Alive • Historical review of Privacy Law • Death of Privacy at the hands of Government & Business • The Spirit of Privacy in the Digital Age – A Look at Legal Intents • Practical Privacy Recommendations • Information Processors • Consumer Products • Legal Teams
apart from company or • Let's examine... • “Right to Privacy” – Every citizen deserves their information protected from public scrutiny. • In·for·ma·tion – Facts provided or learned about something or someone. • Observation(s) – How do we ensure that observations of our own information, or of information with which we are entrusted, are obfuscated for the preservation of privacy?
data exchanges ▪ APIs allow for data to be easily called by both individuals & other apps ▪ Demand for data from government & commercial sectors is increasing ▪ Immature Cloud IT operations create data loss mishaps ▪ Legacy IT environments still make elementary mistakes: ▪ Lost tapes ▪ Unencrypted data ▪ Excessive data retention periods
1 year credit reporting • BA fines have been few and far between • Are increasing privacy regulation and fines going to alter practices in information management & data privacy? • [Chart: HIPAA OCR "Wall of Shame" Incident Totals (since 2008). Categories: # BAs, # health plans, # clearing house, # undefined, # hc provider. Values as extracted: 275, 237, 4, 71, 1281.]
2009, a LOT of data has been lost and very few fines have ensued. • If you’re looking around as a BA, how likely are you to alter your data management policies and practices?
in HC should be around theft. • Incidents & threats need examination in order to determine mitigation strategy • Knowing your information assets • Followed by knowing your information flows • Legal mitigations need to align services to legal liabilities • [Chart: HIPAA Violations by Incident Type. Categories: hacking incident, improper disposal, loss, other, theft, unauth access/disclosure, other. Values as extracted: 15%, 4%, 8%, 5%, 43%, 25%, 0%.]
you VS control data managed by Google • As long as it doesn't personally identify you, Google can share with advertisers 100% of your digital activity, connected with the places you visit and the purchases you make in the real world. Credit to Mike Nolet for his research on Google’s data management of personal records.
around their customer/consumer behaviors; greater economic forces toward abusing privacy than resurrecting it • [Legal] Terms of Service are never read because consumers are: • Disinterested, lazy, or value their time more • Overly trusting • Confused by the language • Inherently, ToS and Opt-X language is flawed by design for the consumer, optimized for the service provider • [Consumerism] We (consumers) want more social integrations over integrated applications that offer more “convenient” (targeted) functionality. • “Nothing is free when you are the product” • Privacy Ideology vs Privacy Pragmatism
– David H. Flaherty, Privacy in Colonial America (1972) • Flaherty observes that, since people lived in towns, physical surveillance was difficult to escape • Home was the ‘castle’ of one individual’s privacy • Revolutionary War: Introduced central privacy theme of freedom from government intrusion. • 1890 introduced Right to Privacy – Warren & Brandeis • Response to media, gossiping, cameras • Harry Kalven Jr, “most influential law review article of all.” • Increase in privacy laws/revisions in 20th century • Rise in litigation hasn’t helped, or has it? If so, who?
[Timeline graphic: 1790 U.S. Census Formed • 1600s Colonial America • 1775 - 1783 Revolutionary Period • Dec 1791 U.S. Bill of Rights Ratified (Art 3-12) • 1890 Outcry over Census asking on diseases, finances, disabilities • 3/21/2018 - 4/27/2018 Copies of Census posted in public places to validate errors • 1890 Warren & Brandeis Right to Privacy Birthed • 1960 William Prosser recognizes 4 distinct torts • 1935 Social Security System, FBI created • 1946 Birth of the Computer • Privacy Act of 1974 • 1970 FCRA Born • Increase in privacy laws from 1980 onward]
rising “…nothing to fear” beliefs • Consumerism, security trumps privacy as shown by market demand • Perception that gov’t collects info to ‘improve’ social services • Industry leaders claim to improve service, treatment, based upon access to broader information (e.g. – Medical) • Information sharing is needed in order to ‘evolve’ advancements in products, services. This rationalizes privacy law violations • Privacy terms and information considered to be private are mutating.
Violation • Threat Model should illustrate weaknesses • Correlate prior incidents experienced by organization • Threat intelligence for the sector will also help • Identify scope of systems of record by data classification • Correlate information assets to technology assets • Manage a series of DFDs for your information flows • Integrate vendor infrastructure into DFDs
Model to scope what systems to prioritize Data Privacy Impact Assessments • Understand the level of PII for components in your DFDs • Correlate State, Federal, International impacts to data systems/interfaces • Filter out technical and process-based controls for data privacy from DPIA efforts to get residual risk register of issues • Establish a cadence and governance for your DPIAs
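One way to turn the DFD and DPIA recommendations above into a repeatable check, as an added example that is not part of the original slides: each DFD component carries a PII level, vendor flag and jurisdictions, each flow lists the controls in place, and whatever the controls do not cover becomes the residual risk register. The component names, the PII scale, the control names and the required-controls policy are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed PII scale: 0 = none, 1 = indirect identifiers, 2 = direct PII/PHI.
# Assumed policy: controls a flow must carry for each PII level.
REQUIRED = {0: set(), 1: {"tls"},
            2: {"tls", "encryption_at_rest", "access_logging"}}
VENDOR_EXTRA = {"right_to_audit"}  # assumed extra control when a vendor is involved

@dataclass(frozen=True)
class Component:
    name: str
    pii_level: int
    vendor: bool = False
    jurisdictions: frozenset = frozenset()

@dataclass
class Flow:
    src: Component
    dst: Component
    controls: set = field(default_factory=set)

def residual_risks(flows):
    """Filter out flows fully covered by controls; return the rest as a register."""
    register = []
    for f in flows:
        # Conservative assumption: a flow inherits the higher PII level of its ends.
        level = max(f.src.pii_level, f.dst.pii_level)
        required = set(REQUIRED[level])
        if level > 0 and (f.src.vendor or f.dst.vendor):
            required |= VENDOR_EXTRA
        missing = required - f.controls
        if missing:
            register.append({
                "flow": f"{f.src.name} -> {f.dst.name}",
                "pii_level": level,
                "missing": sorted(missing),
                "jurisdictions": sorted(f.src.jurisdictions | f.dst.jurisdictions),
            })
    # Highest PII level first, then the flows with the most gaps.
    return sorted(register, key=lambda r: (-r["pii_level"], -len(r["missing"])))

# Constructed sample DFD (not real systems).
portal = Component("patient_portal", 2, jurisdictions=frozenset({"US-HIPAA"}))
ehr = Component("ehr_db", 2, jurisdictions=frozenset({"US-HIPAA"}))
billing = Component("billing_vendor", 2, vendor=True,
                    jurisdictions=frozenset({"US-HIPAA", "EU-GDPR"}))
metrics = Component("metrics", 0)
SAMPLE_FLOWS = [
    Flow(portal, ehr, {"tls", "encryption_at_rest", "access_logging"}),
    Flow(ehr, billing, {"tls", "encryption_at_rest"}),
    Flow(ehr, metrics, {"tls"}),
    Flow(metrics, Component("status_page", 0)),
]

if __name__ == "__main__":
    for entry in residual_risks(SAMPLE_FLOWS):
        print(entry)
```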
are inflating legal liabilities for the organization • Review how legal agreements reflect inaccuracies in privacy controls and processes • Incorporate legal privacy language in all your vendor agreements and incorporate right-to-audit language to support proof of privacy controls • Review governance strategy on online, offline data governance and re-calibrate based upon recommendations 1 & 2.