What about privacy issues? Security issues? Legal issues? With the growth of the blogosphere and the need for authenticity, these are not only on the table, but being served in every soup tureen in the customer ecosystem. What are the risks and how do you deal with them?

 

Number of Pages: 10

 

 

What Should Be Included and Why?

 

KWabst:

A few ideas, but probably too much for 10 pages

 

Basics - Privacy vs. security.

  • Definition(s) of privacy and security.
  • Compare & contrast roles within corporations & relationship to customer concerns
  • Related, but separate issues.
  • Roles & responsibilities for privacy & security (management vs. IT & physical security + legal responsibility)
  • H.R. issues (employee screening for genetics, pre-hire, health care, etc.; security policies, physical and logical, including mobile devices)
  • Reputation issues (e.g. effect on stock price, investor/customer perceptions)
  • Customer issues (financial ramifications of identity theft, medical identity theft, loss of privacy as data is sold and traded by corporations)
  • What is reasonable security?
  • How do you decide what to protect & how to protect it?

 

What is covered (types of data) under privacy laws? This is confusing stuff to almost everyone.

Types of data vary by country, within trading blocs, by business sector, etc. There are some constants, but many differences, especially in and between the U.S. and E.U. For example, the E.U. currently doesn't have breach reporting requirements, but is modeling new requirements on U.S. laws (although the E.U. doesn't consider U.S. privacy law adequate). The U.S. has approximately 45 separate privacy/data breach/credit freeze laws, but the U.S. Federal branch cannot come to agreement on a unified law due to disagreement over whether the law should set a floor or a ceiling.

 

Sources for information, since this changes rapidly (e.g. in 2008 alone: CA privacy law recently expanded to include medical and insurance data, GLBA may be extended to include a breach reporting component, several states adopted privacy breach laws).

 

Who should be concerned?

Corporations

  • Sr. Management
  • Legal
  • HR
  • IT
  • Boards
  • Investors

Customers

Legal teams

Legislators

Bloggers (considerations over release of PII or trade secrets in employee blogs, legal responsibility for slander or damages to corporate reputation, legal responsibility for fact checking)

 

Legal Issues

Current privacy landscape:

There are currently:

  • approximately 45 U.S. states with privacy laws on the books, and more on the way.
  • different triggers and definitions of what information/data is considered private.
  • multiple bills under consideration at the Federal level.

 

Summary of current laws (Appendix?).

 

Educational links:

 

OECD Privacy Principles - Developing a Privacy Policy and Statement: www.oecd.org/document/1/0,3343,fr_2649_34255_28863233_1_1_1_1,00.html

 

 

Interactive tutorial available from the FTC. Protecting Personal Information - A Guide for Business: http://www.ftc.gov/infosecurity/

 

Web 2.0 and eDiscovery

Enterprise employees frequently use social networking tools, most notably Web-based applications. It's no surprise more organizations are wondering what happens if social networking data becomes relevant to an e-discovery investigation.

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1319551,00.html?track=NL-430&ad=649686&asrc=EM_NLT_3966236&uid=226727

 

 

Legal approaches & attitudes toward privacy/security in the U.S. and abroad.

 

Conflict brewing over EU - US deal to release EU data to US government:

http://www.scmagazineuk.com/Exclusive-Privacy-campaigners-may-sue-EC-over-provision-of-citizens-personal-data-to-the-FBI/article/111924/

 

 

State Department contractors under investigation for accessing passport files without authorization

http://www.darkreading.com/document.asp?doc_id=148940

 

Obama urges inquiry into passport snooping

http://www.cnn.com/2008/POLITICS/03/21/obama.passport/index.html

 

Celebrity Passport Records Popular

State Dept. Audit Finds Snooping Was Frequent

http://www.washingtonpost.com/wp-dyn/content/article/2008/07/03/AR2008070303799.html?wpisrc=newsletter

 

One Subpoena Is All It Takes to Reveal Your Online Life

http://bits.blogs.nytimes.com/2008/07/07/the-privacy-risk-from-the-courts/

 

When does a privacy breach cause harm?

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9066958&pageNumber=1

 

 

The EU and Asia have differing privacy related laws, with central ideas that run counter to those in the U.S., making life for multi-national corporations interesting (The Clash Of European Union And United States Data Privacy Laws: http://www.metrocorpcounsel.com/current.php?artType=view&artMonth=April&artYear=2008&EntryNo=8146).

 

The E.U. Data Directive requires that E.U. nations have privacy laws but creates a floor, rather than a ceiling. The U.S. takes a sectoral approach to privacy, creating laws as necessary, by business sector. This creates a confusing array of potentially conflicting regulation.

 

Resources for Privacy news & breaches:

 

Podcast: Consumers Cut Ties After a Data Breach

According to "The Consumer's Report Card on Data Breach Notification," a study by the Ponemon Institute released in April 2008, 31 percent of respondents cut ties with the organization responsible for the breach of their personally-identifiable information. Larry Ponemon, founder and CEO of Ponemon Institute, goes on record via podcast about the study, with some insightful recommendations for organizations at risk of a data breach.

To listen: http://www.idexpertscorp.com/Breach/podcast/

 

State Privacy Laws 

http://www.csoonline.com/article/217082 (check out the interactive map) and/or

 

PIRG list of State Privacy/Freeze laws (a bit out of date)

 

http://www.uspirg.org/financial-privacy-security/identity-theft-protection/summary-of-state-laws.

An interview with lawyer and breach notification expert Tanya Forsheit on why the United States still doesn’t have a federal breach notification law.

http://www.csoonline.com/article/217027

 

Google Supports Federal Privacy law:

http://www.reuters.com/article/technologyNews/idUSN1038231320080610

 

 

The OECD Working Party on Information Security and Privacy (WPISP) develops policy options to sustain trust, information security and privacy in the global networked society. This page is directly accessible at www.oecd.org/sti/security-privacy.

 

The Safe Harbor program allows U.S. corporations to self-certify their compliance with E.U.-style privacy requirements:

http://www.export.gov/safeharbor/SH_Documents.asp

 

I thought this survey from Gartner, published in the U.K., about U.S. business compliance with breach reporting was interesting although the sample size was low. http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=9278

 

MSNBC series on privacy:

http://www.msnbc.msn.com/id/15221095/

 

IAPP News:

https://www.privacyassociation.org/index.php?option=com_content&task=view&id=13&Itemid=204

 

SC Magazine list of security/privacy breaches:

http://breach.scmagazineblogs.com/

 

Privacy Rights Clearing House:

http://www.privacyrights.org/

 

US News story on Medical identity theft:

http://health.usnews.com/articles/health/living-well-usn/2008/02/29/medical-identity-theft-turns-patients-into-victims.html

 

 //KWabst <end>
Vendors Who Could Be Showcased in this Chapter

IAPP, ISACA, ISC2, Vontu, Accuvant, Facetime Unified Security Gateway
