The Convergence of Privacy, Security and Electronic Information
M. Peter Adler JD, LLM, CISSP, CIPP, Adler InfoSec & Privacy Group LLC
Director of Privacy and Cybersecurity (Interim), Montgomery College, Rockville, MD
Educause Enterprise 2007
Agenda
Legal Drivers/Applicable Laws
– Security Laws
– Privacy Laws
– Rules of Civil Procedure
Compliance Elements
Compliance Approach
Information Management Requirements
Convergence and Compliance

Legal Drivers in Higher Education
Security – Privacy – Information Management
Security
GLBA
HIPAA
FISMA
State Law – Notice of Security Breach
GLBA and Higher Education
Higher Education Institutions are “non-bank businesses” subject to GLBA
– The university (i.e. the “financial institution”) provides a financial service, administering a financial product such as a scholarship, or dispensing financial advice to customers (students and possibly staff).
– This includes student loans, scholarships, bursaries and emergency student aid
– GLBA Privacy provisions are met if the institution complies with FERPA
– The Security Regulations Do Apply Regardless: Standards for Safeguarding Customer Information; Final Rule: 67 Fed. Reg. 36484, codified at 16 C.F.R. Part 314 (“GLBA Safeguards”)
Therefore, colleges and universities have a legal obligation under the GLBA to safeguard all the students’ nonpublic financial information
HIPAA Requirements/Security
HIPAA Compliance comprises:
– Technical Security
– Physical Security
– Administrative Security
– Business Associate Management
– Procedures, Legal Compliance
To guard the confidentiality, integrity and availability (CIA) of health information
Federal Information Security Act of 2002 (FISMA)
FISMA: Federal Information Security Act of 2002, 44 U.S.C. §3537 et seq.
– Requires compliance with a set of federal government information security standards: Federal Information Processing Standards (FIPS) and NIST Standards
Applies to Federal Information Systems
– An information system used or operated by an executive agency, or by another organization on behalf of an executive agency
May be applicable to higher education through government contracts.
– Department of Defense and Department of Labor hold fund recipients to these standards.
– Department of Education, National Science Foundation and National Institutes of Health may do the same.
Approaching Security
Goals
Unified Approach
Risk Assessment Cycle
Risk Assessment Methodology
Risk Handling Methods
Controlling and Mitigating Risk
GLBA Example
Goal of Security Generally
Protected Information
To guard the confidentiality, integrity and availability (CIA) of protected information
Unified Approach To Security
Security practices mapped against ISO 17799, NIST 800 Series, HIPAA, GLBA and Leahy-Spector
Administrative Safeguards
– Security Management Process
– Assigned Security Responsibility
– Workforce Security
– Management of Information Access
– Security Incident Procedures
– Contingency Planning
– Review/Evaluation
– Contracts
– Security Awareness and Training
Unified Approach to Security (cont’d)
Security practices mapped against ISO 17799, NIST 800 Series, HIPAA, GLBA and Leahy-Spector
Physical Safeguards
– Facility Access Controls
– Workstation Use and Security
– Device and Media Controls
Technical Safeguards
– Access Control
– Audit Controls
– Integrity Controls
– Person or Entity Authentication
– Transmission Security
Risk Assessment Cycle
A THREAT AGENT causes or creates a THREAT, which exploits a VULNERABILITY, leading to a RISK, which can damage an ASSET, causing an EXPOSURE, which can be controlled by a SAFEGUARD, which in turn mitigates the THREAT AGENT and closes the cycle.
Risk = Threats x Vulnerabilities x Impact
General Assessment Model: Security
Phase 0. Prepare Project Plan
Phase 1. Information Collection
Phase 2. Perform Risk and other Analyses
Phase 3. Report of Findings and Recommendations
Phase 4. Prepare Implementation Plan
Inputs and reference points:
– Documentation Review
– Interviews
– ISO 17799 Security Standards
– Determine Applicable Laws/Requirements
– Data Classification and Mapping
Handling Risk
Options for handling an identified RISK:
– Avoid
– Mitigate / Control
– Transfer
– Assume
Example: GLBA Information Security Program
Implement and maintain a comprehensive information security program
– that is written in one or more readily accessible parts and
– contains administrative, technical, and physical safeguards
The safeguards are to be appropriate
– to the organization’s size and complexity,
– the nature and scope of its activities, and
– the sensitivity of any customer information
Roles and Responsibilities
– Designate an employee or employees to coordinate the information security program
GLBA Risk Assessment
Risk Assessment:
– Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information,
– Assess the sufficiency of any safeguards in place to control these risks.
Minimal areas to be addressed:
– Employee training and management;
– Information systems, including network and software design, as well as information processing, storage, transmission and disposal;
– Detecting, preventing and responding to attacks, intrusions, or other systems failures.
Implement and Monitor Safeguards
Safeguard Implementation:
– Design and implement information safeguards to control the identified risks
Monitoring Safeguard Effectiveness:
– Regularly test or otherwise monitor the effectiveness of the safeguards (i.e., key controls, systems and procedures)
Evaluate and Modify GLBA Information Security Program
Evaluate and adjust the GLBA information security program in light of
– the results of the testing and monitoring;
– any material changes to business operations or arrangements; or
– any other circumstances that you know or have reason to know may have a material impact on your information security program
Third Party Service Providers
Selection of Service Providers:
– Select and retain service providers that are capable of maintaining appropriate safeguards for the customer information
Contractually Bind Security Safeguards:
– Contractually require service providers to implement and maintain such safeguards to protect customer information.
Privacy
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
State Law
– Notice of Breach Laws
– Other state laws
Family Educational Rights & Privacy Act (FERPA)
Leading federal privacy law for educational institutions.
Imposes confidentiality requirements over student educational records.
Prohibits institutions from disclosing "personally identifiable education information" such as grades or financial aid information without the student's written permission.
Provides students with the right to request and review their educational records and to make corrections to those records.
The law applies with equal force to electronic and hardcopy records.
HIPAA
Applies to Health Care Providers, Health Plans and Health Care Clearinghouses, e.g.,
– Student Health Services
– Academic medical centers
– Business associates (through contracts)
Imposes confidentiality requirements on Protected Health Information (“PHI”)
– PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
– PHI excludes: education records covered by FERPA and employment records held by a covered entity in its role as employer.
PHI may be used and disclosed for treatment, payment and healthcare operations, under an authorization or as permitted by regulation
State Breach Notification Laws
Most of the laws require notification if there has been, or there is a reasonable basis to believe there has been, unauthorized access that compromises personal data
– “Notice triggering information,” e.g., name, in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code
Some states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual
Most apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered
State Breach Notice Laws
Some state laws may require compliance with security standards, e.g., California and Maryland.
– Some provide a “safe harbor” for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law.
Some give the state’s Attorney General enforcement authority;
Most allow for a delay in notification if a disclosure would compromise a law enforcement investigation, except Illinois;
Most allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000; Rhode Island, Delaware, Nebraska and Ohio set lower thresholds.
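The two breach-notice slides above describe a decision that an incident response team has to make for every confirmed exposure: is the data notice-triggering, was it encrypted, does a harm threshold apply, and is substitute notice permitted. The triage helper below is an added example, not part of the presentation; it encodes the "most states" pattern the slides give (the element combinations, the 500,000-person and $250,000 thresholds, the optional harm threshold) and assumes those values as defaults, since the slides note that individual states set different thresholds.

```python
from dataclasses import dataclass

# "Most states" values from the slides; individual statutes differ (assumption).
SUBSTITUTE_NOTICE_PEOPLE = 500_000
SUBSTITUTE_NOTICE_COST = 250_000

# Elements that, combined with a name, are notice-triggering on their own.
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "state_id"}
# Account numbers are notice-triggering only together with an access code.
ACCOUNT_ELEMENTS = {"financial_account", "debit_card"}


@dataclass
class BreachRecord:
    """Constructed summary of one incident, as an IR team might log it."""
    elements: set              # data elements exposed, e.g. {"name", "ssn"}
    encrypted: bool            # was the exposed personal information encrypted?
    affected_people: int
    est_notice_cost: float     # estimated cost of individual written notice, USD
    misuse_found: bool = True  # did the investigation find a significant possibility of misuse?


def is_notice_triggering(elements):
    """Name + SSN/DL/state ID, or name + account number + access code."""
    elements = set(elements)
    if "name" not in elements:
        return False
    if elements & STANDALONE_ELEMENTS:
        return True
    return bool(elements & ACCOUNT_ELEMENTS) and "access_code" in elements


def triage(rec, harm_threshold_state=False):
    """Return (notice_required, method, reason) for one breach record.

    harm_threshold_state=True models the states the slides mention that
    excuse notice when the investigation finds no significant possibility
    of misuse; the default models states with no such threshold.
    """
    if not is_notice_triggering(rec.elements):
        return (False, None, "no notice-triggering information exposed")
    if rec.encrypted:
        return (False, None, "only encrypted personal information was involved")
    if harm_threshold_state and not rec.misuse_found:
        return (False, None, "harm threshold not met after investigation")
    if (rec.affected_people > SUBSTITUTE_NOTICE_PEOPLE
            or rec.est_notice_cost > SUBSTITUTE_NOTICE_COST):
        return (True, "substitute", "statewide media and Web site notice permitted")
    return (True, "written", "individual written notice required")


if __name__ == "__main__":
    # Constructed incident: a lost laptop holding an unencrypted financial aid export.
    lost_laptop = BreachRecord({"name", "ssn", "financial_account"},
                               encrypted=False, affected_people=1_200,
                               est_notice_cost=6_000.0)
    print(triage(lost_laptop))
```

The same record run with `harm_threshold_state=True` and `misuse_found=False` shows why the investigation outcome must be recorded alongside the data elements: it changes the answer in some states and not in others.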
Privacy Principle
Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the AICPA/CICA Trust Services Privacy Criteria.
AICPA/CICA Privacy Framework
Trust Services Privacy Components and Criteria
– The Framework contains 10 privacy components and related criteria that are essential to the proper protection and management of personal information.
– These privacy components and criteria are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world
AICPA/CICA Privacy Framework Criteria 1-5
1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. Choice and Consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use and Retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
AICPA/CICA Privacy Framework Criteria 6-10
6. Access. The entity provides individuals with access to their personal information for review and update.
7. Disclosure to Third Parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security. The entity protects personal information against unauthorized access (both physical and technical).
9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and Enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
Information Management
Federal Rules of Civil Procedure (FRCP)
Notice of Security Breach Laws, GLBA, HIPAA
The Federal Rules of Civil Procedure
The Federal Rules of Civil Procedure (and most state law) provide the following discovery tools:
– Depositions Upon Oral or Written Questions (Rules 30, 31 and 32)
– Written Interrogatories (Rule 33)
– Production of Documents or Things (Rule 34)
– Permission to Enter Upon Land for Inspection and Other Purposes (Rule 34)
– Physical and Mental Examinations (Rule 35)
– Requests for Admission (Rule 36)
Tools to Ensure or Excuse Discovery
– Motion to Compel (Rule 37(a))
– Sanctions (Rule 37(b), (c) & (d))
– Protective Orders (Rule 26(c))
“The pretrial devices that can be used by one party to obtain facts and information about another party in order to assist the party’s preparation for trial.” - Black’s Law Dictionary
E-Discovery: 12/2006
New and amended rules of civil procedure governing the treatment of electronically stored information (ESI) are expected by December of this year.
These Rules are broken into the following categories:
– Early attention to electronic discovery issues: Rules 16 and 26(f)
– Better management of discovery into ESI that is not reasonably accessible: Rule 26(b)(2)
– New provision setting out procedure for assertions of privilege after production: Rule 26(b)(5)
– Interrogatories and Requests for Production of ESI: Rules 33 and 34
– Application of sanctions rules pertaining to ESI: Rule 37
ESI Retention
Duty to Preserve
– Legal Duty, e.g., Sarbanes–Oxley, HIPAA, FACTA and other document retention requirements
– Lawyer’s duty to preserve evidence in discovery and litigation
Continued Operations
– Normal system Operations
– Data Backup
– Data Destruction
Duty to Preserve
Duty attaches when a person knows or reasonably anticipates litigation involving identifiable parties and identifiable facts.
– Encompasses potential evidence related to identifiable facts, which may shift as litigation proceeds. Stevenson v. Union Pac. R.R., 354 F.3d 739 (8th Cir. 2004)
– Exists independent of any preservation demand letter or court order. Wigington v. Ellis, 2003 WL 22439865 (N.D. Ill. 2003) (Wigington I); Treppel v. Biovail Corp., 233 F.R.D. 363 (S.D.N.Y. 2006).
– The fact that ESI is not reasonably accessible does not relieve a party from its duty to preserve the information if potentially relevant. Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2003) (“Zubulake IV”)
Failure to Preserve: Sanctions for Spoliation
Duty to monitor preservation falls on inside and outside counsel.
Potential sanctions will vary on intent and behavior of the producing party (bad faith, gross negligence, negligence) and degree of prejudice to the requesting party caused by spoliation. Possible sanctions include:
– Fines;
– Adverse inference jury instruction;
– Striking of a pleading or defense;
– Dismissal or default; and
– Costs for supplemental discovery.
Right to Destroy
Courts have acknowledged that organizations have the right to destroy - whether or not it is consciously deleted - electronic information that does not meet the internal criteria of information or records requiring retention.
– “‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business …. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.” Arthur Andersen, LLP v. United States, 125 S. Ct. 2129, 2135 (2005).
Safe Harbor: Rule 37(f)
The court will not impose sanctions on parties who fail to produce ESI that was lost as a result of routine, good faith operation of an electronic information system, absent exceptional circumstances. Rule 37(f)
Good faith destruction of potentially relevant ESI will be difficult to establish when there is a claim pending or the party has received a credible threat of a claim.
– A Committee Note to Rule 37(f) states: “Good faith in the routine operation of an information system may involve a party’s intervention to modify or suspend certain features of that routine operation to prevent the loss of information if that information is subject to a preservation obligation.”
ESI Retention Risks
Spoliation and Sanction Risks. Because of retention duties, a party must persuade the court that those documents that no longer exist were purged pursuant to a policy and were not willfully destroyed or spoliated.
Cost of Retrieval Risk. Knowing where information is stored, or whether it has been destroyed pursuant to document retention policies, will avoid the high costs associated with e-discovery fishing expeditions.
Inability to Defend Risk. The loss of critical evidence potentially leads to the inability to properly defend a claim.
ESI Retention/Destruction Program
Compliance and Auditing Plan
Create or Amend Policy on ESI Retention and Destruction
Indexing and Document Naming System
Attorney-Client Privilege Procedures
Litigation Hold Procedures
Employee Training
Post-Implementation Compliance and Auditing
General Assessment Model: ESI Retention and Destruction
Phase 1. Information Collection – Document Review; Interviews
Phase 2. Asset Assessment – Key Systems Identified; Assess Indexing & Retrieval Capabilities
Phase 3. Data Classification – Privacy-Protected
Phase 4. Implement Modifications to Indexing and Retrieval
Phase 5. Retention and Destruction Program
Phase 6. Implement Litigation Hold Procedures
Phase 7. Training
Phase 7. Review, Evaluate and Modify
Reference points: ISO 15489; Determine Applicable Retention Laws/Requirements
ESI Retention/Destruction Review
Written vs. Actual ESI Retention Practices
– Creation
– Use
– Disposal
Are electronic records being kept as required by law and internal procedures?
Are electronic records being managed over their entire lifecycle?
ESI Retention/Destruction Program
An ESI Management Program contains many of the elements found in security and privacy programs.
Removal of sensitive ESI on a regular basis will enhance an organization’s privacy and security.
It will also lower discovery costs in litigation.

Convergence and Compliance
Security – Privacy – Information Management
Electronic Records Management Requirements

System Characteristics       Notice of Breach Law              GLBA                    HIPAA             FERPA
                             (Notice Triggering Information)   (Customer Information)  (Electronic PHI)  (Education Records)
Identify, sort and store     Yes                               Yes                     Yes               Yes
Access, retrieve and use     Yes                               Yes                     Yes               Yes
CIA Protections              Yes                               Yes                     Yes               Yes
Authentication               Yes                               Yes                     Yes               Yes
Retention and Disposition    Yes                               Yes                     Yes               Yes
Accountability               Yes                               Yes                     Yes               Yes
Audit Trail                  Yes                               Yes                     Yes               Yes
Compliance                   Yes                               Yes                     Yes               Yes
Breach Notice Capable        Yes                               Yes                     No                No
Compliance Convergence

Element Examples                                                       Security  Privacy  ESI Management
Planning, Governance and Management
  Roles and Responsibilities                                           Yes       Yes      Yes
  Coordination with Multiple Departments                               Yes       Yes      Yes
  Data Classification: Map Data Flow                                   Yes       Yes      Yes
  Key System (Asset) Identification                                    Yes       Yes      Yes
Shared Security Functions
  Protection of CIA                                                    Yes       Yes      Yes
  Roles and responsibilities                                           Yes       Yes      Yes
  Access controls                                                      Yes       Yes      Yes
  Management of email                                                  Yes       Yes      Yes
  Disaster Recovery and Contingency Planning                           Yes       Yes      Yes
  System Backup                                                        Yes       Yes      Yes
Other Elements
  Third Party Contracts                                                Yes       Yes      Yes
  Incident Response                                                    Yes       Yes      Yes
  Formal technology standards (AICPA, EU Data Directive)               Yes       Yes      Yes
  Compliance with specific legal or private contractual requirements   Yes       Yes      Yes
  Training                                                             Yes       Yes      Yes
Approach
“Follow The Data” – Data classification and mapping is essential
Integrate security, privacy, ESI and records management planning
– Simultaneously assess overlapping elements
– Build privacy and security compliance into information management
– Safely and securely destroy all ESI, including information protected by security and privacy laws, considering legal and business constraints