Information Management From A US Perspective Flashcards
What risks should a company consider in designing a privacy program?
Legal - compliance with laws, contracts and industry standards
Reputational - protect company reputation
Operational - ensure privacy program is administratively efficient
Investment - receive return on investments in light of privacy regulations
What are the 4 steps for information management?
Discover - what are the company's practices and goals
- determination of best practices
- issue identification and self-assessment
Build - how to meet those goals
- procedure development and verification
- full implementation
Communicate - internally and externally
- documentation and education
Evolve - review and update the program based on changes in technology, laws, etc.
- affirmation and monitoring
- adaptation
What controls / practices should orgs use for managing PI?
Data inventory - inventory the PI an organization collects
- identifies risks that could affect reputation or legal compliance
Data classification - classify data to determine the appropriate level of protection
- helps an org address compliance audits for a particular type of data, respond to legal discovery requests, and use storage resources in a cost-effective manner
Documenting data flows - systems / apps / processes for handling data
- helps identify areas for compliance attention
Determining data accountability - ensuring compliance with privacy laws and policies
When to have one or two privacy policies?
1 - if the org has a consistent set of values and practices for all its operations
2 - an org that has well-defined divisions or lines of business that use data in different ways, don't share data, and are perceived as different businesses
Privacy policy review and approval
Needs legal consultation and executive approval
If a policy needs to be revised the org should announce the change first to employees and then to customers
Companies should obtain opt-in consent before making material retroactive changes to their privacy practices (e.g., sharing consumer data with third parties)
How to communicate privacy policies through a notice?
Make the notice available online
Make the notice accessible in places of business
Provide updates and revisions
Ensure that the appropriate personnel are knowledgeable about the policy
Policy version control best practices
Ensure all locations where policies are stored are updated systematically
Include the revision date and a version number
Save and store older versions of privacy policies and notices
What is opt-in?
Also called affirmative consumer consent or express consent
Affirmative indication of choice based on an express act of the person giving the consent.
Ex: selecting a checkbox
What is opt-out?
A choice that can be implied by the failure of the person to object to the use or disclosure.
“Unless you tell us not to we will share your data”
Ex: unchecking a box
What legal acts require opt-in?
COPPA
HIPAA
FCRA
What is no option?
No consumer choice
Companies do not need to provide choice before collecting and using consumers' data for practices that are consistent with the context of the transaction, consistent with the company's relationship with the consumer, or as required by law
What are challenges for managing user preferences?
- The scope of an opt-out or another user preference can vary
- The mechanism for providing an opt-out or another user preference can also vary
- Linking a user's interactions through multiple channels
- The time period for implementing user preferences
- Third party vendors processing on behalf of the company
What laws give consumers the right to access PI held about them?
FCRA
HIPAA
OECD guidelines
APEC principles
Privacy Shield
What should be included in a contract with a vendor?
Confidentiality provision
No further use of shared information
Use of subcontractors
Requirements to notify and disclose a data breach
Information security provisions
What vendor due diligence standards should a company consider using?
Reputation
Financial condition and insurance
Information security controls
Point of transfer / secure transfer
Disposal of information
Employee training and awareness
Vendor incident response
Audit rights / assessments (ISO, SOX, etc.)
GDPR requirements
Notification of security breaches
Requirements for processors
Designation of a DPO
Accountability obligations
Rules for international transfers
Sanctions of up to 4% of a company's revenue
DSRs (data subject rights)
Data protection by design and by default principles
What are the lawful bases for transfer between the US and EU?
Privacy Shield
Standard contractual clauses
Binding corporate rules
What is Privacy Shield?
US companies wishing to import personal data from the EU make commitments to accept obligations on how the data can be used, which are legally binding and enforceable
Standard contractual clauses
A company contractually promises to comply with EU law and submit to the supervision of an EU privacy supervisory agency
Binding corporate rules
A multinational company can transfer data between countries after certification of its practices by an EU privacy supervisory agency
What are threats to online privacy?
Unauthorized access
Malware
Phishing
Spear phishing
Social engineering
Technically based attacks
Unauthorized access
When there is unauthorized access to a website or computer system, this access may be criminal behavior such as fraudulent use of identity credentials and related financial information.
Malware
Software that is designed for malicious purposes
Ex: providing an attacker unauthorized control over a remote computer
Phishing
Term for emails or other communications that are designed to trick a user into believing that he or she should provide a password, account number, or other information
Spear phishing
A phishing attack that is tailored to the individual user
Ex: an email that appears to be from a user's boss instructing the user to provide information
Social engineering
General term for how attackers try to persuade a user to provide information or create some other sort of security vulnerability. The social engineer targets a user within an org who may have access to private information
Ex: using an assumed identity in communications, eavesdropping on private conversations or calls, impersonating an employee or hired worker
Technically based attacks
The attacker exploits a technical vulnerability or inserts malicious code
Examples: SQL injection, cookie poisoning, use of malware, XSS
How to ensure online security?
Secure Web access - multi-factor authentication
Encryption in transit with TLS
Protect online identity
- Use unique passwords, change them regularly, use a password manager
- Use antivirus software, install patches
- Keep current on known Wi-Fi vulnerabilities
- Restrict what files and directories can be accessed by the website and services
- Be cautious of public shared computers and public charging stations
- Be cautious of providing personal info unless the user knows the site is secure
What types of online attacks do users face?
Spam email - an unsolicited commercial email
Phishing
Malware - spyware & ransomware
Whaling
Specialized type of phishing that is targeted at C-suite executives, celebrities, and politicians
Examples of malware
Viruses
Worms
Spyware
Ransomware
Mobile online privacy concerns
Location-based services (LBS) are expanding quickly
How to provide notice
Geolocation data
What types of third party interactions are causing the boundaries of websites to become blurred and what should privacy professionals ensure?
Syndicated content
Web services
Co-branded online ventures
Widgets
Online advertising networks
Appropriate privacy protections are in place, and it's clear which entities are capturing or receiving personal info in these scenarios
What is cross-device tracking?
When advertisers map users as they move between devices such as laptops and smartphones
Cross-context tracking
Where advertisers gather information as users move among different online environments such as search engines and social media sites
What is the Do Not Track approach in digital advertising?
A suggestion by the FTC which would allow individuals to make a single choice not to be subjected to targeted online advertising
What is the EU cookie directive?
Requires that users give consent before having cookies placed on their computers, preventing cookie tracking of their online activities if they don’t opt in
What are some online advertising techniques?
Pop-up ads
Adware - software bundled with free software which monitors end users' online behavior to target advertising; without consent this may be considered spyware
What are web cookies?
Link a computing device to previous actions by the same device
What are the types of cookies?
Session cookie - stored only while the user is connected to the particular web server and deleted when the browser is closed. Ex: online shopping carts
Persistent cookie - set to expire at some point in the future. Ex: mechanism for authenticating visitors to a website where they have an account, social networking, personalizing sites based on a user's interests
First-party cookie - set by the web server hosting the application
Third-party cookie - set and read by or on behalf of a party other than the web server
Flash cookie - stored and accessed by Adobe Flash; can't be deleted through the browser, and users aren't notified when they are collected and stored
HTML cookie - a small text file that a web server places on the hard drive of a user, which can be deleted
Web beacon
Provides the ability to produce specific profiles of users' behavior in combination with web server logs
Ex: online ad impression counting, file download monitoring, ad campaign management (click through rates, ad frequency limitation), read receipts on emails
Digital fingerprinting
Can identify a device based on information revealed to a website by the user. Certain information is provided to the website in the log files. Some information, such as "fonts used by the requesting computer", can be used to fingerprint a device. Used by financial institutions so that an account holder is asked for additional security assurances before logging in from a new device.
Privacy concerns: digital fingerprinting techniques being used for targeted advertising instead of just security, and what notice and consent is sufficient
Privacy concerns with search engines
Contents of the search may give clues about a searcher's identity when a user looks up their own name, as may search patterns around a person's address or workplace.
Searches may include medical information, political views
Privacy concerns with online social networking
Privacy controls are not consistent
Transmission of personal data to unwanted third parties
Personal data being sold to advertisers and intruders stealing passwords or other unencrypted data
Desktop / laptop advertising ecosystem
Cookies allow advertisers to build profiles of a device's online activities, which can then be used to create targeted advertising tailored to the user of the device
Mobile advertising ecosystem
A single user on three different apps on the same device will appear as three different users (sandboxing), creating app-specific device IDs
Rich source of location data, which enables precise advertising targeting
Wi-Fi routers and Bluetooth offer advertisers the ability to target ads based on the user's location
EU data protection vs e-discovery
Remains challenging with no simple resolution
Hague Convention on the Taking of Evidence
Accountability
The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law
APEC privacy framework
A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that mirror the OECD fair information privacy practices. They seek to promote electronic commerce throughout the Asia-Pacific region by balancing privacy with business needs.
What are the principles of the APEC framework?
Preventing harm
Notice
Collection limitation
Uses of personal information
Choice
Integrity of personal information
Security safeguards
Access and correction
Accountability
Ransomware
A type of malware with which the malicious actor either locks a user's operating system, restricts the user's access to their data and/or device, or encrypts the data so the user is prevented from accessing their files.
The victim is then told to pay a ransom to regain access.
Spyware
Software that is downloaded covertly without the understanding or consent of the user.
Used to fraudulently collect and use sensitive personal information
Some can take control of the device's camera or microphone, or report keystrokes
Fair information practices
Guidelines for handling, storing, and managing data with privacy, security, and fairness in an information society that is rapidly evolving
Principles of fair information practices
Rights of individuals - notice; choice and consent; data subject access
Controls on the information - information security and quality
Information lifecycle - collection; use and retention; disclosure
Management - management and administration; monitoring and enforcement
OECD guidelines
An international organization
The most widely recognized framework for FIPs, endorsed by the US FTC and many other government orgs
Comprehensive model of data protection
Governs the collection, use, and dissemination of personal information in the public and private sectors
An official or agency is responsible for overseeing enforcement
Ex: data protection authorities in the EU
Sectoral model of data protection
Used by the US
Framework protects personal information by enacting laws that address a particular industry sector.