Keeping Your Eye on Privacy

1
Keeping Your Eye on Privacy

• Mike Gurski,
• Director Bell Privacy Centre of Excellence
• April, 2008
• NY. NY.

2
Background Privacy Threats Canadian Privacy
Law Sample of University Privacy
Postures Solutions for Privacy Management
3
Background How Soon We Forget

• On August 1, 2006, USA Today reported that, "in
  the past 18 months, colleges were the source of
  one-third to half of all publicly disclosed
  (privacy) breaches. By reviewing 109 privacy
  breaches at 76 campuses, USA Today found that 70
  percent of the incidents involved hacking."
• What does this tell us?

4
U.S. to Ease Privacy Rules

• Federal Education Department proposed new
  regulations to clarify when Universities may
  release confidential student information after
  Virginia Tech shootings.
• NY Times, March 25th, 2008

5
Privacy Threat Models Reviewed

• The duh factor
• The infinite information appetite syndrome
  including Hackers
• The privacy policy riddle
• The attacker models and willing participants in
  a University setting
• Reporter, Marketer, Insider
• The balancing rights conundrum
• The proportional response problem
• The save us from disaster misconception
• Examining the Risks Probabilities and Outcomes

6
A Special University Privacy Challenge

• A Hot Bed of Early Adopters
• Web 2.0/3.0
• Social Networks
• Software as a Service

7
A Different Privacy Landscape in Canada?

• Provincial OCIO bans instant messaging and file
  sharing after privacy breaches in NFLD
• Memorial University CSO mirrors ban
• March 28, 2008 NFLD
• Question How is the University Responding?
• Primary Focus on tactical PIAs for BANNER and
  Laptops

8
The Canadian Particulars

• Legislative Landscape Fair Information Practices
  Based
• A Digression to GWU and Daniel Solove
• A Privacy Maturity Model for Universities
• The Role of Strategy as opposed to Tactics
• The Role of Technology and New Tools

9
Daniel Solove

• A taxonomy of privacy attacks
• A new way to think about privacy legislation and
  technology

10
Organizations Privacy Management Maturity

• Processes fully defined and audited
• Privacy management fully integrated with bus.

• Processes, roles, and workflows are defined
• Privacy Management is broad based to serve
  strategic goals
• Training ongoing

• Privacy processes are partially documented
• Minimal automation for privacy automation
• Training policy with event based training

• Privacy processes are not defined or documented

11
A Strategic Approach

• The key steps
• Build a business case for strategic investment in
  privacy management
• Build Internal Privacy Management Capacity
  (reducing cost and reliance on outside
  consultants)
• Use tools that allow non-specialists to manage
  privacy
• Set out a strategy and planning roadmap
• Develop a vulnerability assessment/gap analysis
  of personal information management within the
  University
• Engage all levels in privacy management
• Reduce resources needed to manage privacy
• Provide a new focus on system design for personal
  information banks

12
New Tools

• Compliance and Assessment Tools
• Internal Capacity Workshops
• Data repository for knowledge transfer
• Training Curriculum geared to privacy management
  capacity
• Enterprise Privacy Strategy/Roadmap
• Privacy Enhancing Technologies

13
(No Transcript)
14
Contact Information
Mike Gurski, Director Bell Privacy Centre of
Excellence 905-751-4310 mike.gurski_at_bell.ca