Title: Protecting Children’s PII under the Care of Volunteer Organizations. I created this presentation after I discovered that the local minor hockey association and the local minor baseball association did not have a personal information policy or handling procedures in place. I want to share my knowledge and experience as a Privacy and Security Compliance Officer with these volunteer groups so that they can do a better job. The alarming thing is that they seemed completely unaware of the risks associated with a breach of security for personal information, even with studies that show children’s personal information is actually stolen to commit fraud 50% more than adults’. Another alarming fact is that credit institutions grant children credit based on their parents’ credit record. In one case a 16-year-old girl in the United States had $650k racked up against her credit record.
Compiled by Mark E.S. Bernard, CRISC, CGEIT, CISM, CISSP, CISA, ISO 27001 Lead Auditor, PM, PA, CNA
BBB Watch: Watch out for child ID theft
The Better Business Bureau is alerting parents that their child may be at risk of identity theft. Crime stats show last year more than 9.9 million Americans were victims of ID theft, costing them about $5 billion. The Federal Trade Commission also received more than 19,000 complaints about child identity theft last year.
Many parents have no idea that their child is a victim, and this crime may go undetected until the child applies for a job, loan or rents their first apartment. Major reasons for the identity theft of minors include illegal immigration (to obtain false IDs for employment), organized crime (to engage in financial fraud) and friends and family (to offset bad personal credit ratings).
Source: http://www.the-leader.com/community/blogs/biz-bits/x1035957048/BBB-Watch-Watch-out-for-child-ID-theft
There are a number of places where children’s personal information, including Social Security numbers, may be vulnerable. Realize that the following places typically request detailed personal information.
• Hospitals and physicians’ offices, through patient records.
• Schools, through student records.
• Daycare centers, through enrolment records.
• Libraries, through member records.
• Sports team organizations, through athlete applications.
• Online social networks, through personal pages or via e-mails as thieves coax information from teens.
Source: http://www.parentguidenews.com/Catalog/Parenting/ChildIdentityTheft
Because most parents do not consider that their child has a credit report, or the need to check a child’s report, the crime of identity theft and the resulting damage can continue for years. In 2007, an Experian-Gallup survey polled 3,029 adults ages 18 and older on the topic of child identity theft. The results showed that many consumers are unaware of the dangers of child identity theft. Here are some statistics the survey revealed:
• 68 percent of respondents knew “only a little” to “nothing at all” about child identity theft.
• 11 percent knew “a great deal” about child identity theft.
• 5 percent felt it would be “very difficult” to steal a child’s identity.
• 39 percent of parents with children under the age of 18 felt it was “not too likely” that their own child’s identity could be stolen.
• 11 percent of parents thought that it was “very likely” that their own child’s identity could be stolen.
Source: http://www.parentguidenews.com/Catalog/Parenting/ChildIdentityTheft
Web link: http://laws-lois.justice.gc.ca/eng/charter/
• Guarantee of Rights and Freedoms
• Fundamental Freedoms
• Democratic Rights
• Mobility Rights
• Legal Rights
• Equality Rights
• Official Languages of Canada
• Minority Language Educational Rights
• Enforcement
Web link: http://laws-lois.justice.gc.ca/eng/charter/
Legal Rights
7. Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice.
8. Everyone has the right to be secure against unreasonable search or seizure.
• Policy 1 – Collecting Personal Information
• Policy 2 – Consent
• Policy 3 – Using and Disclosing Personal Information
• Policy 4 – Retaining Personal Information
• Policy 5 – Ensuring Accuracy of Personal Information
• Policy 6 – Securing Personal Information
• Policy 7 – Providing Constituents with Access to Personal Information
• Policy 8 – Questions and Complaints: The Role of the Privacy Officer or Designated Individual
• Classification labeling
• Access restriction
• Classified information authorization list
• Information input/output validation
• Protection of spooled/printed information
• Storage complies with manufacturer’s specifications
• Keep distribution to a minimum
• Clear marking of recipient/sender
• Review distribution list
• Granting Access Rights
• Network Access Control
• Storage on Servers
• Storage on Removable Media
• Physical Removal
• Duplicating/Copying
• Faxing
• Transmission over Internet
• Transmission over FTP
• Transmission over Email
• Transmission over Wireless
• Disposal/Destruction
• Third-party / External-party Disclosure
• US Personnel Disclosure
• Electronic Media Labeling
• Hardcopy Labeling Required
• Physical Mail Handling
• Tracking Process by Log
• Human Resources
• Remote Access
• Desktop
• Laptop
The Government Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics on the Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) indicated the government’s intention to consult on the manner of implementing a legislative requirement for data breach reporting and notification.
The document builds on a previous working paper (Proposed Model, March 27, 2008) and reflects views from stakeholders provided at a roundtable meeting held April 11, 2008 in Ottawa, as well as written comments provided subsequent to the meeting. It is presented solely as a working model to provide additional background to assist in framing and considering the proposed legislative amendments to PIPEDA.
“Data breach” means an incident involving loss of, unauthorized access to, or disclosure of, personal information as a result of a breach of an organization’s security safeguards pursuant to Principle 7 of Schedule 1 of the PIPED Act.
• In the event of a data breach, where it is reasonable to consider in the circumstances that there exists a substantial risk of significant harm to affected individuals, the organization will notify affected individuals as a matter of course, and other organizations as required, as soon as is reasonably possible after detection, confirmation and assessment of the scope and extent of the breach.
• Notification to affected individuals will be provided in a clear and conspicuous manner using a direct means of communication, and will include information that is sufficient for the individual to understand the significance of the breach, and to take steps to mitigate harm resulting from it.
• Factors that are relevant to the determination of substantial risk include (i) the sensitivity of the information involved in the data breach and (ii) the probability that the information could be misused, or that harm to the affected individuals might result.
• Factors that are relevant to the determination of which other organizations should be notified are (i) whether an organization has a role in the mitigation or prevention of harm to the affected individuals; or (ii) whether an organization could reasonably be expected to suffer direct harm as a result of the data breach.
• The organization will also report to the Privacy Commissioner any material data breach, as soon as is reasonably possible following detection, confirmation, and an assessment of the scope and extent of the breach.
• Factors relevant to the determination of a material data breach include (i) the sensitivity of the information involved in the breach, (ii) the number of individuals affected, and (iii) whether it constitutes a pattern, or provides evidence of a systemic root cause, outside of commercially acceptable operating standards.
• The organization having control of the information will be responsible for determining the need for notification to affected individuals and organizations and for reporting to the Privacy Commissioner.
The threat of child identity theft has raised a concern not just for the protection of children’s personal information but has also shed light on the need for a higher standard of care within volunteer organizations.
CVOs believe in their fiduciary responsibility and want to demonstrate a higher standard of care.
CVOs are also guided by morals and community values, so it is in the best interest of our members to demonstrate that higher standard of care starting now.