Privacy Legislation and Information Security Policy: Understanding the Connection, Study notes of Computer Science

An in-depth analysis of privacy legislation and its relation to information security policies. It covers various privacy laws, their relevance, and the challenges of managing personal data. The document also discusses the cost of privacy and the impact of EU Directive 95/46 on US businesses. Students and professionals in the fields of computer science, information security, and law will find this document useful for understanding the legal and practical aspects of privacy and data protection.

Typology: Study notes
Pre 2010
Uploaded on 08/05/2009
Uploaded by: koofers-user-2n3

Partial preview of the text

Slide 1: Privacy Legislation and Information Security Policy
Giovanni Iachello, College of Computing, Georgia Institute of Technology
Course: Privacy Legislation - CS6725 Security Policy

Slide 2: Why Is Privacy Legislation Relevant?
- It is expanding to cover more and more industries
- Most privacy legislation includes explicit security provisions
  – Technical requirements
  – Process requirements
- Relation to identity theft: high profile, rampant increase

Slide 3: Personal Privacy vs. Data Protection
Personal privacy
- "Protecting one's personal space"
- E.g.: Fourth Amendment
- Continuous boundary definition
- Shelter, personal contact and invasions, wiretapping
- Blocks off sharing
- Altman, 1975, The Environment and Social Behavior
Data protection
- Information self-determination
- E.g.: Fair Information Practices (FIPS)
- Set privacy policies and enforce them
- Large databases, data mining
- Enables sharing
- Westin, 1971, Information Technology in a Democracy

Slide 4: Personal Data Protection Legislation Timeline
- 1962-1966: Discussion over the National Data Center (USA)
- 1966: Freedom of Information Act (USA)
- 1968-72: First specific data protection provisions (Germany)
- 1977-83: 1st generation comprehensive legislation (Germany, UK)
- 1980: OECD Guidelines on the protection of privacy and transborder flows of information
- 1990: 2nd generation legislation
- 1995: EU data protection directive
- 1996: Health Insurance Portability Act
- 1999: Gramm-Leach-Bliley Act (USA) (financial sector)
- 2000: Safe Harbor
- 2001-: 3rd generation legislation

Slide 5: General Data Protection Terms
- Personal information (PI)
  – Personal data: any personally identifiable information
  – Sensitive data: information pertaining to health, political and religious opinions, and any other item that may be used to discriminate against individuals
- Informed consent
- Purpose for use
- Minimal disclosure

Slide 6: Personal Data Management Challenges
- New data protection laws
  – EU Directive 95/46
  – US Privacy Act, FISMA, HIPAA (2003)
- Example requirements
  – User preferences (e.g. consent choices...)
  – Information access for the data subject
  – Constraints (e.g. expiration, usage limitations...)
- (Figure: DPA, Data Processor, Data Controller, Data Subject)

Slide 7: Stakeholders
- Data subject: whom the PI relates to
- Data collector: gathers and uses the PI
- Data processor: who is processing/managing the PI
- Data protection authority (DPA): oversees regulation and administers recourse

Slide 8: Two Approaches: US vs. EU
US
- Data protection legislation is embedded in various laws on a per-industry basis
- Government agencies have strong privacy requirements
EU
- Comprehensive blanket legislation
- Applies to all industries
- Government agencies have in general weaker compliance requirements than industry
- Federal rules harmonize state legislation
- Other countries follow either model (most often, the EU model)

Slide 9: US Data Protection Legislation
- Federal Trade Commission Act
- Gramm Leach Bliley Act (1999)
- Fair Credit Reporting Act / Fair and Accurate Credit Transactions Act (2003)
- Children's Online Privacy Protection Act (1999)
- Privacy Act (1974)
- Family Educational Rights and Privacy Act (1975)
- Health Insurance Portability and Accountability Act (1996)
- Common Carrier Regulation

Slide 10: FTC Act (1914, 1938, 1983)
- Prohibits unfair or deceptive practices
- Used to enforce privacy policies on websites
- FTC also challenges information practices that cause substantial consumer injury

Slide 11: Gramm Leach Bliley (1999) (GLB)
- Covers most financial institutions
- Institutions must safeguard personally identifiable financial information
- Subjects must receive disclosure of privacy policies and practices
- Forbids transferring financial information to third parties
- Supervised by FTC and SEC

Slide 12: Fair Credit Reporting Act (1996, 2002)
- Conditions of disclosure and use
- No resale / further distribution
- Redress
- Data quality
- Notice requirements
- Individual responsibility
- Supervised by FTC

[Slides 13-24 are not included in this preview.]

Slide 25: The Cost of Privacy
- HIPAA: most provisions entered into effect in 2003
- Not much hard data yet, only projections
- In 2004, estimate of HIPAA costs: $10M at Johns Hopkins Medicine
- But...
  – Complex legislation, not only privacy
  – Much may have been necessary anyhow
  – Other problems

Slide 26: EU Directive 95/46 and Impact on US Businesses: Safe Harbor
- EU law disallows transfer of personal data to third countries missing "adequate protection guarantees" (e.g. the US)
  – Potentially disruptive for EU-US commerce (financial, health, transportation, etc.)
- Solution: "Safe Harbor" status granted on a per-institution basis
- US companies commit to manage the information by European standards
- Oversight by the DoC
- European institutions are allowed to transfer information to safe harbor organizations in the USA

Slide 27: Safe Harbor Issues 1999-2003
- Slow start
  – 2003: approx. 300 companies in the program
  – 2005: approx. 860
- Consumers unaware of rights -> no recourse
- Control and enforcement by DPAs of IDT
  – Overly lax or too tight controls
  – No penalties for infringing companies (except revoking status)
- Simplification of the conditions for international transfers desirable
- Does not cover third party processors
- Does not extend to outsourcing countries (India) -> use of other instruments: SCC, BCR...

Slide 28: Techniques for Managing Personal Information
- It is hard to build privacy onto established processes
  – Consider all stakeholders' requirements
  – Reduce the need for information
  – Assign responsibilities
  – Redesign workflow
  – Increase security (e.g. passwords, locked cabinets)

Slide 29: Tools for Managing Personal Information
- Integrate privacy policies in information management, workflow automation and CRM systems
  – E.g. the add-ons to the IBM Tivoli system
- Example: on a web site provide:
  – policies,
  – opportunity to consent,
  – access to individual profiles to change preferences,
  – expiry of unused profiles,
  – contact points for questions.

Slide 30: Third Party Management
- Requirements:
  – ensuring data confidentiality and integrity
  – tracking what information may be disclosed to external entities
  – verifying third party operating procedures
  – transmission of changes of data subjects' preferences, or of the data itself, to third parties (in chain-like fashion)
  – the data collector must enforce and verify that all third parties have actually deleted the data

Slide 31: Management Standards Do Not Help
- ISO 17799 lacks support for privacy
- Security-relevant requirements in data protection laws are not addressed by the standard
  – E.g. communication of security risks to customers
  – Processes to access and amend personal data
  – ...
- In general, this applies also to other popular security management guidelines

Slide 32: Example Personal Privacy Legislation
- Electronic Communications Privacy Act (1986)
- EU Directive 2002/58
- Regulates
  – wiretapping
  – collection and use of telecom traffic data and content data
  – ECPA also regulates environmental recording

Slide 33: Telecom Privacy Protection: Terms
- Traffic data / transaction records
  – call records, billing, etc.
  – signaling info
  – cell phone location data
  – Internet: HTTP headers, mail headers
- Content data / communication content
  – voice conversation, content of HTML pages, content of emails

Slide 34: One-Party / Multiple-Party Consent
- One-party consent
  – Only one party taking part in the conversation must consent to recording (potentially the person who is recording) (Georgia, ...)
- Two-party consent
  – All parties in the conversation must consent (California, Massachusetts, ...)

Slide 35: Katz vs. United States (1967)
- Use of sensing technology in public "private space"
- Redefinition of private space
  – Where the subject actively seeks to hide from the public
  – The Fourth Amendment protects people, not places
- Role of sensing technology
  – No physical introduction of sensing devices is necessary

Slide 36: Kyllo vs. United States (2000)
- Use of advanced sensing technologies to search within a protected area
- Reasonable expectation of privacy
  – Use of advanced sensing technologies "not in general use"
  – Definition shifts over time
- Definition of "search"
  – Subject must manifest a subjective expectation of privacy

Slide 37: ECPA (1986)
- ECPA, Electronic Communications Privacy Act (Federal)
  – Regulates wiretapping and some forms of surveillance
  – Prohibits third-party capture when there is a reasonable expectation of privacy
  – Constitutional basis: plain view rule
- State laws
  – Some states add two-party consent (e.g. California)
  – Some states require an audible reminder during recording

Slide 38: Summing Up...
- More legislation is being prepared
- Increasing communication with foreign countries
- Increasing regulatory impact on computing systems
- YOU will have to care; it will be the direct responsibility of system designers and managers

Slide 39: Links
- GLB and FTC Privacy: http://www.ftc.gov/privacy/
- FOIA: http://www.usdoj.gov/foia/privstat.htm
- HIPAA critique: http://www.jhu.edu/jhumag/1104web/hipaa.html
- HIPAA regulations: http://www.hhs.gov/ocr/combinedregtext.pdf
- Wireless Privacy Act: http://www4.law.cornell.edu/uscode/html/uscode47/usc_sec_47_00000222----000-.html
- Clipper: http://www-cse.stanford.edu/classes/cs201/projects-95-96/clipper-chip/history.html
- Cybercrime treaty: http://conventions.coe.int/treaty/EN/projets/cybercrime27.htm
- DRM overview papers by industry: http://www.w3.org/2000/12/drm-ws/
- SDMI: http://www.cs.princeton.edu/sip/sdmi/
- Trusted Computing: http://www.trustedcomputing.org/tcpaasp4/index.asp
- EU Privacy Directive: http://europa.eu.int/comm/justice_home/fsj/privacy/index_en.htm
- Safe Harbor: http://www.export.gov/safeharbor/
- Identity Theft: http://www.cacr.math.uwaterloo.ca/conferences/2002/isw-eleventh/givens.ppt
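The management requirements on slides 28 to 30 (consent and purpose limitation, expiry of unused profiles, pushing preference changes and deletions to third parties in chain-like fashion, and verifying that every third party actually deleted the data) can be exercised in code. The Python below is an added example written for this page, not part of the lecture or of any product it mentions: the class names, the 90-day idle policy, the vendor names and the sample records are all constructed, and NonCompliantThirdParty is a deliberately constructed failure case so the deletion check has something to report.

```python
"""Personal-data registry with purpose-bound access, expiry of unused profiles and
chain-like propagation of preference changes and deletions to third parties, with
verification of deletion (the controls on slides 28-30). Added example: all class
names, policy values, vendor names and sample records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Record:
    data: dict                # the personal information itself
    purposes: set             # purposes the subject consented to
    last_used: datetime       # drives expiry of unused profiles
    shared_with: list = field(default_factory=list)  # third parties holding a copy


class ThirdParty:
    """A downstream processor that may forward data further down a chain."""

    def __init__(self, name, downstream=()):
        self.name, self.downstream, self.copies = name, list(downstream), {}

    def receive(self, subject_id, data, purposes):
        self.copies[subject_id] = (dict(data), set(purposes))
        for nxt in self.downstream:
            nxt.receive(subject_id, data, purposes)

    def update_preferences(self, subject_id, purposes):
        if subject_id in self.copies:
            self.copies[subject_id] = (self.copies[subject_id][0], set(purposes))
        for nxt in self.downstream:
            nxt.update_preferences(subject_id, purposes)

    def delete(self, subject_id):
        # Delete here and downstream; return names of parties still holding a copy.
        self.copies.pop(subject_id, None)
        return [n for nxt in self.downstream for n in nxt.delete(subject_id)]


class NonCompliantThirdParty(ThirdParty):
    """Constructed failure case: a processor that ignores deletion requests."""

    def delete(self, subject_id):
        return [self.name] + [n for nxt in self.downstream for n in nxt.delete(subject_id)]


class PersonalDataRegistry:
    """The data collector's store; every access must declare a purpose."""

    def __init__(self, max_idle=timedelta(days=365)):
        self.records, self.max_idle = {}, max_idle

    def store(self, subject_id, data, purposes, now):
        self.records[subject_id] = Record(dict(data), set(purposes), now)

    def access(self, subject_id, purpose, now):
        rec = self.records[subject_id]
        if purpose not in rec.purposes:               # purpose limitation / consent gate
            raise PermissionError(f"{subject_id}: no consent for {purpose!r}")
        rec.last_used = now
        return rec.data

    def disclose(self, subject_id, third_party, purpose, now):
        data = self.access(subject_id, purpose, now)  # same consent gate applies
        third_party.receive(subject_id, data, self.records[subject_id].purposes)
        self.records[subject_id].shared_with.append(third_party)

    def update_preferences(self, subject_id, purposes):
        rec = self.records[subject_id]
        rec.purposes = set(purposes)
        for tp in rec.shared_with:                    # push the change down the chain
            tp.update_preferences(subject_id, rec.purposes)

    def erase(self, subject_id):
        # Delete locally, order deletion downstream, report parties that did not comply.
        rec = self.records.pop(subject_id)
        return [n for tp in rec.shared_with for n in tp.delete(subject_id)]

    def expire_unused(self, now):
        stale = [s for s, r in self.records.items() if now - r.last_used > self.max_idle]
        return {s: self.erase(s) for s in stale}


def demo():
    """Exercise the controls over constructed records; returns the outcomes."""
    t0 = datetime(2009, 8, 5)
    analytics = ThirdParty("analytics-vendor")
    mailer = ThirdParty("mailing-house", downstream=[analytics])
    broker = NonCompliantThirdParty("legacy-broker")
    reg = PersonalDataRegistry(max_idle=timedelta(days=90))
    reg.store("alice", {"email": "alice@example.test"}, {"billing", "marketing"}, t0)
    reg.store("bob", {"email": "bob@example.test"}, {"billing"}, t0)
    reg.disclose("alice", mailer, "marketing", t0)
    reg.disclose("alice", broker, "marketing", t0)
    try:                                              # bob never consented to marketing
        reg.access("bob", "marketing", t0)
        denied = False
    except PermissionError:
        denied = True
    reg.update_preferences("alice", {"billing"})      # reaches analytics via mailer
    chain_ok = analytics.copies["alice"][1] == {"billing"}
    reg.access("bob", "billing", t0 + timedelta(days=60))
    expired = reg.expire_unused(t0 + timedelta(days=120))   # alice idle > 90 days
    return {"denied": denied, "chain_ok": chain_ok, "expired": expired,
            "left": sorted(reg.records), "analytics_cleared": "alice" not in analytics.copies}
```

erase() returns the names of parties that did not confirm deletion, which is the data collector's follow-up list for the last requirement on slide 30; here a third party's confirmation is modelled as a return value, whereas in a real deployment it would arrive over the contractual or API channel agreed with that processor, and the registry should record it rather than assume it.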