“Privacy in America: Your Role as Guardians of the Public’s Data”
Professor Peter P. Swire
Moritz College of Law
The Ohio State University
Ohio Digital Government Summit
October 1, 2008

Theme for Today
• You are the guardians of the public’s personal data
• The systems you create will enable E-government, democracy, public services
• The systems should do it in a way that ensures the public’s privacy and security
• It is a proud responsibility to build these systems for the benefit of our fellow citizens

Overview
• My background
• You are the guardians:
  • HIPAA: why privacy & security matter
  • Public records: don’t cause theft
  • Data breach: the most important current regulation on data holders
  • Privacy Impact Assessments: being thoughtful about data uses
• Big privacy issues today
• What McCain & Obama have said on privacy

Swire Background
• Now Ohio State law professor, live in D.C.
• Active in many privacy & security activities
• Senior Fellow, Center for American Progress
• Chief Counselor for Privacy, 1999-2001, U.S. Office of Management & Budget
• WH coordinator, HIPAA privacy rule
• Public records & privacy
• Federal government’s own data
• Computer security
• Other: financial, Internet, national security & FISA

Background
• Since 2001: Many writings and presentations
  • www.peterswire.net
  • www.americanprogress.org
• “Privacy Year in Review” distributed to all members of the International Association of Privacy Professionals
• Lead author of book that is official study guide for Certified Information Privacy Professional exam

Guardians I: HIPAA
• The 1996 history
• “Administrative simplification” in Health Insurance Portability & Accountability Act
• Half the $ in medical system are federal
• No more payments by paper
• Standardized “transaction and code set” rule
• Save many billions with electronic & standardized payment formats for health care

HIPAA History
• If all health payments become electronic, what would happen to privacy & security?
• No previous federal standards for health privacy & security
• Congress said should build privacy & security in at the same time as shift to electronic payments

HIPAA History
• Congress didn’t pass legislation
• HHS proposed rule in 1999
• Over 53,000 public comments
• Final rule December, 2000
• Bush Administration modest changes 2002
• In effect since 2003

Lessons from HIPAA
• Privacy & security should be built in to new IT systems
• Patching later won’t work as well, often won’t happen & will cost a lot more
• HIPAA far from perfect
• Implementation & guidance budget cut way back from original plans
• Significant success to date & clearly better than not having these protections in place

Next in Health Care
• Electronic health records (EHRs)
  • How to connect providers into a National Health Information Network
• Personal health records (PHRs)
  • Individuals/families manage health records the way they do personal finances
  • Microsoft HealthVault, Google Health, Dossia & others
• How to build privacy & security into these?

Guardians II: Public Records
• Strong Ohio tradition of open public records
• Freedom of information & transparency lead to better government, lower costs for citizens to get information & many other benefits
• Not every record should become public
• Especially records that can lead to theft or identity theft

Bankruptcy Study 2000
• When in White House, I helped lead a study on a federal records system – bankruptcy records
• Proposal was pending – simply put all records on line
• History of open access to these court records
• New system less expensive if simply shift to electronic

Bankruptcy Study
• Key data fields:
• Bankruptcy records contain details on financial assets, so creditors know the claims on the estate
• Bank account numbers, security brokerage account numbers, etc., and amount in each account (often $$$)
• A tempting target for pretexting
• Is it a good idea to put those up on the Internet?

Lessons on Public Records
• For data fields that lead to pretexting and identity theft, there is significant risk from simply posting to the Internet
• As Ohio has done, work through the risks of these key data fields in managing your public records
• See Swire NACO presentation, at www.peterswire.net

Guardians III: Data Breaches
• California history on data breaches
• SSNs and other personal data compromised for all/most state of California employees in 2002
• California passed the data breach law, requiring notice for breaches in both public and private sectors
• The idea swept the nation – almost all states have such laws today

Correcting a Market Failure
• Data is held by government agency or corporation
• If breach happens, the cost is mostly on the individuals whose data is put at risk
• Under-investment in protecting the data
• Could have liability on data holder for breach (currently none)
• Instead, have publicity on data holder – data breach laws

The Future of Data Breach
• Trend toward broader set of triggers for data breach
  • Health care data
  • Biometrics (once gone …)
• Required/encouraged encryption
• Trend toward reporting to a state authority
• Ecosystem can learn more about breaches
• A major responsibility for you as data guardians, and that will continue

Guardians IV: PIAs
• Privacy Impact Assessments
• Best practice for feds by 2000
• Required for new federal IT systems in E-Government Act of 2002
• Ohio: New requirement of Privacy Impact Assessments (HB 46, § 125.18 Ohio Revised Code)

PIAs for Cities & Counties
• PIA process for federal and state, now
• Emerging best practice for government at all levels
• Ohio memo at http://www.oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2008.02.pdf
• The HIPAA lesson – build it right from the start for privacy and security

August 13 Memo on State PIAs
• Edmondson memo requiring state of Ohio agencies to do privacy assessments
• Privacy Threshold Analysis (and then PIA, as needed):
  • When use information technology to collect new information
  • When agencies develop, buy, or contract out for new information technology systems to handle collections of personally identifiable information, or
  • When agencies conduct ad hoc queries of commercial databases containing personally identifiable information

Views of the Candidates
• McCain released privacy policy paper on Aug. 14 – on campaign site
• My analysis, http://wonkroom.thinkprogress.org/2008/08/15/swire-mccain-internet-policy/

Limited Role for Government
• For private sector data, basic approach is “self-regulation” – limited role for government
• “Government -- Government must promote a culture of personal security through consumer education initiatives, incentives for the development of secure technologies, and stronger enforcement of laws to protect our citizens, particularly children.”

Obama and Private Sector Data
• Cautious about regulation, but believes common-sense measures may be appropriate for emerging areas of concern
  • Location information (cell phones)
  • Electronic health records
  • Social networking
• Similar to Clinton approach – act first on medical, financial, kids
• Similar contrast as the two candidates’ views on financial regulation

Government Surveillance
• The other major privacy area concerns rules for government surveillance, for law enforcement and national security
• McCain has supported Bush approach – major focus on anti-terrorism, few stated limits on executive power, support for Patriot Act
• Obama – former constitutional law prof – has called for more checks & balances and oversight
• Obama pushed for broader FISA reform, but voted for final passage as better than not having authorities in place

Concluding Thoughts
• Guardians of the public’s data
• HIPAA – build privacy & security in from the start
• Public records – avoid theft & related harms
• Data breach – a major feature in the future
• PIAs – an expected practice from now on

Finally
• FOIA and open records are crucial values
• That said, here is a simple test about privacy:
• How would you want the records of your own family treated?
• Do you have the privacy and security practices in place that you would want for your spouse and children?
• If you meet that test, you can be proud in your role of guardian of the public trust
• Good luck in your efforts