Privacy refers to the power to control what others know about you and how they use the information they have about you.
Data Retention: Determines which records need to be stored and for how long. Keeping records longer than necessary can introduce risk.
Data Breach: Occurs when data stored on a company's network is lost, stolen, or exposed to unauthorized parties. Indicates a failure in security measures.
Reputation Damage: The harm done to a company’s brand following a data breach.
Identity Theft: The use of stolen personal information to impersonate someone, typically for fraudulent financial gain.
Fines: Regulators (e.g., the FTC in the US, or EU data protection authorities enforcing the GDPR) can impose fines for non-compliance. GDPR fines can reach up to 4% of a company's global annual revenue.
Intellectual Property (IP) Theft: Using someone else’s work without permission, including copyrighted materials.
Data Sensitivity Labeling and Handling: Identifies which data needs protection and defines handling protocols. Includes staff training on proper procedures.
Public Data: Intended for public use (e.g., research data). Integrity must be maintained.
Private Data: Personal data such as passwords, not meant for public access.
Sensitive Data: Data with restricted access; not intended for public release.
Confidential Data: Must not be disclosed to unauthorized individuals; could harm an organization.
Critical Data: Its loss or disclosure can cause extreme harm (e.g., trade secrets, proprietary code).
Proprietary Data: Business-owned data that offers a competitive advantage and should be kept confidential.
PII (Personally Identifiable Information): Any data that can identify an individual. Mishandling can lead to severe consequences.
Notice: Inform individuals that their PII is being collected and how it will be used.
Choice: Users are given options to opt in or out of data collection and use.
Consent: Users agree to data use, typically after reading the organization's privacy notice.
HIPAA (Health Insurance Portability and Accountability Act): Protects personal health information (PHI).
GLBA (Gramm-Leach-Bliley Act): Requires disclosure of data collection and sharing practices.
FERPA (Family Educational Rights and Privacy Act): Protects student education records.
FOIA (Freedom of Information Act): Allows public access to government records (with exceptions).
CFAA (Computer Fraud and Abuse Act): Prevents unauthorized access to protected systems.
COPPA (Children’s Online Privacy Protection Act): Protects children under 13; requires parental consent for PII collection.
VPPA (Video Privacy Protection Act): Prevents unauthorized disclosure of video rental history and related data.
California Privacy Laws (e.g., California Senate Bill): Requires notification to Californians when their PII is lost or exposed.
PCI DSS (Payment Card Industry Data Security Standard): Protects credit card transaction data.
FCRA (Fair Credit Reporting Act): Ensures privacy and accuracy in consumer credit reporting.
FACTA (Fair and Accurate Credit Transactions Act): Enhances consumer protections and mandates secure data disposal.
EU GDPR (General Data Protection Regulation): Grants broad privacy rights (e.g., access, correction, deletion). Consent is opt-in by default.
OECD Privacy Guidelines: Framework of fair information practices for handling personal data globally.
Canada – PIPEDA: Personal Information Protection and Electronic Documents Act mandates data be collected for appropriate purposes only.
Asia – PCPD: The Privacy Commissioner for Personal Data oversees compliance and privacy protection in Hong Kong.
Data Owner: Defines data security, privacy, and retention policies.
Data Controller: Determines the purposes and means of processing personal data.
Data Processor: Processes data on behalf of the controller.
Data Custodian/Steward: Manages day-to-day data handling, ensuring policies are followed.
Data Protection Officer: Senior official responsible for overseeing privacy strategy and legal compliance.
Wiping: Overwriting data (e.g., with patterns of 1's and 0's) so it cannot be recovered; used when the media will be reused.
Purging: Removing data to reclaim storage space (e.g., overwriting the oldest entries in a circular buffer).
Degaussing: Uses magnetic fields to erase data on magnetic media.
Pulverizing: Physically destroying data media into unrecoverable pieces.
Pulping: Converts shredded paper into slurry; removes ink and renders data unreadable.
Shredding: Cuts documents into small pieces to prevent reconstruction.
Burning: One of the most secure methods for data destruction on physical media.
Stages of handling data:
Collection
Use
Storage
Sharing
Protection
Destruction
Encryption: Protects data by converting it into unreadable format.
Data Minimization: Only collecting necessary information to reduce exposure.
Data Masking: Obscures data (e.g., credit card numbers as ****).
Tokenization: Replaces sensitive data with random tokens.
Anonymization: Removes identifiers from data, making individuals untraceable.
Pseudonymization: Replaces identifiers with artificial substitutes (pseudonyms) so the data can be processed more safely.
Cookie Cutters: Blocks or limits cookie tracking from web servers.
Privacy Policy: Company’s official stance on handling personal data.
Privacy Notice: Communicates to users how their data is collected and used.
Terms of Agreement: A binding agreement between parties on conditions of service.
Privacy Impact Assessment (PIA): Analyzes risks to PII during its lifecycle to ensure proper safeguards.
Cookies: Small text files stored on a user’s device to track sessions and preferences. If containing personal data (e.g., shipping address), cookies are considered PII.