Privacy and Freedom of Information in the New Work World

1
Privacy and Freedom of Information in the New
Work World

• Abigail Carter, CIPP/C
• University Health Network
• Donald E. Sheehy, CACISA, CIPP/C
• Deloitte Touche LLP

2
This session will cover

• Privacy what is it
• What legislations are we facing
• World of work today
• Current privacy issues
• Possible Future Issues

3
What is privacy

• Right to be left alone (1890, Harvard Business
  Review)
• Freedom from intrusion or public attention
• The protection of the collection, storage,
  destruction and dissemination of personal
  information (EU and US Safe Harbor)

Collection, use and disclosure
4
AICPA/CICA Privacy task force
Privacy encompasses the rights and obligations
of individuals and organizations with respect to
the collection, use, disclosure and retention of
personal information.
5
What are we facing
6
Managing privacy in Canada

• Federal Privacy Act (1980s)
• Provincial Freedom of Information and Privacy
  Legislation (1990s)
• Q830 The CSA Model Code (1996)
• Personal Information Protection and Electronic
  Documents Act (2000)
• Existing provincial private sector privacy
  legislation in certain provinces
• Quebec (Bill 68 and Bill 75)
• Alberta (Bill 44)
• British Columbia (Bill 38)

7
Managing Privacy in Ontario

• Freedom of Information and Privacy Legislation (
  1990) (FIPPA)
• Personal Health Information Protection Act
  (PHIPA)
• Personal Information Protection and Electronic
  Documents Act (PIPEDA)

8
Mandatory Breach Notification

• Since California took the lead in 2003, more than
  30 US states have breach notification laws
• 49 million Americans have been notified of
  security breaches over the the last three years
  (Harris Interactive Poll)
• Ontario health sector only jurisdiction with
  mandatory breach notification
• Per PrivacyRights.org there have been breaches
  impacting over 167,000

9
Some current headlines and stats

• Oct 2007
• Massachusetts Division of Professional
  Licensure450,000 professionals had social
  security released
• GAP 800,000 online applicants stolen laptop
• Aug/Sept 2007
• Phizer security breach 34,000
• TD Ameritrade Holding Corp. 6.3 million potential
  on hack
• Monster.com 1.6 million
• California Public Employees' Retirement System
  445,000 mailing with exposed social security
  numbers

10
More privacy headlines

• Ontarios Chair of Management Board of Cabinet
  apologized on behalf of the Ontario government
  for a cheque printing error that led to the
  disclosure of personal information of some
  recipients of the Ontario Child Care Supplement
  (OCCS).
• Medical records found scattered across Toronto
  streets ( for film shoot)
• Financial institutions privacy problems
  (misdirected faxes and microcomputers)
• Prudential Insurance records in Manitoba
• Credit Card Numbers Stolen From State Government
  Web Site Rhode Island officials said they
  planned to notify affected credit card customers
  whose information was stolen from a government
  web site

11
Marketplace Some current headlines

• Fears of identity theft have forced more than
  half of web users to cease online purchases
• Local government officials in Japan are refusing
  to disclose personal information intended to be
  used for legitimate purposes
• 2006 - The Fusepoint/Sun Microsystems/Leger
  Marketing survey has found that 55 percent of
  Canadian companies say their confidential and
  private data is at risk of an attack . . . 98
  percent of the Canadian business leaders said
  that it is important for companies to safeguard
  private data
• Accounting firms not immune.. laptop was stolen
  from an . employee's car in January. .IBM
  workers who have been stationed overseas at one
  time or another during their careers. As a result
  of the theft, the names, dates of birth, genders,
  family sizes, SSNs and tax identifiers exposed.
  . Last month, another firm laptop theft had
  exposed the social security number and other
  personal information of Sun Microsystems CEO
  Scott McNealy and an unknown number of other
  people

12
Current Issues
13
What does the World of Work look like today?

• In 2005 workers devoted between 9 and 10 hours a
  day to paid employment (StatsCan)
• 25 worked 10 hours
• More than 80 million workers worldwide worked
  from home at least one day per month in 2005, up
  from 38 million in 2000 (Gartner)
• In US almost a quarter of all corporate workers
  telecommuted one day a month in 2005, twice the
  number from 2000
• 40 of all workers in US Canada are mobile
  (Info-Tech Research Group)
• Routinely do at least 20 of core business
  functions remotely
• Executive-level workers represent just 1/3 or
  corporate mobile staff in US companies (Mobility
  Market Monitor)
• of firms with mobile administrative personnel
  expected to rise to 46 at end of 08
• Growth of telecommuting is slowing, but is still
  on the rise.

14
Key issues

• Global
• Third party outsourcing
• Problems of trans-border information flows
• Business level
• Device and Data Theft

15
Introduction

• Organizations are
• Increasingly focusing on their core competencies
• Strategically outsourcing non-core activities to
  reduce costs and increase margins
• Business models are becoming complex and
  extending beyond the four walls of the enterprise
• But many privacy violations have occurred at the
  third party level

16
Privacy Concerns in Offshoring Arrangements

• Offshoring arrangements may involve many cross
  border and inter-organization transfers of PII.
  Different country specific laws may exist making
  the regulatory environment complex
• Traditional contractual mechanisms may not be
  sufficient or enforceable in countries without
  appropriate legal framework for dealing with
  global information technology issues
• Use of encryption technology may be hampered by
  specific country laws limiting the use of
  encryption
• Data subjects may be concerned with the onward
  transfer or offshoring of PII to other entities
• The privacy and information security policies of
  the organizations involved may conflict or be
  inconsistent
• Service Provider may have opportunity and motive
  to defraud
• Service Provider does not safeguards in place to
  protect private and/or sensitive information

17
10 Questions for Outsourcing

• An organization wanting to minimize its privacy
  risk and implement a best practices approach to
  outsourcing should consider the following
  critical questions
• Who are the outsourcing organizations we contract
  with and where are they located?
• Precisely what data are we sending to, and
  receiving from, outsourcing organizations?
• Is the data personal information, and have we
  given notice to our customers of this data
  transfer?
• What are our exposures if the data is improperly
  accessed or used?
• What data protection clauses do we have in these
  contracts?

18
10 Questions for Outsourcing (contd)

• What evidence do we have that these outsourcing
  organizations protect our data as outlined in
  these data protection clauses?
• What processes are in place to monitor the
  outsourcing organizations?
• Do these organizations outsource any of their
  processes in which our data may be further
  transferred to another organization?
• What processes do the outsourcing organizations
  we contract with use to verify the data
  protection practices followed by their
  outsourcing partners?
• What are the applicable privacy laws and
  regulations?

19
Transborder Information Flows

• Which act /where is our information going?
• Responsibilities and accountabilities

20
The face of privacy security today?
21
Device Data Theft

• Incident
• Laptop stolen from parked SUV containing health
  information of 2,900 patients
• Lessons
• Staff need tools to accommodate the way they work
• Standards change over time
• Quick reporting and careful incident management
  is critical

22
Device Data Theft

• Incident
• Laptop stolen from parked SUV containing health
  information of 2,900 patients
• Lessons
• Staff need tools to accommodate the way they work
• Standards change over time
• Quick reporting and careful incident management
  is critical

Change takes time!!!
23
Technological Failure

• Incident
• Unsecured wireless camera used for surveillance
  in healthcare facility
• Lessons
• A record is not just paper, or even tangible
  electronic data
• Shift from protecting records to safeguarding
  information
• Technology is tool to enhance security when
  correctly implemented
• Outsourcing service not accountability!

24
Inappropriate Behaviour

• Incident
• Patients estranged husband gains access to
  medical records through girlfriend (employee of
  the hospital)
• Lessons
• Systems are more reliable than employees
• Act quickly and decisively
• Balance of obligation to client ( reputation)
  vs./ labour obligations
• Zero tolerance?

25
Inappropriate Behaviour

• Incident
• Patients estranged husband gains access to
  medical records through girlfriend (employee of
  the hospital)
• Lessons
• Systems are more reliable than employees
• Act quickly and decisively
• Balance of obligation to client ( reputation)
  vs./ labour obligations
• Zero tolerance?

26
Improper disposal

• Incident
• Researchers able to retrieve data from 65 per
  cent of randomly purchased used disk drives from
  dealers in several provinces
• 18 per cent contained personal medical
  information
• Lessons
• Ensure procedures in place through the lifecycle
  of the device

27
Improper disposal

• Incident
• Researchers able to retrieve data from 65 per
  cent of randomly purchased used disk drives from
  dealers in several provinces
• 18 per cent contained personal medical
  information
• Lessons
• Ensure procedures in place through the lifecycle
  of the device
• Involve outsourced service providers
• Dont forget the paper

28
Common Trend

• 91 percent of participants are concerned about
  employee security weaknesses
• 79 percent of participants cite the human factor
  as the root cause of information security failures

If our staff are the problem, whats the solution?
29
What do your staff need from you?

• Usable alternatives to storing PI on mobile
  devices (e.g. VPN)
• Never lose sight of usability when implementing
  security tools
• Enforced password protection
• Power-on, screensaver, account layer
• Corporately maintained encryption tools
• Personal firewall, anti-virus, anti-spyware
  encryption tools available for home use if needed
• Enabled time-out locks
• Security assessments before devices are deployed
• Strategies for device redeployment retirement
• Regular recurring training
• Be creative e.g. screensavers as training tools

30
What do your staff need to know?

• Business data (client, employee, corporate) is a
  valued corporate asset
• Culture of privacy
• Basic options
• Secure mobile devices at all times
• Back seat of the car under a sweater not secure
• How to report issues
• Balance of accountability with voluntary
  reporting
• Resources IPC Safeguarding Privacy in a Mobile
  Workplace Brochure

31
Current Future Drivers
32
Enterprise privacy drivers

• Branding and positioning
• Risk to brand from privacy breach
• Potential inconsistencies between policies and
  practices

• Sensitivity to aggressive marketing practices
• Existing privacy policies and client
  expectations
• Differing perspectives and expectations
• Procedures for responding to privacy complaints

• Relationships with partners, vendors and service
  providers
• Inconsistent implementation of privacy practices
  among independent organizations
• Who has responsibility and associated liability
  for privacy?

Extended enterprise
Customer sensitivity
Brand risk

• Multiple jurisdictions of privacy regulations
• Country specific compliance
• Legal solutions for EU data transfers such as
  Safe Harbor or model contracts
• Industry specific privacy codes of conduct

• Web-based e-commerce applications interact with
  clients online
• Use of personalization technologies such as
  cookies, smart tags, unique identifiers, client
  profiles, etc.

Advances in technology
Increased regulation
Globalization
Employee data mgmt

• Employee privacy in multinational companies
• Requires localized and tailored approach

• Information exchange economy
• CRM and HRIS systems centralizes client and
  employee data from around the world

33
Business needs and privacy requirementsFinding
the balance

• Business needs and privacy requirements may be
  opposing or supporting forces in dictating your
  data management practices

• Direct and viral marketing initiatives
• Centralized vs. decentralized databases (ERP,
  CRM, Legacy)
• Data mining and business intelligence
• Replication and synchronization of information
• Personalized client/employee experiences

• Processed fairly and lawfully
• Collected for specific, explicit and legitimate
  purposes
• Adequate, relevant and not excessive
• Accurate and secure
• Not kept longer than necessary
• Processed in accordance with data subjects
  rights
• Not transferred to countries with inadequate
  protection
• Source EU Data Protection Directive 95/46/EC

Business Needs
Privacy requirements
Business needs

34
The privacy-security paradox

• Privacy
• Strong privacy requires protecting a users
  identityfrom unauthorized access and use.

Individual privacy and personal freedom

• Security
• Strong security requires binding a users
  identity to their behavior to allow for
  authentication, authorization, non-repudiation
  and identity management.

Identity management and non-repudiation
Security is necessary for privacy, however the
closer an individuals identity is bound to
his/her behavior, the greater the potential
threat to the individuals privacy.
35
Some privacy technologies

• Platform for privacy preferences
• Privacy policy manager
• Identity management
• Biometric encryption
• Anonymity/Pseudonymity tools
• Trust management
• PKI

36
Assessments Trust me
37
Types of Assessments

• Self Assessment
• Questionnaires, interviews
• Least cost
• Deal with low risk situations
• Staff availability can be an issue
• Internal Audit
• Independent from group being audited but employed
  by company
• Operate under defined standards
• Reports can be very comprehensive
• Can be used for all risks levels depending on
  company tolerance
• No independent audit opinion for external use of
  needed
• Independent Assessment
• By qualified third party auditor or assessor
• Performance of assessment
• Performance of audit/examination
• The latter should be considered for significant
  risk areas
• More cost as move to audit

Lowest
Level of Assurance
Highest
38
Conclusions

• As fallible as technology is, humans are worse
• Information is valuable commodity
• Cost of breach high
• Weight business cost of implementing safeguards
• Need invest in assessment