5.5 Privacy and Sensitive Data Flashcards
The stages through which every (written or computerized) record goes from its creation to its final archiving or destruction. These stages may include a change of format or recording media for easier access or more secure storage.
• Creation and receipt
– Create data internally or receive data from a third party
• Distribution - Records are sorted and stored
• Use
– Make business decisions, create products and services
• Maintenance
– Ongoing data retrieval and data transfers
• Disposition
– Archiving or disposal of data
Information life cycle
Consequences
• Reputation damage - the loss to financial capital, social capital and/or market share resulting from damage to a firm’s reputation.
– Opinion of the organization becomes negative
– Can have an impact on products or services
– Can impact stock price
• Identity theft - the fraudulent acquisition and use of a person's private identifying information, usually for financial gain.
– Company and/or customer information becomes public
– May require public disclosure
– Credit monitoring costs
• Fines
– Uber
• Data breach in 2016 wasn’t disclosed
• Uber paid the hackers $100,000 instead
• Lawsuit settlement was $148 million
– Equifax
• 2017 data breach
• Government fines were approximately $700 million
• Intellectual Property (IP) theft
– Stealing company secrets
– Can put an organization out of business
Consequences
Notifications - HIPAA requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.
• Internal escalation process
– Breaches are often found by technicians
– Provide a process for making those findings known
• External escalation process
– Know when to ask for assistance from external resources
– Security experts can find and stop an active breach
• Public notifications and disclosures
– Refer to security breach notification laws
– All 50 US states, EU, Australia, etc.
– Delays might be allowed for criminal investigations
Notification
a process to help you identify and minimize the data protection risks of a project. You must do a DPIA for processing that is likely to result in a high risk to individuals.
• Almost everything can affect privacy
– New business relationships, product updates, website features, service offerings
• Privacy risk needs to be identified in each initiative
– How could the process compromise customer privacy?
• Advantages
– Fix privacy issues before they become a problem
– Provides evidence of a focus on privacy
– Avoid data breach
– Shows the importance of privacy to everyone
Privacy impact assessment (PIA)
Notices
• Terms of service - a type of document stating details about what a service provider is responsible for as well as user obligations that must be adhered to for continuation of the service.
– Terms of use, terms and conditions (T&C)
– Legal agreement between service provider and user
– User must agree to the terms to use the service
• Privacy notice, privacy policy - a public document from an organization that explains how that organization processes personal data and how it applies data protection principles.
– May be required by law
– Documents the handling of personal data
– May provide additional data options and contact information
Notices
a means to classify your organization’s data in a way that shows how sensitive the data is. This helps you reduce risks in sharing information that shouldn’t be accessible to anyone outside your organization or department. Applying sensitivity labels allows you to protect all your data easily.
• Not all data has the same level of sensitivity
– License tag numbers vs. health records
• Different levels require different security and handling
– Additional permissions
– A different process to view
– Restricted network access
Labeling sensitive data
Data classifications
• Proprietary
– Data that is the property of an organization
– May also include trade secrets
– Often data unique to an organization
• PII - Personally Identifiable Information
– Data that can be used to identify an individual
– Name, date of birth, mother’s maiden name, biometric information
• PHI - Protected Health Information
– Health information associated with an individual
– Health status, health care records, payments for health care, and much more
• Public / Unclassified
– No restrictions on viewing the data
• Private / Classified / Restricted / Internal use only
– Restricted access, may require a non-disclosure agreement (NDA)
• Sensitive - Intellectual property, PII, PHI
• Confidential - Very sensitive, must be approved to view
• Critical - Data should always be available
• Financial information
– Internal company financial information
– Customer financial details
• Government data
– Open data
– Transfer between government entities
– May be protected by law
• Customer data
– Data associated with customers
– May include user-specific details
– Legal handling requirements
Data classifications
the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
• Replace sensitive data with a non-sensitive placeholder
– SSN 266-12-1112 is now 691-61-8539
• Common with credit card processing
– Use a temporary token during payment
– An attacker capturing the card numbers can’t use them later
• This isn’t encryption or hashing
– The original data and token aren’t mathematically related
– No encryption overhead
Tokenization
Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
• Minimal data collection
– Only collect and retain necessary data
• Included in many regulations
– HIPAA has a “Minimum Necessary” rule
– GDPR - “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”
• Some information may not be required
– Do you need a telephone number or address?
• Internal data use should be limited
– Only access data required for the task
Data minimization
The process of removing identifying information such that the remaining data does not identify any particular individual. This is an important step to render the resultant data, which is no longer personal data, suitable for use in research and data mining. Anonymization means that you cannot restore the original information, and such data is out of scope of the GDPR.
• Make it impossible to identify individual data from a dataset
– Allows for data use without privacy concerns
• Many different anonymization techniques
– Hashing, masking, etc.
• Convert from detailed customer purchase data
– Remove name, address, change phone number to ### ### ####
– Keep product name, quantity, total, and sale date
• Anonymization cannot be reversed
– No way to associate the data to a user
Anonymization
A way to create a fake but realistic version of your organizational data. The goal is to protect sensitive data while providing a functional alternative when real data is not needed, for example in user training, sales demos, or software testing.
• Data obfuscation
– Hide some of the original data
• Protects PII
– And other sensitive data
• May only be hidden from view
– The data may still be intact in storage
– Control the view based on permissions
• Many different techniques
– Substituting, shuffling, encrypting, masking out, etc.
Data masking
Personal data is replaced with pseudonyms, but an individual can still be identified through indirect or additional information. This means that pseudonymized personal data is still in scope of the GDPR.
• [this]
– Replace personal information with pseudonyms
– Often used to maintain statistical relationships
• May be reversible
– Hide the personal data for daily use or in case of breach
– Convert it back for other processes
• Random replacement
– James Messer -> Jack O’Neill -> Sam Carter -> Daniel Jackson
• Consistent replacements
– James Messer is always converted to George Hammond
Pseudo-anonymization
Data responsibility
• High-level data relationships
– Organizational responsibilities, not always technical
• Data owner - individuals or teams who make decisions such as who has the right to access and edit data and how it’s used. Owners may not work with their data every day, but are responsible for overseeing and protecting a data domain.
– Accountable for specific data, often a senior officer
– VP of Sales owns the customer relationship data
– Treasurer owns the financial information
Data responsibility
Data roles
• Data controller - a person or organization who controls the purpose of and means by which personal data is processed. So, if you (as an individual) collect and store personal data, you are a data controller. If your business collects and stores personal data, your business is a data controller.
– Manages the purposes and means by which personal data is processed
• Data processor
– Processes data on behalf of the data controller
– Often a third party or different group
• Payroll controller and processor example
– Payroll department (data controller) defines payroll amounts and timeframes
– Payroll company (data processor) processes payroll and stores employee information
Data roles
Additional data roles
• Data custodian/steward - responsible for the safe custody, transport, and storage of the data and for the implementation of business rules.
– Responsible for data accuracy, privacy, and security
– Associates sensitivity labels to the data
– Ensures compliance with any applicable laws and standards
– Manages the access rights to the data
– Implements security controls
• Data protection officer (DPO) - monitors internal compliance, informs and advises on the organization’s data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs), and acts as a contact point for data subjects and the Information Commissioner’s Office (ICO)
– Responsible for the organization’s data privacy
– Sets policies, implements processes and procedures
Additional data roles