Essentials of RIM… · E-records security CONFIDENTIALITY Limit information access and...


Page 1: Essentials of RIM… · E-records security CONFIDENTIALITY Limit information access and disclosure to authorized users and prevent unauthorized users from viewing restricted resources.

Essentials of RIM

Are you an asset to your organization? Do you have the skills needed to manage records and information within your organization as a strategic component for success? ARMA International’s Essentials of RIM Certificate is designed for entry-level information management professionals and other individuals whose jobs involve records, ….

There's no travel involved - all courses are offered online for convenient and flexible training on YOUR schedule.

www.arma.org/essentials/

Page 2:

Privacy and Security

for you & yours, your organization & theirs

Page 3:

Objectives

describe threats to security of personal data

identify regulations that affect organization’s privacy policies

list ways to protect against data breaches

explain how a RIM program can decrease threats to privacy

Page 4:

PRIVACY defined

Merriam Webster definition:

a : the quality or state of being apart from company or observation

b : freedom from unauthorized intrusion http://www.merriam-webster.com/dictionary/privacy

Right to Privacy

the qualified legal right of a person to have reasonable privacy in not having his private affairs made known or his likeness exhibited to the public having regard to his habits, mode of living, and occupation

http://www.merriam-webster.com/dictionary/right%20of%20privacy


Page 5:

Louis D. Brandeis photo accessed from the Brandeis University Legacy Fund for Social Justice webpage: http://www.brandeis.edu/legacyfund/bio.html

Samuel D. Warren photo accessed from Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/Samuel_D._Warren

People have a common-law right to privacy.

4 Harvard Law Review 193 (1890) http://www.law.louisville.edu/library/collections/brandeis/node/225 Louis D. Brandeis School of Law, The University of Louisville (Kentucky)

Page 6:

“Privacy, in other words, involves so many things that it is impossible to reduce them all to one simple idea.”

Daniel J. Solove, “Why Privacy Matters Even if You Have Nothing to Hide,” The Chronicle of Higher Education. Available at http://chronicle.com/article/Why-Privacy-Matters-Even-if/127461/

Page 7:

The Internet complicates things.

There’s no global privacy standard or governance.

Global commerce and communication require mindfulness of other nations’ standards and rules.

Global commerce and communication offer an array of vendors and correspondents – and an array of opportunities for cyber attacks.

Page 8:

Marketing Private?

Cookies: session, persistent, flash

Targeted marketing:

informs buyer of products & services

offers discounts

allows auto-fill of forms

Permission-based marketing: Company must ask if customers agree to share information.

Page 9:

Social Media

Users freely post to sites.

Users are largely inattentive to privacy considerations.

Sites collect, use and share data without informing users.

photo accessed from Honda Ridgeline interior photos page: http://automobiles.honda.com/ridgeline/interior-photos.aspx

Opt in or opt out – Whose burden is it?

Page 10:

http://www.ftc.gov/

Ensure reasonable security for consumer data.

Limit collection and retention of personal data.

Make reasonable efforts to ensure personal data is accurate.

Provide customers and clients with choices about how data is collected and shared.

Compose shorter, clearer, standardized privacy policies.

Federal Trade Commission: Build protection into business records plan to ensure privacy and security – privacy by design

Page 11:

Threats to privacy

cyber attacks

cyber attackers’ anonymity

damage to, loss or theft of portable devices

data corruption

Many organizations just are not equipped to deal with rapidly changing technology; hackers are.

Page 12:

ALL electronic transmissions are vulnerable.

email, online purchases, photo posts, tweets

even encrypted data

portable device is lost or stolen

portable device is hacked at a wifi location

user leaves a public or shared computer without logging off

Page 13:

Information technology is fast, fast-changing, and changing attitudes.

Ethics and standards are not keeping pace with technological advances.

Page 14:

Medical Records - Electronic Health Records (EHR)

greater storage capability = greater efficiency for patients, providers, payment systems

no need for patient to fill out same forms over and over

EHR stored in several places, records not lost in disaster

LOCKSS? Lots of copies. Keep stuff safe. (managed copies)

All of the above result in cost savings for providers, which may be passed on to the consumer.

Page 15:

“Medical identity theft refers to the misuse of another individual’s PII such as name, date of birth, SSN, or insurance policy number to obtain or bill for medical services or medical goods.”

Medical Identity Theft Environmental Scan, Booz Allen Hamilton, 2008 www.healthit.gov/sites/default/files/hhs_onc_medid_theft_envscan_101008_final_cover_note_0.pdf

To identity thieves, medical ID is worth twice as much as “regular” personal data.

Page 16:

Med ID can be compromised by…

Financial medical identity theft: Someone is getting medical help using your name and/or other information.

Criminal medical identity theft: You are being held responsible for the actions of another’s criminal behavior.

Government benefit fraud: Your medical benefits are being used by another person.

http://oig.hhs.gov/fraud/medical-id-theft/index.asp

Page 17:

Smart grid customizes power system to reflect home owners’ needs

Customers’ energy use could reveal: daily schedules; the presence of alarm systems; the presence of sophisticated, expensive electronic equipment in the residence.

Vehicle “black boxes” can save lives (think of GM’s OnStar)

Insurers can use drivers’ data to determine rates – lower or higher.

Page 18:

Commingling personal and business data

Who is the “owner” of business records created, amended, retained on employee’s computer?

Who is the “owner” of personal records created, amended, retained on company-owned equipment?

The session study guide cites John Montaña’s recommendations for clarifying rights of access.

Page 19:

Employers:

1. Determine the need for intrusive access policies based on the type of work being done.

2. Make it clear that copies of employer-owned data remain the employer's property.

3. Provide computers to employees for important offsite work.

Employees:

1. Read policies and negotiate before signing.

2. Keep personal computers private.

3. Segregate and protect personal data.

Page 20:

Data Breaches

A data breach is the unauthorized access to, disclosure of, or compromise of physical or electronic data.

Identify the breach to shorten time between attack and response

Response team members may include chief privacy officer, chief information officer, chief IT security officer, human resources staff, public relations staff, legal counsel, and sometimes even law enforcement.

Page 21:

Assess risk level

Does the nature of the breach indicate criminal intent?

What kind of data is at risk?

Is personal information compromised?

Is there evidence that data is being used for identity theft?

Are lives in danger?

Can systems be damaged or affected by the breach?

Are controls in place that will minimize damage?

Page 22:

Assign risk

low risk: Criminal intent is not apparent. Controls are in place to handle the breach. Notification may do more harm than good.

medium risk: Criminal intent could be involved. Controls are in place to prevent criminal success. Law enforcement, affected organizations, and affected individuals might be notified.

high risk: Breach is likely criminally motivated. Controls to minimize privacy violation are ineffective. Organization likely will notify individuals involved and will provide some sort of remedy.

Page 23:

Disclose the breach

Consult legal counsel for help in preparing the disclosure.

Business plan should contain an established data disclosure plan.

Consider state, federal and international laws & regulations.

Up-front disclosure is better than damage control.

Page 24:

“Destruction by Design”

Destroy information appropriately.

Maintain responsibility for outsourced records services.

Enforce accountability for records decisions.

Consider that “free” may not be.

Delete delete/Delete re-write/De-duplicate

Page 25:

Safeguarding privacy

U.S. data protection regulations are piecemeal, and address industry-specific concerns.

CALEA - Communications Assistance for Law Enforcement Act

COPPA - Children’s Online Privacy Protection Act

DPPA - Driver Privacy Protection Act

FERPA - Family Educational Rights and Privacy Act

HITECH - Health Information Technology for Economic and Clinical Health

PIPA; SOPA - Stop Online Piracy Act; Protect IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act)

Page 26:

European Union’s Data Protection Directive 95/46/EC of 24 October 1995 is broader, and standardized for all 27 member nations.

Individuals must give explicit consent for their data to be transferred to a third party, unless the third party is conducting services on behalf of the initial party.

The Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.

http://ec.europa.eu/justice/data-protection

Among proposed revisions is an extension of personal privacy rights to include law enforcement and criminal justice systems.

Page 27:

Security

1 the quality or state of being secure: as a: freedom from danger; b: freedom from fear or anxiety; c: freedom from the prospect of being laid off (job security)

2 a: something given, deposited, or pledged to make certain the fulfillment of an obligation; b: surety

3: an instrument of investment in the form of a document (as a stock certificate or bond) providing evidence of its ownership

4 a: something that secures: protection; b (1): measures taken to guard against espionage or sabotage, crime, attack, or escape (2): an organization or department whose task is security

http://www.merriam-webster.com/dictionary/security

Page 28:

U.S. Regulations

FCRA (Fair Credit Reporting Act)

FACTA (Fair and Accurate Credit Transactions Act)

HIPAA (Health Insurance Portability and Accountability Act)

GLBA (Gramm-Leach-Bliley Act)

Information Security Standards

B(ritish) S(tandard) 7799 – first standard for information security

ISO 27001 – to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.”

ISO 27002 – details specific controls that may be applied to secure information and related assets

Page 29:

Digital Security Standard

Protection of cardholder data

Encryption of data during transmission

Restricted access

Tracking and monitoring access

Security maintenance policies

HRIS (Human Resources Information System) may contain an organization’s most sensitive data

Policy: Access is allowed on a need-to-know basis.

Policy: Access is secured.

Page 30:

E-records security

CONFIDENTIALITY: Limit information access and disclosure to authorized users and prevent unauthorized users from viewing restricted resources.

INTEGRITY: Ensure the data has not been altered inappropriately.

AVAILABILITY: Networks, servers, routers, software, and desktop machines must be reliable.

https://www.cia.gov/library/publications/the-world-factbook/

Page 31:

Internet use (policy)

Establish ownership.

State that e-mail messages and Internet usage are not private.

Assign employees a username and a password to access the Internet, and limit Internet use to business purposes only.

Define recordkeeping requirements.

Stipulate that business must be conducted on company e-mail, and require employees to use internal IM.

State that employees cannot intentionally block the organization’s anti-virus software.

Conclude the policy by reminding employees that the organization, not the employee, owns the computer systems.

Page 32:

Transmission security

ALL electronic transmissions can be intercepted.

Collaborate with I.T.:

Encrypt all sensitive data for transmission and distribution.

Use firewalls to protect both incoming and outgoing network traffic.

Keep current on patches and updates to software.

Use virtual private networks (VPNs) for employees in remote locations.

Close hardware and software vendor default passwords.

Secure workplace wireless networks.

Secure home work environments, including wireless networks for employees who work from home.

Page 33:

Cloud security

Ensure that your contract with cloud vendors includes adequate security protections.

Involve security and privacy professionals in the decision about which vendor to use.

But most importantly, have a clearly stated policy outlining what sensitive information is and how it should be handled.

Page 34:

Physical security of e-records

Monitoring server room access is required under ISO 27002, as is protection of all associated end-user machines.

William Saffady recommends:

Restrict admittance to media repositories to those with a legitimate business reason.

Require badges to identify authorized employees.

Limit access to a single, supervised entrance. Configure other doors as emergency exits with strike bars and audible alarms.

Never leave media repositories unattended. Lock them when they are unattended.

Back up vital records at predetermined intervals and store them in secured, offsite facilities.

Page 35:

Records Manager’s role

Some laws, e.g., HIPAA and GLBA, require organizations to have an overseer of privacy training and compliance.

ensures that personal information is not jeopardized in any of an organization’s marketing or in its online presence

monitors information systems to ensure safety of the organization’s information and the privacy of customers, employees, vendors, and suppliers

Page 36:

Privacy and compliance policy:

Start here.

Inventory

Assess data collection

What types of data are collected?

How is the data collected?

How is the data used?

Inventory sensitive data

What, where, when, how - is stored

How are accuracy and completeness verified?

Page 37:

Data Classification

Assign data sensitivity level as it is created, revised, stored or transmitted.

Classification informs as to the extent to which the data need to be secured.

Collaborate with I.T. to identify records that are subject to privacy regulations.

Page 38:

Privacy Compliance

David O. Stephens’s recommendations:

Enterprise-wide privacy policy

No unauthorized use of data will be made that conflicts with the policy.

Breach of the policy will result in disciplinary action.

Deliberate breaches will be considered as being gross misconduct; appropriate remedies will be applied.

Data encryption enhances security

Audit systems containing personal information systematically

illustration: http://vis.berkeley.edu/courses/cs294-10-fa08/wiki/images/d/d5/Encryption_Illustration.pdf

Page 39:

Determine use

How many recordkeeping systems contain sensitive data?

Where are those systems?

What is the data?

Re-examine retention practices

Retain only factual information for the minimum amount of time to meet business requirements and to comply with the law.

Destroy records under an approved retention policy.

Page 40:

Done and gone (?)

Objectives met:

described threats to security of personal data

identified regulations that affect organization’s privacy policies

listed ways to protect against data breaches

explained how a RIM program can decrease threats to privacy

Page 41:

Sources and Resources (online)

Essentials of RIM: www.arma.org/essentials/

Information Management Magazine: content.arma.org/IMM/online/InformationManagement.aspx

David O. Stephens, “Protecting Personal Privacy in the Global Business Environment,” IMJ May/June 2007, 56-59. Available at www.arma.org/bookstore/files/Stephens1.pdf

Nikki Swartz, “Protecting Information from Insiders,” IMJ May/June 2007, 20-23. Available at www.arma.org/bookstore/files/Swartz9.pdf

Judy Vasek Sitton, “When the Right to Know and the Right to Privacy Collide,” IMJ Sept/Oct 2006, 76-80. Available at www.arma.org/bookstore/files/Sitton.pdf

AIIM: www.aiim.org/search?q=privacy

Data Breach Watch: www.databreachwatch.org

Data Loss DB: datalossdb.org

Federal Trade Commission (FTC) Bureau of Consumer Protection (BCP), Privacy and Security: business.ftc.gov/privacy-and-security

Free tutorial on sensitive data: www.ftc.gov/infosecurity

Information Security Forum: www.securityforum.org

International Association of Privacy Professionals (IAPP): www.privacyassociation.org

ISO 27001: www.27000.org/iso-27001.html (links to 27002 – 27006 in navigation bar)

National Archives and Records Administration (NARA), Information Security Oversight Office (ISOO): www.archives.gov/isoo/

36 CFR Part 1228, Subpart K -- Facility Standards for Records Storage Facilities: www.archives.gov/records-mgmt/bulletins/2005/2005-07a.pdf

Page 42:

Sources and Resources (online) continued (p. 2)

National Association for Information Destruction (NAID): www.naidonline.org

National Conference of State Legislatures (NCSL): www.ncsl.org/

National Institute of Standards and Technology (NIST) Special Publications (800 Series): csrc.nist.gov/publications/PubsSPs.html

Society of American Archivists: www2.archivists.org/

American Health Information Management Association (AHIMA): www.ahima.org/

Health Privacy Foundation (University of Denver Sturm College of Law): www.privacyfoundation.org/

Office of the National Coordinator (ONC) for Health Information Technology: www.healthit.gov

Privacy Rights Clearinghouse, HIPAA Basics: Medical Privacy in the Electronic Age – Fact Sheet 8a: www.privacyrights.org/

US Department of Health and Human Services: www.hhs.gov

National Security Act: www.gpo.gov/fdsys/pkg/PLAW-110publ53/content-detail.html

Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001): www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf

Texas: https://www.oag.state.tx.us/consumer

Arkansas: http://ohit.arkansas.gov

Louisiana: http://www.lla.state.la.us

Oklahoma: http://www.odl.state.ok.us/lawinfo

New Mexico: http://www.cfb.state.nm.us

Page 43:

Sources and Resources (online) continued (p. 3)

United States House of Representatives: www.house.gov

United States Senate: www.senate.gov

European Union: ec.europa.eu

Canada: http://www.priv.gc.ca/leg_c/leg_c_a_e.asp

Australia: www.privacy.gov.au

China (PowerPoint presentation by Yue Liu, University of Norway, Faculty of Law): www.uio.no/.../Data_privacy_law_in_Asia_pacific%2008]%20(2).pp

Ponemon Institute: www.ponemon.org/

Mondaq: www.mondaq.com “Privacy” is one of a variety of topics from which to choose.

Digital Democracy: digital-democracy.org

Future of Privacy Forum: www.futureofprivacy.org/de-identification/

Electronic Frontier Foundation: www.eff.org

On The Media: www.onthemedia.org

“The Privacy Show:” www.onthemedia.org/2013/jan/04/ (a compilation of privacy-related shows)

Pogo Was Right.org: www.pogowasright.org (may contain ranting)

Also: newspapers; colleges and universities, especially law schools; LinkedIn

One of the CISPA articles below was linked to an ARMA International group discussion post.

“CISPA passes U.S. House: Death of the Fourth Amendment?” Zack Whitaker for Zero Day, at http://www.zdnet.com/cispa-passes-u-s-house-death-of-the-fourth-amendment-7000014205/

“CISPA Amendment Banning Employers from Asking for Facebook Passwords Blocked,” Sara Gates, at Huffington Post at www.huffingtonpost.com/2013/04/21/cispa-amendment-facebook-passwords-blocked_n_3128507.html

Page 44:

ARMA Houston www.armahouston.org

Nancy Sparrow 281 341 8683

www.arma.org