy provisions of GLB, and annual costs in the tens of millions (Source: Gartner Group)
International Impacts
– Global entities must quickly establish processes for international data protection regulations in Europe and Asia-Pacific
– Any potential data export to the U.S. by global entities could be interrupted under most international privacy regulations
– Global corporations should consider preparing a contractual solution for possible data transfers, or implementing practices consistent with the Department of Commerce Safe Harbor Principles for their U.S. operations
Privacy Failure Consequences
– Irreparable damage to brand, reputation, consumer retention and customer-focused business strategy
– Loss of revenue and new business
– Interruption of transborder data flows, applicable penalties in international jurisdictions
– Possible federal and state enforcement actions: millions of dollars spent and loss of flexibility in the marketplace to implement consent decrees, irreparable damage to key business initiatives such as eBusiness
– Litigation from consumers, privacy advocates, business partners
– Civil and criminal penalties for wrongful disclosure of protected health information
The Response and Solutions
“They say it’s the price you pay for fame. But the price tag keeps changing, and it’s gotten worse.”
Christie Brinkley
Planning for Privacy
– Yes, you do need a plan
– No, there isn’t a single solution
– Why a framework is essential: it defines a set of parameters in which privacy policies, procedures, practices, and technology can be implemented, supported and audited.
The Privacy Policy
– The Privacy Policy is where you start
– Options: short-sighted, or visionary
– Opt-out is short-sighted
– Opt-in is the visionary position
– Do not share is the ideal, but not a pragmatic business position for some companies
– The Privacy Policy should be a value-add proposition for customers and for companies
Framework Building Blocks - Policies
– An Enterprise Security or Privacy Policy
– Functional Security and Privacy Policies, a bit more realistic: high level corporate policy; functional sub-policies; specialized and exception policies
– Multiple policies do not have to mean loss of standards: a privacy officer should oversee and approve all policies
Framework Building Blocks - Policies
– Don’t reinvent the wheel: there are many good example policies available
– Internal and external policies are different
– Some organizations may need to craft a customer privacy policy statement for disclosure to consumers
– Remember to have a lawyer’s input and approval
Who Clears On the Policy?
– Short Answer: Everyone
– Better Answer: CEO; Business Units (Products and Operations); General Counsel; Government Affairs; Information Security; I/T
Assess Privacy Policy Impact
(Diagram: the Corporate Privacy Policy at the center, with its impact assessed across Process, Organization, Technology, Compliance, Business Units and Operational Areas)
The Work Plan Approach
– Start by getting a working group together and perform an assessment
– Inventory and map current privacy initiatives, practices and 3rd party sharing
– Identify gaps between current information practices/capabilities and the target policy
– Identify any international issues, particularly transborder data flow relationships
Working Group Members
– General Counsel
– Government Affairs Office
– Product and Operational Leads
– Information Security
– Information Technology
– Human Resources
– Compliance Office
– Internal Audit
Work Plan, Phase II
– Understanding your new policy and the current gaps, develop a compliance strategy and a project plan that will mitigate these risk areas: Process, Organization, Technology, Compliance
Monitor Progress Closely
– Appoint a Privacy Officer: put someone in charge of the entire effort, hold them accountable, but give them some help
– Use a common reporting tool
– Track high risk areas
– Report to a central location
– There are many similarities to the way Y2K projects were handled; use that experience
Work Plan, Phase III
– Execute the Phase II plans and roadmap: actually close the gaps
– Revise business processes, operational scripts, disclosures, etc.
– Change systems, databases, web sites
– Training: get ready to handle the customer service aspect
– Document everything carefully
Framework Building Blocks - Procedures
– Procedures are the rules driven from the policies
– Without them, the policy is useless
– They are as important, if not more so, in the realm of privacy as they are in ‘security’
Do the Security Work
Guidelines:
– GLB Section 501(b) and the recent FTC Advisory Committee on Online Access and Security [Drafts]
– HIPAA/HHS Requirements
– International Requirements (e.g., EU Data Protection Directive 95/46/EC)
More information in Additional Slides
Security Bottom Line
– The statutes are somewhat vague; basically, you have to have a real security program in place
– You need to meet a demonstrable “standard of due care”
– If you don’t already have support for your security program, add this fuel to the fire
Framework Building Blocks - Tools in the Toolbox
– Perimeter: firewalls, intrusion detection
– Identification, Authentication, Authorization: two-factor, data segmentation, directory services, role-based access
– PKI/Encryption: digital IDs, digital signatures, VPNs
– Access Auditing: notice, data integrity, Opt In/Opt Out
Framework Building Blocks - Architecture and Technology
– Policies and procedures build the foundation for technology use practices
– The technology does the end work of encrypting, storing, and transporting the data
– Don’t forget the legacy; be realistic about constraints
– Incorporate the privacy technology, don’t bolt it on
Privacy Technology Landscape
– P3P
– Customer Life-Cycle Management
– Anonymizer (et al)
– One-Off Solutions: Cookie Pal, SiegeSurfer, WindowsWasher
Other Good “Due Care” Practices
– Get serious about data classification and security certification of applications
– Build Data Privacy compliance into due diligence and standard “certification” and marketing processes
– Use a QA process (SSE-CMM)
– Conduct audits once a compliance program is established
Other Good “Due Care” Practices
– Typical security “general controls,” but the privacy issue lends more urgency
– Require employees to sign confidentiality agreements
– Maintain warning banners on application systems
– Consider the value of 3rd party assurance (TrustE, Better Web, CPA Web Trust, etc.)
Privacy Assurance Expectations
ISO-type standards for certification of data privacy standards by 2002/3
Incorporation of Data Privacy Process Areas into the SSE-CMM
“Privacy brokers” and other electronic intermediaries
Third party assurance will become the norm especially for B2B relationships
Framework Building Blocks – Test and Train
– Education is essential! Deliver staff training on the issue:
– Legal and ethical requirements – no one can opt-out!
– Solicit feedback
– Management involvement and clear sponsorship
– Don’t expect perfection
– Practices that are not reasonable will not be followed
– Get buy-in and get it in writing
– Watch and learn, hone as necessary
Words to the Wise
– Define roles and responsibilities up-front
– Don’t underestimate the work involved and the associated costs and time to complete
– Use formal approaches for gap analysis, risk assessment, planning, and risk mitigation
– It’s time for management (especially I/T) to get serious about security
– Budget, budget, budget
– Training
Some Good Books
– “The Transparent Society”, David Brin, ISBN 020132802X
– “The Unwanted Gaze”, Jeffrey Rosen, ISBN 0679445463
– “The Hundredth Window: Protecting Your Privacy and Security in the Age of the Internet”, Charles Jennings, Lori Fena, ISBN 068483944X
– “For the Record: Protecting Electronic Health Information”, Computer Science and Telecommunications Board, ISBN 0309056977
– “1984”, George Orwell, ISBN 0451524934
– “Brave New World”, Aldous Huxley, ISBN 0060929871
A Few of Many Privacy Links
Regulatory
– GLB: http://www.bog.frb.fed.us/BoardDocs/Press/BoardActs/2000/20000621
– FTC: http://www.ftc.gov/acoas/papers/finalreport.htm
– HIPAA: http://aspe.hhs.gov/admnsimp/
– EU: http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html
General Info
– http://www.privacyexchange.org
– http://www.epic.org
– http://www.privacyplace.com
– http://www.eff.org
– http://www.leglnet.com/libr-priv.htm
– http://www.privacyalliance.org
– http://www.healthcaresecurity.org
More Links
Technology and Services
– http://www.w3.org/P3P/
– http://www.pwcglobal.com/Extweb/service.nsf/docid/CCA86E5E9DF78C37852567A0006520E4
– http://www.ibm.com/services/e-business/security.html
– http://www.truste.com
– http://www.junkbusters.com/
– http://www.anonymizer.com/index.shtml
– http://www.siegesoft.com/products.shtml
– http://www.kburra.com/cpal.html
– http://www.privacyright.com
Additional Slides
– Regulatory Details (4 slides)
– Security Requirements of GLB, FTC, HIPAA, and EU (3 slides)
Gramm-Leach-Bliley (S.900)
– GLB regulates privacy practices of financial institutions, including insurers
– Requires institutions to have privacy policies and to disclose privacy and fair information practices
– Requires institutions to provide notice and opt-out opportunity to individuals before sharing their personal data for marketing purposes with nonaffiliated third parties
– Prohibits sharing account identifying information with nonaffiliated third parties for marketing purposes
– Joint marketing agreements must require compliance by both parties
– Does not preempt stronger state laws; states are already moving to adopt stronger regulations
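As an added example (not part of the presentation), the GLB sharing rules on this slide encoded as a data-sharing gate that an institution's back-end could run before releasing customer records; the field names, purposes and the sample customer are constructed assumptions, and affiliate or non-marketing transfers simply pass through because the slide does not describe rules for them.

```python
"""Data-sharing gate for the GLB rules summarised on the slide above.

Added illustration, not the presenters' material. Field names, purposes
and sample records are constructed for the example.
"""
from dataclasses import dataclass, field

# Fields treated as "account identifying information" (constructed list)
ACCOUNT_IDENTIFIERS = {"account_number", "card_number", "access_code"}


@dataclass
class Customer:
    customer_id: str
    notice_given: bool           # privacy notice delivered before sharing
    opted_out: bool              # customer exercised the opt-out
    data: dict = field(default_factory=dict)


@dataclass
class ShareRequest:
    recipient_affiliated: bool   # affiliate vs nonaffiliated third party
    purpose: str                 # e.g. "marketing", "servicing"
    fields: set = field(default_factory=set)


def evaluate_share(cust: Customer, req: ShareRequest) -> tuple:
    """Return (allowed, fields_to_send, reason).

    Nonaffiliated marketing sharing needs prior notice and no opt-out;
    account identifiers are never sent to nonaffiliated parties for
    marketing. Other transfers are not gated by this example.
    """
    if req.recipient_affiliated or req.purpose != "marketing":
        return True, set(req.fields), "not a nonaffiliated marketing transfer"
    if not cust.notice_given:
        return False, set(), "no privacy notice delivered"
    if cust.opted_out:
        return False, set(), "customer opted out"
    # Strip account identifying fields before release
    permitted = set(req.fields) - ACCOUNT_IDENTIFIERS
    if not permitted:
        return False, set(), "only account identifiers requested"
    return True, permitted, "notice given, no opt-out, identifiers stripped"


if __name__ == "__main__":
    # Constructed sample: a marketing partner asks for name, address and account number
    cust = Customer("c1", notice_given=True, opted_out=False)
    req = ShareRequest(False, "marketing", {"name", "address", "account_number"})
    print(evaluate_share(cust, req))
```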
International Regulatory Space
Global standards for privacy and fair information practices are being set:
– The Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
– The European Union Data Protection Directive sets a legislative floor for data protection laws in EU member states
– Other states outside the EU (e.g. Poland) have created similar regulation
– Hong Kong has established its Personal Data (Privacy) Ordinance
– Data protection activity is emerging in Australia, Japan, Latin America, Canada and other jurisdictions
State Regulatory Activities
Recent activity in 17 states includes:
– Requiring opt-in for sharing name, address or phone number (New Hampshire)
– Requiring opt-in before financial services share customer data (Massachusetts)
– Private right of action against companies that sell personal data (Utah)
– Restricting disclosure of personal data without consent or opt-in (California)
HIPAA
Mandated compliance:
– Establishes privacy rights, including notice of information practices, access and correction, and to an accounting of disclosures
– Requires covered entities to maintain administrative and security safeguards to protect data
– Requires written individual authorization for data sharing for purposes not related to providing treatment or payment for treatment
– Requires covered entities to create a privacy office and document compliance procedures
– Does not preempt stronger state laws
GLB and FTC “Requirements”
GLB
– Identify and assess risks that may threaten customer information
– Develop a written plan containing policies and procedures
– Implement and test the plan
– Adjust the plan on a continuing basis
FTC
– Web sites should maintain a security program that applies to the personal data they hold
– The elements of the security program should be specified
– The security program should be appropriate to the circumstances.
HIPAA
Organizations must protect information against deliberate or inadvertent misuse or disclosure.
Organizations must establish clear procedures to protect patients' privacy
Organizations must designate an official to monitor that system and notify their patients about their privacy protection practices.
EU Data Protection Directive
The controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.