1
Protecting Privacy: Challenges for Higher Education
Educause Western Regional Conference - April 26, 2006
3
California Office of Privacy Protection
CA is 1st state with such an agency
Created by law passed in 2000
Mission: protect the privacy of individuals’ personal information in a manner consistent with the California Constitution by identifying consumer problems in the privacy area and facilitating…fair information practices
4
COPP Functions
Consumer assistance
Education and information
Coordination with law enforcement
Best practice recommendations
7
Classic Definition 1
The right to be let alone.
"The makers of the Constitution conferred the most comprehensive of rights and the right most valued by all civilized men—the right to be let alone."
Brandeis & Warren, 1890
9
Classic Definition 2
The right to control one’s personal information.
“…the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”
Alan Westin, 1967
11
Privacy & Security
Information Security: protecting data from unauthorized access, use, disclosure, modification, destruction.
Information Privacy: providing individuals with level of control over use and disclosure of their personal information
No privacy without security
12
Privacy Values
Privacy – the right to control one’s personal information – is essential to protect other important values.
  Confidentiality
  Anonymity
  Seclusion
  Fairness
  Liberty
14
Current Privacy Issues
Security vs. Privacy
Public Records & Privacy
Data Brokers
Ubiquitous Surveillance
Persistence of Data
Identity & Authentication
Identity Theft
15
Security vs. Privacy
“They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”
Benjamin Franklin, 1759
A zero-sum game?
16
Public Records & Privacy
Loss of “practical obscurity” – from the county courthouse to the World Wide Web
Open government – Can we keep an eye on our government without spying on individual citizens?
  Limit access to sensitive data to certain purposes
Data brokers digitizing public records
  “Enriched” data resold to government and businesses
17
Ubiquitous Surveillance
Digital trails created by financial transactions, digitized public records, FasTrak, security cameras, building cardkeys, Web searches, electronic health records…
19
The Persistence of Data
Internet archive
Online communities – MySpace.com, Facebook.com
Loss of “social forgiveness” in society of digital dossiers
21
Identity Theft
Causal factors in identity theft
  Electronic databases
  Instant credit
  Remote transactions
  Over-reliance on inadequate identification system
22
Identity Theft
Obtaining someone’s personal information and using it for an unlawful purpose
  Penal Code § 530.5
Types of identity theft
  Financial – existing account, new account
  Government benefits – employment
  “Criminal”
23
Incidence of Identity Theft
Rate steady at about 9 million/year for past 3 years
  4% of adults
  Including 1 million Californians
Source: BBB/Javelin, 1/06
24
How ID Thieves Get Your Info
[Pie chart]
  Don't know how: 54%
  Lost/stolen: 17%
  Company insiders: 10%
  In home: 6%
  Transaction: 4%
  Online: 4%
  Other: 3%
  No answer: 3%
Source: BBB/Javelin, 1/06
Organizations in control: 16%
Consumers in control: 27%
Don’t know: 57%
25
Impact of ID Theft on Victims
Out-of-pocket costs
  Average $422
Time spent recovering
  Average 40 hours
Source: BBB/Javelin, 1/06
26
Impact of ID Theft on Economy
Total cost of identity theft in U.S. in 2005
  $56.6 Billion
Source: BBB/Javelin, 2/06
28
Approaches to Data Protection
U.S. takes sectoral approach
  Laws protect personal information in certain industry sectors (financial, health care, video rental records)
EU, Canada, APEC take comprehensive approach
  Laws treat privacy as fundamental human right
29
Major Sectoral Privacy Laws
Credit Reporting
Government Privacy
Financial Privacy
Health Information Privacy
Educational Records
Information Security
Commercial Communications
Identity Theft
Other
30
Privacy Laws for Higher Ed
Federal Laws
  FERPA – Privacy of educational records
  GLBA – Financial privacy & security
  HIPAA – Health information privacy & security
State Laws
  IPA & other state government privacy laws (public institutions)
  Online privacy (CA)
  Information security
  SSN confidentiality
  Breach notice
31
California #1 in Privacy Protection
California ranks highest in protecting its citizens against invasions of privacy.
Privacy Journal
All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.
California Constitution, Article 1, § 1
32
Social Security Number Law
Prohibits public posting or display of SSN
  Don’t print on ID/membership cards.
  Don’t mail documents with SSN to individual, unless required by law.
  Don’t require sending by email or require for Web site log-on (unless with additional password).
  Don’t print more than 4 digits of SSN on paystubs – or use employee ID number
33
Online Privacy Protection Act
Commercial Web sites that collect personal info of CA residents must post privacy policy statement
  Categories of 3rd parties with whom personal information may be shared
  How consumers may review or remove their PII (if offered)
  How site will notify consumers when the privacy policy is changed
  Effective date of the policy
Site operators must comply with policy
34
Online Privacy Practices in Higher Ed
Survey report available from Mary Culnan, Bentley College, [email protected]
236 doctoral universities & national liberal arts colleges in 2004 US News & World Report list
Assessed 3 types of online privacy risks
  Privacy statement use
  Data collection forms
  Cookies
35
Online Privacy Practices in Higher Ed
100% of universities & colleges had at least one instance of Web page without link to privacy notice
Nearly 100% had 1 or more data collection forms without link to privacy notice
Nearly 100% had 1 or more data collection forms using GET method
100% had 1 or more non-secure data-collection pages
36
A Few Headlines
Another University Suffers Security Breach
  UCB, 3/29/05
Tufts warns 106,000 alums, donors of security breach
  4/12/05
FBI probes network breach at Stanford
  5/25/05
University to Warn of Web Security Breach
  USC, 7/10/05
7,800 linked to USD told of network security breach
  12/3/05
Computer records on 197,000 people breached at UT
  4/24/06
37
Security Breach Notice Law
Notify individuals if unauthorized person acquires “unencrypted computerized data,” as defined:
  Name plus one or more of following: SSN, DL, or financial account number
Notify promptly and without unreasonable delay
  Time allowed to assess scope; may delay if would impede law enforcement investigation
38
Security Breach Notice Law
Notify individually unless >250,000 or >$500,000 or inadequate contact information
Substitute notice
  Email if you have address, AND
  Post on Web site, AND
  Use mass media.
40
Breach Notifications
CA Office of Privacy Protection learns of breaches from individuals, companies, media
Sample includes 101 breaches since 7/03 (not all)
Over 53 million notified (from 100 to 40 MM per incident)
  Mean 646,723
  Median 31,077
41
Where are breaches occurring?
[Pie chart, n=101]
  University: 25%
  Financial: 24%
  Other: 22%
  Medical: 13%
  Gov't: 11%
  Retail: 5%
42
Why Universities?
Culture of free flow of information
Distributed IT environment
More responsible about reporting?
44
Types of Information Involved
[Bar chart, n=101. Categories: SSN, Financial Acct., DL Number, Other/DK. Data labels: 86%, 33%, 10%, 13%.]
45
Lessons Learned - Prevention
Review data collection policies
  Blood bank example: Do we really need SSNs?
Review data retention policies
  University example: How long?
46
Lessons Learned - Prevention
Remember the mobile workforce!
  Protect desktops, laptops, other portables
  Prohibit downloads of sensitive info to PCs, laptops
  Use encryption – State encryption policy BL05-32 at www.dof.ca.gov/html/budlettr/budlets.htm
48
COPP’s Recommended Practices
Best practice recommendations, not regulations, not legal opinions
  Social Security Number Confidentiality
  Security Breach Notice
  Information-Sharing Disclosure and Privacy Policy Statements
49
Privacy Best Practices
Build in privacy.
  Design systems and database to limit and protect personal information.
Know where your personal information is.
  Conduct personal info inventory, including portable computing & storage devices and paper records.
50
Privacy Best Practices
Say what you do with personal information.
  Post clear notices of privacy practices on Web sites, in offices, and whenever collecting personal info.
Do what you say in managing personal information.
  Monitor compliance with laws and policies, including content monitoring of Web sites and e-mail.
51
Privacy Best Practices
Limit access to personal information.
  Use appropriate security measures to prevent unauthorized access, including limiting internal access to need-to-use level.
Develop a culture of respect for privacy.
  Provide employees and all users with ongoing education and training in requirements and practices.
53
“Personal information is like toxic waste – Managing it requires a high level of skill and training.”
Phil Agre, U.C.L.A., 1997