
IT Risk Management

Lecture 7
Sensitive Data Management
Privacy

Privacy
The rights of an individual to trust that others will appropriately and respectfully
use, store, share and dispose of his/her associated personal and sensitive
information within the context, and according to the purposes, for which it was
collected or derived.

Scope Notes: What is appropriate depends on the associated circumstances,
laws and the individual's reasonable expectations. An individual also has the
right to reasonably control and be aware of the collection, use and disclosure
of his/her associated personal and sensitive information.

Source: ISACA Glossary

Data Privacy Laws - Overview
• Privacy protection laws vary from country to country in both scope and
application (for example, European Union privacy and security laws are
more comprehensive than US privacy laws).
• In the US there is no single comprehensive federal law regulating the
collection and use of personal data, but rather a patchwork of federal and
state laws.
• There are also guidelines developed by government organizations and
industry groups, as part of self-regulatory guidelines and frameworks, that
are considered best practices.
• Companies operating in multiple jurisdictions should familiarize themselves
with privacy laws in all jurisdictions in which they operate.
• A company's privacy policy should provide a framework for required data
protection activities.
• It is also imperative that companies have a Data Breach Incident Response
procedure in place, which clearly specifies the plan of action in case of a
breach

Source: International Law News, Volume 41, No 4, 2012, Data Privacy Protection: A Serious Business for Companies

Data Privacy Laws – Federal Laws
• The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C.
1301 et seq.) regulates medical information. It applies broadly to health
care providers, data processors, pharmacies and other entities that come
into contact with medical information.
• The HIPAA Omnibus Rule revised the Security Breach Notification Rule (45
C.F.R. Part 164) which requires covered entities to provide notice of a
breach of protected health information.
• The Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB))
(15 U.S.C. 6801-6827) regulates the collection, use and disclosure of
financial information. It can apply broadly to financial institutions such as
banks, securities firms and insurance companies, and to other businesses
that provide financial services and products.
• The Federal Trade Commission Act (15 U.S.C. 41-58) (FTC Act) is a
federal consumer protection law that prohibits unfair or deceptive practices
and has been applied to offline and online privacy and data security
policies. The FTC has brought many enforcement actions against
companies failing to comply with posted privacy policies and for the
unauthorized disclosure of personal data.

Data Privacy Laws – State Laws

• Many federal privacy laws do not pre-empt state laws, which means that a
company can find itself in the position of trying to comply with federal and
state privacy laws that regulate the same types of data or types of activity.
• California leads the way in the privacy arena, having enacted multiple
privacy laws, some of which have far-reaching effects at a national level.
• California was the first state to enact a security breach notification law
(California Civil Code 1798.82). The law requires any person or business
that owns or licenses computerized data that includes personal information
to disclose any breach of the security of the system to all California
residents whose unencrypted personal information was acquired by an
unauthorized person.

Data Privacy Laws – State Laws (cont.)

• Most of the early state security breach notification laws mirrored
California's law. More recently, a number of states have enacted more
prescriptive and preventative laws, that is, laws that are more stringent
and actually establish requirements to avoid a security breach. The best
example of a preventative-type law is the Massachusetts Regulation
(201 CMR 17.00), which prescribes in considerable detail an extensive list
of technical, physical and administrative security protocols aimed at
protecting personal information, which affected companies must implement
in their security architecture and describe in a comprehensive written
information security program.
• As of April 2016, 47 states, as well as the District of Columbia, Puerto Rico
and the US Virgin Islands all have enacted laws requiring notification of
security breaches involving personal information.

California Online Privacy Protection Act

• The California Online Privacy Protection Act defines personally identifiable
information as individually identifiable information about an individual
consumer collected online by the operator from that individual and
maintained by the operator in an accessible form, including any of the
following:
• A first and last name.
• A home or other physical address, including street name and name of
a city or town.
• An e-mail address.
• A telephone number.
• A social security number.
• Any other identifier that allows the physical or online contacting of a
specific individual.
• Information concerning a user that the website or online service
collects online from the user and maintains in personally identifiable
form in combination with an identifier described above.

California Security Breach Notification Law
• The California Security Breach Notification Law regulates personal
information, which means an individual's first name or first initial and last
name in combination with any one or more of the following data elements,
when either the name or the data elements are not encrypted:
• Social security number.
• Driver's license number or California Identification Card number.
• Account number, credit or debit card number, in combination with
any required security code, access code or password that allows
access to an individual's financial account.
• Medical information.
• Health insurance information.
• Personal information also includes a user name or email address, in
combination with a password or security question and answer that would
permit access to an online account.
• Personal information does not include publicly available information that is
lawfully made available to the general public from federal, state or local
government records.
Source: https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf
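As an added illustration (not part of the lecture or of the cited guidance), the following Python classifier applies the definition above to records from a breached export and reports which records carry notifiable personal information, i.e. a qualifying combination where some part is stored unencrypted. The field labels, the per-field encrypted flag and the sample export are constructed; applying the "not encrypted" condition to the user name/e-mail plus credential combination is an assumption, since the slide states that condition only for the name-based combination.

```python
"""Breach-scope triage with the California Security Breach Notification Law
definition of "personal information" as summarised on the slide.  A record is a
dict: field label -> True if stored encrypted, False if stored in the clear."""

# Constructed labels for the data elements that form personal information with a name.
NAME_LINKED = {
    "ssn", "drivers_license", "ca_id_card",
    "account_number_with_access_code",  # account/card number plus required code
    "medical_info", "health_insurance_info",
}
ONLINE_IDS = {"user_name", "email"}                      # online-account identifiers
CREDENTIALS = {"password", "security_question_answer"}   # permit access to the account
NAME_FIELDS = ("first_name", "first_initial", "last_name")

def has_name(rec):
    """First name or first initial, together with last name."""
    return "last_name" in rec and ("first_name" in rec or "first_initial" in rec)

def in_clear(rec, keys):
    """Fields from `keys` present in the record and stored unencrypted."""
    return sorted(k for k in keys if k in rec and not rec[k])

def classify(rec, public_record=False):
    """Return (notifiable, reason).  A record is notifiable when it meets the
    definition and either side of the combination is unencrypted, since the law
    covers unencrypted personal information acquired by an unauthorized person."""
    if public_record:  # exclusion for information lawfully available from government records
        return False, "excluded: lawfully available government record"
    if has_name(rec):
        elems = sorted(k for k in NAME_LINKED if k in rec)
        if elems and (in_clear(rec, NAME_FIELDS) or in_clear(rec, NAME_LINKED)):
            return True, "name + " + ",".join(elems)
    ids = sorted(k for k in ONLINE_IDS if k in rec)
    creds = sorted(k for k in CREDENTIALS if k in rec)
    # Assumption: the same "not encrypted" condition applies to this combination.
    if ids and creds and (in_clear(rec, ONLINE_IDS) or in_clear(rec, CREDENTIALS)):
        return True, "online account: " + ",".join(ids + creds)
    return False, "not personal information, or fully encrypted"

def triage(records):
    """(index, reason) for each record of a breached export that triggers notice."""
    return [(i, classify(r)[1]) for i, r in enumerate(records) if classify(r)[0]]

# Constructed sample export (True = stored encrypted, False = in the clear).
SAMPLE = [
    {"first_name": False, "last_name": False, "ssn": False},        # name and SSN in clear
    {"first_initial": False, "last_name": False, "ssn": True},      # name in clear, SSN encrypted
    {"first_name": True, "last_name": True, "medical_info": True},  # everything encrypted
    {"first_name": False, "last_name": False},                      # name alone
    {"email": False, "password": True},                             # e-mail in clear + password
    {"ssn": False},                                                 # SSN without a name
]
```

Calling `triage(SAMPLE)` flags records 0, 1 and 4; record 2 is skipped because both the name and the medical information are encrypted, and record 5 because a data element without a name falls outside the definition.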

Security/Third-Party Disclosure Requirements - FTC

• The FTC's Behavioral Advertising Principles suggest that website operators
that collect and/or store consumer data for behavioral advertising should
provide reasonable security for that data and should retain data only as long
as is necessary to fulfil a legitimate business or law enforcement need.
Consumer data protection should be based on the:
• Sensitivity of the data.
• Nature of the company's business operations.
• Types of risk a company faces.
• Reasonable protections available to a company.
• The FTC has issued several rules, including the Safeguards Rule, the
Affiliate Sharing Rule, and the Affiliate Marketing Rule, that limit the sharing
and use of financial information and credit report information with affiliates.

Source: Federal Trade Commission

Security Requirements - GLB
• The GLB Safeguards Rule requires companies to develop a written information
security plan that describes their customer information protection program. The
plan must be appropriate to the company's size and complexity, the nature and
scope of its activities, and the sensitivity of the customer information it handles.
As part of its plan, each company must:
• Designate one or more employees to co-ordinate its information security
program.
• Identify and assess the risks to customer information in each relevant area
of the company's operation, and evaluate the effectiveness of the current
safeguards for controlling these risks.
• Design and implement a safeguards program, and regularly monitor and
test it.
• Select service providers that can maintain appropriate safeguards, ensure
contracts require them to maintain safeguards, and oversee their handling
of customer information.
• Evaluate and adjust the program in light of relevant circumstances,
including changes in the firm's business or operations, or the results of
security testing and monitoring.

Third-Party Disclosure Requirements - GLB
• Under GLB, a financial institution can disclose an individual's non-public
personal information with a non-affiliated entity without providing the individual
the right to opt out if:
• The disclosure is to a third party that uses the information to perform
services for the financial institution.
• The financial institution provides notice of this practice to the individual
before sharing the information.
• The financial institution and the third party enter into a contract that
requires the third party to maintain the confidentiality of the information
and to use the information only for the prescribed purpose.

Source: Federal Trade Commission

Security Requirements – HIPAA
• The Privacy Rule protects all "individually identifiable health information" held or
transmitted by a covered entity or its business associate, in any form or media,
whether electronic, paper, or oral. The Privacy Rule calls this information
"protected health information (PHI)."
• “Individually identifiable health information” is information, including demographic
data, that relates to:
• the individual’s past, present or future physical or mental health or
condition
• the provision of health care to the individual
• the past, present, or future payment for the provision of health care to
the individual,
and that identifies the individual or for which there is a reasonable
basis to believe can be used to identify the individual. Individually
identifiable health information includes many common identifiers
(e.g., name, address, birth date, Social Security Number).
• The Privacy Rule excludes from protected health information employment
records that a covered entity maintains in its capacity as an employer and
education and certain other records subject to, or defined in, the Family
Educational Rights and Privacy Act, 20 U.S.C. 1232g.

Third-Party Disclosure Requirements – HIPAA

• The HIPAA Privacy Rule allows covered entities to disclose PHI to business
associates if the parties enter into an agreement that requires the business
associate to use the information only for the purposes for which it was
engaged by the covered entity, to safeguard the information from misuse,
and to assist the covered entity in complying with certain of the covered
entity's duties under the Privacy Rule.
• When a covered entity knows of a material breach or violation by the
business associate of the agreement, the covered entity must take
reasonable steps to cure the breach or end the violation, and if these steps
are unsuccessful, to terminate the arrangement. If termination of the
agreement is not feasible, a covered entity must report the problem to the
Department of Health and Human Services Office for Civil Rights.

Source: OCR, Summary of the HIPAA Privacy Rule, https://www.hhs.gov/sites/default/files/privacysummary.pdf

PCI DSS

• The payment card industry, including the powerhouses of MasterCard and
Visa, through its PCI Security Standards Council designed a private-sector
initiative to protect payment card information between banks and merchants.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of
contractual rules governing how credit card data is to be protected (see the
Tech Tip sidebar "PCI DSS Objectives and Requirements").
• The current version is 3.1, which was released in April 2015. This is a
voluntary, private-sector initiative that is proscriptive in its security guidance.
• Merchants and vendors can choose not to adopt these measures, but the
standard has a steep price for noncompliance; the transaction fee for
noncompliant vendors can be significantly higher, fines up to $500,000 can be
levied, and in extreme cases the ability to process credit cards can be
revoked.

PCI DSS Objectives and Requirements
PCI DSS v3 includes six control objectives containing a total of 12 requirements:
1. Build and Maintain a Secure Network
• Requirement 1 - Install and maintain a firewall configuration to protect
cardholder data
• Requirement 2 - Do not use vendor-supplied defaults for system
passwords and other security parameters
2. Protect Cardholder Data
• Requirement 3 - Protect stored cardholder data
• Requirement 4 - Encrypt transmission of cardholder data across open,
public networks
3. Maintain a Vulnerability Management Program
• Requirement 5 - Protect all systems against malware and regularly
update antivirus software or programs
• Requirement 6 - Develop and maintain secure systems and applications

PCI DSS Objectives and Requirements (Cont.)

4. Implement Strong Access Control Measures
• Requirement 7 - Restrict access to cardholder data by business
need-to-know
• Requirement 8 - Identify and authenticate access to system
components
• Requirement 9 - Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
• Requirement 10 - Track and monitor all access to network resources
and cardholder data
• Requirement 11 - Regularly test security systems and processes
6. Maintain an Information Security Policy
• Requirement 12 - Maintain a policy that addresses information
security for all personnel

Source: Payment Card Industry (PCI) Data Security Standard, v 3.2,
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1499099574145

GDPR Objectives

The aim of the General Data Protection Regulation (GDPR) is to
protect all EU citizens from privacy and data breaches in an
increasingly data-driven world that is vastly different from the time in
which the 1995 directive was established. Although the key principles
of data privacy still hold true to the previous directive, many changes
have been proposed to the regulatory policies.

Enforcement date: 25 May 2018 - at which time those organizations in
non-compliance will face heavy fines.

Source: EUGDPR.org

GDPR Summary
Increased Territorial Scope (extra-territorial applicability)
• It applies to all companies processing the personal data of data subjects residing in the Union,
regardless of the company’s location. (previously, territorial applicability of the directive was
ambiguous and referred to data process 'in context of an establishment'.) This topic has arisen
in a number of high profile court cases.

Penalties
• Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20
Million (whichever is greater).
• There is a tiered approach to fines e.g. a company can be fined 2% for not having their records
in order (article 28), not notifying the supervising authority and data subject about a breach or
not conducting impact assessment.
• These rules apply to both controllers and processors -- meaning 'clouds' will not be
exempt from GDPR enforcement.

Consent
• The request for consent must be given in an intelligible and easily accessible form, with the
purpose for data processing attached to that consent.
• Consent must be clear and distinguishable from other matters and provided in an intelligible
and easily accessible form, using clear and plain language. It must be as easy to withdraw
consent as it is to give it.

GDPR – Data Subject Rights
Breach Notification
• Mandatory in all member states where a data breach is likely to “result in a risk for
the rights and freedoms of individuals”. This must be done within 72 hours of first
having become aware of the breach.
• Data processors will also be required to notify their customers, the
controllers, “without undue delay” after first becoming aware of a data breach.

Right to Access
• The right for data subjects to obtain from the data controller confirmation as to
whether or not personal data concerning them is being processed, where and for
what purpose.
• The controller shall provide a copy of the personal data, free of charge, in an
electronic format. This change is a dramatic shift to data transparency and
empowerment of data subjects.

Right to be Forgotten
• Entitles the data subject to have the data controller erase his/her personal data,
cease further dissemination of the data, and potentially have third parties
halt processing of the data (also known as Data Erasure).
• The conditions for erasure include the data no longer being relevant to the original
purposes for processing, or a data subject withdrawing consent.

GDPR – Data Subject Rights (Cont.)

Data Portability
• GDPR introduces data portability - the right for a data subject to receive the personal
data concerning them, which they have previously provided, in a 'commonly used and
machine readable format', and the right to transmit that data to another
controller.

Privacy by Design
• At its core, privacy by design calls for the inclusion of data protection from the onset
of the design of systems, rather than as an addition. Article 23 calls for controllers to
hold and process only the data absolutely necessary for the completion of their duties
(data minimization), as well as limiting access to personal data to those needing
to carry out the processing.

GDPR – Data Subject Rights (Cont.)
Data Protection Officers
• Under GDPR it will not be necessary to submit notifications / registrations to each
local DPA of data processing activities, nor will it be a requirement to notify / obtain
approval for transfers based on the Model Contract Clauses (MCCs). Instead, there
will be internal record keeping requirements, as further explained below.
• DPO appointment will be mandatory only for those controllers and processors whose
core activities consist of processing operations which require regular and systematic
monitoring of data subjects on a large scale, or of special categories of data or data
relating to criminal convictions and offences.
• The DPO:
  • Must be appointed on the basis of professional qualities and, in particular,
  expert knowledge of data protection law and practices
  • May be a staff member or an external service provider
  • Contact details must be provided to the relevant DPA
  • Must be provided with appropriate resources to carry out their tasks and
  maintain their expert knowledge
  • Must report directly to the highest level of management
  • Must not carry out any other tasks that could result in a conflict of
  interest.
