Privacy
The power to control what others know about you and how they use the information they have about you.
Data Retention
Determines which records need to be stored and for how long; keeping records longer than necessary can introduce risk.
Data Breach
Occurs when a company loses data stored on its network, indicating a failure in security measures.
Reputation Damage
The harm done to a company’s brand following a data breach.
Identity Theft
The use of stolen personal information to impersonate someone, typically for fraudulent financial gain.
Fines
Monetary penalties imposed by regulatory bodies (e.g., FTC, GDPR) for non-compliance; can reach up to 4% of a company's global revenue under GDPR.
Intellectual Property Theft
Using someone else’s work without permission, including copyrighted materials.
Data Sensitivity
Classification of data based on its required protection levels, defining handling protocols.
Public Data
Data intended for public use, such as research data, where integrity must be maintained.
Private Data
Personal data such as passwords, not meant for public access.
Sensitive Data
Data with restricted access and not intended for public release.
Confidential Data
Data that must not be disclosed to unauthorized individuals, as it could harm an organization.
Critical Data
Data whose loss or disclosure can cause extreme harm, such as trade secrets or proprietary code.
Proprietary Data
Business-owned data that offers a competitive advantage and should remain confidential.
PII (Personally Identifiable Information)
Any data that can identify an individual; mishandling can lead to severe consequences.
Notice
Principle that informs individuals that their PII is being collected and how it will be used.
Choice
Principle that gives users options to opt in or out of data collection and use.
Consent
Users’ agreement to data use, typically after reading the organization's privacy notice.
HIPAA (Health Insurance Portability and Accountability Act)
Protects personal health information (PHI).
GLBA (Gramm-Leach-Bliley Act)
Requires disclosure of data collection and sharing practices.
FERPA (
Protects student education records.
FOIA
Allows public access to government records with exceptions.
CFAA
Prevents unauthorized access to protected systems.
COPPA
Protects children under 13 and requires parental consent for PII collection.
VPPA
Prevents unauthorized disclosure of video rental history and related data.
California Privacy Laws
Requires notification to Californians when their PII is lost or exposed.
PCI DSS
Payment Card Industry Data Security Standard; protects credit card transaction data.
FCRA
Ensures privacy and accuracy in consumer credit reporting.
FACTA
Enhances consumer protections and mandates secure data disposal.
EU GDPR
Regulation that grants broad privacy rights, requiring consent to be opt-in by default.
OECD Privacy Guidelines
Framework of fair information practices for handling personal data globally.
PIPEDA
Mandates data collection for appropriate purposes only.
PCPD
Oversees compliance and privacy protection in places like Hong Kong.
Data Owner
Defines data security, privacy, and retention policies for an organization.
Data Controller
Determines the purposes and means of processing personal data.
Data Processor
Processes data on behalf of the data controller.
Data Custodian/Steward
Manages day-to-day data handling to ensure policies are followed.
Data Protection Officer
Senior official responsible for overseeing privacy strategy and legal compliance.
Wiping
Overwriting data to prevent recovery; typically used for data reuse.
Purging
Removing data to reclaim storage space, such as with a circular buffer.
Degaussing
Using magnetic fields to erase data on magnetic media.
Pulverizing
Physically destroying data media into unrecoverable pieces.
Pulping
Converts shredded paper into slurry; removes ink and renders data unreadable.
Shredding
Cuts documents into small pieces to prevent data reconstruction.
Burning
The most secure method of physically destroying data on physical media.
Data Lifecycle
Stages of handling data: Collection, Use, Storage, Sharing, Protection, Destruction.
Encryption
Protects data by converting it into an unreadable format.
Data Minimization
Collecting only necessary information to reduce exposure.
Data Masking
Obscures data, replacing sensitive items with placeholders (e.g., credit card numbers as ****).
Tokenization
Replaces sensitive data with random tokens to protect information.
Anonymization
Removes identifiers from data, making individuals untraceable.
Pseudonymization
Replaces identifiers with fake data for safer processing.
Cookie Cutters
Tools that block or limit cookie tracking from web servers.
Privacy Policy
Company’s official stance on handling personal data.
Privacy Notice
Communicates to users how their data is collected and used.
Terms of Agreement
A binding agreement between parties on conditions of service.
Privacy Impact Assessment (PIA)
Analyzes risks to PII during its lifecycle to ensure proper safeguards.
Cookies
Small text files stored on a user’s device to track sessions and preferences; if containing personal data, they are considered PII.