LAB3-R04 A Hard Privacy Impact Assessment. Post conference summary

Transcription

1 LAB3-R04 A Hard Privacy Impact Assessment Post conference summary John Elliott

2 Table of Contents THANK YOU... 3 WHAT IS PRIVACY?... 3 The European Perspective... 3 The US Perspective... 4 WHAT IS PRIVACY RISK?... 4 Privacy Harms... 4 PRIVACY IMPACT ASSESSMENTS... 5 When to do a PIA... 5 PIA Process... 5 Privacy Solutions... 6 CASE STUDY AUTOMATIC RISK ANALYSIS OF ONLINE CHAT... 6 RESOURCES

3 Privacy Impact Assessments This post-session summary is a re-cap of the Learning Lab. The main aim of the Lab was to help information security professionals understand the what, when, why and how of a privacy impact assessment. Hopefully now when you have to work with a privacy professional, you will at least know what they re talking about! Thank you Before going into a recap of the session which I hope you ll find really useful as a reminder of the material we covered (because I ll be the first to acknowledge that doing this in two hours was a bit of a sprint), I wanted to say thanks for attending and participating; both Joanne and I really enjoyed running the session. What is Privacy? Hopefully you ll remember the fun discussion you had about how much you all earned! The generally accepted definition of privacy is: The ability of a person to control, edit, manage and delete information about themselves and to decide how, and to what extent, such information is communicated to others. There was a brilliant talk all about privacy at RSA Conference 2017 from IAPP President and CEO, Trevor Hughes. If you want to get a better understanding of the nuances of privacy you can watch the recording at: There are contrasting viewpoints however in Europe and the US about whether privacy is a (fundamental) right or a legal tort. The European Perspective The European view is that privacy is a right. It s enshrined in Article 8 of the European Convention on Human Rights. Everyone has the right to respect for his private and family life, his home and his correspondence. The latest pan-european legislation, the General Data Protection Regulation (GDPR) starts off by stating: The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the Charter ) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her And the first Article states: 1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. 3

4 2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. So, any interpretation of a privacy matter in Europe will be rights based. And this is important even if you re a US-based company and you process the data of people resident in the EU. Because the GDPR is extra-territorial in application. The US Perspective In the US, privacy has been established as a tort since Judge Brandeis wrote his paper on the right to be let alone when the portable camera was invented (for more about this see Trevor Hughes presentation, linked above). Privacy is not an explicit general right but in the US is contained in separate bits of legislation. Some examples are GLBA, HIPAA, COPPA, and FERPA The previous administration produced a review entitled Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation that described a move to a more rights-based view of privacy in the US, however where privacy sits within the new administration s priorities is yet to be seen. What is Privacy Risk? Privacy Risk is the risk of harm arising through an intrusion into privacy. Privacy Harms Privacy harms can affect both individuals and organizations. The types of events that give rise to privacy harms are: Unauthorized disclosure o Data breach o Over-sharing Keeping someone s data for too long Doing something the person wouldn t expect Drawing conclusions from multiple data points Using inaccurate data And the harms that can affect an individual are typically broken down into two areas, direct harms (which are easily measured) and indirect harms (that are harder to measure). Direct harms include loss of employment, financial loss, disruption of relationships and harm to both physical and mental health for an example think of what happened when there was a breach at the affairs website Ashley Madison where people who were included in the leaked database lost their jobs, marriages and in some cases committed suicide. Indirect harms include self-censorship (because people are afraid that their privacy will not be maintained, and in the EU this is also closely related to the right to Freedom of Expression), a loss of personal dignity and a loss of personal autonomy The harm to an organization can be reputational, which can affect both individual and institutional trust (think Yahoo!); regulatory which can result in fines or an expensive audit regime (e.g. from the FTC) and legal, as the organization can be subject to direct legal action (e.g. for damages) from data subjects. 4

5 Privacy Impact Assessments A Privacy Impact Assessment (PIA) is also called a Privacy Risk Assessment and (for some unknown reason) in the EU they are called Data Protection Impact Assessments (DPIA). And although privacy pros tend to talk about Privacy Impact they really mean Privacy Risk and as InfoSec professionals we know how to do risk assessments. So when you hear PIA think Privacy Risk Assessment or simply, what is the Impact and Probability of the Privacy Harms identified above of happening to individuals and to the corporation. Once you ve done a PIA then just as with a traditional information security risk assessment you can apply solutions to bring the privacy risk back with the organization s risk appetite. When to do a PIA The simple answer is as early as possible in any project. The earlier you do a PIA, the sooner you can influence the design to reduce privacy risks. Just as with information security, it s easier to fix risks by design early on rather than trying to apply controls afterwards. There s also some statutory requirements where a PIA (or DPIA) is required: In the US, the E-Government Act of 2002 Section 208 requires U.S. government agencies to do PIAs for electronic information systems and collection. It s also recommended as best practice for all organizations processing personal data and would be useful in defending legal privacy-related claims. The GDPR in the EU requires organizations to undertake a DPIA when an organization plans: 1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; 2. Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or 3. A systematic monitoring of a publicly accessible area on a large scale. PIA Process There are six steps in a typical PIA process: 1. Document the information flows (and also volumes) which is what you ll be familiar doing when carrying out information security risk assessments. However, for a PIA it is important to also consider the nature of the data being processed, there s different levels of privacy harm attached to different sorts of personal data. 2. Identify all the entities that could be affected by a privacy harm and this could be individuals, organizations and other third parties. 3. Identify states and countries where the individuals reside this is important so that you can capture all the relevant compliance requirements. 4. Identify the privacy risks (harms/impacts and probability) and the compliance obligations. 5. Develop privacy solutions to minimize the privacy risk (or bring them within the organization s risk appetite) and meet compliance requirements. 6. Talk to stakeholders about the risks and how they will be addressed it s often very useful to talk with the data subjects (users, employees) about what you ve discovered. 5

6 Privacy Solutions There are four main ways to address privacy risks: 1. Data minimization by far the most powerful way of reducing risk is not to collect data, and if you have collected data then only collect the minimum you need and delete it as soon as you can. 2. Anonymization and pseudononymization so that data is no longer related to an individual. 3. Encryption which we know is hard to do well but good encryption of data can prevent it being used or accessed improperly. 4. Technical controls which are the same as you know about from your information security experience. Case Study Automatic Risk Analysis of Online Chat In the case study, we considered the privacy harms that could come to Alice, Bob, ANDY and the chat provider. The most interesting aspect I hope you found was that the greatest privacy risk to all of four of the entitles was the same unauthorized disclosure of the contents of Alice s (and Bob s) chat messages. All the working groups came to the same conclusion which was to just store that data in memory and as soon as chat session was finished, to forget the data and not store it. This is a great example that data minimization is often the most powerful privacy solution we have. Resources If you enjoyed this journey into privacy which I ll acknowledge was pretty high speed then you ll find lots of great resources on the International Association of Privacy Professionals (IAPP) website at They have a great qualification for IT professionals who want to demonstrate their privacy credentials which is the CIPT - Joanne would of course like to direct you to the TRUSTe website where again you ll find lots of useful privacy information And sometimes I write about privacy things as well as payments (PCI) and cyber security at John Elliott March

7 SESSION ID: LAB3-R04 A Hard Privacy Impact Assessment: Monitoring and Protecting Children Online John Elliott LLM CIPP/E Head of Payment Security Joanne B. Furtsch CIPP/US/C Director, Policy and Data Governance

8 Agenda Theory What is Privacy What is a Privacy Impact Assessment? Why do one? US View EU /GDPR View Practice - Detecting grooming online What are the privacy risks? Who do they affect? How could they be reduced / managed? 2

9 What we hope you ll take away Basic privacy principles Why do a PIA (or a DPIA) How to conduct a PIA Where next?

10 What is privacy?

11 Introduce yourselves to each other Name Where you come from What you want to get out of this session How much you earn

12 What is privacy?

13 the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others.

14 EU Perspective European Convention on Human Rights (ECHR) Article 8: 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law, and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health and morals, or for the protection of the rights and freedoms of others. 8

15 EU Perspective Recital 1: The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the Charter ) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her General Data Protection Regulation (GDPR) 9

16 In the EU privacy is a fundamental human right European Convention on Human Rights (ECHR) General Data Protection Regulation (GDPR) GDPR Article 1 1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. 2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

17 Why is GDPR important? Extra-territorial application GDPR Article 3(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union. Will you process the data of any EU citizens? 11

18 US Perspective Privacy is more than just, as Justice Brandeis famously proclaimed, the right to be let alone. It is the right to have our most personal information be kept safe by others we trust. It is the right to communicate freely and to do so without fear. It is the right to associate freely with others, regardless of the medium. In an age where so many of our thoughts, words, and movements are digitally recorded, privacy cannot simply be an abstract concept in our lives; privacy must be an embedded value. Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation. White House, January 17,

19 US Perspective U.S paradigm shift viewing privacy as a right Financial crisis Evolving technology and growth Sectorial approach to privacy laws Industries or individual types where data misuse can cause a high level of harm GLBA, HIPAA, COPPA, and FERPA Self-regulation or voluntary frameworks fill the gaps Questions around where the U.S. approach is headed Recent Executive Order removing privacy protections for non-u.s. citizens Policies around government surveillance and impact on US businesses EU-U.S. Privacy Shield agreement remains intact Does not rely on protections under the Privacy Act 13

20 What is privacy risk?

21 Privacy Risk is the risk of harm arising through an intrusion into privacy.

22 What could be privacy harm?

23 What can cause harm to individuals? Unauthorized disclosure Data breach Over-sharing Keeping data for too long Doing something the person wouldn t expect Drawing conclusions from multiple data points Using inaccurate data

24 Direct harm Loss of employment Financial loss Disruption of relationships Harm to mental and physical health

25 Indirect Harm Self-censorship Loss of personal dignity Loss of personal autonomy Fear of something happening

26 It s just like any infosec risk likelihood (probability) impact 20

27 Privacy risk to corporations Adverse publicity Regulatory censure Trust / distrust Existential risk Direct action from data subjects (consumers) + Explicit compliance requirements 21

28 Privacy risk assessment Privacy Impact Assessment (PIA) Data Protection Impact Assessment (DPIA)

29 Process Document information flows (and volumes) Identify entities (inc 3 rd Parties) Identify geographies (states/countries) Identify privacy risks and compliance obligations Develop privacy solutions Consult with stakeholders 23

30 Privacy solutions Data minimization Anonymization, pseudonymization Encryption Other technical protection

31 When - generally Type of data Quantity of data Doing something new New technology And at what stage in the process? 25

32 USA when to do a PIA E-Government Act of 2002 Section 208 U.S. government agencies required to do PIAs for electronic information systems and collection Documented assurances privacy issues have been identified and addressed early in the development lifecycle Conducting PIAs is an industry best practice Government PIAs and process serve as examples

33 What GDPR says: Do DPIA when 1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; 2. Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or 3. A systematic monitoring of a publicly accessible area on a large scale. 27

34 Tips Minimize data Types Length of storage Storage locations Pseudonymization, Anonymize 28

35 (D)PIAs in InfoSec work Network monitoring monitoring Endpoint monitoring 29

36 International Association of Privacy Professionals Resources for privacy pros iapp.org Certification for technologists working in privacy Certified Information Privacy Technologist (CIPT) 30