RIM_07_Privacy and Security in RIM (Class)
(07_S-3_6a) Assigning Risk to Breaches 1
low risk score indicates no probable criminal intent, and controls are in place to handle it. If the risk is low, notification might do more harm than good. A medium risk score indicates the breach could involve criminal intent, but controls are in place to prevent criminal success. If risk is medium, your company might notify law enforcement, affected organizations, and affected individuals. A high risk score indicates the breach was likely criminally motivated or the breach was substantial and any controls are ineffective. If risk is high, then notify all individuals involved and provide some sort of remedy.
(07_S-2_1b) FACTA
In 2003, the Fair and Accurate Credit Transactions Act (FACTA) added sections to the FCRA, intended to help consumers fight the growing crime of identity theft. FACTA contains language on accuracy, privacy, limits on data sharing, and new consumer rights to disclosure. It also requires companies to disclose any use of credit bureau data in their employment decisions.
(07_S-3_14b) Lessons from the XY Case : Three Key points _ 2
2. Business owners should anticipate changes in business circumstances and carefully weigh the interests of their investors and creditors, as well as the consumers they wish to serve.
(07_S-3_12e) Clarifying Rights of Access: steps for employees _2
2. Keep personal computers private. Your actions may indicate an expectation of privacy or of the lack of one. Consider the implications of such things as permitting other employees to access a personal machine and its data; linking a personal computer to an employer network or keeping it on employer premises; and installing employer-owned software on a personal computer.
(07_S-3_12b) Clarifying Rights of Access: steps for employers _2
2. Manage employee expectations. Employees may well assume they own a copy of employer data maintained on their personal computers. As part of the information policy, make it clear that copies of employer-owned data remain the employer's property, regardless of who owns the media or equipment upon which the data are stored.
(07_S-3_14c) Lessons from the XY Case : Three Key points _ 3
3. Destruction of PII must be complete and done in a way to continue to protect the individuals' personal details.
(07_S-3_12c) Clarifying Rights of Access: steps for employers _3
3. Provide computers to employees for important offsite work. If the employer relies heavily on work performed off-site by employees and if the resulting work product is of high value, it may be prudent to provide employees with laptops or home computers.
(07_S-3_12f) Clarifying Rights of Access: steps for employees _3
3. Segregate and protect personal either physically or through a remote connection such as a network. Protect personal data with file-sharing restrictions, passwords, encryption, or other security devices.
(07_S-2_2i) Privacy by Design
A concept that originated in Canada with the Canadian Information & Privacy Commissioner is Privacy by Design. This privacy framework promotes the following foundational principles, each of which is described on the site: 1. Proactive, not Reactive; Preventive, not Remedial 2. Privacy as the Default Setting 3. Privacy Embedded into Design 4. Full Functionality—Positive Sum, not Zero Sum 5. End-to-End Security—Full Lifecycle Protection 6. Visibility and Transparency—Keep it Open 7. Respect for User Privacy—Keep it User-Centric
(07_S-1_3f) Cookies
A cookie is a small file of information that a website places on a hard drive when someone visits the site. Browsers store cookies to track user preferences. Session cookies are erased when the browsing session ends. Persistent cookies are stored until they expire or until the user deletes them. Persistent cookies can be used for various purposes, such as to track someone's online behavior and to provide identifying information to marketers.
(07_S-2_1f2) Case Example: Health Net _ 2
A couple of conclusions can be drawn from the Health Net case. 1. Sometimes, relatively simple practices can improve privacy protection. We'll discuss this in more depth later, but encryption and limiting or banning use of portable devices for storing sensitive information are easy fixes. 2. Data breach notification laws, systems, and policies are important. They won't prevent breaches, but they allow organizations to react quickly when they identify one. Quick action can lessen penalties from legal authorities and avoid a public relations backlash.
(07_S-2_2j1) OECD Guidelines 1
A longtime obstacle to managing data privacy around the world has been, of course, the disparities among national laws and their inconsistent enforcement. The risks of allowing the free flow of information across borders are indeed acute. In a global effort to safeguard personal data, the Organisation for Economic Co-operation and Development (OECD) sought in 1980 to harmonize its member states' privacy legislation by declaring seven principles for the legal drafting process. The result is called the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data—commonly called the OECD Guidelines.
(07_S-2_2f4) Safe Harbor Seven Principles: 4 - Access
Access. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.
(07_S-1_1d) Other Definitions of Privacy
Alan Westin's definition of privacy is particularly applicable to RIM. Westin, in his book Privacy and Freedom, defines it as "the claims of individuals, groups, or institutions, to determine for themselves, when, how, and to what extent information about themselves is communicated to others." Duff, Smieliauskas, and Yoos, in their Information Management article "Protecting Privacy," write that "Individuals differ as to the types of information they want to protect, because ultimately privacy is personal and subjective."
(07_S-1_4a2) Targeted Marketing 2
An offshoot of targeted marketing is the renting of consumer lists to third parties. Current efforts at privacy legislation have mostly been aimed at holding the original companies responsible for what their partners do with the consumer data. The FTC has cited gaps in the regulation of large data brokers. Consumers are far removed from such brokers and have no idea of what the brokers are doing with their personal information. On the negative side, providing targeted advertising requires a level of information surveillance, collection, and use that can lead to identity theft and other risks.
(07_S-2_2k) APEC Privacy Framework
Another treatment on privacy guidelines was published in 2004 by the Asian Pacific Economic Cooperation (APEC). Its privacy framework sets out to "promote a flexible approach to information privacy protection across APEC member economies, while avoiding the creation of unnecessary barriers to information flows."
(07_S-2_2a) International Implications
Any agreement regarding privacy must take into account the laws of any countries you do business with or the laws governing any international employees your organization might hire. Many countries have enacted laws affecting the transfer and management of PII. While Canada and Australia have made some processes voluntary, the European Union (EU) strictly enforces that anyone wishing to do business with any of their member states must follow strict privacy measures. For the next several screens we discuss international laws and frameworks.
(07_S-2_2b) Article 8 of the Directive
Article 8 of Directive 95/46/EC expressly forbids processing and collecting personal information that could be characterized as sensitive. Sensitive information is defined as a person's: + Racial or ethnic origin + Political opinions Religious and philosophical beliefs Trade union membership Health status Sexual preference Individuals must give explicit consent for their data to be transferred to a third party, unless the third party is conducting services on behalf of the initial party
(07_S-1_4a3) Targeted Marketing 3
As a records manager, you can help your organization find an acceptable balance between using targeted marketing and protecting the personal privacy of your customers. Work with the legal, marketing, customer relations, and security departments to: + Understand how your organization and its partners use cookies and other tactics to capture, use, and distribute personal information about employees and customers + Ensure that your practices are consistent with your organization's privacy obligations and pronouncements + Give your customers and employees sufficient choice on how their data is collected and used
(07_S-1_4b1) Do-Not-Track List 1
As marketers continue to use buyers' personal information for targeted advertising, the FTC and the U.S. Senate are questioning their right to do so and discussing the safeguards that must be in place to ensure adequate protection. Though the FTC doesn't have power to implement one, it is recommending the Internet industry or the U.S. Congress consider a do-not-track list similar to the do-not-call list that limits telemarketing calls. As stated above, one complexity is that some tracking is needed to make a user's experience on an internet site valuable, by enabling efficient navigation of the site. Another type of tracking is needed in order to adhere to users' choices. If, for instance, a customer no longer wants to receive solicitations, identifying that person is necessary.
(07_S-2_2c) Proposed Revisions to the Directive
As this training course is being developed, the European Commission is reviewing the EU legal framework on the protection of personal data. The main policy objectives for the Commission are to: + Modernize the EU legal system for the protection of personal data, in particular to meet the challenges resulting from globalization and new technologies + Strengthen individuals' rights and reduce administrative formalities to ensure a free flow of personal data within the EU and beyond + Improve the clarity and coherence of the EU rules for personal data protection Achieve a consistent and effective application of the fundamental right to the protection of personal data in all areas of the Union's activities. Among the specific recommendations are (1) to boost the rights of individuals so that collection and use of personal data are limited to the minimum necessary, and (2) extend privacy safeguards to police and criminal justice systems.
(07_S-3_9) Mingling Personal and Corporate Data
As we work longer days, often taking work home in the evenings or on weekends, privacy issues again come into play. Some organizations provide computers for employees' at-home work, but when employees use their personal computers for substantive amounts of work on the employer's behalf, who has a right to access the information? The bottom line: Be sure there is a clear policy that explains the organization's rights to access work-related records and that clarifies the employee's right to privacy.
(07_S-1_3b) U.S. Takes a Piecemeal Approach _ Baker & McKenzie's Global Privacy Handbook 2014
Baker & McKenzie state every business in the United States is subject to some privacy laws: Although the United States does not have a comprehensive federal data protection law, every business in the United States is subject to privacy laws at the federal and/or state level. These privacy laws and other privacy requirements are actively enforced by federal and state authorities and are aggressively enforced via class-action lawsuits and privacy- related litigation (p. 514).
(07_S-0_1b) Privacy Issues Overview 2
Big data aggregators can gather enormous quantities of data about individuals in order for companies to deliver products tailored to a customer's interests. But with rapid technological advances—and their associated benefits—come an increased number of privacy issues and security breaches. For instance, personal medical data that's gathered to provide individuals with enhanced care can be compromised. And, in the absence of do-not-track legislation, marketers are tracking online behavior and mining data about consumers' every move. They are tracking Internet usage, buying habits, and social networking activity. They also often combine data from diverse sources and sell it—without the consumer's knowledge.
(07_S-2_2h2) Canadian Laws 2
Canada has anti-spam legislation that became law in 2014. It established "onerous requirements" for the transmission of electronic messages if a computer system in Canada is used to send or access the message. Penalties can be as high as $10 million Canadian dollars for organizations. In 2017, a private right-of-action will go into effect, exposing organizations to potential class action suits. In addition, the Supreme Court of Canada released a 2013 decision in R v Vu, which established that police officers may not search a computer found in a place covered by a search warrant unless they have specific prior authorization to do so.
(07_S-2_2h1) Canadian Laws 1
Canada has two federal privacy laws, overseen by the Privacy Commissioner, that cover a broad spectrum of issues, contrary to the case-by-case basis used in the United States. Canadian privacy laws vary by province. The Privacy Act imposes obligations on 250 federal government departments and agencies by limiting collection, use, and disclosure of PII. It gives individuals the right to access and request correction of PII. The Personal Information Protection and Electronic Documents Act (PIPEDA) sets ground rules for how private organizations may collect, use, or disclose PII in the course of commercial activities. It gives individuals the right to access and request correction of the PII these organizations may have collected.
(07_S-2_2f2) Safe Harbor Seven Principles: 2 - Choice
Choice. Organizations must give individuals the opportunity to choose (opt out) whether their personal information is to be disclosed to a third party or to be used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.
(07_S-2_2f6) Safe Harbor Seven Principles: 6 - Data Integrity
Data Integrity. Personal information must be relevant for the purposes for which it is to be used.
(07_S-3_6b) Assigning Risk to Breaches 2
Depending on your industry and the business your organization conducts, your organization may be required to respond to the breach in a very specific way, including exact time requirements for notification. Legal counsel should help the response team when preparing to disclose a data breach. All organizations must follow an established data disclosure plan that considers all state, federal, and international laws and regulations governing data breach disclosure. If an organization has its own data breach policy beyond existing regulations, legal counsel should ensure it is followed to the letter. Most organizations find that up-front disclosure is a better route than running damage control later.
(07_S-3_5a) Identifying a Data Breach 1
Different organizations use different systems to identify breaches, depending on their industry and size. Most, though, have the shared goals of stopping a breach before it happens and, if one happens, of shortening the response time. Data breach response teams generally include the chief privacy officer, chief information officer, chief IT security officer, records manager, risk management staff, human resources staff, public relations staff, legal counsel, and sometimes even law enforcement. While you might not be directly responsible for identifying a breach, you could be called on for help with records-related information. First, an organization must spot the breach and figure out where it occurred. Quick action is key, whether your organization uses software that notifies you of a potential breach or uses manually created incident reports.
(07_S-2_2f7) Safe Harbor Seven Principles: 7 - Enforcement
Enforcement. In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles.
(07_S-3_3) Sharing of Data
For efficiency purposes, data is often shared among those who collect it. In the private sector, acquired data is often shared or sold. Acquisitions and mergers also provide personal information to various business sectors. In the government sector, data is often shared among agencies to speed up processes and to decide whose eligible for many programs and benefits. In fact, the EGovernment Act of 2002 encourages some federal agencies to share information when it's appropriate.
(07_S-2_1e) HIPAA and HITECH
HIPAA was updated by the Health Information Technology for Economic and Clinical Health Act (HITECH), which was a part of the American Recovery and Reinvestment Act of 2009 (ARRA). The legislation was enacted in anticipation (and encouragement) of the likely massive expansion in the exchange of electronic protected health information and in an attempt to organize health data nationally. HITECH imposes mandatory penalties for "willful neglect" of privacy laws, with civil penalties extending up to $250,000 and repeat violations extending up to $1.5 million. While HITECH doesn't allow an individual to bring a cause of action against a provider, it does allow an attorney general to bring an action on behalf of state residents. The first such case was filed shortly after HITECH was introduced.
(07_S-3_7) Data Breach Case
Here's one case to drive home the importance of protecting personal information. The U.S. Department of Health and Human Services and the FTC opened an investigation of Rite Aid after seeing video of pharmacy employees disposing of prescriptions and labeled pill bottles that contained PII in trash cans that were accessible to the public. Rite Aid agreed to a $1 million settlement for potential violations of HIPAA. Rite Aid promised to protect the data it previously failed to protect; create and document security procedures; educate employees; improve policies to safeguard customer privacy when disposing of identifying information; identify personnel to be accountable for information security; send progress and updated reports to the FTC; and more.
(07_S-3_2) Threats in a Global Information Society
Howard Lipson, Ph.D., in Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, states: "The anonymity enjoyed by today's cyber attackers poses a grave threat to the global information society, the progress of an information-based international economy, and the advancement of global collaboration and cooperation in all areas of human endeavor." WikiLeaks, a site that anonymously publishes highly classified documents, provides a perfect illustration of Lipson's point. In response to WikiLeaks' 2010 release of sensitive U.S. State Department documents, many multinational companies cut off services to the site. As a result, "cyber anarchists" attacked their websites. Many organizations are simply not equipped to deal with the ramifications of continuously evolving technology. In the meantime, hackers and marketers will take advantage of the lack of uniform safeguards and regulations.
(07_S-3_13b) Case Example: XY Magazine _ 2
However, because XY's privacy policy clearly stated, "[we] never give your info to anybody" and, "our privacy policy is simple: we never share your information with anybody," the FTC said the privacy policy was unambiguous and the parties must be held to honor the terms. A consent order called for destruction of the personal information in a manner that would make the information "unreadable, undecipherable, or non-reconstructable through generally available means."
(07_S-1_5a) Opt In or Out
If you opt in on a website, you are agreeing to receive products, services, and/or marketing information from that site and its "partners." However, many websites are carefully designed to hide the fact that you are agreeing to share your personal information with sites other than the site on which you are opting in. If you opt out on a website, you are an existing customer who is choosing not to receive marketing information from that site or its partners or not to have your personal information used in a certain manner or shared with third parties.
(07_S-2_1d2) HIPAA and EHRs 2
Imagine this. You're having frequent, severe headaches. You visit your family doctor who runs tests, refers you to a neurologist, and recommends an MRI. You, in an emotional state, agree to go through the testing and the subsequent costs associated with all the appointments. The tests show nothing, you're out a thousand dollars, and your head still hurts. A week after the inconclusive MRI, you go for your regular dental cleaning. The dentist discovers your upper molar is cracked clear through and says, "Have you been getting headaches? You have to be grinding your teeth pretty hard at night for this to happen!" And you then probably wish there was more use of EHRs.
(07_S-2_2d) Safe Harbor
In 2000, the European Parliament and the EU Commission determined that privacy protection in the United States and many other countries did not meet the EU's standards. As a result, the EU now prohibits release of personal data to companies in these countries unless special agreements are reached. Agreements are generally private contracts or participation in the U.S. Department of Commerce's Safe Harbor program.
(07_S-2_1g) Case Example: Largest HIPAA Settlement to Date
In 2014, two New York-based entities were sanctioned for breaches involving private medical data. The U.S. Department of Health and Human Services had initiated its investigation of New York and Presbyterian Hospital and Columbia University after a 2010 notice of a data breach affecting 6,800 individuals. The breach was caused when a physician tried to deactivate a personally owned computer server on a network that contained patient data. Because of a lack of technical safeguards, the personal data became accessible to Internet searches. The entities learned of the breach after receiving a complaint by an individual who found the personal data of a deceased partner on the Internet. The organizations were eventually fined $4.8 million.
(07_S-2_1a) Major U.S. Privacy Laws
In Section 1 we discussed how the United States takes a sectoral or piecemeal approach to privacy. On the next several screens we'll look at the U.S. privacy laws that have the most impact on RIM. Later we'll cover some prominent laws and guidelines from other countries and regions.
(07_S-2_1h) The Right to Know _FOIA
In the United States, "right to know" is the idea that individuals have a right or a need to know what's in certain records. Hand in hand with right to know comes the Freedom of Information Act (FOIA), which requires that public documents from federal and many state governments be made readily available to the public. The Act applies specifically to government agencies in the executive branch. All U.S. states and some territories have their own form of freedom of information legislation.
(07_S-2_1n) Other Significant U.S. Federal Privacy Laws
In the following list are additional federal laws that concern privacy: + Wiretap Act + Electronic Communication Privacy Act + Right to Financial Privacy Act + Privacy Protection Act + Foreign Intelligence Surveillance Act + Stored Communications Act + Pen Register and Trap and Trace Device Act + Communications Assistance to Law Enforcement Act + U.S. Patriot Act + Bank Secrecy Act + Federal Trade Commission Act + Video Privacy Protection Act
(07_S-1_3a) U.S. Takes a Piecemeal Approach _ 1
Many countries (and some regions) have comprehensive privacy laws that govern the collection, use, and dissemination of personal information. These countries commonly have an oversight body that ensures compliance. The United States, however, takes a "sectoral" (or piecemeal) approach to privacy. Regulators of industry sectors (such as health care, finance, and education) and related industry groups often create or promote legislation in response to specific needs. For instance, new legislation often stems from advances in technology.
(07_S-1_4b2) Do-Not-Track List 2
Marketers argue that a do-not-track list would merely make advertising messages less relevant, not less abundant. The FTC, however, believes the common business practice of not disclosing data-collection techniques is deceptive. Users deserve transparency and to be given a choice about the information that is collected and distributed about them and how it is used. The FTC also believes that having lengthy, incomprehensible privacy policies is deceptive. There must be transparency and full disclosure regarding the use and disclosure of PII.
(07_S-2_1d1) HIPAA and EHRs 1
Medical records provide a great privacy challenge because they typically include names, addresses, employer information, financial account information, insurance information, diagnosis data, and more, which all make medical identification theft a worthwhile risk for criminals. Privacy concerns are a key focus in the transition to EHRs, and with good reason. A 2010 Ponemon Institute study found that data breaches cost hospitals billions of dollars and put patient privacy in jeopardy. Very disturbing to privacy advocates is the trend toward electronic health records (EHRs)—that is, having all medical records stored on a central database.
(07_S-3_12d) Clarifying Rights of Access: steps for employees _1
Montaña recommends the following steps for employees: 1. Read policies before signing. Consider the language and importance of any information or intellectual property ownership policy you sign. If the language is too broad on ownership, renegotiate the agreement and avoid subsequent actions that might be construed as broadening the rights granted by it. 2. Keep personal computers private. Your actions may indicate an expectation of privacy or of the lack of one. Consider the implications of such things as permitting other employees to access a personal machine and its data; linking a personal computer to an employer network or keeping it on employer premises; and installing employer-owned software on a personal computer. 3. Segregate and protect personal either physically or through a remote connection such as a network. Protect personal data with file-sharing restrictions, passwords, encryption, or other security devices.
(07_S-3_12a) Clarifying Rights of Access: steps for employers _1
Montaña recommends the following steps for employers: 1. Determine the need for intrusive access policies based on the type of work being done. Consider the kinds of data employees are sending home or creating there as part of their work-related activities.
(07_S-3_5b) Identifying a Data Breach 2
Next, assess the level of risk by asking these questions: + Does the nature of the breach indicate criminal intent? + What kind of data is at risk? + Is personal information compromised? + Is there evidence that data is being used for identity theft? + Are lives in danger? + Can systems be damaged or affected by the breach? + Are controls in place that will minimize damage?
(07_S-2_2l) Relevance of Privacy Frameworks and Guidelines
OECD, APEC, Privacy by Design, and other privacy frameworks generally set out to address the following concerns: + Internal privacy policies and notices + Collection and use of PII + Choice (opt in/opt out) + Data integrity + Security safeguards + Accountability + Onward transfer of data to third parties + Enforcement An organization's privacy program should address all of these elements in an holistic manner, with special attention to its regulatory environment.
(07_S-2_2f3) Safe Harbor Seven Principles: 3 - Onward
Onward Transfer. To disclose information to a third party, organizations must apply the notice and choice principles.
(07_S-1_2) personally identifiable information : PII
PII The issue of privacy largely concerns PII. There are several definitions of PII in U.S. federal law, and they're based on the one published by the FTC in "Online Profiling: A Report to Congress," as follows: Data that can be linked to specific individuals, and includes but is not limited to such information as name, postal address, phone number, e-mail address, social security number and driver's license number. Depending on the law, PII might also include financial and medical information, educational records, political affiliation, video records, and religious affiliation.
(07_S-1_1b) Definitions of Privacy in the U.S. : Context
Part of the challenge is the lack of a single, standard definition of privacy. Prior to 1890, there was no official definition. In 1890, Louis Brandeis and Samuel Warren published "The Right to Privacy" in the Harvard Law Review, which contended that individuals have a common-law right to privacy. Brandeis, a U.S. Supreme Court justice from 1916-1939, articulated in Olmstead v. United States, a 1928 wire-tapping case, that people have a general constitutional right "to be let alone," which he described as the most comprehensive and valued right of civilized people. In Public Law 93-579, enacted in 1974 as the Privacy Act, Congress found that the right to privacy is a personal and fundamental right protected by the Constitution of the United States.
(07_S-3_2) Personal Data
People who buy anything online, participate in social networking, or post photos on any photo-sharing websites, are making their personal information readily available to those who know how to access it, absent sufficient safeguards on the part of companies storing or having access to the information. Even encrypted, confidential data, like online banking, credit card purchases, or electronic funds transfers, puts people at risk. Private personal information on laptops or flash drives is vulnerable if the devices are left unattended, or are lost, or are hacked at a coffee house or library.
(07_S-3_4) What is a Data Breach?
Perhaps the most significant type of threat to privacy is the data breach. A data breach is the unauthorized access to, disclosure of, or compromise of physical or electronic data. One can cause an organization a great amount of financial and reputational damage. If clients don't perceive your organization as trustworthy, they might choose to take their business elsewhere. Multiply that by millions of skeptical customers and the reputational damage can cause a firm to go out of business.
(07_S-1_4f) Permission-Based Marketing
Permission-based marketing is a response to privacy concerns about misuse of personal information. It is built on a consenting relationship with customers. A company asks first if customers agree to share their personal information. At the center of permission-based marketing is the choice to opt in or opt out of receiving marketing information. This is further explained on the next screen.
(07_S-3_15a) Case Example: Packing Materials 1
Pittsburgh reporter Rick Earle got a call from a viewer who said she received a box of plants in the mail and discovered the material they were packaged in contained people's personal and confidential information. The viewer said the pots were wrapped in newspaper, too, but other materials used to protect the delivery contained sensitive bank account information, including shredded bank checks.
(07_S-1_4c2) Case Example: Octopus Holdings 2
Privacy Commissioner Roderick Woo began an investigation into Octopus's practices that his successor, Allan Chiang, continued. Prudence Chan, CEO of Octopus, resigned amid intense criticism for how data-privacy issues were handled. The Hong Kong government has since been working with privacy experts to update legislation that will better protect the public. The Octopus incident in Hong Kong served as a lesson for organizations worldwide. Stakeholders and the general public began paying closer attention to how personal data was being shared.
(07_S-0_1c) Privacy Issues Overview 3
Privacy and information security are tightly integrated. Thus, failures in information security that result in privacy breaches are increasingly being considered "unfair practices" by the U.S. Federal Trade Commission (FTC), and resulting in sanctions. In 2013, nearly 58 million records were reported compromised in the United States, according to the Identity Theft Resource Center. The high-profile breaches of the Target and Nordstrom stores are just two examples of such breaches in data security. Privacy and information security are key components of RIM, as indicated in ISO 15489, but neither can be achieved without effective information governance controls
(07_S-2_2f5) Safe Harbor Seven Principles: 5 - Security
Security. Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration, and destruction.
(07_S-1_3e) Privacy vs. Marketing
Should an individual have a right to privacy when transacting business online? Imagine you're looking for a stuffed toy for a child's birthday. You type the name of the toy into the search window and click the first hopeful-looking link. It takes you to a type of business you would never set foot in. Mortified, you scramble to exit the site. But, guess what? Through cookies, your inadvertent visit to the site could haunt you in the form of unsolicited advertising and e-mail, or in the more detrimental form of malware—computer contaminants such as viruses, spyware, and worms.
(07_S-2_2b) Data Protection Directive 94/46/EC
The farthest reaching international privacy law is the EU's Data Protection Directive 95/46/EC. The directive applies to the collection, transmission, and processing of personal data, which is defined as "any information relating to an identified or identifiable natural person" residing within a member state of the EU. The directive specifically applies to information that directly or indirectly identifies an individual: a person's name, address, telephone number, or other personal information.
(07_S-3_8) Smart Grid and Privacy
Smart grids could pose a threat to privacy as well. They use digital technology to customize power systems based on the specifics of energy use. The concern is that data collected about customers' energy use could reveal their personal daily schedules, whether they have alarm systems, whether they have expensive electronics or other kinds of equipment that draw power, and so on. A 2010 Department of Energy (DOE) report focuses on the privacy issues related to smart grid technologies. The DOE recommends energy companies obtain customer authorization for releasing data, use data only in specifically authorized ways, and provide a clear means for withdrawing the authorization. Keep an eye out for additional requirements for privacy-related recordkeeping practices to be sure that your organization remain in compliance.
(07_S-1_4d) Social Networking and Privacy
Social networking sites are a target marketer's dream, offering a massive, captive audience that freely shares demographic information in posts, "likes," Tweets, and blogs. In 2010, the news came out that some social networking sites were gleaning and sharing users' personal information for targeted marketing purposes without letting users know. The information shared was sufficient to allow advertisers to identify distinct user profiles, leaving many people feeling violated and betrayed.
(07_S-1_5b) Who Bears the Burden?
Some laws require opt-in for certain activities. Other laws state that users must be allowed to opt-out. Others do not state a requirement. Marketers argue that it's up to users to opt out. Privacy advocates say the burden to make it clear to users when they are giving permission for use of their personal information is on those who want to use that information for their own gain. As technology continues to infiltrate society, further threats to privacy will surface. In Section 2 we look in more depth at the challenges of protecting information in a digital age.
(07_S-3_10) Organization-Owned Equipment
Some organizations grant employees "private" or "personal" folders on the employer's system. Others state they will limit review or monitoring of employee communications or data on company systems. Most companies understand that, unless explicitly stated in a privacy policy, employees who use employer-owned equipment at home presume they may use it for personal purposes. In legal cases, however, employer ownership often trumps employees' privacy rights.
(07_S-2_1l) Drivers' Privacy Protection Act
Some privacy laws address the selling or disclosure of personal data. The Driver's Privacy Protection Act, for example, allows an authorized recipient of personal information in a motor vehicle record to resell or disclose the information only for a use permitted under the act, such as for sharing safety, theft, emissions, and recall data, for instance. Highly restricted PII cannot be disclosed without the subject's permission. The Act mandates that any authorized recipient that resells motor vehicle information must keep for five years all records identifying the recipients and the permitted purpose for which the information will be used. The Act was passed in 1994 partly in response to several cases where criminals copied license plate numbers and then used Department of Motor Vehicles records to track down victims' addresses. In the case of actress Rebecca Schaeffer, the readily available information led to her being stalked and killed.
(07_S-1_4a1) Targeted Marketing 1
Targeted marketing uses cookies and other identifying information to "personalize an individual's experience" on a website. It is the practice of advertising a specific service or product to users who are known to be customers or are likely to become customers; and who—as evidenced by their expressed interests, demographics, and buying history—are likely to buy specific products and services From an organizational marketing perspective, targeting is successful and generates a healthy return on investment. From a user's standpoint, targeted marketing offers several benefits. It introduces people to products and services they might not otherwise know about, informs them of limited-time specials, provides alerts to discounts, allows automatic fill-in on forms so that identifying information doesn't need to be retyped, and even suggests complementary items or services.
(07_S-0_1a) Privacy Issues Overview 1
Technological advances over the past century have transformed the world. Medical technology saves lives every day that would have been lost even a decade ago. Manufacturing technology produces at a rate beyond early business leaders' wildest dreams. Microtechnologies let us store on one tiny chip information about a person's entire being: contact names and numbers, bank statements, demographic data, personal photos, business documents, health insurance information, and more.
(07_S-3_1) Introduction
Technology is racing ahead of ethics and standards, and even the best corporate computer minds are being caught off guard by the ingenuity of hackers. For records managers, getting clarity and commitment from senior management on how to handle privacy issues is a continuing challenge. In this section, we'll look at the threats facing privacy in an increasingly technology-dependent economy.
(07_S-2_1m) Children's Online Privacy Protection Act
The Children's Online Privacy Protection Act, or COPPA, applies to the online collection of personal data from a child under the age of 13. Personal data, defined broadly, includes virtually all online and offline contact information. The FTC amended the rule in 2013 to tighten controls around the third-party collection of minors' data and to assert that the PII of children cannot be collected without parental consent. Among the types of personal data cited were geolocation information, videos, photos, and more.
(07_S-2_2g) EU Permits the "Right to be Forgotten"
The Court of Justice of the European Union shook up the privacy landscape in May 2014 with its ruling that Google must delete links to personal information when an individual requests it. The concept is informally referred to as "the right to be forgotten." According to Reuters, Google was receiving takedown requests by the very next day. The longer term ramifications of such an historic ruling have yet to play out, but, unsurprisingly, many full-throated opinions are being expressed from both sides of the Atlantic. Those in favor of the ruling often say that a piece of negative news from many years past—such as a foreclosure— should not continue to impact an individual all of his or her life. Opponents tend to worry that the public will have a less rounded view of political candidates, job seekers, contractors, vendors, and more.
(07_S-2_1j) FOIA Exemptions
The FOIA entitles the following exemptions on documents being requested by the public: + Documents classified as secret in the interest of defense or foreign policy + Documents related solely to internal personnel rules and practices + Documents specifically exempted by other statutes + Documents containing privileged or confidential commercial or financial information obtained from a person + Privileged inter-agency or intra-agency memoranda + Personnel, medical, or similar files, the release of which would constitute a clearly unwarranted invasion of privacy + Documents compiled for certain law enforcement purposes + Documents contained in or related to reports about financial institutions that the SEC regulates or supervises + Documents containing exempt information about gas or oil wells
(07_S-1_4e) Embedding Privacy
The FTC wants organizations to build privacy protections into their everyday business practices. It wants them to: + Ensure reasonable security for consumer data + Limit collection and retention of personal data + Make reasonable efforts to ensure personal data is accurate + Provide customers with choices about how data is collected and shared + Delete personal information when it is no longer needed for the purpose collected + Write shorter, clearer, standardized privacy policies Yet, in a 2010 report on protecting consumer privacy, the FTC does not suggest that organizations should have to seek consumer permission to collect data for commonly accepted practices, such as product shipping, internal operations, and fraud prevention.
(07_S-3_14a) Lessons from the XY Case : Three Key points _ 1
The FTC's actions in the XY case highlight three key points for records managers. 1. Privacy promises hold major legal significance due to the section of the FTC Act related to deceptive practices—and the FTC's heightened enforcement of this section of the Act—whether they're made within an actual privacy policy or are characterized on a website or other publication distributed to a subscriber base. The promises remain in effect even when the business closes.
(07_S-2_1a) FCRA
The Fair Credit Reporting Act (FCRA) regulates collection, dissemination, and use of consumer credit information. The law covers not only financial credit information but also information related to a person's lifestyle.
(07_S-2_1c) GLBA
The Gramm-Leach-Bliley Act (GLBA) obligates companies involved in financial transactions to establish privacy policies, and it specifies how customer financial information can be shared. Financial institutions are nearly always required to provide an opt-out notice for customers to prevent disclosure of personal data to third parties. Exceptions are when disclosure is needed to perform the transaction or where the disclosure is permitted by law.
(07_S-2_1d3) HIPAA and EHRs 3
The Health Insurance Portability and Accountability Act (HIPAA) establishes regulations for the use and disclosure of protected health information (PHI). It was enacted in 1996. As with FCRA, HIPAA allows individuals to correct inaccurate information. In 2003, HIPAA security standards were established. Administrative safeguards include designation of a privacy officer and an information breach procedure. Physical safeguards include access controls to hardware and software, work screens moved from high-traffic areas, and employee access to training. Among the technical safeguards are controlling access to computer systems, documenting the systems, and protecting communication of PHI.
(07_S-2_1k) Personal Privacy Act
The Privacy Act of 1974 established a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of PII that is held in systems of record by U.S. federal agencies. The act requires agencies to give public notice of their systems of records by publication in the Federal Register. The act also prohibits the disclosure of information from a system of records without the written consent of the individual, unless the disclosure is pursuant to a statutory exception. Many states have enacted privacy laws that are similar to the Privacy Act of 1974.
(07_S-2_2e) Participating in Safe Harbor
The Safe Harbor plan is a voluntary, annual self-certification. Participating organizations must put in writing their agreement to abide by its requirements and must state in their published privacy statement that they adhere to the Safe Harbor. To qualify, an organization can: + Join a self-regulatory privacy program that adheres to the Safe Harbor's requirements + Develop its own self-regulatory privacy policy that conforms to the Safe Harbor + Be subject to a statutory regulatory, administrative, or other body of law (or rules) that effectively protects personal privacy
(07_S-1_1c) The U.S. Supreme Court's Ruling : Context
The U.S. Supreme Court has since ruled that citizens have a limited constitutional right of privacy based on a number of provisions in the Bill of Rights and subsequent amendments. Court rulings continue to uphold the "reasonable expectation of privacy," but records held by third parties, such as financial records or telephone calling records, are generally not protected by the Constitution. Thus, a patchwork of federal and state laws and regulations has been enacted in the United States.
(07_S-3_13) Inadequate Policies and Safeguards
The bottom line is, when it comes to tackling the privacy threats that accompany rapidly developing technology, organizations cannot afford to wait. RIM must partner with IT/Information Security, Risk Management, Legal, and Privacy to address ongoing risks and must keep threats to individuals' privacy at the forefront of their concerns. Does your organization have safeguards in place to avoid ending up as the defendant in cases like those we'll see on the next few screens?
(07_S-2_1f1) Case Example: Health Net _ 1
The first action by a state attorney general under the HITECH Act was filed in January 2010. In what he described as a "sadly historic" case, Connecticut's Richard Blumenthal sued Health Net of Connecticut, Inc. for allegedly failing to secure private patient medical records and financial information involving hundreds of thousands of enrollees and for failing to promptly notify consumers endangered by the security breach. Health Net learned in May 2009 that a portable disk drive containing unencrypted protected health information, Social Security numbers, and bank account numbers for approximately 1.5 million enrollees disappeared from one of its offices. Health Net waited six months before notifying the affected individuals.
(07_S-2_2j2) OECD Guidelines 2
The principles in the OECD Guidelines state that personal information must be: 1. Collected fairly and lawfully 2. Used only for the purpose specified during collection 3. Adequate, relevant, and not excessive to that purpose 4. Accurate and up-to-date 5. Accessible 6. Kept secure 7. Subject to disposal after the purpose is completed While the principles are not binding, they serve as models for many privacy laws and are of great value to records managers everywhere
(07_S-1_3d) The Internet's Effect
The proliferation of the Internet worldwide has forced us to rethink the concept of privacy. Sites like Google Earth let anyone with Internet access, anywhere in the world, see your business, your house, and, in some cases, even you. Increasingly fast search engines identify millions of links to organizations and individuals— and their related records—worldwide in seconds. The Internet blurs countries' borders, and there's a resulting lack of clearly defined governance and enforcement of privacy laws. Practices related to transborder data flow of personal information are seriously impacted.
(07_S-2_2f1) Safe Harbor Seven Principles : 1 - Notice
There are seven required Safe Harbor principles. Roll your cursor over each one for a description. 1. Notice 2. Choice 3. Onward 4. Access 5. Security 6. Data Integrity 7. Enforcement Notice. Organizations must notify individuals about the purposes for which they collect and use information about them.
(07_S-0_2) Privacy Issues: your role
There are steps you can take to help ensure your organization has privacy and information security practices that will protect customer and employee data. As an information management professional, you can work to support these initiatives in your organization. An information security program extends beyond the concept of privacy to protect the organization's intellectual assets and proprietary information. Both RIM and security fall under the information governance umbrella, along with disaster recovery, business continuity, and more.
(07_S-1_4c1) Case Example: Octopus Holdings 1
There is no doubt that selling consumers' personal information to marketers is a lucrative business. In Hong Kong, Octopus Holdings Ltd. earned millions when it sold its cardholders' personal information to six insurance companies for direct marketing purposes. The Octopus card, an electronic, stored-value payment card Hong Kong residents use for public transportation, restaurants, parking, and shopping, gave customers the option of enrolling in a rewards program. To enroll, customers had to supply a broad range of personal information, including income and personal interests. There was an opt-out provision, but to opt out customers first had to opt in, and the opt-out took several days to complete. During those few days, Octopus could release customers' personal data.
(07_S-1_3c) a "sectoral" (or piecemeal) approach or method
This sectoral method means that protection is inconsistent and will suffer from gaps as legislation lags the technology. California and Massachusetts have passed privacy legislation that affects any business with customers from those states. In the age of online commerce and common travel, these state laws impact many thousands of organizations. Further, these individual laws might serve as models for an eventual federal law. In 2014, the U.S. Senate began committee hearings that could move in that direction—hearings that were driven largely by the high-profile security breaches.
(07_S-1_3g) Flash Cookies
Unlike traditional cookies, one can't remove flash cookies with a browser's privacy controls. Some companies use this secretly stored information to reinstate the traditional cookies that an individual deleted, in a practice known as "re-spawning." In August 2010, a group of minors and their parents filed a federal suit against Clearspring Technologies, a software company that uses flash cookies to track web users for advertising purposes. Disney, Warner Brothers Records, and other Clearspring flash cookie affiliates were implicated for knowing that cookies were secretly tracking Web use well beyond the originally visited sites.
(07_S-0_3) Privacy and Security
What can information managers do to protect organizational and individual privacy while keeping records secure? This graphic broadly illustrates the integration of privacy and security and their distinctions.
(07_S-3_11) Personal Equipment
What if an employee creates a work-related file on a personal computer at home? Does the employer have any rights to that information? Most employees presume ownership of the contents of their own computers, at least of data relating to personal matters. Most would also want to avoid giving employers any legal justification for perusing personal data under the pretext of finding employer-owned data. In the article "Who Owns Business Data on Personally Owned Computers?" John Montaña recommends an employment agreement for how to handle privacy issues surrounding intellectual property.
(07_S-2_1i) FOIA
When FOIA was enacted in 1966, publicly available data was difficult to find. One had to search through boxes of records, microforms, and databases at the actual county clerk's office, city hall, or library. Now, private data is commonly available in court proceedings or other public records, such as deeds, mortgages, death certificates that contain health-related data, Social Security and Medicare numbers, birth dates, bank account information, and more. Through the Internet and the digitalization of government records, personal information is available almost instantly to anyone, anywhere in the world—including identity thieves.
(07_S-1_1a) Introduction
Who has a right to know anything about you? Who has a legitimate need? Most of us expect to share personal information with the government, with our organization's human resources department, and with our doctors. But many of us are caught off guard when we end up on unsolicited e-mail lists or direct mailing lists. We don't expect to share our personal information with complete strangers unwittingly. Likewise, your customers too.
(07_S-3_13a) Case Example: XY Magazine _ 1
XY Magazine was published sporadically between 1996 and 2009, eventually closing its doors due to bankruptcy. Court proceedings sparked a battle among creditors for the organization's assets. As one of its assets, XY claimed its subscriber list and online profile database, which contained readers' personal information. Because XY Magazine was targeted to young, gay males, the personal profile information was particularly sensitive. As it would be if the major social networking sites sold user profile information, the implications of sharing XY's profile database were huge.