1 / 22

Information privacy in the United States

Information privacy in the United States. James Jones, Jason Mallory, Quentin James. U.S. Privacy Laws. Debate is centered around data privacy Very few U.S. laws or regulations about information privacy No all-encompassing law that regulates information privacy or data protection

kaemon
Download Presentation

Information privacy in the United States

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Information privacy in the United States James Jones, Jason Mallory, Quentin James

  2. U.S. Privacy Laws Debate is centered around data privacy Very few U.S. laws or regulations about information privacy No all-encompassing law that regulates information privacy or data protection Problems arise out of need to transfer information to places like India or other European countries

  3. U.S. Privacy Laws(the gist) In short, anyone who wants to take down the data not only has the right to do so but also has the ability to store and use the data anyway they deem necessary regardless of how the information was obtained.

  4. Privacy Problems in the U.S. • Access to your private data can be accessed via third-party credit reports for: • Employment • Medical Care • House, Automobile payments • Any other purchases on credit

  5. U.S. Privacy Laws Privacy act of 1974 Computer Security Act of 1987 PATRIOT Act of 2001

  6. Privacy act of 1974 Mandated that all U.S. government agencies have in place an administrative and physical security to prevent unauthorized release of personal records. Allowed for individuals to review his/her personal information upon request and to even request an amendment to records pertaining to him/her. This does not apply however, to courts, executive components, or non-agency government entities.

  7. Computer Security Act of 1987 • Provided for the establishment of a computer standards program known as The National Bureau of Standards. (now known as NIST) • This new bureau was to be responsible for • developing standards, guidelines, and associated methods and techniques for computer systems. • have responsibility within the Federal Government for developing technical, management, physical, and administrative standards and guidelines

  8. Basic Principles of Data Protection in Europe.(a possible model for the U.S.) For all data collected there should be a stated purpose Information collected by an individual cannot be disclosed to other organizations of individuals unless authorized by law or by consent of the individual Records kept on an individual should be accurate and up to date

  9. Basic Principles of Data Protection in Europe.(continued) There should be mechanisms for individuals to review data about them, to ensure accuracy. This may include periodic reporting Data should be deleted when it is no longer needed for the stated purpose Some data is too sensitive to be collected, unless there are extreme circumstances (e.g., sexual orientation, religion)

  10. 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH Start date was March 1, 2010 Convinced several companies to leave Massachusetts. 46 states have data breach notification laws. Can you guess which don’t?

  11. U.S. States Without Breach Notification Laws Alabama Kentucky New Mexico South Dakota

  12. Scope “Every person who owns or licenses personal information about a resident of the commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.”

  13. What constitutes an infraction? • A breach of security. Unauthorized acquisition or unauthorized use of unencrypted data or… Encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information

  14. Legally, what is personal information? • Your first name and last name or first initial and last name and any of the following… • Social Security number • Driver’s license number • State-issued Identification card number • Financial account number or • Credit card or debit card number

  15. Legally, what isn’t protected? • Address • Phone number • Age • Sex • Any information gathered from public databases • (Take note here, it’s important.)

  16. Incentive Up to $5000 per violation and per record lost. “One stolen laptop loaded with a database containing the names and Social Security numbers of 200 Massachusetts residents puts you in the hole for a cool million.” --Randy George of Information Week

  17. Inference Problems • Inferring classified data from public data. • Name and rank within a company is public. • Salary is classified. • All members of each rank share a salary. • Therefore, salary is inferred from rank.

  18. Internal Data Privacy

  19. Inference What is inference? Inference is a data mining technique used to find information hidden from normal users. Information can be missing personal dataor new data that predicts useful information based on what is known

  20. Inference Example Name: Robert A. Pilgrim Alias: Robert Beth Pilgrim Age: 59 Phone number: (270) 527-2*** Address: *** Wilkins Rd City, State: Benton, KY Company:   CONCURRENT SOLUTIONS, LLC Phone Number:  270-752-2657     Email Address:  bob.pilgrim@concurrent.us     Web Address:  http://concurrent.us Son: Andrew Pilgrim Wife: Mary Beth Pilgrim Wife DOB: 18-Feb

  21. Inference Example Credit card companies can look at what you have purchased and know if you are going to get a divorce 95% accuracy Two years out Target uses data to infer if you are or will soon be pregnant purchase certain items at certain times Targeted marketing Long-term customer

  22. References http://en.wikipedia.org/wiki/Information_privacy_law http://www.nist.gov/cfo/legislation/Public%20Law%20100-235.pdf http://www.justice.gov/opcl/privstat.htm http://blogs.kuppingercole.com/kuppinger/2011/03/16/database-security-a-hot-topic/ http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf http://www.sqlmag.com/article/sql-server/an-update-on-new-law-that-will-change-the-way-you-build-database-applications http://www.informationweek.com/news/security/government/224400426?queryText=massachusetts+cmr http://www.acsa-admin.org/secshelf/book001/24.pdf http://www.businessinsurance.com/article/99999999/NEWS070101/399999961# http://www.almaden.ibm.com/cs/people/fagin/bucketwb.pdf

More Related