protecting privacy in state government l.
Skip this Video
Loading SlideShow in 5 Seconds..
Protecting Privacy in State Government PowerPoint Presentation
Download Presentation
Protecting Privacy in State Government

Loading in 2 Seconds...

play fullscreen
1 / 63

Protecting Privacy in State Government - PowerPoint PPT Presentation

  • Uploaded on

Protecting Privacy in State Government Basic Privacy & Security Training for State of Ohio Employees Objectives & Agenda Overview: privacy & security What is privacy? Privacy and security, what is the difference? Defining sensitive data Why protect privacy? Best Practice Perspectives

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Protecting Privacy in State Government' - Philip

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
protecting privacy in state government

Protecting Privacy in State Government

Basic Privacy & Security Training

for State of Ohio Employees

objectives agenda
Objectives & Agenda

Overview: privacy & security

What is privacy?

Privacy and security, what is the difference?

Defining sensitive data

Why protect privacy?

Best Practice Perspectives

Good information-handling practices

Security incident response

Privacy Quiz


what is privacy
What is Privacy?

“The right to be left alone -- the most comprehensive of rights, and the right most valued by civilized men.” ~ Louis Brandeis

“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” ~ Alan Westin

“You have no privacy, get over it.” ~ Scott McNealy


what is privacy t hat was then this is now
What is Privacy: That was Then & This is Now


Practical Obscurity

No internet; no cell phones; marketing less pervasive; sense of “ain’t nobody’s business”


Information Age

More data gathering across government & business

Smart phones, Camera phones

Mobile & wireless computing

24/7 access

Technological Developments (surveillance cameras & software, RFID, biometrics)


changing threat landscape
Changing Threat Landscape


  • Amateur hackers
  • Web site defacement
  • Viruses
  • Infrequent attacks


  • Organized crime
  • SQL Injections
  • Identity theft
  • Constant threat


  • Amateur hackers
  • Web site defacement
  • Viruses

342 data breaches in the first half of 2008: more than 69% greater than the same time period in 2007

privacy and security what is the difference
Privacy and Security, what is the difference?

Privacy & Security are flipsides of a coin


Broadly speaking, how data is defined and used

Laws, regulations, and policies that define and classify data and date usage

  • Security
    • Securing the data, both physically and technologically, per its definition to ensure its
      • Confidentiality (limited access)
      • Integrity (authentic & complete)
      • Availability (accessible)


defining sensitive data
Defining Sensitive Data

Personally Identifiable Information (PII)

Broad definition: any information that is maintained by an entity that identifies or describes an individual.

Sensitive PII

Name, when associated with:

Social Security number


Health & Medical

ID Card (driver’s, state identification card)



defining sensitive data con t
Defining Sensitive Data (con’t.)

Sensitive data is more than PII, it is also information your organization classifies as sensitive

Data mandated by law to be confidential

Case numbers

Security plans & reports

Intellectual property

Economic forecasts



sensitive data money
Sensitive Data = Money

Handle sensitive data like cash!


why protect privacy world view
Why Protect Privacy? – World View

European Union

EU Data Protection Directive and Member States, Safe Harbor Principles

US Federal

HIPAA, GLBA Safeguards Rule, COPPA,



South Korea

Act on Promotion of Information and Communications Network Utilization and Data Protection


Personal Information Protection Act, METI Guidelines

Hong Kong

Personal Data Privacy Ordinance


Data Privacy Law proposed by ITECC


SB 1, SB 1386,

SB 27, AB 1950


Computer-Processed Personal Data Protection Law


Law pending currently under discussion


Law for the Protection of Private Life

South Africa

Electronic Communications and Transactions Act


Personal Data Protection Law, Confidentiality of Information Law


Federal Privacy Amendment Bill State Privacy Bills in Victoria, New South Wales and Queensland, new email spam and privacy regulations

October 10, 2007


New Zealand

Privacy Act

why protect privacy public trust
Why Protect Privacy? - Public Trust

Citizens have no option to shop around – they are required to provide personal information to government.

We have an obligation to protect the information entrusted to us.


why protect privacy u s
Why protect privacy? – U.S.

Federal Laws

HIPAA, GLBA, COPPA, FERPA, FCRA, genetic privacy, and more laws in works


Data Breach notification

Credit freeze

PII in public records




why protect privacy ohio
Why protect privacy? - Ohio

It’s a best practice and rapidly becoming statewide law and policy!

Executive Order 13S (2007): Improving State Agency Data Privacy and Security

Ohio IT Bulletin ITB-2007.02: Data Encryption and Securing Sensitive Data

ITP-B.11: Data Classification Policy

HB 104: Data Breach Notification Law

HB13: No SSN - Vehicle Registration Renewal Notice

HB 46: Credit Freeze & SSN Redaction

And more to come…


why protect privacy con t
Why protect privacy? (con’t.)

Increasing citizen & consumer sensitivity

Security breaches

Almost daily occurrence

Data Breaches Hit 8.3 Million Records in First Quarter 2008*

167 data breaches First Quarter 2008

448 incidents in 2007

Identity theft

Low-risk, high-reward crime

Becoming more and more organized

*Source - The Identity Theft Resource Center


identity theft

Identity Theft

What It is and Its Impact


what is identity theft
What is identity theft?
  • A crime to intentionally use another person’s identifying information to fraudulently obtain credit, property or services.
    • Ohio Rev. Code Ann. §2913.49
  • Types:
    • Financial
      • Access to existing accounts
      • Creation of new accounts
    • Services: Employment, Medical
    • Criminal


incidence impact of identity theft
Incidence & Impact of Identity Theft
  • 8.1 million incidents (2007)
    • 3.6% of adults
  • Out-of-pocket costs (2007)
    • Average $691
  • Time spent recovering (2006)
    • Average 25 hours


Source: Javelin, 2/07 & 2/08

impact of id theft on economy
Impact of ID Theft on Economy
  • Total cost of identity theft in U.S. in 2007

$45 Billion

Source: Javelin, 2/08


beware of social engineering schemes
Beware of Social Engineering Schemes

Identity thieves may try to trick employees into disclosing personal information

Phishing e-mails, phone calls

Verify identity and authority of anyone requesting sensitive data


public records and sensitive data
Public Records and Sensitive Data

Most records agencies handle are public records, but they may also contain sensitive information. Employees must employ protective measures to ensure the information is not improperly released.

The Ohio’s Public Records Act is based upon the concept that records produced by government are the people’s records.

Other laws require state government to protect sensitive information.

basic privacy principles
Basic Privacy Principles
  • Minimization/Collection Limitation: only collect that data for which you have a business need.
  • Notice/Awareness: clear and complete disclosure to individuals on the specifics of how the data they submit is to be collected, used, and shared with other organizations, in addition to the steps taken to preserve the data’s confidentiality, integrity, and quality.
  • Choice/Consent: where applicable, give individuals the choice of what data they submit, how it can be used, and with whom it can be shared.
  • Access: where applicable, give reasonable access to an individual’s personal data for review, modification, correction, and, where appropriate, deletion.
  • Integrity/Security: ensure that personal information is relevant, accurate, and consistent throughout the enterprise; and that reasonable security precautions are taken to protect data from unauthorized use, access, or transfer
  • Accountability/Enforcement: specify an individual(s) to ensure the integrity and security of the data, and to enforce applicable law and policy.


international privacy principles
International Privacy Principles

Openness: There should be a general policy of openness about the practices and policies with respect to personal information.

Purpose Specification: The purposes for which personal information is collected should be specified at the time of collection. Further uses should be limited to those purposes.

Collection Limitation: Minimize the data you collect. Only the data necessary for the stated purpose should be collected. Personal information should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the individual.

Data Quality: Personal information should be accurate, complete and kept up-to-date, and relevant to the purposes for which it is to be used, .

Use Limitation: Personal information should not be used for purposes other than those specified, except with the consent of the data subject or by the authority of law.

Individual Participation: Individuals should have the right to inspect and correct their personal information

Security Safeguards: Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.

Accountability: Someone in the organization should be accountable for compliance with the organization’s privacy policies.

~Based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (


the life cycle of sensitive data
The Life Cycle of Sensitive Data

Data is an asset. The value associated with a piece of data is determined by its attributes, context within the agency, and associated risk…all are key factors in data classification.

Data Value




Data LifeCycle

October 10, 2007







handling sensitive data overview
Handling Sensitive Data - Overview

Take stock

What is PII & Other Sensitive Data

Where is it in your organization

Scale down

Only collect what you need

Lock it

Secure, encrypt, protect

Proper Disposal

Securely dispose of documents per your retention schedule – remember the Sunshine Laws!

Plan ahead

Know your security incident response procedure


take stock
Take Stock

Know Where Sensitive Data Lives

Learn where sensitive data is stored in your office and systems

PCs, workstation file drawers, laptops, BlackBerrys, and other portable devices

Sensitive PII: Employee data, as well as data of citizens/consumers, licensees, and others

Other data classified as sensitive

HB 46 calls for all agencies to engage in Privacy Impact Assesments for new data systems.


Data Minimization is Your Friend – less is more

Data quantity (only take what is necessary for a particular function)

Access Levels (only give access to those that need it)

Everything you take is something you have to retain

Everything you retain is something that can be breached

Everything that can be breached is something for which you are liable

Less data collected = less liability


Comply with Ohio Sunshine laws and your agency’s records retention policy

Scale Down


scale down cont
Scale Down (cont.)

Collect & Retain only what you need and keep it only for the time you need it.

Regularly purge documents with sensitive data from individual file folders (unless required to keep per public records law)

Avoid downloading sensitive data unless necessary.

Regularly cleanse sensitive data from PCs, laptops, other portable devices.


Comply with Ohio Sunshine laws and your agency’s records retention policy

lock it
Lock It

Protect Sensitive Data from Unauthorized Access

Limit access to sensitive data (especially PII) to those who need to use it to perform their duties

Minimum necessary access

Passwords & other access controls


lock it desks
Lock It - Desks

Protect Sensitive Data on Your Desk

“Clean-desk policy”

Don’t leave documents with sensitive data out when away from your workstation

Lock up documents w/ sensitive data overnight and on weekends

Lock PC when away from your workstation


lock it workstations
Lock It – Workstations

Protect Sensitive Data in Workstations

Make sure you have a timed lock-out

Don’t download “free” software onto PC – it may contain spyware or other malware

Angle your monitor away from prying eyes or ask for a “privacy screen” for your monitor if you enter sensitive data in a public place


lock it passwords
Lock It - Passwords

Your password is like your toothbrush - Don’t share it!

Password “Don’ts”

Do not reveal your password over the phone

Do not send your password in an e-mail message

Do not reveal your password to a supervisor or manager

Do not talk about your password in front of others

Do not hint at the format of your password (e.g., "my family name")

Do not reveal your password on questionnaires or security forms

Do not share your password with family members

Do not reveal your password to co-workers while on vacation

Use strong passwords

8+ characters, including numerals and symbols

Ohio IT Policy ITB-B.3: Password-PIN Security


lock it laptops sensitive data
Lock It – Laptops & Sensitive Data

All laptops must be encrypted.

Do not place sensitive data on portable devices (thumb drives and other portable devices), unless the placement has been authorized following agency policy and procedures, and the device is encrypted.


lock it e mail mail
Lock It – E-mail & Mail

Don’t send or receive sensitive data – SSN, DL number, financial account number, medical info – via email (in text or via attachments) unless allowed by agency and it is encrypted

Mail securely

Don’t leave incoming or outgoing mail in unlocked or unattended receptacles

Make sure mailings are not exposing sensitive data

CalPERS & State of Wisconsin


lock it faxes voicemail
Lock It - Faxes & Voicemail

Don’t send sensitive data by fax unless security procedures are used

Confirm accuracy of number before keying in

Arrange for and confirm prompt pick-up

Don’t leave sensitive data in voice mail messages

lock it at home
Lock It – At Home?

Do Not Take State Sensitive Data Home



dispose of records safely
Dispose of Records Safely

Shred documents with sensitive data and other confidential info before throwing away

CDs and floppy disks too

Have computers and hard drives properly “wiped” or overwritten when discarding


Comply with Ohio Sunshine laws and record retention policy


handling sensitive data bottom line
Handling Sensitive Data – Bottom Line

Take stock

Scale down

Lock it

Proper Disposal

Plan ahead

Remember the Sunshine Laws

How would you want someone handling your data?


report info security incidents
Report Info Security Incidents


Reportable incidents might include:

Loss or theft of laptop, BlackBerry, disk, etc.

Loss or theft of paper records

Unauthorized acquisition of protected info

Unauthorized release, modification, or destruction of protected info

Interfering with state computers or data systems

Any activity involving illegal activity or serious wrongdoing


what is an incident

E-mail viruses

E-mail harassment


Other malicious code

Denial of service attacks


Stolen hardware

Network or system sabotage

Website defacements Stolen Sensitive Data

Unauthorized access to files or systems

Loss of system availability

Misuse of service, systems or information

Physical damage to computer systems, networks, or storage media

Illegal Activity

Serious Wrongdoing

What is an Incident?
incident response guidance
Incident Response Guidance

Ohio HB 104: Data Breach Notification

ITP – B.7: Security Incident Response

OIT IT Bulletin No: ITB-2007.02

Governor’s Memo on Illegal Activity & Serious Wrongdoing

Incident Response Management Guide

Incident Response Training Presentation


why protect privacy public trust43
Why Protect Privacy? - Public Trust

Citizens have no option to shop around – they are required to provide personal information to government.

We have an obligation to protect the information entrusted to us.

privacy protection bottom line
Privacy Protection: Bottom Line

Privacy and security are everyone’s responsibility

some privacy resources
(Some) Privacy Resources

Ohio Privacy & Security Information Center

Federal Citizen Information Privacy Resources

Federal Trade Commission Privacy Initiatives

Onguard Online

Identity Theft Resource Center

Center for Democracy & Technology

privacy quiz

Privacy Quiz

Just for Fun – Test Your Knowledge


quiz question 1
Quiz Question 1
  • If you believe that incoming mail containing sensitive data has been stolen from your office, where should you report it?


options for q1
Options for Q1
  • To your mailroom supervisor.
  • To your department’s information security point of contact, supervisor, legal office, director’s office
  • To the U.S. Postal Inspection Service.
  • To the local police department.


correct answer to q1
Correct Answer to Q1
  • To your department’s information security point of contact, supervisor, legal office, director’s office


quiz question 2
Quiz Question 2
  • Which of the following is the strongest – most secure – password for access to your PC?


options for q2
Options for Q2
  • 9151950
  • HmW1cWC&


correct answer to q2
Correct Answer to Q2
  • HmW1cWC&

5 steps for a a strong, memorable password

  • Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as "My dog Steve is three years old.“
  • If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you've created to create a new, nonsensical word. Using the example above, you'd get: “mdsityo".
  • Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. This might yield a password like “MdSi3yo".
  • Finally, substitute some special characters and/or add back some characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, you create a password (using the first letter of each word) "Md$i3y0ld".
  • Test your new password with a Password Checker ( Password Checker is a non-recording feature on Microsoft provides that helps determine your password's strength as you type.


quiz question 3
Quiz Question 3
  • Which of the following is the most secure way to get the SSNs of seven people to a co-worker, who is on a business trip, is authorized to have the information, and needs it to do his job?


options for q3
Options for Q3
  • Send the information in an e-mail.
  • Call your co-worker and give him the information over the phone.
  • Leave the information in a voice mail message on your co-worker’s cell phone.
  • Fax the information to your co-worker at his hotel.


correct answer to q3
Correct Answer to Q3
  • Call your co-worker and give him the information over the phone.


quiz question 4
Quiz Question 4
  • TRUE OR FALSE: If you delete files from your PC – and empty the recycle bin – that means the data in the files is erased.


quiz question 5
Quiz Question 5
  • Which of the following would NOT be an information security incident that needs to be reported?


options for q5
Options for Q5
  • Loss of a laptop containing unencrypted sensitive data.
  • Accidental mailing of an individual’s medical records to the wrong person.
  • Theft of your purse, which contained a CD with state data on it.
  • Theft of a state-owned computer monitor.


correct answer to q5
Correct Answer to Q5
  • Theft of a state-owned computer monitor.
    • This is a trick question - remember the Gov’s Memo on Illegal Activity & Serious Wrongdoing. Report this to your Chief Legal Counsel!


quiz question 6
Quiz Question 6
  • Which of the following should you do before leaving your workstation for a meeting?


options for q6
Options for Q6
  • Put documents, disks, other records containing personal information in a locked drawer or otherwise out of sight.
  • Hit “control-alt-delete” and lock your computer.
  • Call your best friend and have a long chat.
  • Both a and b.


correct answer to q6
Correct Answer to Q6
  • Both a and b above.
    • Put documents, disks, other records containing personal information (including your purse) in a drawer or otherwise out of sight.
    • Hit “control-alt-delete” and lock your computer.