Protect Your Data's Privacy! Data Encryption with SQL Server Joe Kuemerle @jkuemerle .
Notes for Discussion on a Privacy Practice © Joe Cleetus.
-
Upload
joella-anderson -
Category
Documents
-
view
221 -
download
0
Transcript of Notes for Discussion on a Privacy Practice © Joe Cleetus.
![Page 1: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/1.jpg)
Notes for Discussion on Notes for Discussion on a Privacy Practicea Privacy Practice
© Joe Cleetus
![Page 2: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/2.jpg)
Security and PrivacySecurity and Privacy
Security is a wider Concept Security of Information embraces:
– Confidentiality– Integrity– Availability
Achieving Security involves People, Procedures, and Technology
The same is true for Privacy
![Page 3: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/3.jpg)
Privacy DefinitionPrivacy Definition
Privacy is the expectation that confidential personal information disclosed in a private place, will NOT be disclosed to third parties, when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities
![Page 4: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/4.jpg)
Laws and Policies govern Laws and Policies govern PrivacyPrivacy
Privacy is no longer a vague concept It has been legislated A body of case law existsFederal laws, State Laws, Supra-
national lawsEven the US Constitution has a bearingBesides, companies have Policies
![Page 5: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/5.jpg)
Topical RelevanceTopical Relevance
Massive on-line databases of people Extensive on-line interactions between
companies Millions of daily transactions between
companies and customers
Who owns all this, and who has a need to know?
![Page 6: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/6.jpg)
MotivationMotivation
Maintain competitive edge
Ensure legal compliance
Enhance company image
Privacy is a requirement – not a customer delight
![Page 7: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/7.jpg)
4 Rights4 Rights
Unreasonable intrusion on the seclusion of
another person
Misappropriation of another’s identity, or
exploitation of the name
Publication of private facts
Propagation of false information about a
person
Many older laws have been re-interpreted for IT
![Page 8: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/8.jpg)
Information Privacy PrinciplesInformation Privacy Principles
1. Collect information lawfully, fairly, and only
what is relevant for the purpose
2. If personal information is collected, state the
purpose and to whom it will be disclosed
3. If personal information is collected, make sure
all reasonable steps are taken against
unauthorized access, use, modification or
disclosure, and against other misuse
![Page 9: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/9.jpg)
Information Privacy PrinciplesInformation Privacy Principles
4. Those collecting PII (personally identifiable information)
should maintain a public record of what is kept, its
purpose, who has access, and how a person may get
access to his/her information.
5. If PII is collected, make sure the record is accurate and
targeted only for the purpose kept, and permit a person to
correct the record, or attach a note to it showing the
owner of the information contests the information
contained.
![Page 10: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/10.jpg)
Information Privacy PrinciplesInformation Privacy Principles
6. If personal information is collected for one
purpose, is to be used for another purpose, or
divulged to a party, then secure the consent of
the person, unless a an emergency exists or the
law demands it, and then make a note of such
event in the record.
![Page 11: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/11.jpg)
Many Privacy Rights are Many Privacy Rights are embedded in Criminal Statutesembedded in Criminal StatutesUS Mail
Telephone conversation
Library borrowing
Bank records
Student records
Etc.Federal and States
![Page 12: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/12.jpg)
Plethora of LawsPlethora of Laws
FERPA
– Student records
ECPA Electronic Communications Privacy Act
– Most basic act for access, use, disclosure, interception
and privacy of electronic communications
Section 208 of The E-Government Act
– Federal agencies should protect PII collected
![Page 13: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/13.jpg)
Plethora of LawsPlethora of Laws
HIPAA Health Information Portability and Accountability
Act
– Medical records
Gramm-Leach Bliley Act
– protects consumers’ personal financial information held by
financial institutions.
The (Federal) Privacy Act of 1974
– FTC approved “fair information practices” that are widely
accepted principles of privacy protection
![Page 14: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/14.jpg)
Plethora of LawsPlethora of Laws
EU Data Protection Directive of 1995
– notice
– choice
– access
– onward transfer
– security
– data integrity, and
– remedy
![Page 15: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/15.jpg)
Plethora of LawsPlethora of Laws
FTC Guidelines encompass
– Web Privacy,
– E-mail privacy,
– Spam, Spyware,
– Privacy of customer data given up on commercial transaction
sites,
– Credit reports, etc.
Complaints are against unfair or deceptive trade
practices
![Page 16: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/16.jpg)
Plethora of LawsPlethora of Laws
P3P (Platform for Privacy Preferences
Project)
– An open privacy specification developed and
administered by the W3C
– Allowing visitors to a Web site to decide what
they want to give up
![Page 17: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/17.jpg)
Plethora of LawsPlethora of Laws
California SB 1386 – Personal Information:
Privacy
– applies to state agencies, or a person or
business that conducts business in California,
and owns or licenses computerized data
containing personal information
![Page 18: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/18.jpg)
Plethora of LawsPlethora of Laws
PIPEDA Personal Information Protection and
Electronic Documents Act of Canada.
FISMA Federal Information Security Management
Act (applies to Federal agencies)
– federal agencies must develop, document and
implement a department-wide information security
program
![Page 19: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/19.jpg)
Plethora of LawsPlethora of Laws
Sarbanes-Oxley
Basel II
![Page 20: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/20.jpg)
Lastly – the anti-law of PrivacyLastly – the anti-law of Privacy
USA Patriot Act
– Negates almost every prescription heretofore stated,
under special circumstances
– The circumstances are so loosely defined that much
Governmental abuse is expected
– Not only allows the Government to violate Privacy, but
mandates that companies collude in this
![Page 21: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/21.jpg)
ISO/IEC 17799ISO/IEC 17799
Standard based on BS 7799
– Covers People, Process and Technology
– A wide-ranging document on Information
Security
– Has numerous recommendations in detail
– Companies can be certified against this
standard
![Page 22: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/22.jpg)
ProposalProposal Develop a Privacy Compliance Assessment Tool
– Cover People, Process and Technology
It will be a multi-part assessment (multiple laws, multiple
departments)
It will be embedded within the a client GUI, using the APIs
provided
It will– assign an aggregate score,
– highlight serious issues, and
– provide clear pointers for improvement
![Page 23: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/23.jpg)
Benefits to ClientsBenefits to Clients Make a complex subject simple
Provide internal consultancy for bringing company
into compliance with its own policies and laws
Reduce cost of compliance
Generate a first-cut plan for improvement
Monitor compliance on an ongoing basis
![Page 24: Notes for Discussion on a Privacy Practice © Joe Cleetus.](https://reader030.fdocuments.net/reader030/viewer/2022032605/56649e755503460f94b75e57/html5/thumbnails/24.jpg)
BenefitsBenefits Enter a new market for products and services
Obtain follow-on custom work
– Consulting
– Programming for technology to support Privacy
– Customizing the general Privacy Practice to suit
industry/company