Educause Enterprise 2007

The Convergence of Privacy, Security and Electronic Information

M. Peter Adler JD, LLM, CISSP, CIPP

Adler InfoSec & Privacy Group LLC

Director of Privacy and Cybersecurity (Interim), Montgomery College, Rockville, MD


Agenda

  • Legal Drivers/Applicable Laws

    • Security Laws

      • Compliance Elements

    • Privacy Laws

      • Compliance Approach

    • Rules of Civil Procedure

      • Information Management Requirements

  • Convergence and Compliance


Legal Drivers in Higher Education

Security

Privacy

Information Management


Security

  • GLBA

  • HIPAA

  • FISMA

  • State Law – Notice of Security Breach and Others


GLBA and Information Security

  • GLBA: Gramm-Leach-Bliley Act, 15 U.S.C. §§6801,6805


GLBA and Higher Education

  • Higher Education Institutions are “non-bank businesses” subject to GLBA

    • the university (i.e. the “financial institution”) provides a financial service, administering a financial product such as a scholarship, or dispensing financial advice to customers (students and possibly staff).

    • This includes student loans, scholarships, bursaries and emergency student aid

    • GLBA Privacy provisions are met if the institution complies with FERPA

    • The Security Regulations Do Apply Regardless

      • Standards for Safeguarding Customer Information; Final Rule: 67 Fed. Reg. 36484, codified at 16 C.F.R. Part 314 (“GLBA Safeguards”)

  • Therefore, colleges and universities have a legal obligation under the GLBA to safeguard all the students’ nonpublic financial information


HIPAA Requirements/Security

To guard the confidentiality, integrity and availability (CIA) of health information

HIPAA compliance rests on four areas of safeguards:

  • Administrative Security (procedures, legal compliance)

  • Technical Security

  • Physical Security

  • Business Associate Management


Federal Information Security Management Act of 2002 (FISMA)

  • FISMA: Federal Information Security Management Act of 2002, 44 U.S.C. §3541 et seq.

    • Requires federal agencies to comply with a set of government-wide information security standards:

      • Federal Information Processing Standards (FIPS)

      • NIST Standards

  • Applies to Federal information systems

    • An information system used or operated by an executive agency, or by another organization on behalf of an executive agency

  • May be applicable to higher education through government contracts.

    • The Department of Defense and Department of Labor hold fund recipients to these standards.

    • The Department of Education, National Science Foundation and National Institutes of Health may do the same.


Approaching Security

  • Goals

  • Unified Approach

  • Risk Assessment Cycle

  • Risk Assessment Methodology

  • Risk Handling Methods

  • Controlling and Mitigating Risk

  • GLBA Example


Goal of Security Generally

To guard the confidentiality, integrity and availability (CIA) of protected information through three classes of safeguards:

  • Physical

  • Administrative

  • Technical


Unified Approach to Security


Risk Assessment Cycle

Risk = Threats x Vulnerabilities x Impact (a qualitative product: if any factor is zero, there is no risk to treat)


General Assessment Model: Security


Handling Risk


Example: GLBA Information Security Program

  • Develop, implement, and maintain a comprehensive information security program

    • that is written in one or more readily accessible parts and

    • contains administrative, technical, and physical safeguards

  • The safeguards are to be appropriate

    • to the organization’s size and complexity,

    • the nature and scope of its activities, and

    • the sensitivity of any customer information


Roles and Responsibilities

  • Roles and Responsibilities:

    • Designate an employee or employees to coordinate the information security program


GLBA Risk Assessment

  • Risk Assessment:

    • Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and

    • Assess the sufficiency of any safeguards in place to control these risks.

  • Minimal areas to be addressed:

    • Employee training and management;

    • Information systems, including network and software design, as well as information processing, storage, transmission and disposal;

    • Detecting, preventing and responding to attacks, intrusions, or other systems failures.


Implement and Monitor Safeguards

  • Safeguard Implementation:

    • Design and implement information safeguards to control the identified risks

  • Monitoring Safeguard Effectiveness:

    • Regularly test or otherwise monitor the effectiveness of the safeguards (i.e., key controls, systems and procedures)


Evaluate and Modify GLBA Information Security Program

  • Evaluate and adjust the GLBA information security program in light of the results of the testing and monitoring;

    • any material changes to business operations or arrangements; or

    • any other circumstances that you know or have reason to know may have a material impact on your information security program


Third Party Service Providers

  • Selection of Service Providers:

    • Select and retain service providers that are capable of maintaining appropriate safeguards for the customer information

  • Contractually Bind Security Safeguards:

    • Contractually require service providers to implement and maintain such safeguards to protect customer information.


Privacy

  • Family Educational Rights and Privacy Act (FERPA)

  • Health Insurance Portability and Accountability Act (HIPAA)

  • State Law

    • Notice of Breach Laws

    • Other state laws


Family Educational Rights and Privacy Act (FERPA)

  • Leading federal privacy law for educational institutions.

  • Imposes confidentiality requirements over student educational records.

  • Prohibits institutions from disclosing "personally identifiable education information," such as grades or financial aid information, without the student's written permission.

  • Provides students with the right to request and review their educational records and to make corrections to those records.

  • Law applies with equal force to electronic and hardcopy records.


HIPAA

  • Applies to Health Care Providers, Health Plans and Health Care Clearinghouses, e.g.,

    • Student Health Services

    • Academic medical centers

    • Business associates (through contracts)

  • Imposes confidentiality requirements on Protected Health Information (“PHI”)

    • PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.

    • PHI excludes:

      • education records covered by FERPA

      • and employment records held by a covered entity in its role as employer.

  • PHI may be used and disclosed for treatment, payment and health care operations, under an authorization, or as otherwise permitted by regulation


State Breach Notification Laws

  • Most of the laws require notification if there has been, or there is a reasonable basis to believe there has been, unauthorized access that compromises personal data

    • “Notice triggering information,” e.g., name, in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code

  • Some states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual

  • Most apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered


State Breach Notice Laws

  • Some state laws may require compliance with security standards, e.g., California and Maryland.

    • Some provide a “safe harbor” for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law.

  • Some give state’s Attorney General enforcement authority;

  • Most allow for a delay in notification if a disclosure would compromise a law enforcement investigation, except Illinois;

  • Most allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000 --Rhode Island, Delaware, Nebraska, Ohio set lower thresholds.


AICPA/CICA Privacy Framework

  • AICPA/CICA Trust Services Privacy Principle

    • Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the AICPA/CICA Trust Services Privacy Criteria.


AICPA/CICA Privacy Framework (cont’d)

  • Trust Services Privacy Components and Criteria

    • The Framework contains 10 privacy components and related criteria that are essential to the proper protection and management of personal information.

    • These privacy components and criteria are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world


AICPA/CICA Privacy Framework Criteria 1-5

  • Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

  • Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

  • Choice and Consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

  • Collection. The entity collects personal information only for the purposes identified in the notice.

  • Use and Retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.


AICPA/CICA Privacy Framework Criteria 6-10

  • Access. The entity provides individuals with access to their personal information for review and update.

  • Disclosure to Third Parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

  • Security. The entity protects personal information against unauthorized access (both physical and technical).

  • Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

  • Monitoring and Enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.


Privacy Overlap


…as Applied to U.S. Law…


…as Applied to U.S. Law…(cont’d)


General Assessment Model: Privacy


Information Management

  • Federal Rules of Civil Procedure (FRCP)

  • Notice of Security Breach Laws, GLBA, HIPAA


The Federal Rules of Civil Procedure

Discovery: “The pretrial devices that can be used by one party to obtain facts and information about another party in order to assist the party’s preparation for trial.” - Black’s Law Dictionary

The Federal Rules of Civil Procedure (and most state law) provide the following discovery tools:

  • Depositions Upon Oral Examination or Written Questions (Rules 30, 31 and 32)

  • Written Interrogatories (Rule 33)

  • Production of Documents or Things (Rule 34)

  • Permission to Enter Upon Land for Inspection and Other Purposes (Rule 34)

  • Physical and Mental Examinations (Rule 35)

  • Requests for Admission (Rule 36)

Tools to Ensure or Excuse Discovery:

  • Motion to Compel (Rule 37(a))

  • Sanctions (Rule 37(b), (c) and (d))

  • Protective Orders (Rule 26(c))


E-Discovery: 12/2006

  • New and amended rules of civil procedure governing the treatment of electronically stored information (ESI) took effect December 1, 2006.

  • These Rules are broken into the following categories:

    • Early attention to electronic discovery issues: Rules 16 and 26(f)

    • Better management of discovery into ESI that is not reasonably accessible: Rule 26(b)(2)

    • New provision setting out procedure for assertions of privilege after production: Rule 26(b)(5)

    • Interrogatories and Requests for Production of ESI: Rules 33 and 34

    • Application of sanctions rules pertaining to ESI: Rule 37


ESI Retention

Duty to Preserve (balanced against Continued Operations)

  • Legal Duty

    • e.g., Sarbanes–Oxley, HIPAA, FACTA and other document retention requirements

  • Lawyer’s duty to preserve evidence in discovery and litigation

Continued Operations

  • Normal system operations

  • Data backup

  • Data destruction


Duty to Preserve

  • Duty attaches when a person knows or reasonably anticipates litigation involving identifiable parties and identifiable facts.

    • Encompasses potential evidence related to identifiable facts, which may shift as litigation proceeds. Stevenson v. Union Pac. R.R., 354 F.3d 739 (8th Cir. 2004)

    • Exists independent of any preservation demand letter or court order. Wigington v. Ellis, 2003 WL 22439865 (N.D. Ill. 2003) (Wigington I); Treppel v. Biovail Corp., 233 F.R.D. 363 (S.D.N.Y. 2006).

    • The fact that ESI is not reasonably accessible does not relieve a party from its duty to preserve the information if potentially relevant. Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2003) (“Zubulake IV”)


Failure to Preserve: Sanctions for Spoliation

  • Duty to monitor preservation falls on inside and outside counsel.

  • Potential sanctions vary with the intent and behavior of the producing party (bad faith, gross negligence, negligence) and the degree of prejudice to the requesting party caused by the spoliation. Possible sanctions include:

    • Fines;

    • Adverse inference jury instruction;

    • Striking of a pleading or defense;

    • Dismissal or default; and

    • Costs for supplemental discovery.


Right to Destroy

  • Courts have acknowledged that organizations have the right to destroy electronic information that does not meet the internal criteria for information or records requiring retention, whether or not the deletion is a conscious act.

    • “‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. … It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.” Arthur Andersen, LLP v. United States, 125 S. Ct. 2129, 2135 (2005).


Safe Harbor: Rule 37(f)

  • Absent exceptional circumstances, the court will not impose sanctions on parties who fail to produce ESI that was lost as a result of the routine, good-faith operation of an electronic information system. Rule 37(f)

  • Good-faith destruction of potentially relevant ESI will be difficult to establish when a claim is pending or the party has received a credible threat of a claim.

    • The Committee Note to Rule 37(f) states: “Good faith in the routine operation of an information system may involve a party’s intervention to modify or suspend certain features of that routine operation to prevent the loss of information if that information is subject to a preservation obligation.”


ESI Retention Risks

  • Spoliation and Sanction Risks. Because of retention duties, a party must be able to persuade the court that documents that no longer exist were purged pursuant to a policy and were not willfully destroyed or spoliated.

  • Cost of Retrieval Risk. Knowing where information is stored, or whether it has been destroyed pursuant to a document retention policy, avoids the high costs associated with e-discovery fishing expeditions.

  • Inability to Defend Risk. The loss of critical evidence potentially leads to the inability to properly defend a claim.


ESI Retention/Destruction Program

  • Compliance and Auditing Plan

  • Create or Amend Policy on ESI Retention and Destruction

  • Indexing and Document Naming System

  • Attorney-Client Privilege Procedures

  • Litigation Hold Procedures

  • Employee Training

  • Post-Implementation Compliance and Auditing


General Assessment Model: ESI Retention and Destruction


ESI Retention/Destruction

  • Review Written vs. Actual ESI Retention Practices

    • Creation

    • Use

    • Disposal

  • Are electronic records being kept as required by law and internal procedures?

  • Are electronic records being managed over their entire lifecycle?


ESI Retention/Destruction Program (cont’d)

  • An ESI Management Program contains many of the elements found in security and privacy programs.

  • Removal of sensitive ESI on a regular basis will enhance an organization’s privacy and security.

  • Lowers discovery costs in litigation.


Convergence and Compliance

Security

Privacy

Information Management


Electronic Records Management Requirements


Compliance Convergence


Approach

  • “Follow The Data” – Data classification and mapping is essential

  • Integrate security, privacy, ESI and records management planning

    • Simultaneously assess overlapping elements

    • Build privacy and security compliance into information management

    • Safely and securely destroy all ESI, including information protected by security and privacy laws, considering legal and business constraints


Contact Information

M. Peter Adler

AIPG

Adler InfoSec & Privacy Group LLC

2103 Windsor Road

Alexandria, VA 22307

Telephone: (202) 251-7600

Facsimile: (703) 997.5633

Email: [email protected]

Web: www.adleripg.com
