Risk management, information security and privacy compliance. new meeting of minds or ships in the night?

Transcription

1 Risk management, information security and privacy compliance new meeting of minds or ships in the night? Peter Leonard September 2015 page 1

2 ships in the night + narrowly focussed conversations reasonable steps to protect security of personal information (APP 12) + OAIC enforcement inadvertent internal leaks and external intrusions + different paradigms, different languages + conversation now needs to change: 1. reasonable practices, procedures and systems = privacy by design 2. growing gap between what entities say and do = scope for FTC style enforcement action 3. big data pressure on reasonable steps to delete or de-identify requirement (APP 11.2) 4. managing end to end risk cloud and other outsourcings 5. data analytics, de-identification techniques and re-identification risk but now a new journey with a new common language, being page 2

3 page 3 Source: Harvard Business Review, October 2012

4 How Target Knew a High School Girl Was Pregnant Before Her Parents Did and Ashley Madison + just because you can doesn t mean you should + mannequins that see, terminals that talk and other snoops + Bloomberg Terminal Scandal Makes Bunga Bunga Parties Seem Quaint The Daily Beast 13 May 2013 page 4

5 Privacy scope information about an individual who is reasonably identifiable whether sensitive or private (non-public) or not + control: identity and data right to know right to anonymity right to be forgotten + notices: transparency terms form and substance breach and notification + consent: sensitive notices (incl. mobile) opt-in / opt-out just in time notifications + privacy by design + cloud + security + cross-border + data retention, codes and contracts page 5

6 Saying everything and anything to anyone page 6

7 Privacy By Design (APP 1) + Absence of compliance framework (e.g. internal policies and training etc.) may be a breach of the APP 1 + Privacy by design: practices, procedures and systems to identify, assess and manage privacy risks and monitor and assure compliance training, not (only) policies security systems for protecting personal information (e.g. IT systems, internal access control and audit trails) conducting Privacy Impact Assessments for new projects or when a change is proposed to information handling practices governance mechanisms to ensure compliance with the APPs (e.g. privacy officers and regular reporting to the entity s governance body) a program of proactive review and audit of the adequacy and currency of the entity s privacy policy and of the practices, procedures and systems implemented under APP 1.2. page 7

8 Boring bits: APPs APP 1: open and transparent management of personal information APP 2: anonymity and pseudonymity APP 3: collection of solicited personal information APP 4: dealing with unsolicited personal information APP 5: notification of the collection of personal information APP 6: use or disclosure of personal information APP 7: direct marketing APP 8: cross-border disclosure of personal information APP 9: adoption, use or disclosure of government related identifiers APP 10: quality of personal information APP 11: security of personal information APP 12: access to personal information APP 13: correction of personal information page 8

9 [##] INFORMATION SECURITY Steps and strategies that may be reasonable to take include: Governance Robust information asset management Dedicated individual or body responsible for managing personal information Governance arrangements to: implement and maintain information security plans and measures promote awareness and compliance ICT security Whitelist and/or black list entities, content or applications Up to date software security User authentication Policies to prevent inappropriate or unauthorised access Point of access logs and audit trails Encryption Network security measures Testing ICT systems and processes Back ups Communications security measures Data breach Develop data breach response plan Train staff about how to respond to data breaches If your are facing a data breach use the OAIC s Data breach notification guide Physical security Security and alarm systems Access logs Workplace design Secure work and storage spaces Clean desk policy Storage and movement of files audited and monitored Personnel security and training Appropriate security clearances Staff training (including contractors and service providers) Employee exit procedures Workplace policies Policies documenting security matters, such as physical and ICT security Conflict of interest policy addressing handling of personal information of person known to staff member Policies addressing use of portable/mobile devices, and staff s own devices PSD, BYOD and offsite work policies SOURCE: OAIC, SUMMARY GUIDE TO INFORMATION SECURITY, MARCH 2013 Information life cycle PIAs and information security risk assessments conducted for new or changed acts or practices Collection practices periodically reviewed Personal information protected: during system upgrades when passed to/handled by a third party Policies for data retention and destruction Outsourcing contracts address handling of personal information Standards Relevant international, Australian and industry/sector standards on information security Compliance with standards tested internally or by third party Monitoring and review Operation and effectiveness of information security measures monitored and reviewed regularly Changes implemented as a result of monitoring and review page 9

10 More boring bits: threading data maps page 10

11 Still more boring bits: PIAs + Privacy impact assessment (PIA) tells the privacy story of a project to assist in managing privacy impacts + 5 key PIA stages: 1. describe the project 2. map the information flows and privacy framework 3. assess impact on privacy 4. privacy management/risk mitigation 5. recommendations + part of a broader project risk management process + AS/NZS ISO 31000:2009 (Risk Management); ISO 29100:2011 (IT - security privacy); UB167:2006 (Security Risk Management); Aust. Govt. Protective Security Policy Framework (PSPF) and Information Security Management (ISM) manual; NIST Standards; PCI Guidelines; industry requirements page 11

12 10 Steps to Undertaking a PIA page 12

13 Getting Grubb(y): info security and notoriety Source: page 13

14 Comms Alliance on the Ben Grubb case + The decision by the Privacy Commissioner in relation to the metadata request from the journalist, Mr Ben Grubb, has disturbing ramifications for the telecommunications sector and for its millions of customers throughout Australia. + Asserting that every single trace of network data - no matter how obscure, unintelligible or remote it is, or whether it reveals anything about a person at all - is captured under the Privacy Act is impractical, unnecessary and will be very costly for industry to manage. + This is a stark example of regulatory overreach. In making this decision the Privacy Commissioner has stepped into the realm of setting policy, without any consultation with industry and seemingly without a mandate from Government to extend the reach of regulatory obligations deep into the operations of communications service providers. Media Release by Communications Alliance 4 May 2015 page 14

15 How was Ben Grubb s identity reasonably ascertainable? + complexity of inquiries needed to ascertain the information and the degree of certainty with which possible connections could be made between information and an individual s identity + Per Telstra: Network data is spread out across many different network elements and systems where it is mixed with information generated from the use of those networks by other users. Data such as destination and source IP addresses, as well as cell tower information is recorded, but could take up to 3 weeks to retrieve due to the complexities involved in interrogating the network system. + Per Privacy Commissioner: I accept that the process of extracting some of the metadata falling within the scope of the complainant s request may require interrogation of several of Telstra s information systems by a group of specifically qualified personnel. I also accept that the process of ascertaining this information may take some time to obtain. However this process of ascertainment needs to be considered in a practical context, in this case relative to Telstra s resources and operational capacities. page 15

16 Out of the Shadows a U.S. View page 16

17 De-identification of data and information + De-identification of personal information can enable information to be shared or published without jeopardising personal privacy. This enables organisations to maximise the utility and value of information assets while safeguarding privacy and confidentiality. + De-identification involves removing or altering information that identifies an individual or is reasonably likely to do so. Generally, de-identification includes two steps: 1. removing personal identifiers, such as an individual s name, address, date of birth or other identifying information, and 2. removing or altering other information that may allow an individual to be identified, for example, because of a rare characteristic of the individual, or a combination of unique or remarkable characteristics that enable identification. + De-identification can be effective in preventing re-identification of an individual, but may not remove that risk altogether. There may, for example, be a possibility that another dataset or other information could be matched with the de-identified information. The risk of re-identification must be actively assessed and managed to mitigate this risk. This should occur both before an information asset is deidentified and after disclosure of a de-identified asset. OAIC Privacy Business Resource 4 page 17

18 De-identification risk assessment + Apply a motivated intruder test could a reasonably competent motivated person with access to internet and all public documents and making reasonable enquiries to gain more information identify the individual? + Look at re-identification in the round assess all relevant circumstances including technical, operational and contractual safeguards. + Per Australian Privacy Commissioner: The risk of re-identification will depend on the nature of the information asset, the de-identification techniques used and the context of the disclosure. Relevant factors to consider when determining whether an information asset has been effectively de-identified could include the cost, difficulty, practicality and likelihood of re-identification. Depending on the outcome of the risk analysis and the de-identification process, information and data custodians may need to engage an expert to undertake a statistical or scientific assessment of the information asset to ensure the risk of re-identification is low. page 18

19 UK ICO on limited access safeguards + purpose limitation + training, e.g. on security and data minimisation principles + personnel background checks + other arrangements for technical and organisational security e.g. staff confidentiality agreements; + controls over other data brought into the environment + limitation to particular project(s) + restriction on disclosure + prohibition on attempts at re-identification + measures for destruction of any accidentally re-identified personal data + encryption and key management + penalties a pre-defined list of risk mitigations cannot be exhaustive. Data controllers must conduct their own risk assessment, e.g. using their organisation s normal data security risk assessment processes Source: UK ICO, Anonymisation Code of Practice, Nov 2012 page 19

20 One model for re-identification risk assessment Level 5: aggregate data that cannot identify individuals e.g. k-anonymity and nonstratified counts Level 4: actively manage transactional data using safeguards that meet established benchmarks = risk is low Level 3: also mask variables that are quasi-identifiers (e.g. at level 2 mask gender but fail to mask date of pregnancy test. Level 2: data that is masked or obscured e.g. by randomization or perturbation or pseudonyms Level 1: data that is clearly identifiable Source: adapted from Greg Nelson Thotwave Technologies LLC page 20

21 ## Source: UK ICO, Anonymisation Code of Practice, Nov 2012 DOING BIG DATA BUSINESS IN CUSTOMER DATA ANALYTICS 2013 page page 21 21

22 Hybrid (IP, Privacy and Security Risk Management) Confidentiality Integrity security Availability Accessibility Permissibility Sensitivity Transparency Quality IP Ownership IP Protection privacy IP Implement protection steps and counter-measures (policies, processes, tech) page 22

23 Engineering Privacy in Practice COLLECTION MECHANISMS controls terms transparency INFORMATION ASSET INVENTORY asset accessibility personal? sensitive? quality security POSSIBLE USES AND DISCLOSURES outfacing services internal users cross-group stakeholder expectations cross-border combinatorial and matching OUTCOMES how where how much training implementation and review MITIGATION MEASURES how where how much how effective REQUIREMENTS ASSESSMENT rules standards good practice candidate security controls technical operational contractual page 23

24 IoT: the problem cubed page 24

25 + SYDNEY Level 37 2 Park Street Sydney NSW 2000 T F MELBOURNE Level Collins Street Melbourne VIC 3000 T F PERTH 1202 Hay Street West Perth WA 6005 T F page 25