Blog


What Are the Privacy Expectations under the Obama Administration and the New Congress?

posted Sep 24, 2010 11:10 PM by Eddie Cox   [ updated Oct 31, 2010 12:22 PM by Michael Cox ]

Obama’s advisors include notable privacy advocates.
  
The following was taken from Obama’s published campaign plan.

"Safeguard our Right to Privacy: The open information platforms of the 21st century can also tempt institutions to violate the privacy of citizens.  Dramatic increases in computing power, decreases in storage costs and huge flows of information that characterize the digital age bring enormous benefits, but also create risk of abuse.  We need sensible safeguards that protect privacy in this dynamic new world.  As president, Barack Obama will strengthen privacy protections for the digital age and will harness the power of technology to hold government and business accountable for violations of personal privacy.”

More specific positions include:

  • "Obama will also work to provide robust protection against misuses of particularly sensitive kinds of information, such as e-health records and location data that do not fit comfortably within sector-specific privacy laws."
  • "Obama will increase the Federal Trade Commission’s enforcement budget and will step up international cooperation to track down cyber-criminals so that U.S. law enforcement can better prevent and punish spam, spyware, telemarketing and phishing intrusions into the privacy of American homes and computers."

 

Here is some of what we can likely expect from the Obama administration, the new congress, and state legislatures going forward:

  • Substantial increases in the FTC’s budget, jurisdiction, and enforcement powers, including increased civil penalties
  • The FTC’s final behavioral advertising principles (due out by the end of 2008) will likely be the basis for new enforcement actions
  • The Department of Health and Human Services (DHHS) will likely commence sanctions for HIPAA violations
  • E-health records will likely be included in health care reform legislation
  • Red Flag enforcement actions after May 2009
  • No federal privacy breach notification law that would pre-empt and dilute the stronger 45 state privacy breach disclosure laws
  • More state privacy laws with prescriptive data security standards, such as those in Massachusetts and Nevada (see next blog entry)
  • More enforcement at the state level to protect residents (regardless of the organization’s location)

While the economy certainly adversely affects organizational budgets, the recent failures in financial markets will bring about more regulatory oversight and enforcement actions across the board.  With the average privacy breach costing millions (see my “Value Proposition” web page), organizations must invest wisely to mitigate such an impact on their bottom line.
 
Michael Cox, CIPP
President, SoCal Privacy Consultants 

New State Privacy Laws Requiring More Prescriptive Data Protection Standards

posted Sep 24, 2010 11:07 PM by Eddie Cox   [ updated Oct 31, 2010 12:23 PM by Michael Cox ]

In 2002 California became the first state to enact a privacy breach notification law.  California requires notification of persons whose "unencrypted" sensitive personal information might have been compromised in the event of a security breach.  While there is no specific requirement to encrypt sensitive personal information, the law effectively provides that no notification is required if the compromised data was encrypted.  There are now 45 states with privacy breach disclosure laws.  Some states follow the California model.  Most state laws require "reasonable security standards" to protect sensitive personal information.
 
However, in October 2008, Nevada became the first state to enact a data security law mandating encryption for the transmission of customer personal information.  Encryption is defined broadly as "the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant ... (more specifics are provided)."  The law is brief and vague as to whether it affects only businesses in the state.  Until the law is clarified, it would be wise to assume it applies to any organization "doing business with" Nevada residents.
 
Extended to be effective in January 2010, a new Massachusetts state privacy law imposes a new set of information security requirements.  This law covers "persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts."  The law requires compliance with GLB principles and additional specific standards, such as encryption of electronically "transmitted records" and of laptops and portable devices.  There are secure user-authentication and access control requirements and many others.  This law requires close study to ensure compliance.
 
There are currently active bills in Michigan and Washington that are variants of these two recent state laws.  
 
Also in October 2008, New York published the "Business Privacy Guide: How to Handle Personal Identifiable Information and Limit the Prospects of Identity Theft."  The Guide states that "New York businesses" ... "should refer to this Guide as a resource outlining principles and best practices for privacy protection, but it is highly recommended that you continually consult a privacy professional and an attorney to ensure legal compliance with applicable state and federal laws and regulations."  The New York State Attorney General, Andrew Cuomo, has been a leading enforcement activist on behalf of New York residents, reaching settlements with organizations located in many other states.  If your organization, located in another state such as California, were to suffer a privacy breach harming New York residents, the NY State AG's Office may hold your organization accountable for violating such generally accepted standards (although the Guide refers to these as principles).
 
With the increasing frequency of privacy breaches, we are likely to continue to see a trend for more prescriptive state laws. 
 
Disclaimer: I am not a lawyer. This blog's purpose is to raise awareness, not provide legal counsel.
 
Michael Cox, CIPP
President, SoCal Privacy Consultants 

Should the Privacy and Information Security Disciplines Converge?

posted Sep 24, 2010 11:05 PM by Eddie Cox   [ updated Oct 31, 2010 12:23 PM by Michael Cox ]

See the prior two blog entries regarding the differences between the privacy and information security disciplines and the risk of having IT responsible for enterprise privacy and information security programs.
 
Many Fortune 200 companies have both a Chief Privacy Officer (CPO) and a Chief Security Officer (CSO) who work together to establish comprehensive privacy and information security programs.  The industry is discussing the need for convergence of the roles.  However, for large, customer-information-centric organizations, the CPO role should continue to evolve into an independent, strategic privacy risk management and program management role.

 

What should smaller organizations do?  The CPO function could reside in the legal department.  However, if there is a risk management function, the strategic privacy risk management program responsibilities would probably be a better fit there.  In this case, of course, the interpretation of privacy laws would be left to the legal department or outside expert privacy law counsel.  If there must be a converged CSO role, it should retain independence.  In most cases, it should probably not report solely to the CIO, who could have a conflict of interest with the transparency of findings and thus could influence what is reported from an accountability perspective.  Obviously, this would be to the great detriment of the organization.  It could be a dual reporting role to the CFO or General Counsel.  However, understanding this risk, a CEO could place this responsibility with a seasoned CIO who is a direct-report member of the senior management team while, as CEO, maintaining appropriate oversight of the program.

 

Due to the bottom-line implications, preventing privacy breaches should be in the top 10 objectives of any customer information-centric organization.  Placing responsibility any lower in the organization would not be recommended. 

 
Michael Cox, CIPP
President, SoCal Privacy Consultants  

Is There Risk in Having IT Responsible for Enterprise Information Security?

posted Oct 14, 2009 11:16 PM by Eddie Cox   [ updated Oct 31, 2010 12:24 PM by Michael Cox ]

See the prior blog entry regarding the differences between the Privacy and Information Security disciplines.

 

Many CEOs place the responsibility for strategic enterprise information security management in the hands of IT and the responsibility for privacy risk management in the legal department.  Typically, these two functions do not work together.  Unless the legal resource is a dedicated, empowered Chief Privacy Officer with program and process management experience as well as people skills, the primary privacy objectives (discussed in the prior blog entry) will not likely be achieved.

 

Many renowned security experts agree that information security professionals often struggle to build and establish effective information security programs.  As a result, their programs have gaping holes that leave their organizations vulnerable.  Privacy breaches are being reported almost daily by organizations with "formal" information security programs.  Why is this so?

 

A Certified Information Systems Security Professional (CISSP) is considered one of the top information security certification credentials.  It is a great certification for comprehensively understanding the tactical implementation of information security.  However, the Official Guide to the CISSP CBK (Common Book of Knowledge) devotes only two of its over 700 pages of core text to privacy laws.  All too often, the individual directly responsible for an organization’s information security program is a technologist who does not have a working understanding of the laws, typical enforcement actions, and privacy breach costs and impacts.  Such a technologist finds it difficult to get commitment from C-level executives for the development of the organizational privacy strategy and the appropriate resources, including people and budget, to support implementation of the strategy enterprise-wide.  In addition to being a CISSP (or CISA, CISM, GIAC, etc.), the technologist could also become a Certified Information Privacy Professional (CIPP) to better enable appropriate communication and engagement with C-levels and secure the top-down commitment that is the foundation of every successful information security program.  The CIPP text and exam devote two of their five components to privacy law / compliance and workplace privacy (laws).

 

However, the technologist must also have the competencies to develop and maintain policies, train people, assess and manage risks, and partner with functional (non-IT) senior managers to achieve enterprise information security.

 

Michael Cox, CIPP
President, SoCal Privacy Consultants  

Privacy & Information Security - How Are These Different?

posted Oct 14, 2009 11:11 PM by Eddie Cox   [ updated Oct 31, 2010 12:25 PM by Michael Cox ]

Privacy is strategic - information security is tactical

 

Privacy is strategic in nature.  The primary objective is to develop the organizational strategy to protect sensitive personal information.  This includes ensuring the “appropriate use” of personal information, which is defined by law, public sensitivity, customer preferences, and circumstances or context.  In this age of information marketing, this is a complex and rapidly evolving area.  It involves engaging executives in the development and support of this organizational strategy, which is critical to the solid establishment of information security across the enterprise.

 

The law, regulations and standards cannot keep up with this information age, the Internet, new technologies, and the bad guys.  Evolving public sensitivity must be anticipated.  The organizational strategy to protect this information, including appropriate use, should be forward-looking to mitigate organizational liability.  Following a certain standard or set of standards does not necessarily eliminate organizational liability.  Although certified compliant with PCI standards, Hannaford Grocery, a large northeastern U.S. regional supermarket, suffered a major breach.

 

As a complement to privacy, information security is tactical in nature and addresses three objectives: information integrity, availability and confidentiality.  Information security generally follows a single standard, such as ISO 17799, or a set of best practices that cuts across multiple standards.

Privacy and information security professionals must work together to strategically and tactically protect sensitive customer information.  An organization can have information security without privacy (appropriate use).  However, it cannot have privacy without information security (tactical implementation).

 

Lastly, privacy and information security each have scope that the other does not cover.  Information security is not concerned with the appropriate use of sensitive personal information.  Privacy is not concerned with the availability of information and is concerned with the integrity of information only when it is used in customer decision-making.
 
Michael Cox, CIPP
President, SoCal Privacy Consultants 
