5.5 Explain privacy and sensitive data concepts in relation to security

• Data ___—a senior (executive) role with *ultimate responsibility *for maintaining the confidentiality, integrity, and availability of the information asset. The owner is responsible for labeling the asset (such as determining who should have access and determining the asset's criticality and sensitivity) and ensuring that it is protected with appropriate controls (access control, backup, retention, and so forth). The owner also typically selects a steward and custodian and directs their actions and sets the budget and resource allocation for sufficient controls.

Data owners

• Data ____—an entity engaged by the data controller to assist with technical collection, storage, or analysis tasks. A data processor foll

Data processor

• Data ____—this role is responsible for *oversight of any personally identifiable information (PII) *assets managed by the company. The privacy officer ensures that the processing, disclosure, and retention of PII complies with legal and regulatory frameworks.

Data protection officer (DPO)

.Data Types A type schema applies a more detailed label to data than simple classification. //(PPI,,PHI,consumer data,government data,financial information)

Data types

Internally, government agencies have complex data collection and processing *requirements.(legislative requirements) *In the US, federal laws place certain requirements on institutions that collect and process data about citizens and taxpayers. This data may be shared with companies for analysis under strict agreements to preserve security and privacy.

Government data

*___ (top secret)*—the information is too valuable to allow any risk of its capture. Viewing is severely restricted.

Critical

A fully *anonymized* data set is one where* individual subjects can no longer be identified,* even if the data set is combined with other data sources. *Identifying information is permanently removed.(irreversible)* Ensuring full anonymization and preserving the utility of data for analysis is usually very difficult, however. Consequently, pseudo- anonymization methods are typically used instead.......It is important to note that given sufficient contextual information, a data subject can be reidentified, so great care must be taken when applying deidentification methods for distribution to different sources. A *reidentification attack *is one that combines a deidentified data set with other data sources, such as public voter records, to discover how secure the deidentification method used is. *K-anonymous information* is data that can be linked to two or more individuals.

Anonymization

Data classification and typing schemas tag data assets so that they can be managed through the information life cycle. A data classification schema is a decision tree for applying one or more tags or labels to each data asset. Many data classification schemas are based on the degree of confidentiality required:

Classifications

*___(secret)(subject to administrative and or technical access controls)*—the information is highly sensitive, for viewing only by approved persons within the owner organization, and possibly by trusted third parties under NDA.

Confidential

___can be *institutional information, but also personal information about the customer's employees*, such as sales and technical support contacts. This personal customer data should be treated as PII. Institutional information might be shared under a nondisclosure agreement (NDA), placing contractual obligations on storing and processing it securely.

Customer data

• Data ___—the entity responsible for determining why and how data is stored, collected, and used and for ensuring that these purposes and means are lawful. The data controller has ultimate responsibility for privacy breaches, and is not permitted to transfer that responsibility.

Data controller

• Data ___—this role handles *managing the system(Information systems management) *on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.• Data ____—this role is primarily responsible for *data quality(Data quality and oversight). *This involves tasks such as ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.

Data custodian/steward

___is the principle that *data should only be processed and stored if that is necessary to perform the purpose for which it is collected*.In order to prove compliance with the principle of data minimization, each process that uses personal data should be documented. The workflow can supply evidence of why processing and storage of a particular field or data point is required. Data minimization affects the data retention policy. It is necessary to track how long a data point has been stored for since it was collected and whether continued retention supports a legitimate processing function. Another impact is on test environments, where the minimization principle forbids the use of real data records. Counterintuitively, the principle of minimization also includes the principle of sufficiency or adequacy. This means that you should collect the data required for the stated purpose in a single transaction to which the data subject can give clear consent. Collecting additional data later would not be compliant with this principle.Large data sets are often shared or sold between organizations and companies, especially within the healthcare industry. Where these data sets contain PII or PHI, steps can be taken to *remove the personal or identifying information. These deidentification processes* can also be used internally, so that one group within a company can receive data for analysis without unnecessary risks to privacy.

Data minimization

A breach may be detected by technical staff and if the event is considered minor, there may be a temptation to remediate the system and take no further notification action. This could place the company in legal jeopardy. Any breach of personal data and most breaches of IP should be escalated to senior decision-makers and any impacts from legislation and regulation properly considered.

Escalation

____ refers to *data held about bank and investment accounts, plus information such as payroll and tax returns*. Payment card information comprises the card number, expiry date, and the three-digit card verification value (CVV). Cards are also associated with a PIN, but this should never be transmitted to or handled by the merchant. Abuse of the card may also require the holder's name and the address the card is registered to. The Payment Card Industry Data Security Standard (PCI DSS) defines the safe handling and storage of this information

Financial information

___—legislation might empower a regulator to levy fines. These can be fixed sum or in the most serious cases a percentage of turnover.

Fines

Personal health information (PHI)—or protected health information—refers to *medical and insurance records, plus associated hospital and laboratory test results*....

Health information

____—loss of company data can lead to loss of revenue. This typically occurs when copyright material—unreleased movies and music tracks—is breached. The loss of patents, designs, trade secrets, and so on to competitors or state actors can also cause commercial losses, especially in overseas markets where IP theft may be difficult to remedy through legal action.

IP theft

—if the breached data is exploited to perform identity theft, the data subject may be able to sue for damages.

Identity theft

Tracking consent statements and keeping data usage in compliance with the consent granted is a significant management task. In organizations that process large amounts of personal data, technical tools that perform tagging and cross-referencing of personal data records will be required. A data protection *impact assessment is a process designed to identify the risks of collecting and processing personal data* in the context of a business workflow or project and to identify mechanisms that mitigate(make less severe, serious) those risks.

Impact assessment

An information life cycle model identifies discrete steps to assist security and privacy policy design. Most models identify the following general stages:• *Creation/collection*—data may be generated by an employee or automated system, or it may be submitted by a customer or supplier. At this stage, the data needs to be classified and tagged. • *Distribution/use—*data is made available on a need to know basis for authorized uses by authenticated account holders and third parties. • *Retention*—data might have to be kept in an archive past the date when it is still used for regulatory reasons. • *Disposal*—when it no longer needs to be used or retained, media storing data assets must be sanitized to remove any remnants.

Information life cycle

The requirements for different types of breach are set out in law and/or in regulations. The requirements indicate who must be notified. A data breach can mean the loss or theft of information, the accidental disclosure of information, or the loss or damage of information. Note that there are substantial risks from accidental breaches if effective procedures are not in place. If a database administrator can run a query that shows unredacted credit card numbers, that is a data breach, regardless of whether the query ever leaves the database server.

Notifications of breaches

Organizational consequences of privacy and data breaches

Organizational consequences of privacy and data breaches

___is *data that can be used to identify, contact, or locate an individual*. A Social Security Number (SSN) is a good example of __. Others include name, date of birth, email address, telephone number, street address, biometric data, and so on. Some bits of information, such as a SSN, may be unique; others uniquely identify an individual in combination (for example, full name with birth date and street address). Some types of information may be ___depending on the context. For example, when someone browses the web using a static IP address(, A static IP address is simply an address that doesn't change. Once your device is assigned a static IP address, that number typically stays the same until the device is decommissioned or your network architecture changes. Static IP addresses generally are used by servers or other important equipment.),the IP address is__. An address that is dynamically assigned by the ISP may not be considered__.___ is often used for password reset mechanisms and to confirm identity over the telephone. For example, __may be defined as responses to challenge questions, such as "What is your favorite color/pet/movie?" These are the sort of complexities that must be considered when laws are introduced to control the collection and storage of personal data.

Personally identifiable information (PII)

16BPrivacy Enhancing Technologies • Data minimization • Only collect sufficient data to perform the specific purpose that consent was obtained for • Deidentification • Removing personal information from shared data sets • Anonymization • Irreversible deidentification techniques • Pseudo-anonymization • Reidentification is possible using a separate data source • Reidentification attacks • K-anonymous information

Privacy enhancing technologies

Informed consent means that the data must be collected and processed only for the stated purpose, and that *purpose must be clearly described to the user *in plain language, not legalese. This *consent statement(consent to declared uses and storage) *is referred to as a privacy notice. Data collected under that consent statement cannot then be used for any other purpose.

Privacy notice

Data Roles and Responsibilities A data governance policy describes the security controls that will be applied to protect data at each stage of its life cycle. There are important institutional governance roles for *oversight and management of information assets within(within an organization)* the life cycle:

Roles and responsibilities

*___/personal data—Information that relates to an individual identity.*

Private

___—___information or intellectual property (IP) is *information created and owned by the company*, typically about the products or services thatthey make or perform. IP is an obvious target for a company's competitors, and IP in some industries (such as defense or energy) is of interest to foreign governments. IP may also represent a counterfeiting opportunity (movies, music, and books, for instance).

Proprietary

. ___modifies or replaces identifying information so that *reidentification depends on an alternate data source, *which must be kept separate. With access to the alternated data, pseudo- anonymization methods are reversible.

Pseudo-anonymization

*__(unclassified)(no confidentiality but integrity and availability are important)*—there are no restrictions on viewing the data. Public information presents no risk to an organization if it is disclosed but does present a risk if it is modified or not available.

Public

Other than the regulator, notification might need to be made to law enforcement, individuals and third-party companies affected by the breach, and publicly through press or social media channels. For example, the Health Insurance Portability and Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the US Department of Health and Human Services, and, if more than 500 individuals are affected, to the media. The requirements also set out timescales for when these parties should be notified. For example, under GDPR, notification must be made within 72 hours of becoming aware of a breach of personal data Regulations will also set out disclosing requirements, or the information that must be provided to each of the affected parties. Disclosure is likely to include a description of what information was breached, details for the main point-of- contact, likely consequences arising from the breach, and measures taken to mitigate the breach. GDPR offers stronger protections than most federal and state laws in the US, which tend to focus on industry-specific regulations, narrower definitions of personal data, and fewer rights and protections for data subjects. The passage of the California Consumer Privacy Act (CCPA) has changed the picture for domestic US legislation, however

Public notifications and disclosures

___—data breaches cause widespread negative publicity, and customers are less likely to trust a company that cannot secure its information assets.

Reputation damage

___—This label is usually used in the context of personal data. Privacy- sensitive information about a person could harm them if made public and could prejudice decisions made about them if referred to by internal procedures. As defined by the EU's General Data Protection Regulations (GDPR),*___ personal data includes religious beliefs*, political opinions, trade union membership, gender, *sexual orientation*, racial or *ethnic origin*,*(// These are special categories of personal data)* genetic data, and health information

Sensitive

___means that all or part of data in a *field is replaced with a randomly generated token. The token is stored* with the original value on a token server or *token vault*, separate to the production database. An authorized query or app *can retrieve the original value from the vault,(Reversible with access the vault) *if necessary, so tokenization is a reversible technique.____ is used as a substitute for encryption, because from a regulatory perspective an encrypted field is the same value as the original data.

Tokenization

The following types of agreements are common: • *Service level agreement (SLA)*—a contractual agreement setting out the detailed terms under which a service is provided. This can include terms for *security access controls and risk assessments* plus processing requirements for confidential and private data. • *Interconnection security agreement (ISA)—ISAs are defined by NIST's SP800-47 "Security Guide for Interconnecting Information Technology Systems". *Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship*. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls. • *Nondisclosure agreement (NDA)—legal basis for protecting information assets. *NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employee places in them. • *Data sharing and use agreement*—under privacy regulations such as GDPR or HIPAA, personal data can only be collected for a specific purpose. Data sets can be subject to pseudo-anonymization or deidentification to remove personal data, but there are risks of reidentification if combined with other data sources. A data sharing and use agreement is a legal means of preventing this risk. It can *specify terms for the way a data set can be analyzed* and proscribe (prohibit by law) the use of reidentification techniques

Terms of agreement