Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things

Presented for AISA (aisa.org.au) by Rebecca Herold, CEO, The Privacy Professor (rebeccaherold@rebeccaherold.com).

Agenda
- Technology Evolution
- Privacy Perspectives
- Persistent Beliefs About Privacy
- Increasing Numbers of Privacy and Cybersecurity Incidents
- What is Privacy?
- Consumerization and Mobility
- Cloud Services
- Big Data
- Internet of Things
- Addressing Privacy
- Case Studies

Things vs. More Than Things (image slides pairing each ordinary object with its "smart", data-collecting counterpart)
- Shirts and tops vs. smart shirts and tops
- Socks vs. smart socks
- Prescription pills vs. smart prescription pills
- Tableware vs. smart tableware
- Cars vs. smart cars

Privacy Perspectives (image slides)
- Real privacy threat
- Versus perceived threat: attacks on those flying personal drones; "drone shield" clothing

Privacy Attitudes/Actions That Threaten Privacy
- "There's no law against it!"
- "It's not personal information."
- Posting about someone else
- "Cyber attacks are only a problem for large organizations."
- "The only people talking about this are those who will profit from the scare tactics."
- Public Facebook post: "I see you at the Train/Maroon 5 concert, I'm 17 rows behind you!"

Persistent Beliefs: dangerous statements that have valid points, but must be balanced by considering the privacy ramifications
- "There is no personal information involved, so there are no privacy impacts."
- "Encrypt it and you don't have to worry."
- "If people put their personal information online, they want you to have it!"
- "Too many privacy protections inhibit innovation and positive advances."
- "There is no privacy anyway, so there's no use spending time and effort on it."

Personal Data Sharing is Increasing
- Study: 75% of health wearables and apps sent personal data to third parties without users' knowledge
- Study: the top 20 health-related apps sent personal data to as many as 70 third parties

Cybersecurity Incidents are Increasing (Cisco 2014 Annual Security Report)
- Mobile apps are regularly downloaded without any thought of security.
- 99% of all mobile malware targets Android devices.
- Trojans targeting Java Micro Edition (J2ME)-capable devices are in second place, at 0.84% of all mobile malware encounters.
- Android users have the highest encounter rate with all forms of web-delivered malware (71%), followed by Apple iPhone users (14%).

Cybersecurity Incidents are Increasing (Symantec Latin American + Caribbean Cyber Security Trends, June 2014)
- In total, over 552 million identities around the world were exposed in 2013, putting consumer credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, logins, passwords, and other personal information into the criminal underground.
- Stolen credit cards can sell for as much as $100 per card on the black market, making data breaches a low-risk, simple, yet profitable activity for cybercriminals.
- Globally, 8 breaches each exposed 10 million identities or more.

Cybersecurity Incidents are Increasing: but business leaders refuse to take action, or even to believe there are threats. Comments quoted on the slide:
- "I fail to see this threat ever becoming real."
- "Cyber attacks have always been against the masses, not the individuals."
- "This is more hype than anything. The only people that support this are those that will profit from the scare tactics."

Privacy Incidents are Increasing (4th Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute)
- Criminal attacks on healthcare organizations increased 100% since 2010.
- 75% of organizations say employee negligence is their biggest worry, followed by use of public cloud services (41%), mobile device insecurity (40%) and cyber attackers (39%).
- Despite the concerns about employee negligence and the use of insecure mobile devices, 88% of organizations permit employees and medical staff to use their own mobile devices to connect to their organization's networks or enterprise systems such as email.
- 40% say they use the cloud heavily, an increase from 32% in 2013.
- 73% are either somewhat confident (33%) or not confident (40%) that their business associates would be able to detect a data breach, perform an incident risk assessment and notify their organization, as required under the business associate agreement.

Privacy Incidents are Increasing: third-party risks
- Unauthorized access by insiders
- Loss and theft of devices storing personal information
- Non-compliance with security and privacy requirements
- Using information in ways they are not authorized to
- Malware

What is Privacy?
- Informational privacy
- Bodily privacy
- Territorial privacy
- Communications privacy

Personal Information Elements
General information:
- Name
- Gender
- Age and date of birth
- Marital status
- Home address
- Business and personal addresses
- Business and personal phone numbers
- Business and personal e-mail addresses
- Account number
- Social Security number
- License plate number
- Citizenship
- Languages spoken
- Veteran status
- Disabled status
- IP address (in some jurisdictions)
- Dozens (hundreds?) more
Organizational information:
- Internal identification numbers
Sensitive information:
- Government-issued identification numbers
- Identity verification information
Must also consider:
- New types of information/data
- *ANY* data that can point to an individual
- And the list goes on

Consumerization of IT & Privacy (image slide)

Mobility Benefits (image slide)

Mobility & Privacy
- BYOD results in BYOA (bring your own applications)
- Tablets & smartphones
- USBs
- Data collected through apps
- Access to the customer's device
- Malware
- Phishing
- Securing data in transit
- Securing data in storage

Cloud Services & Privacy (image slide)

Big Data (privacy control areas highlighted on the slide)
- Use limitations
- Retention & disposal
- Availability
- Disclosure controls
- Integrity

Big Data Privacy Risks
- Anonymization could become impossible
- Data masking could become impossible
- People don't realize the risks
- Bad actions based on incorrect interpretations
- Ethical issues with driving behavior
- Discrimination
- Few (if any) legal protections for the individuals involved
- Data exists indefinitely
- Concerns for e-discovery
- Making patents and copyrights irrelevant
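The first two risks above come down to linkage: once enough other data exists, a dataset with names removed can still be joined to a public dataset on the attributes both share, and masking a few direct identifiers does not change that. The Python below is an added example, not part of the original presentation. The health records, the voter-roll-style public list and the names are constructed, and the generalization bands (3-digit ZIP prefix, birth decade, sex suppressed) are illustrative choices, not a standard. It measures k-anonymity over the quasi-identifiers, performs the linkage, and then repeats the join after generalization.

```python
"""Re-identification by linkage, and how generalization raises k-anonymity.

Added example, not from the original presentation. Every record below is
constructed for illustration; the names are fictitious.
"""
from collections import Counter

# Quasi-identifiers (QIs): not direct identifiers, but unique in combination.
QI = ("zip", "birth_year", "sex")

# "De-identified" health records: names removed, QIs kept exact (constructed).
HEALTH = [
    {"zip": "50309", "birth_year": 1971, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "50309", "birth_year": 1978, "sex": "M", "diagnosis": "asthma"},
    {"zip": "50312", "birth_year": 1973, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "50312", "birth_year": 1976, "sex": "M", "diagnosis": "migraine"},
]

# A public list (voter-roll style) carrying names and the same QIs (constructed).
PUBLIC = [
    {"name": "Alice", "zip": "50309", "birth_year": 1971, "sex": "F"},
    {"name": "Bob",   "zip": "50309", "birth_year": 1978, "sex": "M"},
    {"name": "Carol", "zip": "50312", "birth_year": 1973, "sex": "F"},
    {"name": "Dan",   "zip": "50312", "birth_year": 1976, "sex": "M"},
]


def qi_key(rec, qi=QI):
    return tuple(rec[a] for a in qi)


def k_anonymity(records, qi=QI):
    """Size of the smallest group sharing the same QI values.
    k == 1 means at least one record is unique and can be singled out."""
    return min(Counter(qi_key(r, qi) for r in records).values())


def link(anon, public, transform=lambda r: r, qi=QI):
    """Join de-identified records to the public list on the QIs.

    `transform` is applied to the public records first, because an attacker
    who sees generalized data will generalize the public side the same way.
    Returns {name: diagnosis} for every person matched uniquely."""
    index = {}
    for p in public:
        index.setdefault(qi_key(transform(p), qi), []).append(p["name"])
    hits = {}
    for r in anon:
        names = index.get(qi_key(r, qi), [])
        if len(names) == 1:          # exactly one candidate: re-identified
            hits[names[0]] = r["diagnosis"]
    return hits


def generalize(rec):
    """Coarsen the QIs: 3-digit ZIP prefix, birth decade, sex suppressed.
    These bands are illustrative assumptions, not a standard."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3] + "**"
    out["birth_year"] = rec["birth_year"] // 10 * 10
    out["sex"] = "*"
    return out


def anonymize(records):
    return [generalize(r) for r in records]


if __name__ == "__main__":
    print("k before:", k_anonymity(HEALTH))                             # 1
    print("re-identified:", link(HEALTH, PUBLIC))                       # all four
    released = anonymize(HEALTH)
    print("k after:", k_anonymity(released))                            # 4
    print("re-identified after:", link(released, PUBLIC, generalize))   # {}
```

The point of applying the same transform to the public side is that generalizing only your own release is not a control; the residual k after the adversary has matched your bands is what protects people. The price is utility: the coarser the bands, the less the data is worth analytically, which is the tension the slide's "incorrect interpretations" and "few legal protections" bullets sit on.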

Internet of Things Privacy Risks
- Creates a more pervasive "Big Brother" society
- Individuals don't know they are sharing their data
- Little to no control over the data collected
- Traditional privacy principles (e.g., FIPPs) may not be feasible
- Few (if any) legal protections for the individuals involved
- No standards for building in privacy
- Currently no way to communicate privacy issues from/through the devices

Internet of Things (privacy control areas highlighted on the slide: disclosure controls, use limitations, retention & disposal, availability, integrity)
- By 2015, 25 billion devices are projected to be connected to the Internet; this number could double to 50 billion devices by the end of the decade. http://www.cisco.com/web/about/ac79/docs/innov/iot_ibsg_0411final.pdf
- The M2M market will expand to 24 billion smart sensors by 2020 and will be worth approximately $1.2 trillion. http://newsroom.cisco.com/feature-content?type=webcontent&articleid=1158640
- TRENDnet (as found in the U.S. FTC's complaint against the company) failed to employ reasonable and appropriate security during the design and testing of consumer software, and failed to monitor third-party security vulnerability reports.

Infographic taken from http://www.privacyguidance.com/einfograph.html

Internet of Things: Medical Devices (video: https://www.youtube.com/watch?v=_aqoopuwjhe)

Internet of Things: Wearable Technologies

Internet of Things: Mobile Linkages

Internet of Things: Energy Usage

Internet of Things: Smart Appliances (diagram of possible data paths, each marked with a question mark)
- Smart meter -> HAN (home area network) -> smart grid?
- HAN -> smart appliance -> Internet?
- Smart meter -> HAN -> Internet?

Address Privacy Risks by Building In Privacy Controls

Privacy Principles
OECD Privacy Principles:
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle
The Australian Information Privacy Principles align closely with the OECD Privacy Principles:
- IPP 1: manner and purpose of collection
- IPP 2: collecting information directly from individuals
- IPP 3: collecting information generally
- IPP 4: storage and security
- IPPs 5-7: access and amendment
- IPPs 8-10: information use
- IPP 11: disclosure

Case Study: Drones over a public national park forest (each case study is mapped against the eight OECD principles: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, Accountability)
- Use: determine insect damage to trees
- Privacy concerns:
  - People in the park will be recorded
  - Adjacent property will be recorded
  - Other?
- Possible privacy mitigation actions:
  - Use GPS settings in the drone
  - Establish drone flight height requirements
  - Use face-blurring technologies
  - Post signs
  - Only fly when the park is closed
  - Other?

Case Study: Smart prescription pills (mapped against the OECD principles)
- Use: track the health of the patient
- Privacy concerns:
  - Inappropriate sharing of health data
  - Inappropriate use of health data
  - Health data modification
  - Securing the transmission of data
  - Other?
- Possible privacy mitigation actions:
  - Use encryption
  - Log access to data
  - Other?

Case Study: Smart meters (mapped against the OECD principles)
- Use: track and control energy usage to save energy
- Privacy concerns:
  - Activities within the house will be revealed
  - Energy usage may be inappropriately shared
  - Energy usage could be controlled
  - Other?
- Possible privacy mitigation actions:
  - Lengthen the interval between energy usage readings
  - Send aggregate data to the utility
  - Restrict data sharing
  - Other?
- Reference: NISTIR 7628 Rev. 1, Vol. 2 (privacy and the smart grid), http://csrc.nist.gov/publications/drafts/nistir-7628-r1/draft_nistir_7628_r1_vol2.pdf
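The first two mitigations in the smart meter case study can be checked on synthetic data. The Python below is an added example, not from the presentation or from NISTIR 7628; the readings, the appliance power signatures and the matching tolerance are constructed assumptions. An observer infers appliance use from step changes in 1-minute readings (the "activities within the house" concern). The same inference fails once readings are averaged into 10-minute windows, while a sum over only two households still exposes every switch-on event, which is why aggregation needs enough participants before it counts as a control.

```python
"""Smart-meter telemetry: why reading interval and aggregation matter.

Added example, not from the presentation or NISTIR 7628. All readings,
appliance signatures and the tolerance below are constructed assumptions.
"""
from statistics import mean

# Constructed 1-minute readings in watts for two homes over 20 minutes.
# Home A: ~100 W base, a ~2 kW kettle at minutes 5-6, a ~1.5 kW microwave at 12-14.
HOME_A = [100, 100, 110, 100, 100, 2100, 2100, 100, 100, 100,
          100, 100, 1600, 1600, 1600, 100, 100, 100, 100, 100]
# Home B: ~200 W base, microwave at 9-10, kettle at 18-19.
HOME_B = [200, 200, 200, 200, 200, 200, 200, 200, 200, 1700,
          1700, 200, 200, 200, 200, 200, 200, 200, 2300, 2300]

# Assumed appliance power signatures an observer matches step changes against.
SIGNATURES = {"kettle": 2000, "microwave": 1500}
TOLERANCE = 150   # watts; assumed matching slack


def events(readings):
    """Non-intrusive load monitoring in miniature: a positive step between
    consecutive readings that matches a signature is an appliance switch-on.
    Returns [(index, appliance), ...]."""
    found = []
    for i in range(1, len(readings)):
        delta = readings[i] - readings[i - 1]
        for name, watts in SIGNATURES.items():
            if abs(delta - watts) <= TOLERANCE:
                found.append((i, name))
    return found


def lengthen(readings, factor):
    """Mitigation 1: report the average over windows `factor` readings long
    instead of every reading (e.g. 10-minute instead of 1-minute data)."""
    return [mean(readings[i:i + factor]) for i in range(0, len(readings), factor)]


def aggregate(homes):
    """Mitigation 2: report the sum across households, not per-home values."""
    return [sum(values) for values in zip(*homes)]


if __name__ == "__main__":
    print("home A, 1-minute:", events(HOME_A))                      # kettle, microwave
    print("home A, 10-minute:", events(lengthen(HOME_A, 10)))       # nothing
    both = aggregate([HOME_A, HOME_B])
    print("two-home sum, 1-minute:", events(both))                  # all four events
    print("two-home sum, 10-minute:", events(lengthen(both, 10)))   # nothing
```

With only two homes the aggregate still shows a clean 2 kW step at minute 5, so the utility (or anyone who sees the feed) learns that someone boiled a kettle, and with a little side information, which home. Aggregation hides individual behaviour only when enough households overlap that no single step stands out; lengthening the interval works on its own because it destroys the signature itself.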

Case Study: Use of drones in farming (mapped against the OECD principles)
- Use: check crops and livestock
- Privacy concerns:
  - Others would obtain the images
  - Farmers would use the images inappropriately
  - Other?
- Possible privacy mitigation actions:
  - Establish limits via GPS settings
  - Require drones to be registered and their logs subject to monitoring
  - Other?
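Both drone case studies (the national park survey and the farm) list GPS-based limits, a flight height requirement and monitored logs as mitigations. The Python below is an added example, not from the presentation: it gates recording on a geofence polygon and a minimum height and writes an audit line for every decision. The park boundary, the flight path, the 60 m minimum and the drone registration identifier are constructed assumptions, and positions are in a flat local metre grid rather than real GPS coordinates.

```python
"""Drone geofence: record only inside the authorized area, above a minimum
height, and log every decision for oversight.

Added example, not from the presentation. Polygon, path, limits and the
registration id are constructed; x/y are local metres, not real GPS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fix:
    x: float      # metres east in an assumed local frame (stands in for longitude)
    y: float      # metres north (stands in for latitude)
    alt: float    # metres above ground


def inside(polygon, x, y):
    """Ray-casting point-in-polygon test; polygon is a list of (x, y) vertices."""
    result = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        xi, yi = polygon[i]
        xj, yj = polygon[j]
        if (yi > y) != (yj > y):                       # edge straddles the ray
            x_cross = xj + (y - yj) * (xi - xj) / (yi - yj)
            if x < x_cross:
                result = not result
        j = i
    return result


MIN_ALT = 60.0   # assumed minimum height at which faces are not recognisable


def may_record(polygon, fix, min_alt=MIN_ALT):
    """Return (allowed, reason) for recording at this position."""
    if not inside(polygon, fix.x, fix.y):
        return False, "outside authorized area"
    if fix.alt < min_alt:
        return False, f"below minimum height {min_alt} m"
    return True, "ok"


def fly(polygon, path, drone_id="DRONE-0001"):      # hypothetical registration id
    """Walk the path; returns (frames recorded, audit log lines)."""
    log, recorded = [], 0
    for fix in path:
        ok, why = may_record(polygon, fix)
        recorded += 1 if ok else 0
        log.append(f"{drone_id} pos=({fix.x:.0f},{fix.y:.0f}) alt={fix.alt:.0f} "
                   f"record={ok} {why}")
    return recorded, log


# Constructed park boundary (a 1 km square) and a path that strays outside it.
PARK = [(0, 0), (1000, 0), (1000, 1000), (0, 1000)]
PATH = [Fix(500, 500, 80), Fix(500, 500, 40), Fix(1200, 500, 80), Fix(900, 900, 100)]

if __name__ == "__main__":
    count, lines = fly(PARK, PATH)
    print("\n".join(lines))
    print("frames recorded:", count)                 # 2
```

The log is what makes the "registered and monitored" mitigation real: the controller keeps every allow/deny decision with position and height, so a later audit can show that nothing was recorded over adjacent property or below the height at which people become identifiable.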

Case Study: Smart glasses (mapped against the OECD principles)
- Context: the manufacturer wants to include privacy protections
- Privacy concerns:
  - Those in the vicinity will be recorded without their consent
  - Used to steal IP (e.g., movies)
  - Other?
- Possible privacy mitigation actions:
  - Show a visible light or play a sound while recording
  - Other?

Managing the Risks
- Use the most appropriate privacy principles (e.g., OECD)
- Assign responsibility
- Establish information security and privacy policies
- Create supporting procedures and standards
- Provide training and ongoing awareness
- Establish oversight
- Ask: will the way in which you use, share, present, retain, etc. data about individuals be viewed as creepy?

Initiatives: the U.S. NIST Privacy Engineering Workshop is beginning to address the technical engineering issues.
- http://cdnapi.kaltura.com/index.php/extwidget/opengraph/wid/1_hkvfzl96
- http://www.nist.gov/itl/csd/privacy-engineering-workshop-webcast.cfm

Questions?
Rebecca Herold & Associates, LLC, The Privacy Professor, Des Moines, Iowa
Phone: 515-491-1564
Web sites: www.privacyprofessor.org, www.privacyguidance.com
Blog: www.privacyguidance.com/blog
Rebecca Herold, CIPM, CIPP/US, CIPT, CISSP, CISM, CISA, FLMI
rebeccaherold@rebeccaherold.com
Twitter: http://twitter.com/privacyprof