1 / 55

Protecting Privacy

Protecting Privacy. Challenges for Higher Education. Educause Western Regional Conference - April 26, 2006. Outline. California Office of Privacy Protection Defining Privacy Privacy Laws Privacy Practices. California Office of Privacy Protection. CA is 1st state with such an agency

violet-ward
Download Presentation

Protecting Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protecting Privacy Challenges for Higher Education Educause Western Regional Conference - April 26, 2006

  2. Outline • California Office of Privacy Protection • Defining Privacy • Privacy Laws • Privacy Practices

  3. California Office of Privacy Protection • CA is 1st state with such an agency • Created by law passed in 2000 • Mission: protect the privacy of individuals’ personal information in a manner consistent with the California Constitution by identifying consumer problems in the privacy area and facilitating…fair information practices

  4. COPP Functions • Consumer assistance • Education and information • Coordination with law enforcement • Best practice recommendations

  5. Why People Contact COPP 11/01-12/05

  6. Defining Privacy

  7. Classic Definition 1 • The right to be let alone. • "The makers of the Constitution conferred the most comprehensive of rights and the right most valued by all civilized men—the right to be let alone." Brandeis & Warren, 1890

  8. Classic Definition 2 • The right to control one’s personal information. • “…the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” Alan Westin, 1967

  9. Privacy & Security • Information Security: protecting data from unauthorized access, use, disclosure, modification, destruction. • Information Privacy: providing individuals with level of control over use and disclosure of their personal information • No privacy without security

  10. Privacy Values • Privacy – the right to control one’s personal information – is essential to protect other important values. • Confidentiality • Anonymity • Seclusion • Fairness • Liberty

  11. Current Privacy Issues

  12. Security vs. Privacy Public Records & Privacy Data Brokers Ubiquitous Surveillance Persistence of Data Identity & Authentication Identity Theft Current Privacy Issues Most of these affect higher ed.

  13. Security vs. Privacy • “They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” Benjamin Franklin, 1759 • A zero-sum game?

  14. Public Records & Privacy • Loss of “practical obscurity” – from the county courthouse to the World Wide Web • Open government – Can we keep an eye on our government without spying on individual citizens? • Limit access to sensitive data to certain purposes • Data brokers digitizing public records • “Enriched” data resold to government and businesses

  15. Ubiquitous Surveillance • Digital trails created by financial transactions, digitized public records, FasTrak, security cameras, building cardkeys, Web searches, electronic health records…

  16. The Persistence of Data • Internet archive • Online communities – MySpace.com, Facebook.com • Loss of “social forgiveness” in society of digital dossiers

  17. Identity & Authentication

  18. Identity Theft • Causal factors in identity theft • Electronic databases • Instant credit • Remote transactions • Over-reliance on inadequate identification system

  19. Identity Theft • Obtaining someone’s personal information and using it for an unlawful purpose • Penal Code § 530.5 • Types of identity theft • Financial – existing account, new account • Government benefits – employment • “Criminal”

  20. Incidence of Identity Theft • Rate steady at about 9 million/year for past 3 years • 4% of adults • Including 1 million Californians Source: BBB/Javelin, 1/06

  21. How ID Thieves Get Your Info Organizations in control 16% Don’t know 57% Consumers in control 27% Source: BBB/Javelin, 1/06

  22. Impact of ID Theft on Victims • Out-of-pocket costs • Average $422 • Time spent recovering • Average 40 hours Source: BBB/Javelin, 1/06

  23. Impact of ID Theft on Economy • Total cost of identity theft in U.S. in 2005 $56.6 Billion Source: BBB/Javelin, 2/06

  24. Protecting Personal Information State and Federal Privacy Laws and Regulations

  25. U.S. takes sectoral approach Laws protect personal information in certain industry sectors (financial, health care, video rental records) EU, Canada, APEC take comprehensive approach Laws treat privacy as fundamental human right Approaches to Data Protection

  26. Credit Reporting Government Privacy Financial Privacy Health Information Privacy Educational Records Information Security Commercial Communications Identity Theft Other Major Sectoral Privacy Laws

  27. Federal Laws FERPA – Privacy of educational records GLBA – Financial privacy & security HIPAA – Health information privacy & security State Laws IPA & other state government privacy laws (public institutions) Online privacy (CA) Information security SSN confidentiality Breach notice Privacy Laws for Higher Ed

  28. California #1 in Privacy Protection • California ranks highest in protecting its citizens against invasions of privacy. • Privacy Journal • All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. • California Constitution, Article 1, § 1

  29. Social Security Number Law • Prohibits public posting or display of SSN • Don’t print on ID/membership cards. • Don’t mail documents with SSN to individual, unless required by law. • Don’t require sending by email or require for Web site log-on (unless with additional password). • Don’t print more than 4 digits of SSN on paystubs – or use employee ID number

  30. Online Privacy Protection Act • Commercial Web sites that collect personal info of CA residents must post privacy policy statement • Categories of 3rd parties with whom personal information may be shared • How consumers may review or remove their PII (if offered)   • How site will notify consumers when the privacy policy is changed • Effective date of the policy • Site operators must comply with policy

  31. Online Privacy Practices in Higher Ed • Survey report available from Mary Culnan, Bentley College, mculnan@bentley.edu • 236 doctoral universities & national liberal arts colleges in 2004 US News & World Report list • Assessed 3 types of online privacy risks • Privacy statement use • Data collection forms • Cookies

  32. Online Privacy Practices in Higher Ed • 100% of universities & colleges had at least one instance of Web page w/out link to privacy notice • Nearly 100% had 1or more data collection form without link to privacy notice • Nearly 100% had 1or more data collection forms using GET method • 100% had at 1 or more non-secure data-collection page

  33. A Few Headlines • Another University Suffers Security Breach • UCB, 3/29/05 • Tufts warns 106,000 alums, donors of security breach • 4/12/05 • FBI probes network breach at Stanford • 5/25/05 • University to Warn of Web Security Breach • USC, 7/10/05 • 7,800 linked to USD told of network security breach • 12/3/05 • Computer records on 197,000 people breached at UT • 4/24/06

  34. Security Breach Notice Law • Notify individuals if unauthorized person acquires “unencrypted computerized data,” as defined: • Name plus one or more of following: SSN, DL, or financial account number • Notify promptly and without unreasonable delay • Time allowed to assess scope; may delay if would impede law enforcement investigation

  35. Security Breach Notice Law • Notify individually unless >250,000 or >$500,000 or inadequate contact information • Substitute notice • Email if you have address, AND • Post on Web site, AND • Use mass media.

  36. Breach Notifications • CA Office of Privacy Protection learns of breaches from individuals, companies, media • Sample includes 101 breaches since 7/03 (not all) • Over 53 million notified (from 100 to 40 MM per incident) • Mean 646,723 • Median 31,077

  37. Where are breaches occurring? n=101

  38. Why Universities? • Culture of free flow of information • Distributed IT environment • More responsible about reporting?

  39. How are breaches occurring? n=101

  40. Types of Information Involved n=101

  41. Lessons Learned - Prevention • Review data collection policies • Blood bank example: Do we really need SSNs? • Review data retention policies • University example: How long?

  42. Lessons Learned - Prevention • Remember the mobile workforce! • Protect desktops, laptops, other portables • Prohibit downloads of sensitive info to PCs, laptops • Use encryption – State encryption policy • BL05-32 at www.dof.ca.gov/html/budlettr/budlets.htm

  43. Privacy Practices

  44. COPP’s Recommended Practices • Best practice recommendations, not regulations, not legal opinions • Social Security Number Confidentiality • Security Breach Notice • Information-Sharing Disclosure and Privacy Policy Statements

  45. Privacy Best Practices • Build in privacy. • Design systems and database to limit and protect personal information. • Know where your personal information is. • Conduct personal info inventory, including portable computing & storage devices and paper records.

  46. Privacy Best Practices • Say what you do with personal information. • Post clear notices of privacy practices on Web sites, in offices, and whenever collecting personal info. • Do what you say in managing personal information. • Monitor compliance with laws and policies, including content monitoring of Web sites and e-mail.

More Related