Explain privacy and sensitive data concepts in relation to security Flashcards
Organizational consequences of privacy and data breaches
Reputation damage
Identity theft
Fines
IP theft
Reputation damage
Reputation damage—data breaches cause widespread negative publicity, and customers are less likely to trust a company that cannot secure its information assets.
Identity theft
Identity theft—if the breached data is exploited to perform identity theft, the data subject may be able to sue for damages.
Fines
Fines—legislation might empower a regulator to levy fines. These can be a fixed sum or, in the most serious cases, a percentage of turnover. Under GDPR, for example, the upper tier of administrative fines is €20 million or 4% of worldwide annual turnover, whichever is higher.
IP theft
IP theft—loss of company data can lead to loss of revenue, for example when copyrighted material such as unreleased movies and music tracks is breached. The loss of patents, designs, trade secrets, and so on to competitors or state actors can also cause commercial losses, especially in overseas markets where IP theft may be difficult to remedy through legal action.
Notifications of breaches
Escalation
Public notifications and disclosures
Escalation
A breach may be detected by technical staff and if the event is considered minor, there may be a temptation to remediate the system and take no further notification action. This could place the company in legal jeopardy. Any breach of personal data and most breaches of IP should be escalated to senior decision-makers and any impacts from legislation and regulation properly considered.
Public notifications and disclosures
Other than the regulator, notification might need to be made to law enforcement, to the individuals and third-party companies affected by the breach, and publicly through press or social media channels. For example, the Health Insurance Portability and Accountability Act (HIPAA) sets out breach reporting requirements in legislation: affected individuals must be notified, the Secretary of the US Department of Health and Human Services must be notified, and if more than 500 residents of a state or jurisdiction are affected, prominent media outlets must be notified as well (hhs.gov/hipaa/for-professionals/breach-notification/index.html). The requirements also set out timescales for when these parties should be notified. HIPAA requires individual notification without unreasonable delay and no later than 60 days after discovery of the breach. Under GDPR, the supervisory authority must be notified within 72 hours of the controller becoming aware of a breach of personal data, and the affected data subjects must be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms (csoonline.com/article/3383244/how-to-report-a-data-breach-under-gdpr.html). Regulations will also set out disclosure requirements, that is, the information that must be provided to each of the affected parties. Disclosure is likely to include a description of what information was breached, contact details for the main point of contact, the likely consequences arising from the breach, and the measures taken to mitigate the breach.
GDPR offers stronger protections than most federal and state laws in the US, which tend to focus on industry-specific regulations, narrower definitions of personal data, and fewer rights and protections for data subjects. The passage of the California Consumer Privacy Act (CCPA) has changed the picture for domestic US legislation, however (csoonline.com/article/3292578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html).
Data types
Classifications
Personally identifiable information (PII)
Health information
Financial information
Government data
Customer data
Classifications
Public
Private
Sensitive
Confidential
Critical
Proprietary
Public
Public (unclassified)—there are no restrictions on viewing the data. Public information presents no risk to an organization if it is disclosed but does present a risk if it is modified or not available.
Private
Private/personal data—information that relates to an identified or identifiable individual.
Sensitive
Sensitive—this label is usually used in the context of personal data. It refers to privacy-sensitive information about a subject that could harm them if made public and could prejudice decisions made about them if referred to by internal procedures. As defined by the EU's General Data Protection Regulation (GDPR), sensitive personal data (the "special categories" of Article 9) includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation (ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en).
Confidential
Confidential (secret)—the information is highly sensitive, for viewing only by approved persons within the owner organization, and possibly by trusted third parties under NDA.
Critical
Critical (top secret)—the information is too valuable to allow any risk of its capture. Viewing is severely restricted.