Privacy: State of the States (and then some) - PowerPoint PPT Presentation

1
Privacy: State of the States (and then some)
April 2009
  • Sol Bermann
  • Privacy Director

2
Agenda
  • A Bit About Me
  • Privacy & Security in Ohio
  • Privacy & Security with Wal-Mart
  • Emerging Trends: Using the rearview to see the
    road ahead
    • State
    • Federal
    • Global (why you should care)
  • Tools of the trade to get ahead
  • Wrap Up

3
How I Got Here
  • Sol (pronounced Saul)

4
How I Got Here
  • Virginia connections
  • Go Hoos

5
How I Got Here
  • Go Buckeyes

6
How I Got Here
  • The irony
  • Go Blue

7
How I Got Here
  • Go Buckeyes

8
How I Got Here
  • Go Privacy?

9
How I Got Here
  • Chief Privacy Officer, State of Ohio
  • First specifically appointed state CPO

10
How I Got Here
  • Privacy Director, Wal-Mart
  • Lead global privacy efforts: 10 international
    markets, 14 countries

11
How I Got Here
  • Active in privacy & security issues since the 1990s
  • Co-author of the Official Study Guide for the
    Certified Information Privacy Professional (CIPP)
    exam
  • Former Managing Editor of I/S Journal, which
    includes the Privacy Year in Review distributed to
    members of the International Association of
    Privacy Professionals (IAPP)
  • Chair of the Supreme Court of Ohio Privacy and
    Public Access Subcommittee

12
My role with State of Ohio
  • Before joining the state: no CPO, no CISO
  • Chief Privacy Officer (part of OIT/DAS)
  • Created governance model aligning state privacy
    and security practices with recognized fair
    information principles, industry standards and
    best practices, and federal and state laws
  • Coordinated development, publication and
    implementation of statewide privacy/security
    policies, standards, and procedures, including
    Executive Orders, Administrative Rules, and
    legislation
  • Advised Governor, cabinet directors, agency CIOs,
    and legislature on privacy and security issues
  • Developed and implemented statewide
    privacy/security awareness and training program
  • Led Risk Management Services division, including
    network and application vulnerability testing,
    business continuity planning, disaster recovery,
    and statewide incident response reporting
  • Co-chaired multi-agency Data Protection
    Sub-committee
  • Led largest-to-date statewide purchase and
    implementation of endpoint encryption
  • Acting CISO (without title, authority, or pay)
  • Member, State of Ohio Office of Internal Audit
    Advisory Committee
  • Member, State of Ohio Health Information
    Partnership Advisory Board

13
My role at Wal-Mart
  • Privacy Director (part of Privacy Office /
    Compliance)
  • SME in national and international privacy and IT
    security issues
  • Lead development of global governance model
    aligning corporate privacy and security practices
    with international privacy standards, recognized
    FIPs, industry standards, and best practices
  • Develop processes for data management, data
    identification, and cross-border data flows
  • Collaborate in development, publication and
    implementation of corporate privacy and IT
    security policies, standards, and procedures
  • Collaborate in data breach response and
    remediation
  • Collaborate in refining corporate privacy &
    security training and awareness program
  • Participate in relevant risk assessment,
    strategic planning and budget processes
  • Liaison to ISD Security
  • Lead cross-functional Fraud and Identity Theft
    Team

14
Wal-Mart Privacy Office: Who are we? What do we
do?
  • Privacy
    • Chief Privacy Officer
    • 1 Director
    • 3 Project Managers
  • Records Management
    • 1 Director
    • 1 Record Retention Facility
  • What we do
    • Legislative analysis
    • Data Collection
    • Data Uses
    • Marketing
    • Analytics
    • ISD Reviews
    • Security Breaches
    • Fraud & identity theft
    • Ethics Investigations
    • Online Presence
    • Financial Services
    • E-Health
    • Global Privacy
    • Governance
    • Data Flows
    • RFID
    • Policy Review
    • Records Management

15
Wal-Mart Around the World
  • US: 4,229 Units
  • Puerto Rico: 55 Units
  • Canada: 310 Units
  • Mexico: 1,097 Units
  • Guatemala: 150 Units
  • Honduras: 48 Units
  • El Salvador: 74 Units
  • Nicaragua: 48 Units
  • Costa Rica: 158 Units
  • Brazil: 325 Units
  • Argentina: 24 Units
  • UK: 348 Units
  • China: 212 Units
  • Japan: 393 Units
  • India: 3 Franchise Units
  • Worldwide Total: 7,471 (US 4,229; International
    3,242, not counting Chile)
16
Wal-Mart International Names
  • Supercenter
  • Neighborhood Market
  • Nacional
  • TrustMart
  • ASDA
  • Bharti
  • Bodega
  • Superama
  • Hiper Paiz
  • Sam's
  • El Porton
  • Vips
  • Despensas Familiar
  • Suburbia
  • Maxi Bodega
  • Max X Menos
  • Wal-Mart
  • Todo Dia
  • Bompreco
  • Pali
17
Corporate Values that translate to privacy and
security
  • Wal-Mart's Privacy Program's values are the same
    as Sam Walton's three basic beliefs.
  • Respect for the Individual: Wal-Mart strives to
    clearly explain how we collect and use personal
    information in policies based upon our Global
    Privacy Principles.
  • Service to Our Customers: Wal-Mart maintains
    up-to-date privacy policies to serve our
    customers. This includes, where appropriate,
    providing customers reasonable choices about how
    we may use and share personal information and
    how they may access and amend their information.
  • Strive for Excellence: Wal-Mart actively works
    with government and industry associations in the
    development and implementation of privacy best
    practices that respect the dignity of the
    individual.

18
Corporate Values that translate to privacy
principles
  • Notice: Provide customers with clear,
    conspicuous, easily accessible, and timely
    statements about our privacy practices. Wal-Mart
    with privacy inquiries.
  • Collection and Use Limitation: Collect and use
    personal information to provide superior value
    and service, and only do so using lawful and
    fair methods; strive to (i) limit the collection
    of personal information to that which is relevant
    and reasonably necessary to accomplish the
    intended purpose for its collection, and (ii) use
    the information only for the core business
    purposes specified in a public privacy policy.
  • Sharing and Onward Transfer: Do not sell or rent
    personal information to third parties.
  • Choice: Where appropriate, seek to provide
    customers with choice regarding the collection,
    use, disclosure or other processing of their
    personal information. Choice typically applies
    to using or sharing information for marketing
    purposes.
  • Integrity, Access, and Correction: Take
    reasonable steps to keep personal information
    accurate, complete and current to the extent
    necessary and appropriate for the purposes of its
    use. Where appropriate, provide individuals with
    reasonable access to their personal information
    and the opportunity to amend inaccuracies or
    omissions.
  • Security: Engage in appropriate, reasonable, and
    industry-standard security practices.
  • Accountability and Oversight: Be accountable for
    complying with the measures that give effect to
    these Privacy Principles and, as appropriate,
    take reasonable and timely steps to correct
    instances of noncompliance.

19
State Government v. Wal-Mart
  • More similarities than differences in the
    challenges
  • Privacy & Security: the right thing to do
    (respect the individual)
  • Working with a lean team and budget
    (it's how we save you money so you can live
    better)
  • Connecting the right pieces and being in the
    right places in an often siloed environment
  • Business owners that need deliverables yesterday
  • Baking privacy & security into the development
    life cycle
  • Proving ROI
  • Managing expectations
  • Governing through servant leadership and
    collaboration

20
Emerging Business Trends -> Emerging Legislative
Trends
  • Online Behavioral Advertising
  • Mobile Media
  • Social Networking
  • Direct Marketing and CRM
  • RFID
  • PII protection

Revised Privacy Policy Launch
21
Overall Privacy Legislative Trends
  • Greater emphasis on mandating security controls
  • Greater emphasis on protecting specific types of
    information
  • Greater emphasis on regulating certain types of
    technology
  • Data Security
    • Information Protection (MA 201 CMR, NJ 40 NJR
      6926, NV NRS 597.970)
    • SSN (AR, CT Pub. Act 2008-167, NY Gen. Bus.
      399-dd)
    • Breach Notification
    • Biometrics
  • PCI
    • MN (MN Stat. 325E.64) 2007
    • IN (SB 60)
    • NJ (A2270)
    • TX (HB 345)
    • WA (SB 5564, HB 1149)
  • RFID/EPC
    • NH (HB 478)
    • NY (A276)
    • WA (HB 1044, HB 1142)
    • VA
    • EU
  • Topics to watch
    • E-Health (esp. with stimulus package)
    • Behavioral advertising
    • Biometrics
    • Mobile Marketing
    • m-SPAM Act

22
Data Breach / Data Security Trends
  • Are data breach laws effective for their intended
    purpose?
    • Do people care?
    • They have forced organizations to adopt a better
      security posture
  • Broader set of triggers for data breach
    • Health care data
    • Biometrics (once gone ...)
    • Reporting to a state authority (e.g. Attorney
      General), so the ecosystem can learn more about
      breaches
  • Movement towards more specific data security
    controls
    • Mass.
    • Nevada
    • MI (specifies ISO), not yet passed
  • Global trends towards increased data protection
    laws (India, Mexico, Malaysia, Philippines)
    • Rights to redress, breach notification, adequacy,
      data flows

23
(No Transcript)
24
You Know You're a Privacy/Security Officer If?
  • You have your Data Breach Response Plan memorized
  • You can explain tech to a lawyer or law to a techie
  • You know the difference between AES and 3DES
  • You gather privacy/security prediction reports
    around budget time

25
Data Breach Headlines
26
(No Transcript)
27
Data Breach Analysis Flow
28
2009 Data Breach Investigation Report
29
You Know You're a Privacy/Security Officer If?
  • You have your Data Breach Response Plan memorized
  • You have to explain tech to a lawyer or law to a
    techie
  • You know the difference between AES and 3DES
  • You gather privacy/security prediction reports
    around budget time

30
You have to explain tech to a lawyer or law to a
techie
31
You Know You're a Privacy/Security Officer If?
  • You have your Data Breach Response Plan memorized
  • You can explain tech to a lawyer or law to a techie
  • You know the difference between AES and 3DES
  • You gather privacy/security prediction reports
    around budget time

32
You know the difference between AES and 3DES
  • AES
  • 3DES
  • And the importance of FIPS 140-1/140-2:
    http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
33
You Know You're a Privacy/Security Officer If?
  • You have your Data Breach Response Plan memorized
  • You can explain tech to a lawyer or law to a techie
  • You lie awake at night debating AES v. 3DES in
    your mind
  • You gather privacy/security prediction reports
    around budget time

34
You gather privacy/security prediction reports
around budget time
  • Some 2008 trends and 2009 predictions
    • Highly organized, premeditated, targeted
      cyber-attacks will threaten financial systems,
      the power grid, and more.
    • Attackers will be organized crime, organized
      hacking rings, and governments.
    • Applications will continue to be the attack
      vector of choice.
    • Spam and phishing are still the healthiest and
      fastest-growing class of attacks, helped by the
      economic downturn.
    • Web-based threats will increase, as user-created
      content can host a number of online threats, from
      browser exploits to distribution of malware/spyware
      and links to malicious websites.
    • Your own employees will continue to present an
      insider threat, whether through malicious or
      accidental acts.
    • Mobile device threats will increase as more of
      them access the web.
    • Social networks will increase as both target and
      threat vector.
    • Vulnerabilities in cloud computing will persist.

35
What Can You Do?
36
Collaborate, Collaborate, Collaborate
  • Work across silos
    • Executive
    • Legislature
    • Individual agencies
  • Work across jurisdictions
    • Federal
    • County
    • Local
    • Even international
  • Work with associations and committees
    • MS-ISAC
    • NASCIO
    • IAPP
  • Seek additional partnerships
    • Public/private opportunities
    • Grants

37
Tools of the Trade
  • Security Posture Assessments: network,
    applications, controls
  • Privacy Impact Assessments
    • Required for new federal IT systems by the
      E-Government Act of 2002
    • Ohio HB 46 / Ohio Revised Code 125.18
      requirement:
      http://www.oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2008.02.pdf
  • Privacy Threshold Analysis (and then PIA, as
    needed)
    • When using information technology to collect new
      information
    • When agencies develop, buy, or contract out for
      new information technology systems to handle
      collections of personally identifiable
      information, or
    • When agencies conduct ad hoc queries of
      commercial databases containing personally
      identifiable information
  • CIRT (computer incident response team)
    • Respond to attacks, breaches, forensic follow-up
  • Awareness & Education
    • National & international standards: ISO, NIST,
      GAPP
    • Training: CISSP, CIPP, CISM, CFE, etc.

38
Wrap Up
  • Work to develop a culture of privacy & security
  • Seek to embed privacy in planning
  • Guardian of the public's personal data
  • Simple test about privacy
    • How would you want the records of your own family
      treated?
    • Do you have the privacy and security practices in
      place that you would want for your spouse and
      children?
  • The systems you create will enable E-government,
    democracy, and public services
  • Remember the HIPAA lesson: systems should be
    built in a way that ensures the public's privacy
    and the security of their data
  • Sol Bermann
  • Privacy Director
  • sol.bermann_at_wal-mart.com

39
Questions?
  • Sol Bermann
  • Privacy Director
  • sol.bermann_at_wal-mart.com