5.5 Explain privacy and sensitive data concepts in relation to security
- Organizational Consequences of Privacy and Data Breaches
- Reputation Damage
- Identity Theft
- IP Theft
- Notification of Breaches
- Public Notifications and Disclosures
- Data Types
- Personally Identifiable Information (PII)
- Health Information
- Financial Information
- Government Data
- Customer Data
- Privacy Enhancing Technologies
- Data Minimization
- Data Masking
- Roles and Responsibilities
- Data Owners
- Data Controller
- Data Processor
- Data Custodian / Steward
- Data Protection Officer (DPO)
- Information Life Cycle
- Impact Assessment
- Terms of Agreement
- Privacy Notice
Organizational Consequences of Privacy and Data Breaches
A data breach is bad. It causes irreparable harm. The four main consequences of a data breach
- Reputation Damage. The community, the customers, and the government will not trust us anymore. We will always be known as the company with the data breach, and a company that cannot be trusted to protect the data of our customers.
If we store classified data on behalf of the government, and some of it is leaked, we might lose our security clearance.
- Identity Theft. If personal information is leaked, thieves will steal the identity of our customers and employees. They may also attempt to impersonate the company itself.
- Fines. The government will fine us when personal information is leaked. People who are affected might sue us, and we might have to compensate them for the consequences of the data theft.
- IP Theft. If trade secrets are stolen, then thieves can resell the data to our competitors. This might cost us our competitive advantage.
Notification of Breaches
When we have a data breach, we must notify
- The customers and employees who are affected by the breach
- A regulatory agency if our business is regulated (for example a bank or hospital)
- Law enforcement if the breach is the result of a criminal act.
Data Sensitivity Labeling and Handling
Data should be labelled so that unauthorized disclosure does not take place. Each page of a confidential document should be labelled with its privacy level. A single document, or a single page in a document may contain information with multiple privacy levels.
A document with sensitive data must be redacted before being disclosed. When redacting a document, it is important to state why it is being redacted.
Some types of data categories
- Confidential. The information contained in the document is secret and should only be viewed by people who need it to perform their jobs. Disclosure of confidential data can cause serious harm.
- Private. Private data is like secret data but belonging to individuals. The disclosure of private data can cause harm (but potentially less harm than the disclosure of confidential data).
- Public. Data that is available to the general public. But consider that the information may have been private and made public through accidental or deliberate disclosure.
For example, if a rogue employee posted the organization’s confidential data on WikiLeaks, the organization may still consider the information to be private and take measures to protect it. The organization may refuse to confirm or deny the authenticity of the leaked information. As far as anybody knows, the data on WikiLeaks was made up.
- Proprietary. Private data such as a trade secret. The organization may have different ways of storing proprietary data depending on contractual obligations with the party that provided it.
- PII. Personally Identifying Information. This may be protected by law and includes the names, addresses, SSN/SIN numbers, and banking information of the organization’s customers or employees.
- PHI. Protected Health Information. This may be protected by law and includes healthcare records, diagnostic information, and billing information.
The law may require that certain types of information must be stored in a specific way. Each province and state has a privacy commissioner who may establish regulations governing how personal information is handled. A violation is subject to a fine and possible criminal charges.
The federal governments may also have different regulations.
An organization may be required by law to provide subjects with copies of all records it stores about them. Individuals typically have a right to know about the data that organizations store about them. They also have a right to request that inaccurate information be corrected. They may also have the right to request that the information be deleted.
There may be exceptions
- Sensitive law enforcement information should not be disclosed
- Information that could cause harm or death should not be disclosed
- An individual does not have the right to request that their credit store be deleted
- An organization may need to retain data to protect itself and its customers from fraud
Privacy Enhancing Technologies
As discussed earlier, there are several techniques for reducing the risk of data leaks. These techniques reduce the amount of data seen by a person to only what they require to do their job.
- Data Minimization. We should only collect the data that we require. We reduce the amount of data that a person sees to only what they require to perform their job.
- Data Masking. Data Masking or Data Obfuscation is when we modify sensitive data to hide its true contents. It allows a person to work with the data without seeing too much of it. That reduces the risk that too much data will be stored in the person’s brain.
- Tokenization. Data tokenization is a process of replacing a sensitive piece of data with a non-sensitive piece of data that uniquely identifies it. The token must match the data type and length. If we replace a piece of data with another that is the wrong length or type, then we might have an error in the database that stores it.
- Anonymization. We make the data anonymous by removing personal information.
- Pseudo-Anonymization. We replace real names with pseudo names.
Roles and Responsibilities
What is the responsibility of each person?
- Data Owners. The data owner is the person who created the data, or who oversees the people who created the data. In general, the data owner always has full access to the data (to read the data). An organization may choose to prohibit a data owner from modifying or deleting the data after it has been created.
- Data Controller. The controller decides how data will be processed.
- Data Processor. The data processer is the person who processes the data. The processor is different from the owner.
- Data Custodian / Steward. The custodian is the person who maintains the security of the data. He is responsible for the storage and transport of the data.
- Data Protection Officer (DPO). The DPO is responsible for setting the organization’s data protection framework.
Under the GDPR, any company that collects or processes data belonging to EU citizens must have a DPO. The DPO is responsible for educating staff, conducting audits, writing policies, and monitoring records.
Information Life Cycle
We can characterise the information life cycle into the following phases
- Creation and Receipt. The data is created by the organization or collected from customers.
- Distribution. We send the data to where it needs to go.
- Use. We use the data.
- Maintenance. We store the data, file it, move it, or transfer it.
- Disposition. We are storing data for a long time. This is data that we need to store but don’t need to access frequently.
Privacy Impact Assessment
A Privacy Impact Assessment is a review process that determines the impact of a data leak. Every organization should review its data controls to determine the impact that an inadvertent or deliberate release of information could cause.
The PIA analyses how Personally Identifiable Information travels through an organization. Who has access to it? Where is it stored? Where does it go? How was it collected?
The types of information that could be released include
- Proprietary corporate information regarding operations, trade secrets, and finance
- Personnel records
- Customer records (banking records, healthcare records, etc.)
The organization should know
- What kinds of information does the business store and where?
- Does the business share information with third parties, and how do they protect that information?
- How does the business protect sensitive information and how does it control/monitor access to this information? Do people have access to information that they do not require?
- How will the business respond to a data leak (how it will investigate the source of the leak)?
- What impact the leak will have on the business (fines, damage to reputation, etc.) and what impact it will have on its customers/employees?
- How will the business notify people who are affected by the leak?
- What can the business do to mitigate the impact of a leak?
- What can the business do to reduce the risk of a leak?
Privacy Threshold Assessment
The Threshold Assessment identifies the types of data being stored by the organization to determine their level of sensitivity. Information could be
- Personally Identifying Information
- Personal Health Information
- Law enforcement sensitive
- Information belonging to third parties
The way in which some forms of information are collected, stored, disclosed, or used may be subject to laws, regulations, or contractual obligations. For example, two organizations participating in a joint venture may have a contract to store shared trade secrets in a locked vault.
Terms of Agreement
We might (should) have an agreement between our organization and the people whose data we store. The agreement will state
- The type and quantity of data that we will store
- The methods we will use to safeguard the data
- The limitations of our liability should there be a data breach
Even if we write a great agreement that limits our liability, if we are negligent and there is a data breach, we could still be held liable for the full extent of the damages.
If we don’t take adequate measures to safeguard the data, the government could fine us or force us to compensate those who are affected.
The Privacy Notice is a document that we should provide to our customers. The Privacy Notice tells customers the following
- The type of data that we collect
- How we collect the data
- Where we store the data
- How we safeguard the data
- Who has access to the data (employees and third parties)
- How we will use the data
- When we might be required to disclose the data to third parties or to the government without the consent of the customer
- How long we will store the data
- Whether the customer has the right to view their data, or to request copies of their data, or to make corrections of their data, or to have their data deleted