Protecting Privacy in State Government

1
Protecting Privacy in State Government
Basic Privacy Security Training for State of
Ohio Employees
2
Objectives Agenda

• Overview privacy security
• What is privacy?
• Privacy and security, what is the difference?
• Defining sensitive data
• Why protect privacy?
• Best Practice Perspectives
• Good information-handling practices
• Security incident response
• Privacy Quiz

2
3
What is Privacy?

• The right to be left alone -- the most
  comprehensive of rights, and the right most
  valued by civilized men. Louis Brandeis
• Privacy is the claim of individuals, groups or
  institutions to determine for themselves when,
  how, and to what extent information about them is
  communicated to others Alan Westin
• You have no privacy, get over it. Scott
  McNealy

3
4
What is Privacy That was Then This is Now

• Then
• Practical Obscurity
• No internet no cell phones marketing less
  pervasive sense of aint nobodys business
• Now
• Information Age
• More data gathering across government business
• Smart phones, Camera phones
• Mobile wireless computing
• 24/7 access
• Technological Developments (surveillance cameras
  software, RFID, biometrics)

4
5
Changing Threat Landscape

• 1997
• Amateur hackers
• Web site defacement
• Viruses
• Infrequent attacks

• 2007
• Organized crime
• SQL Injections
• Identity theft
• Constant threat
• Amateur hackers
• Web site defacement
• Viruses

342 data breaches in the first half of 2008 more
than 69 greater than the same time period in 2007
6
Privacy and Security, what is the difference?

• Privacy Security are flipsides of a coin
• Privacy
• Broadly speaking, how data is defined and used
• Laws, regulations, and policies that define and
  classify data and date usage

• Security
• Securing the data, both physically and
  technologically, per its definition to ensure its
• Confidentiality (limited access)
• Integrity (authentic complete)
• Availability (accessible)

6
7
Defining Sensitive Data

• Personally Identifiable Information (PII)
• Broad definition any information that is
  maintained by an entity that identifies or
  describes an individual.
• Sensitive PII
• Name, when associated with
• Social Security number
• Financial
• Health Medical
• ID Card (drivers, state identification card)
• Biometric

7
8
Defining Sensitive Data (cont.)

• Sensitive data is more than PII, it is also
  information your organization classifies as
  sensitive
• Data mandated by law to be confidential
• Case numbers
• Security plans reports
• Intellectual property
• Economic forecasts
• Passwords

8
9
Sensitive Data Money

• Handle sensitive data like cash!

9
10
Why Protect Privacy? World View
European Union EU Data Protection Directive and
Member States, Safe Harbor Principles
US Federal HIPAA, GLBA Safeguards Rule, COPPA,
Canada PIPEDA
South Korea Act on Promotion of Information and
Communications Network Utilization and Data
Protection
Japan Personal Information Protection Act, METI
Guidelines
Hong Kong Personal Data Privacy Ordinance
Philippines Data Privacy Law proposed by ITECC
California SB 1, SB 1386, SB 27, AB 1950
Taiwan Computer-Processed Personal Data
Protection Law
India Law pending currently under discussion
Chile Law for the Protection of Private Life
South Africa Electronic Communications and
Transactions Act
Argentina Personal Data Protection Law,
Confidentiality of Information Law
Australia Federal Privacy Amendment Bill State
Privacy Bills in Victoria, New South Wales and
Queensland, new email spam and privacy regulations
October 10, 2007
10
New Zealand Privacy Act
11
Why Protect Privacy? - Public Trust

• Citizens have no option to shop around they are
  required to provide personal information to
  government.
• We have an obligation to protect the information
  entrusted to us.

11
12
Why protect privacy? U.S.

• Federal Laws
• HIPAA, GLBA, COPPA, FERPA, FCRA, genetic privacy,
  and more laws in works
• State
• Data Breach notification
• Credit freeze
• PII in public records
• Biometrics
• RFID

12
13
Why protect privacy? - Ohio

• Its a best practice and rapidly becoming
  statewide law and policy!
• Executive Order 13S (2007) Improving State
  Agency Data Privacy and Security
• Ohio IT Bulletin ITB-2007.02 Data Encryption and
  Securing Sensitive Data
• ITP-B.11 Data Classification Policy
• HB 104 Data Breach Notification Law
• HB13 No SSN - Vehicle Registration Renewal
  Notice
• HB 46 Credit Freeze SSN Redaction
• And more to come

13
14
Why protect privacy? (cont.)

• Increasing citizen consumer sensitivity
• Security breaches
• Almost daily occurrence
• Data Breaches Hit 8.3 Million Records in First
  Quarter 2008
• 167 data breaches First Quarter 2008
• 448 incidents in 2007
• Identity theft
• Low-risk, high-reward crime
• Becoming more and more organized
• Source - The Identity Theft Resource Center

14
15
Identity Theft

• What It is and Its Impact

15
16
What is identity theft?

• A crime to intentionally use another persons
  identifying information to fraudulently obtain
  credit, property or services.
• Ohio Rev. Code Ann. 2913.49
• Types
• Financial
• Access to existing accounts
• Creation of new accounts
• Services Employment, Medical
• Criminal

16
17
Incidence Impact of Identity Theft

• 8.1 million incidents (2007)
• 3.6 of adults
• Out-of-pocket costs (2007)
• Average 691
• Time spent recovering (2006)
• Average 25 hours

17
Source Javelin, 2/07 2/08
18
Impact of ID Theft on Economy

• Total cost of identity theft in U.S. in 2007
• 45 Billion

Source Javelin, 2/08
18
19
Beware of Social Engineering Schemes

• Identity thieves may try to trick employees into
  disclosing personal information
• Phishing e-mails, phone calls
• Verify identity and authority of anyone
  requesting sensitive data

19
20
Basic Data Handling for State Employees
20
21
Public Records and Sensitive Data

• Most records agencies handle are public records,
  but they may also contain sensitive information.
  Employees must employ protective measures to
  ensure the information is not improperly
  released.

The Ohios Public Records Act is based upon the
concept that records produced by government are
the peoples records.
Other laws require state government to protect
sensitive information.
22
Basic Privacy Principles

• Minimization/Collection Limitation only collect
  that data for which you have a business need.
• Notice/Awareness clear and complete disclosure
  to individuals on the specifics of how the data
  they submit is to be collected, used, and shared
  with other organizations, in addition to the
  steps taken to preserve the datas
  confidentiality, integrity, and quality.
• Choice/Consent where applicable, give
  individuals the choice of what data they submit,
  how it can be used, and with whom it can be
  shared.
• Access where applicable, give reasonable access
  to an individuals personal data for review,
  modification, correction, and, where appropriate,
  deletion.
• Integrity/Security ensure that personal
  information is relevant, accurate, and consistent
  throughout the enterprise and that reasonable
  security precautions are taken to protect data
  from unauthorized use, access, or transfer
• Accountability/Enforcement specify an
  individual(s) to ensure the integrity and
  security of the data, and to enforce applicable
  law and policy.

22
23
International Privacy Principles

• Openness There should be a general policy of
  openness about the practices and policies with
  respect to personal information.
• Purpose Specification The purposes for which
  personal information is collected should be
  specified at the time of collection. Further
  uses should be limited to those purposes.
• Collection Limitation Minimize the data you
  collect. Only the data necessary for the stated
  purpose should be collected. Personal
  information should be obtained by lawful and fair
  means and, where appropriate, with the knowledge
  or consent of the individual.
• Data Quality Personal information should be
  accurate, complete and kept up-to-date, and
  relevant to the purposes for which it is to be
  used, .
• Use Limitation Personal information should not
  be used for purposes other than those specified,
  except with the consent of the data subject or by
  the authority of law.
• Individual Participation Individuals should have
  the right to inspect and correct their personal
  information
• Security Safeguards Personal information should
  be protected by reasonable security safeguards
  against such risks as loss, unauthorized access,
  destruction, use, modification or disclosure.
• Accountability Someone in the organization
  should be accountable for compliance with the
  organizations privacy policies.
• Based on the OECD Guidelines on the Protection
  of Privacy and Transborder Flows of Personal Data
  (www.oecd.org)

23
24
The Life Cycle of Sensitive Data

• Data is an asset. The value associated with a
  piece of data is determined by its attributes,
  context within the agency, and associated
  riskall are key factors in data classification.

Data Value
Attributes
Context
Risk
Data LifeCycle
October 10, 2007
24
Collection
Storage
Use
Sharing
Destruction
25
Handling Sensitive Data - Overview

• Take stock
• What is PII Other Sensitive Data
• Where is it in your organization
• Scale down
• Only collect what you need
• Lock it
• Secure, encrypt, protect
• Proper Disposal
• Securely dispose of documents per your retention
  schedule remember the Sunshine Laws!
• Plan ahead
• Know your security incident response procedure

25
26
Take Stock

• Know Where Sensitive Data Lives
• Learn where sensitive data is stored in your
  office and systems
• PCs, workstation file drawers, laptops,
  BlackBerrys, and other portable devices
• Sensitive PII Employee data, as well as data of
  citizens/consumers, licensees, and others
• Other data classified as sensitive
• HB 46 calls for all agencies to engage in Privacy
  Impact Assesments for new data systems.

26
27
Scale Down

• Data Minimization is Your Friend less is more
• Data quantity (only take what is necessary for a
  particular function)
• Access Levels (only give access to those that
  need it)
• Everything you take is something you have to
  retain
• Everything you retain is something that can be
  breached
• Everything that can be breached is something for
  which you are liable
• Less data collected less liability
• REMEMBER
• Comply with Ohio Sunshine laws and your agencys
  records retention policy

27
28
Scale Down (cont.)

• Collect Retain only what you need and keep it
  only for the time you need it.
• Regularly purge documents with sensitive data
  from individual file folders (unless required to
  keep per public records law)
• Avoid downloading sensitive data unless
  necessary.
• Regularly cleanse sensitive data from PCs,
  laptops, other portable devices.
• REMEMBER
• Comply with Ohio Sunshine laws and your agencys
  records retention policy

29
Lock It

• Protect Sensitive Data from Unauthorized Access
• Limit access to sensitive data (especially PII)
  to those who need to use it to perform their
  duties
• Minimum necessary access
• Passwords other access controls

29
30
Lock It - Desks

• Protect Sensitive Data on Your Desk
• Clean-desk policy
• Dont leave documents with sensitive data out
  when away from your workstation
• Lock up documents w/ sensitive data overnight and
  on weekends
• Lock PC when away from your workstation

30
31
Lock It Workstations

• Protect Sensitive Data in Workstations
• Make sure you have a timed lock-out
• Dont download free software onto PC it may
  contain spyware or other malware
• Angle your monitor away from prying eyes or ask
  for a privacy screen for your monitor if you
  enter sensitive data in a public place

31
32
Lock It - Passwords

• Your password is like your toothbrush - Dont
  share it!
• Password Donts
• Do not reveal your password over the phone
• Do not send your password in an e-mail message
• Do not reveal your password to a supervisor or
  manager
• Do not talk about your password in front of
  others
• Do not hint at the format of your password (e.g.,
  "my family name")
• Do not reveal your password on questionnaires or
  security forms
• Do not share your password with family members
• Do not reveal your password to co-workers while
  on vacation
• Use strong passwords
• 8 characters, including numerals and symbols
• Ohio IT Policy ITB-B.3 Password-PIN Security

32
33
Lock It Laptops Sensitive Data

• All laptops must be encrypted.
• Do not place sensitive data on portable devices
  (thumb drives and other portable devices), unless
  the placement has been authorized following
  agency policy and procedures, and the device is
  encrypted.

33
34
Lock It E-mail Mail

• Dont send or receive sensitive data SSN, DL
  number, financial account number, medical info
  via email (in text or via attachments) unless
  allowed by agency and it is encrypted
• Mail securely
• Dont leave incoming or outgoing mail in unlocked
  or unattended receptacles
• Make sure mailings are not exposing sensitive
  data
• CalPERS State of Wisconsin

34
35
Lock It - Faxes Voicemail

• Dont send sensitive data by fax unless security
  procedures are used
• Confirm accuracy of number before keying in
• Arrange for and confirm prompt pick-up
• Dont leave sensitive data in voice mail messages

36
Lock It At Home?

• Do Not Take State Sensitive Data Home
• NUFF SAID

36
37
Dispose of Records Safely

• Shred documents with sensitive data and other
  confidential info before throwing away
• CDs and floppy disks too
• Have computers and hard drives properly wiped
  or overwritten when discarding
• REMEMBER
• Comply with Ohio Sunshine laws and record
  retention policy

37
38
Handling Sensitive Data Bottom Line

• Take stock
• Scale down
• Lock it
• Proper Disposal
• Plan ahead
• Remember the Sunshine Laws
• How would you want someone handling your data?

38
39
Incident Response
39
40
Report Info Security Incidents

• KNOW YOUR ORGANIZATIONS SECURITY INCIDENT
  RESPONSE POLICY AND PROCEDURE
• Reportable incidents might include
• Loss or theft of laptop, BlackBerry, disk, etc.
• Loss or theft of paper records
• Unauthorized acquisition of protected info
• Unauthorized release, modification, or
  destruction of protected info
• Interfering with state computers or data systems
• Any activity involving illegal activity or
  serious wrongdoing

40
41
What is an Incident?

• Unauthorized access to files or systems
• Loss of system availability
• Misuse of service, systems or information
• Physical damage to computer systems, networks, or
  storage media
• Illegal Activity
• Serious Wrongdoing

• Viruses
• E-mail viruses
• E-mail harassment
• Worms
• Other malicious code
• Denial of service attacks
• Intrusions
• Stolen hardware
• Network or system sabotage
• Website defacements Stolen Sensitive Data

42
Incident Response Guidance

• Ohio HB 104 Data Breach Notification
• http//www.legislature.state.oh.us/bills.cfm?ID12
  6_HB_104
• ITP B.7 Security Incident Response
• http//www.oit.ohio.gov/IGD/policy/pdfs_policy/ITP
  -B.7.pdf
• OIT IT Bulletin No ITB-2007.02
• http//oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-
  2007.02.pdf
• Governors Memo on Illegal Activity Serious
  Wrongdoing
• http//www.governor.ohio.gov/GovernorsOffice/Polic
  ies/SuspectedWrongdoing/tabid/800/Default.aspx
• Incident Response Management Guide
• http//privacy.ohio.gov/resources/OITIncidentRespo
  nseGuide.doc
• Incident Response Training Presentation
• http//privacy.ohio.gov/resources/Incident_Respons
  e_Training.ppt

42
43
Why Protect Privacy? - Public Trust

• Citizens have no option to shop around they are
  required to provide personal information to
  government.
• We have an obligation to protect the information
  entrusted to us.

44
Privacy Protection Bottom Line

• Privacy and security are everyones
  responsibility

45
(Some) Privacy Resources

• Ohio Privacy Security Information Center
• http//www.privacy.ohio.gov/
• Federal Citizen Information Privacy Resources
• http//www.pueblo.gsa.gov/privacy_resources.htm
• Federal Trade Commission Privacy Initiatives
• http//www.ftc.gov/privacy/index.html
• Onguard Online
• http//onguardonline.gov/index.html
• Identity Theft Resource Center
• http//www.idtheftcenter.org/
• Center for Democracy Technology
• http//www.cdt.org/privacy/

46
Privacy Quiz

• Just for Fun Test Your Knowledge

46
47
Quiz Question 1

• If you believe that incoming mail containing
  sensitive data has been stolen from your office,
  where should you report it?

47
48
Options for Q1

• To your mailroom supervisor.
• To your departments information security point
  of contact, supervisor, legal office, directors
  office
• To the U.S. Postal Inspection Service.
• To the local police department.

48
49
Correct Answer to Q1

• To your departments information security point
  of contact, supervisor, legal office, directors
  office

49
50
Quiz Question 2

• Which of the following is the strongest most
  secure password for access to your PC?

50
51
Options for Q2

• FLUFFY
• 9151950
• ERICKSON
• HmW1cWC

51
52
Correct Answer to Q2

• HmW1cWC
• 5 steps for a a strong, memorable password
• Think of a sentence that you can remember. This
  will be the basis of your strong password or pass
  phrase. Use a memorable sentence, such as "My dog
  Steve is three years old.
• If the computer or online system does not support
  pass phrases, convert it to a password. Take the
  first letter of each word of the sentence that
  you've created to create a new, nonsensical word.
  Using the example above, you'd get mdsityo".
• Add complexity by mixing uppercase and lowercase
  letters and numbers. It is valuable to use some
  letter swapping or misspellings as well. This
  might yield a password like MdSi3yo".
• Finally, substitute some special characters
  and/or add back some characters. You can use
  symbols that look like letters, combine words
  (remove spaces) and other ways to make the
  password more complex. Using these tricks, you
  create a password (using the first letter of each
  word) "Mdi3y0ld".
• Test your new password with a Password Checker
  (http//www.microsoft.com/protect/yourself/passwor
  d/checker.mspx). Password Checker is a
  non-recording feature on Microsoft provides that
  helps determine your password's strength as you
  type.

52
53
Quiz Question 3

• Which of the following is the most secure way to
  get the SSNs of seven people to a co-worker, who
  is on a business trip, is authorized to have the
  information, and needs it to do his job?

53
54
Options for Q3

• Send the information in an e-mail.
• Call your co-worker and give him the information
  over the phone.
• Leave the information in a voice mail message on
  your co-workers cell phone.
• Fax the information to your co-worker at his
  hotel.

54
55
Correct Answer to Q3

• Call your co-worker and give him the information
  over the phone.

55
56
Quiz Question 4

• TRUE OR FALSE If you delete files from your PC
  and empty the recycle bin that means the data
  in the files is erased.

56
57
Correct Answer to Q4

• FALSE

57
58
Quiz Question 5

• Which of the following would NOT be an
  information security incident that needs to be
  reported?

58
59
Options for Q5

• Loss of a laptop containing unencrypted sensitive
  data.
• Accidental mailing of an individuals medical
  records to the wrong person.
• Theft of your purse, which contained a CD with
  state data on it.
• Theft of a state-owned computer monitor.

59
60
Correct Answer to Q5

• Theft of a state-owned computer monitor.
• This is a trick question - remember the Govs
  Memo on Illegal Activity Serious Wrongdoing.
  Report this to your Chief Legal Counsel!

60
61
Quiz Question 6

• Which of the following should you do before
  leaving your workstation for a meeting?

61
62
Options for Q6

• Put documents, disks, other records containing
  personal information in a locked drawer or
  otherwise out of sight.
• Hit control-alt-delete and lock your computer.
• Call your best friend and have a long chat.
• Both a and b.

62
63
Correct Answer to Q6

• Both a and b above.
• Put documents, disks, other records containing
  personal information (including your purse) in a
  drawer or otherwise out of sight.
• Hit control-alt-delete and lock your computer.

63