5.5 Explain Privacy and Sensitive Data Concepts in Relation to Security Flashcards

1
Q

Organizational Consequences of Privacy Breaches

A

If a company suffers a data breach, there can be several repercussions. Let’s look at some of them, starting with reputation damage.

2
Q

Reputation Damage

A

When a company suffers a data breach and it is known to the public, it can cause their brand to become tainted as they lose the respect of the public. This could reduce sales.

3
Q

Identity Theft

A

If any data held on a customer is stolen and then used for identity theft, the company will be sued for damages.

4
Q

Fines

A

Data breaches could result in regulatory fines. An example would be the EU GDPR, where the maximum fine is 20 million euros or 4% of the company’s annual global turnover, whichever is greater.

5
Q

Intellectual Property (IP) Theft

A

IP theft could result in copyrighted material, trade secrets, and patents being stolen by competitors, resulting in a loss of revenue. This data could be used in countries where a legal route to recover your data would be impossible.

Exam Tip: If a company suffers a data breach and that data is used for identity theft, the company could be sued by the individual affected.

6
Q

Notifications of Breaches

A

There are national laws and regulations that are laid down on how data breaches should be reported and who they should be reported to. A data breach is normally where data has been stolen or there has been an accidental breach; this means that the policies currently in place are not effective. If someone accesses a file or database server, we need to find the account used so that we can remove it to prevent further breaches. Let’s now look at the action we need to take once a breach has been discovered, starting with escalation:

7
Q

Escalation

A

Any data breach, no matter how small, should be reported immediately to the CEO as the company may face legal action later on. A company may face a fine if they have not been compliant with regulations.

8
Q

Public Notifications and Disclosures

A

We may have to contact the police, the regulator, customers, and any individuals affected by the breach. EU GDPR law allows a company 72 hours to notify those concerned. If you are in the UK, you must comply with the Data Protection Act 1988, which is statute law, and in the USA, if it is medical data, you must comply with HIPAA.

9
Q

Data Types

A

There are various types of data and we need to have an appreciation of each type and its characteristics; let’s start with different data classifications.

10
Q

Classification

A

The first stage of risk management is the classification of the asset, which determines how we handle, access, store, and destroy data. We are now going to look at the different classifications of data so that we know how to handle the data. Let’s start by looking at public data:

11
Q

Public Data

A

This is data that is available to anyone, such as yesterday’s news, leaflets, or brochures that have been distributed everywhere. Anyone has access to this data.

12
Q

Private Data

A

Private data is data that an individual does not want to disclose; it could also be classified as sensitive data.

13
Q

Sensitive Data

A

This is data that is personal to an individual, such as sexual orientation-, politics-, religion-, race-, or health-related data: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en.

14
Q

Confidential Data

A

Research and Development (R&D) and legal data will be classified as confidential data; disclosure would cause damage to the company. This could also be called classified data.

15
Q

Critical Data

A

This is data that a company does not want to disclose; it could also be classified and encrypted to prevent someone from reading it.

16
Q

Proprietary Data

A

This is data generated by a company, such as its trade secrets, or work done by the R&D department.

17
Q

Personally Identifiable Information (PII)

A

This is information that can identify a person, such as their date of birth, biometric information, or social security number.

18
Q

Protected Health Information (PHI)

A

This is information stored in a person’s medical records.

19
Q

Financial Information

A

This is data about a company’s bank account, share capital, and any investments that it has made. It could also be credit card information and payroll data.

20
Q

Government Data

A

This is data collected by governmental agencies, and there are strict rules on how it can be shared, normally only internally. Contractors working with the government will have strict rules that they need to follow when the contract has finished and the data used in the contract is to be disposed of.

21
Q

Customer Data

A

This is data that is held about each customer of an organization and should never be divulged; data on the account manager dealing with a customer is also classified as customer data.

Exam Tip: When a government contract ends, the contractor needs to dispose of government data in accordance with the original contract. They cannot just destroy the data.

22
Q

Privacy-Enhancing Technologies

A

We are going to look at techniques that enhance the storage of PII information, making it impossible to be stolen. Let’s look at these techniques, starting with data minimization:

23
Q

Data minimization

A

Data minimization means that only necessary data should be collected. This data should only be held in accordance with regulations, and this should be reflected in the data retention policy.

24
Q

Data Masking

A

This is where only partial data is left in a data field so that the original data cannot be stolen; for example, a field holding a credit card number may only show the last four digits.

25
Q

Tokenization

A

Tokenization is where meaningful data is replaced with a token that is generated randomly, and the original data is held in a vault. This is much stronger than encryption and it is stateless, and the keys are not stored locally.

26
Q

Anonymization

A

Recital 26 of the GDPR defines anonymized data as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.” Identifiers such as the name of an individual should be removed, substituted, or distorted. We could use this to protect PII. For instance, we could view a social security number, but we can no longer identify the individual that it belongs to as their name has been removed.

27
Q

Pseudo-Anonymization

A

This is where data is modified or replaced by other information so that if you want to reverse the process, it would rely on another data source that is separate from the original. Article 4(5) of the EU GDPR states that the process of pseudo-anonymization is “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

Exam Tip: Data masking is when only partial data is left in a data field. For example, a credit card could be shown as ** ** ** 1234. Tokenization is better than encryption as it replaces data with a token that is connected to a remote location where the original data is held.

28
Q

Data Roles and Responsibilities

A

There are different roles and responsibilities for dealing with data, ranging from the owners who create the data to those that store and control it. Let’s look at each of these roles and what areas they are responsible for. We will start with data owners:

29
Q

Data Owners

A

The data owners are responsible for classifying data and deciding who can access the data.

30
Q

Data Controller

A

The data controller is responsible for ensuring that all data that is collected and its storage is legal and follows compliance regulations. The data controller is responsible for investigations into data breaches.

31
Q

Data Processor

A

The data processor operates on behalf of the data controller, ensuring that the collection, storage, and analysis of data is done in accordance with regulations (GDPR Article 30).

32
Q

Data Custodian/Steward

A

The data custodian stores and manages data, ensuring that it is encrypted and that regular backup tapes are kept.

The data steward is responsible for the data quality, labeling, and ensuring that it is stored in accordance with current regulations and standards.

33
Q

Data Protection Officer (DPO)

A

Privacy law or data protection laws prohibit the disclosure or misuse of information about private individuals. Under Article 37 of GDPR the Data Protection Officer (DPO) is a mandatory appointment within an organization. Article 39 lists the tasks of the DPO: https://advisera.com/eugdpracademy/gdpr/tasks-of-the-data-protection-officer/. They must ensure that the data subject is informed about their rights and that data controllers are fulfilling their duties according to regulation. It is the role of the DPO to ensure that the handling, use, retention, and disposal of PII data is in accordance with national law and regulatory frameworks.

Exam Tip: The Data Protection Officer ensures that data regulations are adhered to.

34
Q

Information Life Cycle

A

The information life cycle comprises the life cycle of data, from data creation to data destruction.

35
Q

Impact Assessment

A

This is where you evaluate the risk of collecting large amounts of data and look at tools that would reduce that risk.

For example, say you are working in a hospital, where consent needs to be provided by patients to allow doctors to operate on them. You might collect 1,000 of these forms a week and might decide to use a SharePoint server to store them so that they are centrally located and not lost through clerical errors.

36
Q

Terms of Agreement

A

This is an agreement between the collector of data and the individual whose data is being collected; it outlines the purpose that the data is collected for.

37
Q

Privacy Notice

A

Obtaining consent means that if I allow you to collect my personal data, you can only use it for the purpose that it was intended.

For example, say someone has given you their email and their personal cell phone number to set up their account so that they can purchase goods. It is then illegal to send those details to your marketing department so that they can target that person.