What is Privacy

Does Your Campus Need a
Chief Privacy Officer?
Dennis Devlin, Chief Information Security Officer,
Brandeis University
Steven J. McDonald, General Counsel,
Rhode Island School of Design
ICPL 2008
August 14, 2008
Introduction and Plan
• Steve will describe information privacy from a
legal perspective, with an overview of privacy
laws that apply to us (and not too much legalese)
• Dennis will discuss privacy (and security) from a
CISO’s perspective and some things a university
can do to begin to prepare for a privacy program
• Everyone will then participate in a discussion, and
prove that none of us is as smart as all of us when
it comes to information privacy
Icebreaker
• A quick quiz to test how well we all know the
subject: http://www.cdt.org/privacy/quiz/
• What are some of the top information privacy
concerns for your institution?
“Perhaps the biggest problem faced by all
concerned is the fact that we live today in
a world of technologically recorded,
maintained and communicated
information”
– Statement introduced during the debate on
FERPA, 120 Cong. Rec. 36,532 (Nov. 19, 1974)
What is Privacy (Legally)?
"[T]he right to be let alone – the most
comprehensive of rights, and the right
most valued by civilized men."
– Justice Louis Brandeis
Olmstead v. U.S.
The Legal Basis for Privacy:
A Crazy Quilt
• U.S. and state constitutions
– But no explicit reference in U.S. constitution
– Fourth amendment (and state versions)
• Statutory privacy
– FERPA, HIPAA, GLB, and other general and topical
privacy statutes
– ECPA, data breach notification, and other
computer-specific privacy statutes
– But also federal and state FOIA laws
• Contract law
• The common law of privacy
Common Law
Invasion of Privacy
• Intrusion
– "One who intentionally intrudes, physically or
otherwise, upon the solitude or seclusion of another or
his private affairs or concerns, is subject to liability to
the other for invasion of his privacy, if the intrusion
would be highly offensive to a reasonable person."
• Public Disclosure of Private Facts
– "One who gives publicity to a matter concerning the
private life of another is subject to liability to the other
for invasion of his privacy, if the matter publicized is of
a kind that (a) would be highly offensive to a
reasonable person, and (b) is not of legitimate concern
to the public."
The Fourth Amendment
"The right of the people to be secure in
their persons, houses, papers, and effects,
against unreasonable searches and
seizures, shall not be violated, and no
warrants shall issue, but upon probable
cause, supported by oath or affirmation,
and particularly describing the place to be
searched, and the persons or things to be
seized."
The Fourth Amendment
in Cyberspace
"We are satisfied that the Constitution
requires that the FBI and other police
agencies establish probable cause to
enter into a personal and private
computer."
– U.S. v. Maxwell
Publics are Private,
Privates are Not
"Although individuals have a right
under the Fourth Amendment of the
United States Constitution to be free
from unreasonable searches and
seizures by the Government, private
searches are not subject to
constitutional restrictions."
– U.S. v. Hall
O'Connor v. Ortega
"Fourth Amendment rights are implicated
[whenever] the conduct of the [government]
officials at issue . . . infringe[s] 'an expectation
of privacy that society is prepared to consider
reasonable.'"
Contract Law
• PCI-DSS: credit card transaction data
• Federal grants: human subjects research data
• Privacy policies
– "Your privacy is our number one priority. We will
not share your information with any other
organization."
– Translation: "We're liars!"
– Or: "Our marketing people, who wrote this, are
idiots."
Statutes
• Gramm-Leach-Bliley: financial institution
customer information
• HIPAA: protected health information
• Electronic Communications Privacy Act:
electronic communications
ECPA
• "[A] fog of inclusions and exclusions" – Briggs v.
American Air Filter Co. (5th Cir. 1980)
• "[A] statute . . . which is famous (if not infamous) for
its lack of clarity" – Steve Jackson Games, Inc. v.
United States Secret Service (5th Cir. 1994)
• "[T]he Fifth Circuit . . . might have put the matter too
mildly." – U.S. v. Smith (9th Cir. 1998)
Data Breach Notification
• 44 states + D.C. to date
• "'[P]ersonal information' means an individual's first name
or first initial and last name in combination with any one or
more of the following data elements, when either the
name or the data elements are not encrypted:
– (1) Social security number;
– (2) Driver's license number or Rhode Island Identification Card
number;
– (3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that
would permit access to an individual's financial account."
Fundamental FERPA
• The Family Educational Rights and Privacy Act
of 1974
• A.K.A. the Buckley Amendment
We Don't Need No "Education"
• FERPA: "education records"
• Includes transcripts, exams, papers, and the like
• But it also includes:
– Financial aid and account records
– Discipline records, including complaints
– SSNs and campus ID numbers
– E-mail
– Photographs
– "Unofficial" files
– Records that are publicly available elsewhere
– Information that the student has publicly revealed
– Virtually everything!
Structural Basics
• Definition/scope: what is protected
• Privacy: what rules govern its disclosure
• Safeguarding/security: what must be done to
protect it from unauthorized access and
disclosure
It Takes a Village
• "[G]iven that it is virtually impossible to use physical
or technological safeguards to prevent authorized
users from using their access to education records
for unauthorized purposes, it is important that an
educational agency or institution establish and
enforce policies and procedures, including
appropriate training, to help ensure that school
officials do not in fact misuse education records for
their own purposes."
And a "Reasonable Person"
• "[W]hen an institution is authorized to disclose information
from education records . . ., FERPA does not specify or
restrict the method of disclosure. . . . FERPA does not
mandate any specific method, such as encryption
technology, for achieving these standards with electronic
disclosure of information from education records. However,
reasonable and appropriate steps consistent with current
technological developments should be used to control
access to and safeguard the integrity of education records in
electronic data storage and transmission, including the use
of e-mail, Web sites, and other Internet protocols."
Resources
• General:
– http://counsel.cua.edu/fedlaw
– http://www.educause.edu/security/16030
• GLB:
– http://counsel.cua.edu/glb
• PCI-DSS:
– http://counsel.cua.edu/fedlaw//PCI .cfm
• HIPAA:
– http://counsel.cua.edu/HIPAA
• Data breach notification:
– http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm
• Privacy policy example:
– http://privacy.ahc.umn.edu/pub_pri_info.html
Some Disclaimers
• “If you steal from one author, it's plagiarism; if
you steal from many, it's research.” 
– Wilson Mizner, US screenwriter (1876 - 1933)
• Many people (some in this room) contributed to
the ideas used in this part of the presentation
• If during the next 15 minutes you feel like “Noah
attending a talk about floods” please be patient
– We just want to level set everyone in the room for the
lively discussion which will immediately follow…
Risks to Managing Information
• Fortune 500
– Regulations
– Reputation
– Revenues
• Are risks in Higher Education different?
• Risks are mitigated by reducing vulnerabilities
– Vulnerabilities can be exploited accidentally or
intentionally – to a victim it really doesn’t matter
What are Vulnerabilities?
[Diagram: two overlapping regions, Reality (what the system actually does) and Specification (what the system should do). "Systems" can be People, Process or Technology.]
• Deficiencies: what the system doesn't do that it should
• Vulnerabilities: what the system shouldn't do that it does
Adapted from "Testing for Software Security",
www.ddj.com, November 2002
Information Security
• Ensuring information integrity and availability
and restricting access only to authorized users
(confidentiality)
– Focus areas
• People, Process, Technology
– Control objectives
• Protection, Detection, Response
• Emphasis on protecting enterprise information
How Much is Enough?
[Chart: Cost ($) plotted against Security Capability (0% to 100%). Two curves are shown, the Cost of Security Investments and the Impact of Security Incidents, with the Optimum ROSI marked between them.]
Information Privacy
• Providing individuals with general control over
disclosure and the subsequent use of their
personal information
– Notice - what is being collected, how it will be used
– Choice - right to opt in or opt out
– Access - right to see information and correct errors
– Security - expectation steward will ensure C, I, A
• Focus on empowering individual control
– Security is a major enabler to achieving privacy
Some Moments of Truth
• Your institution is already making privacy decisions
– Websites
http://www.upenn.edu/about/privacy_policy.php
– Libraries
http://lts.brandeis.edu/research/borrowing/privacy.html
– Learning Management Systems
http://latte.brandeis.edu/help/latte-best/latte-security.html
– Registrar Notices
http://www.brandeis.edu/registrar/catalog/introAnnualNotice.htm
– Appropriate Use Policies
http://lts.brandeis.edu/about/policies/computingpolicies.html
Laying the Foundation
• Build security and privacy awareness and resolve
– Spend your time outside your comfort zone educating and
evangelizing, not with converted colleagues
– Form an Information Security/Privacy Advisory Council
– Be a change agent and champion of institutional character
expression (as well as regulatory compliance) via policies
• Engage, educate, and be patient
– Unconscious incompetence
– Conscious incompetence
– Conscious competence
– Unconscious competence
A P&P Maturity Model
Information Security and Privacy Policies and Procedures
1. Reactive
· Technology Focused
· Bottom-Up
· Obvious
· Not Controversial
Examples:
· Malicious Code Protection
· Patching Vulnerabilities
· Incident Response (IT)
· Appropriate Use
2. Proactive
· Audit Focused
· Top Down
· More Subtle
· Inconvenient
Examples:
· Separation of Duties
· Identity Management
· Auditability and Compliance
· Information Retention
3. “Radioactive”
· ROI ≠ ROI
· Sideways
· Sneaky
· Difficult
Examples:
· Information Classification
· Stewards and Custodians
· Incident Response (CEO)
· Information Destruction
· Information Privacy
Formulating Management Intent
When Is The Right Time?
• “It is a bad idea to criminalize the middle class.”
– Dennis Devlin’s Criminology Professor, c. 1968
• “Unfunded mandates are also a very bad idea.”
– Dennis Devlin – c. 2000
• Policies can be effective immediately or can be
“aspirational” with a “full compliance must be
achieved by” statement
• “Begin with an end in mind.”
– Stephen Covey
• CPOs, like CISOs, often appear at tipping points
Emerging Challenges
• The goalposts are moving - How to deal with student
and faculty privacy as we employ new technologies
for learning, teaching and scholarship
– Learning management systems
– Social networks
– Wikis
– Blogs
– Folksonomies
– Virtual worlds
• Can FERPA and Web 2.0 coexist?
Lively Discussion
Wrap Up
• Another Helpful Resource
– http://connect.educause.edu
• Our Contact Information
– Dennis Devlin: ddevlin@brandeis.edu
– Steven McDonald: smcdonal@risd.edu