5.5 Explain Privacy and Sensitive data Concepts In relation to security

Question 1

Organizational Consequences of Privacy Breaches

Answer 1

If a company suffers a data breach, there can be several repercussions. Let’s look at some of them, starting with reputation damage

Question 2

Reputation Damage

Answer 2

When a company suffers a data breach and it is known to the public, it can cause their brand to become tainted as they lose the respect of the public. This could reduce sales.

Question 3

Identity Theft

Answer 3

If any data held on a customer is stolen and then used for identity theft, the company will be sued for damages.

Question 4

Fines

Answer 4

Data breaches could result in regulatory fines. An example would be the EU GDPR, where the maximum fine is 20 million euros or 4% of the company’s annual global turnover, whichever is greater.

Question 5

Intelllectual Property(IP)Theft

Answer 5

IP theft could result in copyrighted material, trade secrets, and patents being stolen by competitors, resulting in a loss of revenue. This data could be used in countries where a legal route to recover your data would be impossible. Exam TipIf a company suffers a data breach and that data is used for identity theft, the company could be sued by the individual affected.

Question 6

Notifications of Breaches

Answer 6

There are national laws and regulations that are laid down on how data breaches should be reported and who they should be reported to. A data breach is normally where data has been stolen or there has been an accidental breach; this means that the policies currently in place are not effective. If someone accesses a file or database server, we need to find the account used so that we can remove it to prevent further breaches. Let’s now look at the action we need to take once a breach has been discovered, starting with escalation:

Question 7

Escalation

Answer 7

Any data breach, no matter how small, should be reported immediately to the CEO as the company may face legal action later on. A company may face a fine if they have not been compliant with regulations.

Question 8

Public Notifications and Disclosures

Answer 8

We may have to contact the police, the regulator, customers, and any individuals affected by the breach. EU GDPR law allows a company 72 hours to notify those concerned. If you are in the UK, you must comply with the Data Protection Act 1988, which is statute law, and in the USA, if it is medical data, you must comply with HIPAA.

Question 9

Data Types

Answer 9

There are various types of data and we need to have an appreciation of each type and its characteristics; let’s start with different data classifications.

Question 10

Classification

Answer 10

The first stage of risk management is the classification of the asset, which determines how we handle, access, store, and destroy data. We are now going to look at the different classifications of data so that we know how to handle the data. Let’s start by looking at public data:

Question 11

Public Data

Answer 11

This is data that is available to anyone, such as yesterday’s news, leaflets, or brochures that have been distributed everywhere. Anyone has access to this data.

Question 12

Private Data

Answer 12

Private data is data that an individual does not want to disclose; it could also be classified as sensitive data.

Question 13

Sensitive Data:

Answer 13

This is data that is personal to an individual, such as sexual orientation-, politics-, religion-, race-, or health-related data: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en.

Question 14

Confidential Data

Answer 14

Research and Development (R&D) and legal data will be classified as confidential data; disclosure would cause damage to the company. This could also be called classified data.

Question 15

Critical Data

Answer 15

This is data that a company does not want to disclose; it could also be classified and encrypted to prevent someone from reading it.

Question 16

Proprietary Data

Answer 16

This is data generated by a company, such as its trade secrets, or work done by the R&D department.

Question 17

Personally Identifiable Information (PII)

Answer 17

This is information that can identify a person, such as their date of birth, biometric information, or social security number.

Question 18

Protected Health Information (PHI)

Answer 18

This is information stored in a person’s medical records.

Question 19

Financial Information

Answer 19

This is data about a company’s bank account, share capital, and any investments that it has made. It could also be credit card information and payroll data.

Question 20

Government Data

Answer 20

This is data collected by governmental agencies, and there are strict rules on how it can be shared, normally only internally. Contractors working with the government will have strict rules that they need to follow when the contract has finished and the data used in the contract is to be disposed of.

Question 21

Customer Data

Answer 21

This is data that is held about each customer of an organization and should never be divulged; data on the account manager dealing with a customer is also classified as customer data.Exam TipWhen a government contract ends, the contractor needs to dispose of government data in accordance with the original contract. They cannot just destroy the data.

Question 22

Privacy-Enhancing Technologies

Answer 22

We are going to look at techniques that enhance the storage of PII information, making it impossible to be stolen. Let’s look at these techniques, starting with data minimization:

Question 23

Data minimization

Answer 23

Data minimization means that only necessary data should be collected. This data should only be held in accordance with regulations, and this should be reflected in the data retention policy.

Question 24

Data Masking

Answer 24

This is where only partial data is left in a data field so that the original data cannot be stolen; for example, a field holding a credit card number may only show the last four digits

Question 25

Tokenization

Answer 25

Tokenization is where meaningful data is replaced with a token that is generated randomly, and the original data is held in a vault. This is much stronger than encryption and it is stateless, and the keys are not stored locally.

Question 26

Anonymization

Answer 26

Recital 26 of the GDPR defines anonymized data as "data rendered anonymous in such a way that the data subject is not or no longer identifiable.” Identifiers such as the name of an individual should be removed, substituted, or distorted. We could use this to protect PII. For instance, we could view a social security number, but we can no longer identify the individual that it belongs to as their name has been removed.

Question 27

Pseudo-Anonymization

Answer 27

This is where data is modified or replaced by other information so that if you want to reverse the process, it would rely on another data source that is separate from the original. Article 4(5) of the EU GDPR states that the process of pseudo-anonymization is "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”Exam TipData masking is when only partial data is left in a data field. For example, a credit card could be shown as **** **** **** 1234. Tokenization is better than encryption as it replaces data with a token that is connected to a remote location where the original data is held.

Question 28

Data Roles and Responsibilities

Answer 28

There are different roles and responsibilities for dealing with data, ranging from the owners who create the data to those that store and control it. Let's look at each of these roles and what areas they are responsible for. We will start with data owners:

Question 29

Data Owners

Answer 29

The data owners are responsible for classifying data and deciding who can access the data.

Question 30

Data Controller

Answer 30

The data controller is responsible for ensuring that all data that is collected and its storage is legal and follows compliance regulations. The data controller is responsible for investigations into data breaches.

Question 31

Data Processor

Answer 31

The data processor operates on behalf of the data controller, ensuring that the collection, storage, and analysis of data is done in accordance with regulations (GDPR Article 30).

Question 32

Data Custodian/Steward

Answer 32

The data custodian stores and manages data, ensuring that is encrypted and that regular backup tapes are kept. The data steward is responsible for the data quality, labeling, and ensuring that it is stored in accordance with current regulations and standards.

Question 33

Data Protection Officer (DPO)

Answer 33

Privacy law or data protection laws prohibit the disclosure or misuse of information about private individuals. Under Article 37 of GDPR the Data Protection Officer (DPO) is a mandatory appointment within an organization. Article 39 lists the tasks of the DPO: https://advisera.com/eugdpracademy/gdpr/tasks-of-the-data-protection-officer/. They must ensure that the data subject is informed about their rights and that data controllers are fulfilling their duties according to regulation. It is the role of the DPO to ensure that the handling, use, retention, and disposal of PII data is in accordance with national law and regulatory frameworks.Exam TipThe Data Protection Officer ensures that data regulations are adhered to.

Question 34

Information Life Cycle

Answer 34

The information life cycle comprises the life cycle of data, from data creation to data destruction

Question 35

Impact Assessment

Answer 35

This is where you evaluate the risk of collecting large amounts of data and look at tools that would reduce that risk. For example, say you are working in a hospital, where consent needs to be provided by patients to allow doctors to operate on them. You might collect 1,000 of these forms a week and might decide to use a SharePoint server to store them so that they are centrally located and not lost through clerical errors.

Question 36

Terms of Agreement

Answer 36

This is an agreement between the collector of data and the individual whose data is being collected; it outlines the purpose that the data is collected for.

Question 37

Privacy Notice

Answer 37

Obtaining consent means that if I allow you to collect my personal data, you can only use it for the purpose that it was intended. For example, say someone has given you my email and their personal cell phone number to set up their account so that they can purchase goods. It is then illegal to send those details to your marketing department so that they can target that person.