
Page 1

Information Security’s New Partner: Privacy

A Presentation for:

ISACA WNY Controls and Compliance Conference 2017

by:

Brandan Keaveny, Ed.D., CIPM

Copyright 2017, Data Ethics LLC 1

Page 2

Objectives

Participants will

1) be able to identify where privacy and security processes overlap and where they are different.

2) be able to identify different types of privacy management considerations.

3) relate the concepts of privacy to a reality based scenario.

4) be introduced to the IAPP, and be knowledgeable about the efforts occurring to form a regional chapter.

Page 3

Privacy in Context, A Video Scenario

Page 4

Privacy in Context-Things to Consider

• Is this situation a privacy issue or a security issue or both?

• What are the differences between privacy and security?

Page 6

Defining privacy

• 1a : the quality or state of being apart from company or observation : SECLUSION

1b : freedom from unauthorized intrusion <one's right to privacy>

• 2 archaic : a place of seclusion

• 3a : SECRECY

3b : a private matter : SECRET

Source: Privacy. (n.d.). Retrieved February 8, 2017, from https://www.merriam-webster.com/dictionary/privacy

Page 7

Further refining the definition:

• General: the right to be free from secret surveillance and to determine whether, when, how, and to whom, one's personal or organizational information is to be revealed.

• In specific, privacy may be divided into four categories:

1. Physical: restriction on others to experience a person or situation through one or more of the human senses;

2. Informational: restriction on searching for or revealing facts that are unknown or unknowable to others;

3. Decisional: restriction on interfering in decisions that are exclusive to an entity;

4. Dispositional: restriction on attempts to know an individual's state of mind.

Source: privacy. BusinessDictionary.com. Retrieved February 04, 2017, from BusinessDictionary.com website: http://www.businessdictionary.com/definition/privacy.html

Page 8

Classes of Privacy

As defined by Banisar and Davies:

• Information privacy, involving the establishment of rules governing the collection and handling of personal data such as credit information and medical records;

• Bodily privacy, concerning the protection of people's physical beings against invasive procedures such as drug testing and cavity searches;

• Privacy of communications, covering the security and privacy of mail, telephones, email and other forms of communication; and

• Territorial privacy, concerning the setting of limits on intrusion into the domestic and other environments such as the workplace or public space.

Source: Banisar, D. & Davies, S. (1999). Global trends in privacy protection: An International survey of privacy, data protection, and surveillance laws and developments. John Marshall Journal of Computer & Information Law 18.

Page 9

What is the relationship between privacy and security?

Security aims to ensure the confidentiality, integrity and availability of data as it is stored, transmitted and used.

Privacy addresses the rights of individuals to control how, and to what extent, information about them is collected and further processed.

Source: Densmore, R (2013). Privacy Program Management: Tools for Managing Privacy Within Your Organization. Portsmouth, NH: International Association of Privacy Professionals.

Page 10

Privacy Depends on Security

Condition (impact on Privacy / Security):

• The server is not secure.

• Someone with legitimate access provided information to someone else.

• Someone with legitimate access at the time obtains information and then shares it at a later date.

• A network environment can be secure; however, the way information legitimately obtained from it is later used may still lead to the disclosure of private information.

• If a network environment is not secure, there is no way privacy can be assured.

• Hacking v. Leaking

Page 11

What is the relationship between privacy and security?

Information security and privacy practices exist within a mutual space of data protection.

Page 12

Back to the Scenario: Privacy in Context

Problem: Several days after the debate, records are leaked to the media showing that the young candidate was suspended as a sophomore in high school for cyberbullying.

Situation: An attorney for the candidate contacts you for consultation as to how this information could have been obtained.

Question: How do you respond?

Page 13

Are these valid questions?

• Were the school district databases hacked?

• Did someone from the school district have legitimate access to the database?

• Did someone at one time have legitimate access, archive the information locally, and then lose a copy of the data?

Page 15

NYS Information Security Breach and Notification Act

• The NYS Information Security Breach and Notification Act is comprised of section 208 of the State Technology Law and section 899-aa of the General Business Law.

• State entities and persons or businesses conducting business in New York who own or license computerized data which includes private information must disclose any breach of the data to New York residents (state entities are also required to notify non-residents).

Source: New York State Office of Information Technology Services (https://its.ny.gov/eiso/breach-notification)

Page 16

NYS Information Security Breach and Notification Act

§899-aa of the General Business Law

• Personal Information shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such a natural person.

• Private Information shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:

• Social Security number

• Driver’s license number or non-driver identification card number

• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Source: New York State Office of Information Technology Services (https://its.ny.gov/eiso/breach-notification)
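The definition above can be applied mechanically to a set of compromised records to decide which of them are in scope for notification. The following is an added example, not material from the presentation or from New York State; the record layout, field names such as `subject_state`, `key_acquired` and `has_access_code`, and the sample records are constructed assumptions. It applies the encryption exemption exactly as the slide states it (encrypted data is out of scope only if the key was not also acquired), requires a security code for an account or card number to count, and uses the residency rule from the earlier slide (businesses notify New York residents; state entities also notify non-residents).

```python
"""Breach-scope triage against the "private information" definition quoted
above (NY GBL section 899-aa). Added example, not material from the
presentation or from New York State; the record layout, field names and
sample records are constructed for illustration."""
from dataclasses import dataclass

# Data elements that, combined with personal information, make a record
# "private information" under the definition quoted on the slide.
SENSITIVE_ELEMENTS = {
    "ssn",                # Social Security number
    "drivers_license",    # driver's license / non-driver ID card number
    "financial_account",  # account, credit or debit card number
}


@dataclass(frozen=True)
class Record:
    """One compromised record (constructed layout, not a real schema)."""
    record_id: str
    subject_state: str              # state of residence of the individual
    identifiers: frozenset          # personal information present, e.g. {"name"}
    elements: frozenset             # data elements present, e.g. {"ssn"}
    encrypted: bool                 # were the PI and element stored encrypted?
    key_acquired: bool = False      # was the encryption key also acquired?
    has_access_code: bool = False   # code/password that permits account access


def is_private_information(rec: Record) -> bool:
    """Apply the slide's definition to one record."""
    # "Personal information" is required: something that identifies the person.
    if not rec.identifiers:
        return False
    # Encryption only takes the record out of scope if the key was NOT also
    # acquired; encrypted data together with a stolen key still counts.
    if rec.encrypted and not rec.key_acquired:
        return False
    elements = set(rec.elements)
    # An account or card number counts only together with a security code,
    # access code or password that would permit access to the account.
    if "financial_account" in elements and not rec.has_access_code:
        elements.discard("financial_account")
    return bool(elements & SENSITIVE_ELEMENTS)


def notification_scope(records, entity_is_state: bool = False) -> list:
    """Record IDs whose subjects must be notified, per the slide: New York
    residents always; non-residents only when the entity is a state entity."""
    return sorted(
        r.record_id
        for r in records
        if is_private_information(r)
        and (r.subject_state == "NY" or entity_is_state)
    )


# Constructed sample of compromised records (not real data).
SAMPLE_RECORDS = [
    Record("r1", "NY", frozenset({"name"}), frozenset({"ssn"}), encrypted=False),
    Record("r2", "NY", frozenset({"name"}), frozenset({"ssn"}), encrypted=True),
    Record("r3", "NY", frozenset({"name"}), frozenset({"ssn"}), encrypted=True,
           key_acquired=True),
    Record("r4", "PA", frozenset({"name"}), frozenset({"drivers_license"}),
           encrypted=False),
    Record("r5", "NY", frozenset({"name"}), frozenset({"financial_account"}),
           encrypted=False),
    Record("r6", "NY", frozenset({"name"}), frozenset({"financial_account"}),
           encrypted=False, has_access_code=True),
    Record("r7", "NY", frozenset(), frozenset({"ssn"}), encrypted=False),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        status = "private information" if is_private_information(rec) else "out of scope"
        print(rec.record_id, status)
    print("business must notify:", notification_scope(SAMPLE_RECORDS))
    print("state entity must notify:",
          notification_scope(SAMPLE_RECORDS, entity_is_state=True))
```

Records r2 (encrypted, key not acquired), r5 (card number without an access code) and r7 (no identifying personal information) fall outside the definition; r4 is in scope but only a state entity must notify its out-of-state subject. Whether the encryption key was also acquired is a finding of the security investigation, which is the practical point of the slide: the legal scope of a privacy breach depends on facts only the security side can establish.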

Page 17

NYS Information Security Breach and Notification Act

§899-aa of the General Business Law

• Under section 899-aa of the General Business Law, a person or business conducting business in New York must also notify three (3) NYS offices: the NYS Attorney General; the NYS Division of State Police; and the Department of State's Division of Consumer Protection.

• Notification Requirements to those individuals affected by the breach

Source: New York State Office of Information Technology Services (https://its.ny.gov/eiso/breach-notification)

Page 18

Taking the first step to implementing a Privacy Program

• Does your organization/business have a privacy statement that is derived from a privacy policy?

• Components of a Privacy Policy

Page 19

www.iapp.org

Page 20

About the IAPP

• A global community for privacy professionals to connect, share best practices, advance privacy management issues and exchange ideas

• More than 26,000 members spanning 88 countries

• A resource that provides services, education, networking, conferences and certification addressing the latest privacy trends and challenges

www.iapp.org

Page 21

KnowledgeNet Chapters

Meet other privacy pros in your area, network and learn something new.

• 75+ chapters worldwide

• 200+ chapter activities held worldwide per year

• Free for members; guests and non-members are allowed to attend one meeting as space allows

• Earn free CPE credits

Learn more: www.iapp.org/connect/communities/chapters

www.iapp.org

Page 22

Contact Information

• www.DataEthics.net

• 585-270-1981

[email protected]
