Title: Privacy: State of the States (and then some)
1. Privacy: State of the States (and then some)
April 2009
- Sol Bermann
- Privacy Director
2. Agenda
- A Bit About Me
- Privacy and Security in Ohio
- Privacy and Security with Wal-Mart
- Emerging Trends: using the rearview to see the road ahead
  - State
  - Federal
  - Global (why you should care)
- Tools of the trade to get ahead
- Wrap Up
3. How I Got Here
- Virginia connections
- Go Hoos
9. How I Got Here
- Chief Privacy Officer, State of Ohio
- First specifically appointed state CPO
10. How I Got Here
- Privacy Director, Wal-Mart
- Lead global privacy efforts across 10 international markets, 14 countries
11. How I Got Here
- Active in privacy and security issues since the 1990s
- Co-author of the Official Study Guide for the Certified Information Privacy Professional (CIPP) exam
- Former managing editor of I/S Journal, which includes the Privacy Year in Review distributed to members of the International Association of Privacy Professionals (IAPP)
- Chair of the Supreme Court of Ohio Privacy and Public Access Subcommittee
12. My role with the State of Ohio
- Before joining the state: no CPO, no CISO
- Chief Privacy Officer (part of OIT/DAS)
- Created a governance model aligning state privacy and security practices with recognized fair information principles, industry standards and best practices, and federal and state laws
- Coordinated development, publication and implementation of statewide privacy/security policies, standards, and procedures, including Executive Orders, Administrative Rules, and legislation
- Advised the Governor, cabinet directors, agency CIOs, and the legislature on privacy and security issues
- Developed and implemented a statewide privacy/security awareness and training program
- Led the Risk Management Services division, including network and application vulnerability testing, business continuity planning, disaster recovery, and statewide incident response reporting
- Co-chaired the multi-agency Data Protection Sub-committee
- Led the largest-to-date statewide purchase and implementation of endpoint encryption
- Acting CISO (without title, authority, or pay)
- Member, State of Ohio Office of Internal Audit Advisory Committee
- Member, State of Ohio Health Information Partnership Advisory Board
13. My role at Wal-Mart
- Privacy Director (part of Privacy Office / Compliance)
- SME in national and international privacy and IT security issues
- Lead development of a global governance model aligning corporate privacy and security practices with international privacy standards, recognized FIPs, industry standards, and best practices
- Develop processes for data management, data identification, and cross-border data flows
- Collaborate in development, publication and implementation of corporate privacy and IT security policies, standards, and procedures
- Collaborate in data breach response and remediation
- Collaborate in refining the corporate privacy and security training and awareness program
- Participate in relevant risk assessment, strategic planning and budget processes
- Liaison to ISD Security
- Lead the cross-functional Fraud and Identity Theft Team
14. Wal-Mart Privacy Office: who are we, what do we do?
- Privacy
  - Chief Privacy Officer
  - 1 Director
  - 3 Project Managers
- Records Management
  - 1 Director
  - 1 Record Retention Facility
- Legislative analysis
- Data Collection
- Data Uses
- Marketing
- Analytics
- ISD Reviews
- Security Breaches
- Fraud and identity theft
- Ethics Investigations
- Online Presence
- Financial Services
- E-Health
- Global Privacy
- Governance
- Data Flows
- RFID
- Policy Review
- Records Management
15. Wal-Mart Around the World
- US: 4,229 units
- Mexico: 1,097 units
- Japan: 393 units
- UK: 348 units
- Brazil: 325 units
- Canada: 310 units
- China: 212 units
- Costa Rica: 158 units
- Guatemala: 150 units
- El Salvador: 74 units
- Puerto Rico: 55 units
- Honduras: 48 units
- Nicaragua: 48 units
- Argentina: 24 units
- India: 3 franchise units
- Worldwide total: 7,471 (US 4,229, International 3,242; not counting Chile)
16. Wal-Mart International Names
Supercenter
Neighborhood Market
Nacional
TrustMart
ASDA
Bharti
Bodega
Superama
Hiper Paiz
Sam's
El Porton
Vips
Despensas Familiar
Suburbia
Maxi Bodega
Max X Menos
Wal-Mart
Todo Dia
Bompreco
Pali
17. Corporate Values that translate to privacy and security
- Wal-Mart's Privacy Program's values are the same as Sam Walton's three basic beliefs:
  - Respect for the Individual: Wal-Mart strives to clearly explain how we collect and use personal information in policies based upon our Global Privacy Principles
  - Service to Our Customers: Wal-Mart maintains up-to-date privacy policies to serve our customers. This includes, where appropriate, providing customers reasonable choices about how we may use and share personal information and how they may access and amend their information
  - Strive for Excellence: Wal-Mart actively works with government and industry associations in the development and implementation of privacy best practices that respect the dignity of the individual
18. Corporate Values that translate to privacy principles
- Notice: Provide customers with clear, conspicuous, easily accessible, and timely statements about our privacy practices. [...] Wal-Mart with privacy inquiries.
- Collection and Use Limitation: Collect and use personal information to provide superior value and service, and only using lawful and fair methods; strive to (i) limit the collection of personal information to that which is relevant and reasonably necessary to accomplish the intended purpose for its collection, and (ii) use the information only for the core business purposes specified in a public privacy policy.
- Sharing and Onward Transfer: Do not sell or rent personal information to third parties.
- Choice: Where appropriate, seek to provide customers with choice regarding the collection, use, disclosure or other processing of their personal information. Choice typically applies to using or sharing information for marketing purposes.
- Integrity, Access, and Correction: Take reasonable steps to keep personal information accurate, complete and current to the extent necessary and appropriate for the purposes of its use. Where appropriate, provide individuals with reasonable access to their personal information and the opportunity to amend inaccuracies or omissions.
- Security: Engage in appropriate, reasonable, and industry-standard security practices.
- Accountability and Oversight: Be accountable for complying with the measures that give effect to these Privacy Principles and, as appropriate, take reasonable and timely steps to correct instances of noncompliance.
19. State Government v. Wal-Mart
- More similarities than differences in the challenges
- Privacy and security are the right thing to do (respect the individual)
- Working with a lean team and budget (it's how we save you money so you can live better)
- Connecting the right pieces and being in the right places in an often siloed environment
- Business owners that need deliverables yesterday
- Baking privacy and security into the life cycle development process
- Proving ROI
- Managing expectations
- Governing through servant leadership and collaboration
20. Emerging Business Trends → Emerging Legislative Trends
- Online Behavioral Advertising
- Mobile Media
- Social Networking
- Direct Marketing and CRM
- RFID
- PII protection
Revised Privacy Policy Launch
21. Overall Privacy Legislative Trends
- Greater emphasis on mandating security controls
- Greater emphasis on protecting specific types of information
- Greater emphasis on regulating certain types of technology
- Data Security
  - Information Protection (MA 201 CMR, NJ 40 NJR 6926, NV NRS 597.970)
  - SSN (AR, CT Pub. Act 2008-167, NY Gen. Bus. Law 399-dd)
  - Breach Notification
  - Biometrics
- PCI
  - MN (MN Stat. 325E.64), 2007
  - IN (SB 60)
  - NJ (A2270)
  - TX (HB 345)
  - WA (SB 5564, HB 1149)
- RFID/EPC
  - NH (HB 478)
  - NY (A276)
  - WA (HB 1044, HB 1142)
  - VA
  - EU
- Topics to watch
  - E-Health (esp. with the stimulus package)
  - Behavioral advertising
  - Biometrics
  - Mobile Marketing
  - m-SPAM Act
22. Data Breach / Data Security Trends
- Are data breach laws effective for their intended purpose?
- Do people care?
- Have forced organizations to adopt a better security posture
- Broader set of triggers for data breach notification
  - Health care data
  - Biometrics (once gone, they cannot be reissued)
- Reporting to a state authority (e.g. Attorney General)
  - Ecosystem can learn more about breaches
- Movement towards more specific data security controls
  - Mass.
  - Nevada
  - MI (specifies ISO), not yet passed
- Global trend towards increased data protection laws (India, Mexico, Malaysia, Philippines)
  - Rights to redress, breach notification, adequacy for data flows
24. You Know You're a Privacy/Security Officer If...
- You have your Data Breach Response Plan memorized
- You can explain tech to a lawyer or law to a techie
- You know the difference between AES and 3DES
- You gather privacy/security prediction reports around budget time
25. Data Breach Headlines
27. Data Breach Analysis Flow
28. 2009 Data Breach Investigation Report
29. You Know You're a Privacy/Security Officer If...
- You have your Data Breach Response Plan memorized
- You have to explain tech to a lawyer or law to a techie
- You know the difference between AES and 3DES
- You gather privacy/security prediction reports around budget time
30. You have to explain tech to a lawyer or law to a techie
32. You know the difference between AES and 3DES
AES: 128-bit block; 128-, 192- or 256-bit keys
3DES: 64-bit block; 168-bit key with roughly 112 bits of effective strength
And the importance of FIPS 140-1/140-2: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
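As an added example (not from the deck), the following Go program makes the AES-versus-3DES difference concrete with the standard library's own ciphers: it builds both, encrypts a constructed PII record in CBC mode, and computes the birthday bound that is the practical reason to retire 3DES, namely that a 64-bit block permits only about 2^32 blocks (32 GiB) per key before ciphertext collisions start leaking plaintext, against 2^64 blocks for AES. The keys and the record are constructed for the demo. FIPS 140 validation is a property of a specific tested module, not of an algorithm, so nothing here should be read as a validated implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"math"
)

// NewBlockCipher returns an AES or three-key 3DES block cipher for key.
// AES accepts 16-, 24- or 32-byte keys (AES-128/192/256) and uses 16-byte
// blocks. 3DES needs a 24-byte key (three DES keys) and uses 8-byte blocks;
// its 168 key bits give only ~112 bits of strength (meet-in-the-middle).
func NewBlockCipher(name string, key []byte) (cipher.Block, error) {
	switch name {
	case "AES":
		return aes.NewCipher(key)
	case "3DES":
		return des.NewTripleDESCipher(key)
	}
	return nil, fmt.Errorf("unknown cipher %q", name)
}

// BirthdayBlockLimit is the approximate number of blocks one key may encrypt
// in CBC before two ciphertext blocks are likely to collide, which leaks the
// XOR of two plaintext blocks: about 2^(n/2) blocks for an n-bit block.
func BirthdayBlockLimit(block cipher.Block) float64 {
	return math.Ldexp(1, block.BlockSize()*8/2)
}

// SafeBytesPerKey converts that limit into bytes of plaintext per key:
// 2^35 bytes (32 GiB) for 3DES versus 2^68 bytes for AES.
func SafeBytesPerKey(block cipher.Block) float64 {
	return BirthdayBlockLimit(block) * float64(block.BlockSize())
}

// pkcs7Pad / pkcs7Unpad apply the usual block padding.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCBC pads plaintext and encrypts it in CBC mode with a fresh random
// IV prepended. CBC alone provides no integrity: a deployed system would add
// a MAC or use an AEAD mode such as AES-GCM.
func EncryptCBC(block cipher.Block, plaintext []byte) ([]byte, error) {
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, bs+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], padded)
	return out, nil
}

// DecryptCBC reverses EncryptCBC, rejecting short or misaligned input.
func DecryptCBC(block cipher.Block, ciphertext []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(ciphertext) < 2*bs || len(ciphertext)%bs != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	out := make([]byte, len(ciphertext)-bs)
	cipher.NewCBCDecrypter(block, ciphertext[:bs]).CryptBlocks(out, ciphertext[bs:])
	return pkcs7Unpad(out, bs)
}

func main() {
	// Constructed demo keys and record; real keys come from a key manager.
	keys := map[string][]byte{
		"AES":  bytes.Repeat([]byte{0x42}, 32),    // AES-256
		"3DES": []byte("k1k1k1k1k2k2k2k2k3k3k3k3"), // three distinct DES keys
	}
	record := []byte("SSN=123-45-6789;name=Jane Doe") // constructed PII
	for _, name := range []string{"AES", "3DES"} {
		block, err := NewBlockCipher(name, keys[name])
		if err != nil {
			panic(err)
		}
		ct, err := EncryptCBC(block, record)
		if err != nil {
			panic(err)
		}
		pt, _ := DecryptCBC(block, ct)
		fmt.Printf("%-4s block=%2dB ct=%2dB safe data/key=%.0f bytes roundtrip=%v\n",
			name, block.BlockSize(), len(ct), SafeBytesPerKey(block), bytes.Equal(pt, record))
	}
}
```

The two ciphers are interchangeable through the `cipher.Block` interface, which is exactly why legacy systems drift along on 3DES: nothing breaks. The numbers from `SafeBytesPerKey` are what an inventory review should compare against the volume each key actually protects.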
33. You Know You're a Privacy/Security Officer If...
- You have your Data Breach Response Plan memorized
- You can explain tech to a lawyer or law to a techie
- You lie awake at night debating AES v. 3DES in your mind
- You gather privacy/security prediction reports around budget time
34. You gather privacy/security prediction reports around budget time
- Some 2008 trends and 2009 predictions:
  - Highly organized, premeditated, targeted cyber-attacks will threaten financial systems, the power grid, and more.
  - Attackers will be organized crime, organized hacking rings, and governments.
  - Applications will continue to be the attack vector of choice.
  - Spam and phishing are still the healthiest and fastest-growing attacks, helped by the economic downturn.
  - Web-based threats will increase, as user-created content can host a range of online threats, from browser exploits to distribution of malware/spyware and links to malicious websites.
  - Your own employees will continue to present an insider threat, whether through malicious or accidental acts.
  - Mobile device threats will increase as more of them access the web.
  - Social networks will increase as both target and threat vector.
  - Vulnerabilities in cloud computing will persist.
35. What Can You Do?
36. Collaborate, Collaborate, Collaborate
- Work across silos
  - Executive
  - Legislature
  - Individual agencies
- Work across jurisdictions
  - Federal
  - County
  - Local
  - Even international
- Work with associations and committees
  - MS-ISAC
  - NASCIO
  - IAPP
- Seek additional partnerships
  - Public/private opportunities
  - Grants
37. Tools of the Trade
- Security Posture Assessments (network, applications, controls)
- Privacy Impact Assessments
  - Required for new federal IT systems by the E-Government Act of 2002
  - Ohio HB 46, Ohio Revised Code 125.18 requirement: http://www.oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2008.02.pdf
- Privacy Threshold Analysis (and then a PIA, as needed)
  - When using information technology to collect new information
  - When agencies develop, buy, or contract out for new information technology systems to handle collections of personally identifiable information, or
  - When agencies conduct ad hoc queries of commercial databases containing personally identifiable information
- CIRT (computer incident response team)
  - Respond to attacks and breaches, with forensic follow-up
- Awareness and Education
  - National and international standards: ISO, NIST, GAPP
  - Training: CISSP, CIPP, CISM, CFE, etc.
38. Wrap Up
- Work to develop a culture of privacy and security
- Seek to embed privacy in planning
- Guardian of the public's personal data
- Simple test about privacy:
  - How would you want the records of your own family treated?
  - Do you have the privacy and security practices in place that you would want for your spouse and children?
- The systems you create will enable e-government, democracy, and public services
- Remember the HIPAA lesson: systems should be built in a way that ensures the public's privacy and the security of their data
- Sol Bermann
- Privacy Director
- sol.bermann_at_wal-mart.com
39. Questions?
- Sol Bermann
- Privacy Director
- sol.bermann_at_wal-mart.com