The Privacy Minefield
Sol Bermann, Legal Project Manager, Technology Policy Group-OSC
(614) 688-4578, bermann@osc.edu

Polarized Attitudes
A spectrum running from "Protect It" through "Protection with use" to "Use It", with the interested groups placed along it in this order: Advocates, Citizens, Consumers, Government, Business.
Privacy Impact Areas
• Consumer Records (state & federal law)
  • PII
  • Surfing habits
• Public Records (state & federal law)
  • SSN
  • Driver’s License
  • Real Estate
  • Arrest Records
• Credit & Financial Records (GLB)
• Health Records (HIPAA)
• Children (COPPA)
Privacy Dangers
• External
  • Privacy law violations
  • Privacy policy violations
  • Bad actors (hackers)
  • Monitoring issues
• Internal
  • Privacy law violations
  • Privacy policy violations (acceptable use)
  • Monitoring issues
Privacy Failure Consequences
• Loss of trust
• Irreparable damage to reputation and user retention
• Loss of revenue and new business
• Interruption of transborder data flows, and the applicable penalties in international jurisdictions
• Possible federal and state enforcement actions: millions of dollars spent, loss of flexibility in the marketplace to implement consent decrees, and irreparable damage to key initiatives such as eBusiness or eGovernment
• Litigation from consumers, privacy advocates, etc.
• Civil and criminal penalties for wrongful disclosure of protected health information
Plan for Privacy
• Have a privacy/security plan
• External & internal: there is no single solution
• A framework is essential
• Accountability is essential
• Compliance is essential
• A privacy policy is a value-added proposition for citizens and a competitive advantage for companies
• Be honest & create trust
• Let people know what you are doing and let them make their own decisions
Policy Framework
• Where possible, follow the OECD guidelines:
  • Collection Limitation Principle
  • Data Quality Principle
  • Purpose Specification Principle
  • Use Limitation Principle
  • Security Safeguards Principle
  • Openness Principle
  • Individual Participation Principle
  • Accountability Principle
Technological Framework
• How is the data organized, labeled, and stored?
• What paths does the data take when getting from point A to point B, and how are these paths protected?
• Is there positive control over the data at all times?
• What security mechanisms surround the use of the data?
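The Policy Framework and Technological Framework slides list principles and questions but do not show what "positive control over the data" looks like in code. The following is an added example, not part of the original presentation, of a small data-handling gateway that turns the OECD principles named above into enforceable checks: each purpose declares up front which fields it may collect (Collection Limitation, Purpose Specification), data is released only for the declared purpose or one the subject later consented to (Use Limitation, Individual Participation), sensitive identifiers are masked on the way out (Security Safeguards), the policy itself is a readable structure (Openness), and every decision is written to an audit log (Accountability). The purposes, field names, actors and the sample record are constructed for illustration and are assumptions, not something from the slides.

```python
"""Added example (not from the slides): a minimal privacy gateway that
enforces the OECD principles as code. Purposes, fields and records are
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purpose Specification / Collection Limitation: each purpose declares, in
# advance, the only fields it may collect. Anything else is refused.
ALLOWED_FIELDS = {
    "billing": {"name", "address", "ssn"},
    "newsletter": {"name", "email"},
}
# Security Safeguards: fields that are never returned in full.
SENSITIVE = {"ssn"}


class PolicyViolation(Exception):
    """Raised when a request would breach the declared policy."""


@dataclass
class Record:
    subject_id: str
    purpose: str                                  # purpose declared at collection
    data: dict
    consented: set = field(default_factory=set)   # extra purposes the subject agreed to


class PrivacyGateway:
    def __init__(self):
        self._records = {}
        self.audit = []   # Accountability: every decision, allowed or denied, is logged

    def _log(self, actor, action, subject_id, purpose, outcome):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                           "action": action, "subject": subject_id,
                           "purpose": purpose, "outcome": outcome})

    def collect(self, actor, subject_id, purpose, data):
        # Purpose Specification: an undeclared purpose cannot collect anything.
        if purpose not in ALLOWED_FIELDS:
            self._log(actor, "collect", subject_id, purpose, "denied:unknown-purpose")
            raise PolicyViolation(f"undeclared purpose {purpose!r}")
        # Collection Limitation: refuse fields the purpose did not declare.
        extra = set(data) - ALLOWED_FIELDS[purpose]
        if extra:
            self._log(actor, "collect", subject_id, purpose, "denied:excess-fields")
            raise PolicyViolation(f"fields not needed for {purpose!r}: {sorted(extra)}")
        # Data Quality: do not store empty values.
        if any(v in (None, "") for v in data.values()):
            self._log(actor, "collect", subject_id, purpose, "denied:empty-value")
            raise PolicyViolation("empty values are not accepted")
        self._records[subject_id] = Record(subject_id, purpose, dict(data))
        self._log(actor, "collect", subject_id, purpose, "ok")

    def grant_consent(self, subject_id, purpose):
        # Individual Participation: only the subject widens the permitted uses,
        # and only to purposes the published policy actually describes.
        if purpose not in ALLOWED_FIELDS:
            raise PolicyViolation(f"undeclared purpose {purpose!r}")
        self._records[subject_id].consented.add(purpose)
        self._log(subject_id, "consent", subject_id, purpose, "ok")

    def use(self, actor, subject_id, purpose):
        rec = self._records.get(subject_id)
        if rec is None:
            self._log(actor, "use", subject_id, purpose, "denied:no-record")
            raise PolicyViolation("no record")
        # Use Limitation: data flows only for the declared or a consented purpose.
        if purpose != rec.purpose and purpose not in rec.consented:
            self._log(actor, "use", subject_id, purpose, "denied:purpose-mismatch")
            raise PolicyViolation(f"{purpose!r} is not a permitted use")
        # Security Safeguards: a permitted use still gets only the fields it
        # needs, with sensitive identifiers masked to their last four characters.
        out = {}
        for k in ALLOWED_FIELDS[purpose] & set(rec.data):
            v = rec.data[k]
            out[k] = "*" * (len(v) - 4) + v[-4:] if k in SENSITIVE else v
        self._log(actor, "use", subject_id, purpose, "ok")
        return out

    def subject_view(self, subject_id):
        # Individual Participation: the subject sees what is held and why.
        rec = self._records[subject_id]
        self._log(subject_id, "view", subject_id, rec.purpose, "ok")
        return {"purpose": rec.purpose, "also_consented": sorted(rec.consented),
                "fields": sorted(rec.data)}


def public_policy():
    # Openness: the policy is a plain statement anyone can read.
    return {p: sorted(f) for p, f in ALLOWED_FIELDS.items()}


def demo():
    """Walk one constructed record through the gateway and return the outcomes."""
    gw = PrivacyGateway()
    gw.collect("web-form", "alice", "billing",
               {"name": "Alice", "address": "1 Main St", "ssn": "123456789"})
    billing = gw.use("invoicing", "alice", "billing")          # allowed, SSN masked
    try:
        gw.use("marketing", "alice", "newsletter")              # no consent yet
        blocked = False
    except PolicyViolation:
        blocked = True
    gw.grant_consent("alice", "newsletter")
    newsletter = gw.use("marketing", "alice", "newsletter")    # now allowed, name only
    try:
        gw.collect("web-form", "bob", "newsletter", {"name": "Bob", "ssn": "987654321"})
        over_collected = False
    except PolicyViolation:
        over_collected = True
    denied = [e["outcome"] for e in gw.audit if e["outcome"].startswith("denied")]
    return {"billing": billing, "blocked": blocked, "newsletter": newsletter,
            "over_collected": over_collected, "denied": denied,
            "view": gw.subject_view("alice")}


if __name__ == "__main__":
    print(public_policy())
    print(demo())
```

The point of the design is that the answers to the Technological Framework questions become properties of the gateway rather than of individual developers: the only path to the data passes through `use()`, so purpose, masking and logging cannot be skipped, and the audit list is what a Chief Privacy Officer or compliance auditor would review.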
Accountability
• Everyone (the same for business & government)
• Essential clearances: CEO; Business Units; Marketing; H.R.; General Counsel; Government Affairs; Information Security; I/T
• BUT ACCOUNTABILITY TO EVERYONE IS ACCOUNTABILITY TO NO ONE
• Must have an enforcer: a Chief Privacy Officer (or something similar)
Compliance
• Is there a data privacy compliance strategy?
• What are the elements of the compliance program?
• Is there an auditor (e.g., a CPO)?
• What is the role of the auditor?
• Does the compliance program have teeth?
LESSON TO REMEMBER
• Create Trust
• Be Honest
• Have a Policy
• Display Your Policy
• Follow Your Policy
• Develop Your Infrastructure
• Audit Your Infrastructure
• Be Accountable
• Have a CPO or Compliance Officer
Some Good Books
• “Database Nation”, Simson Garfinkel
• “The Transparent Society”, David Brin
• “The Unwanted Gaze”, Jeffrey Rosen
• “The Hundredth Window: Protecting Your Privacy and Security in the Age of the Internet”, Charles Jennings, Lori Fena
• “For the Record: Protecting Electronic Health Information”, Computer Science and Telecommunications Board
• “1984”, George Orwell
• “Brave New World”, Aldous Huxley
A Few of Many Privacy Links
Regulatory
• Gramm Leach Bliley: www.bog.frb.fed.us/BoardDocs/Press/BoardActs/2000/20000621
• FTC: www.ftc.gov/acoas/papers/finalreport.htm
• HIPAA: http://aspe.hhs.gov/admnsimp/
• EU: http://europa.eu.int/eur-ex/en/lif/dat/1995/en_395L0046.html
• OECD: http://www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM#3
General Info
• www.privacyexchange.org
• www.epic.org
• www.privacyplace.com
• www.eff.org
• www.leglnet.com/libr-priv.htm
• www.privacyalliance.org
More Links
Technology and Services
• www.w3.org/P3P/
• www.pwcglobal.com/Extweb/service.nsf/
• www.ibm.com/services/e-business/security.html
• www.truste.com
• www.junkbusters.com
• www.anonymizer.com
• www.siegesoft.com/products.shtml
• www.iprivacy.com
• www.privada.com
• www.zeroknowledge.com
• www.safemessage.com
• www.privacyright.com