Keeping Your Eye on Privacy. Mike Gurski, Director: Bell Privacy Centre of Excellence. April, 2008 NY. NY.

Page 1: Keeping Your Eye on Privacy

Keeping Your Eye on Privacy

Mike Gurski, Director: Bell Privacy Centre of Excellence

April, 2008 NY. NY.

Page 2: Keeping Your Eye on Privacy

• Background
• Privacy Threats
• Canadian Privacy Law
• Sample of University Privacy Postures
• Solutions for Privacy Management

Page 3: Keeping Your Eye on Privacy

Bell Restricted3 Date

Background: How Soon We Forget

On August 1, 2006, USA Today reported that, "in the past 18 months, colleges were the source of one-third to half of all publicly disclosed (privacy) breaches. By reviewing 109 privacy breaches at 76 campuses, USA Today found that 70 percent of the incidents involved hacking."

What does this tell us?

Page 4: Keeping Your Eye on Privacy

U.S. to Ease Privacy Rules

Federal Education Department proposed new regulations to clarify when Universities may release confidential student information after Virginia Tech shootings.

NY Times, March 25th, 2008

Page 5: Keeping Your Eye on Privacy

Privacy Threat Models Reviewed

• The ‘duh’ factor
• The infinite information appetite syndrome: including Hackers
• The privacy policy riddle
• The attacker models: and willing participants in a University setting
  – Reporter, Marketer, Insider
• The ‘balancing rights’ conundrum
• The proportional response problem
• The save us from disaster misconception

Examining the Risks: Probabilities and Outcomes

Page 6: Keeping Your Eye on Privacy

A Special University Privacy Challenge

A Hot Bed of Early Adopters

Web 2.0/3.0

Social Networks

Software as a Service

Page 7: Keeping Your Eye on Privacy

A Different Privacy Landscape in Canada?

Provincial OCIO bans instant messaging and file sharing after privacy breaches in NFLD:

Memorial University CSO mirrors ban:

March 28, 2008 NFLD

Question: How is the University Responding?

Primary Focus on tactical PIAs for BANNER and Laptops

Page 8: Keeping Your Eye on Privacy

The Canadian Particulars

Legislative Landscape: Fair Information Practices Based

A Digression to GWU and Daniel Solove

A Privacy Maturity Model for Universities

The Role of Strategy as opposed to Tactics

The Role of Technology and New Tools

Page 9: Keeping Your Eye on Privacy

Daniel Solove

A taxonomy of privacy attacks

A new way to think about privacy legislation and technology

Page 10: Keeping Your Eye on Privacy

Organization’s Privacy Management Maturity

Level 1: Ad-Hoc

• Privacy processes are not defined or documented

Level 2: Focused

• Privacy processes are partially documented
• Minimal automation for privacy automation
• Training policy with event based training

Level 3: Standardized

• Processes, roles, and workflows are defined
• Privacy Management is broad based to serve strategic goals
• Training ongoing

Level 4: Integrated

• Processes fully defined and audited
• Privacy management fully integrated with bus.

Page 11: Keeping Your Eye on Privacy

A Strategic Approach

• The key steps:

– Build a business case for strategic investment in privacy management

– Build Internal Privacy Management Capacity (reducing cost and reliance on outside consultants)

– Use tools that allow non-specialists to manage privacy

– Set out a strategy and planning roadmap

– Develop a vulnerability assessment/gap analysis of personal information management within the University

– Engage all levels in privacy management

– Reduce resources needed to manage privacy

– Provide a new focus on system design for personal information banks

Page 12: Keeping Your Eye on Privacy

New Tools

Compliance and Assessment Tools

Internal Capacity Workshops

Data repository for knowledge transfer

Training Curriculum geared to privacy management capacity

Enterprise Privacy Strategy/Roadmap

Privacy Enhancing Technologies

Page 13: Keeping Your Eye on Privacy
Page 14: Keeping Your Eye on Privacy

Contact Information

Mike Gurski, Director: Bell Privacy Centre of Excellence

[email protected]