Transcript of: Essentials of RIM… · E-records security CONFIDENTIALITY Limit information access and...
Essentials of RIM
Are you an asset to your organization? Do you have the skills needed to manage records and information within your organization as a strategic component for success? ARMA International’s Essentials of RIM Certificate is designed for entry-level information management professionals and other individuals whose jobs involve records, ….
There's no travel involved - all courses are offered online for convenient and flexible training on YOUR schedule.
www.arma.org/essentials/
Privacy and Security
for you & yours, your organization & theirs
Objectives:
describe threats to security of personal data
identify regulations that affect an organization’s privacy policies
list ways to protect against data breaches
explain how a RIM program can decrease threats to privacy
PRIVACY defined
Merriam-Webster definition:
a: the quality or state of being apart from company or observation
b: freedom from unauthorized intrusion
http://www.merriam-webster.com/dictionary/privacy
Right to Privacy
the qualified legal right of a person to have reasonable privacy in not having his private affairs made known or his likeness exhibited to the public having regard to his habits, mode of living, and occupation
http://www.merriam-webster.com/dictionary/right%20of%20privacy
Privacy defined: Right to Privacy
(Louis D. Brandeis photo accessed from the Brandeis University Legacy Fund for Social Justice webpage: http://www.brandeis.edu/legacyfund/bio.html. Samuel D. Warren photo accessed from Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/Samuel_D._Warren)
People have a common-law right to privacy.
4 Harvard Law Review 193 (1890). http://www.law.louisville.edu/library/collections/brandeis/node/225 (Louis D. Brandeis School of Law, The University of Louisville, Kentucky)
“Privacy, in other words, involves so many things that it is impossible to reduce them all to one simple idea.”
Daniel J. Solove, “Why Privacy Matters Even if You Have Nothing to Hide,” The Chronicle of Higher Education. Available at http://chronicle.com/article/Why-Privacy-Matters-Even-if/127461/
The Internet complicates things.
There’s no global privacy standard or governance.
Global commerce and communication require mindfulness of other nations’ standards and rules.
Global commerce and communication offer an array of vendors and correspondents – and an array of opportunities for cyber attacks.
Marketing: Private?
Cookies: session, persistent, flash
Targeted marketing: informs the buyer of products & services; offers discounts; allows auto-fill of forms
Permission-based marketing: the company must ask if customers agree to share information.
Social Media
Users freely post to sites.
Users are largely inattentive to privacy considerations.
Sites collect, use and share data without informing users.
(photo accessed from Honda Ridgeline interior photos page: http://automobiles.honda.com/ridgeline/interior-photos.aspx)
Opt in or opt out – Whose burden is it?
http://www.ftc.gov/
Ensure reasonable security for consumer data.
Limit collection and retention of personal data.
Make reasonable efforts to ensure personal data is accurate.
Provide customers and clients with choices about how data is collected and shared.
Compose shorter, clearer, standardized privacy policies.
Federal Trade Commission: Build protection into the business records plan to ensure privacy and security – privacy by design.
Threats to privacy
cyber attacks
cyber attackers’ anonymity
damage to, loss or theft of portable devices
data corruption
Many organizations just are not equipped to deal with rapidly changing technology; hackers are.
ALL electronic transmissions are vulnerable: email, online purchases, photo posts, tweets.
Even encrypted data is at risk when a portable device is lost or stolen, when a portable device is hacked at a wifi location, or when a user leaves a public or shared computer without logging off.
Information technology is fast, fast-changing, and changing attitudes.
Ethics and standards are not keeping pace with technological advances.
Medical Records - Electronic Health Records (EHR)
greater storage capability = greater efficiency for patients, providers, payment systems
no need for the patient to fill out the same forms over and over
EHR stored in several places, so records are not lost in a disaster
LOCKSS? Lots Of Copies Keep Stuff Safe (managed copies)
All of the above result in cost savings for providers, which may be passed on to the consumer.
“Medical identity theft refers to the misuse of another individual’s PII such as name, date of birth, SSN, or insurance policy number to obtain or bill for medical services or medical goods.”
Medical Identity Theft Environmental Scan, Booz Allen Hamilton, 2008 www.healthit.gov/sites/default/files/hhs_onc_medid_theft_envscan_101008_final_cover_note_0.pdf
To identity thieves, medical ID is worth twice as much as “regular” personal data.
Med ID can be compromised by…
Financial medical identity theft: someone is getting medical help using your name and/or other information.
Criminal medical identity theft: you are being held responsible for another person’s criminal behavior.
Government benefit fraud: your medical benefits are being used by another person.
http://oig.hhs.gov/fraud/medical-id-theft/index.asp
Smart grid customizes power system to reflect home owners’ needs
Customers’ energy use could reveal: daily schedules; the presence of alarm systems; the presence of sophisticated, expensive electronic equipment in the residence.
Vehicle “black boxes” can save lives (think of GM’s OnStar)
Insurers can use drivers’ data to determine rates – lower or higher.
Commingling personal and business data
Who is the “owner” of business records created, amended, retained on an employee’s computer?
Who is the “owner” of personal records created, amended, retained on company-owned equipment?
The session study guide cites John Montaña’s recommendations for clarifying rights of access.
Employers:
1. Determine the need for intrusive access policies based on the type of work being done.
2. Make it clear that copies of employer-owned data remain the employer's property.
3. Provide computers to employees for important offsite work.
Employees:
1. Read policies and negotiate before signing.
2. Keep personal computers private.
3. Segregate and protect personal data.
Data Breaches
A data breach is the unauthorized access to, disclosure of, or compromise of physical or electronic data.
Identify the breach to shorten the time between attack and response.
Response team members may include the chief privacy officer, chief information officer, chief IT security officer, human resources staff, public relations staff, legal counsel, and sometimes even law enforcement.
Assess risk level:
Does the nature of the breach indicate criminal intent?
What kind of data is at risk?
Is personal information compromised?
Is there evidence that data is being used for identity theft?
Are lives in danger?
Can systems be damaged or affected by the breach?
Are controls in place that will minimize damage?
Assign risk:
Low risk: Criminal intent is not apparent. Controls are in place to handle the breach. Notification may do more harm than good.
Medium risk: Criminal intent could be involved. Controls are in place to prevent criminal success. Law enforcement, affected organizations, and affected individuals might be notified.
High risk: The breach is likely criminally motivated. Controls to minimize privacy violation are ineffective. The organization likely will notify the individuals involved and will provide some sort of remedy.
Disclose the breach:
Consult legal counsel for help in preparing the disclosure.
The business plan should contain an established data disclosure plan.
Consider state, federal and international laws & regulations.
Up-front disclosure is better than damage control.
“Destruction by Design”
Destroy information appropriately.
Maintain responsibility for outsourced records services.
Enforce accountability for records decisions.
Consider that “free” may not be.
Delete: delete / re-write / de-duplicate
Safeguarding privacy
U.S. data protection regulations are piecemeal, and address industry-specific concerns:
CALEA - Communications Assistance for Law Enforcement Act
COPPA - Children’s Online Privacy Protection Act
DPPA - Driver Privacy Protection Act
FERPA - Family Educational Rights and Privacy Act
HITECH - Health Information Technology for Economic and Clinical Health
SOPA - Stop Online Piracy Act; PIPA - Protect IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act)
The European Union’s Data Protection Directive 95/46/EC of 24 October 1995 is broader, and standardized for all 27 member nations.
Individuals must give explicit consent for their data to be transferred to a third party, unless the third party is conducting services on behalf of the initial party.
The Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.
http://ec.europa.eu/justice/data-protection
Among proposed revisions is an extension of personal privacy rights to include law enforcement and criminal justice systems.
Security defined (Merriam-Webster):
1: the quality or state of being secure: as a: freedom from danger; b: freedom from fear or anxiety; c: freedom from the prospect of being laid off (job security)
2 a: something given, deposited, or pledged to make certain the fulfillment of an obligation; b: surety
3: an instrument of investment in the form of a document (as a stock certificate or bond) providing evidence of its ownership
4 a: something that secures: protection; b (1): measures taken to guard against espionage or sabotage, crime, attack, or escape; (2): an organization or department whose task is security
http://www.merriam-webster.com/dictionary/security
U.S. Regulations
FCRA (Fair Credit Reporting Act)
FACTA (Fair and Accurate Credit Transactions Act)
HIPAA (Health Insurance Portability and Accountability Act)
GLBA (Gramm-Leach-Bliley Act)
Information Security Standards
BS (British Standard) 7799 – the first standard for information security
ISO 27001 - to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.”
ISO 27002 – details specific controls that may be applied to secure information and related assets
Digital Security Standard: protection of cardholder data; encryption of data during transmission; restricted access; tracking and monitoring access; security maintenance policies
HRIS (Human Resources Information System) may contain an organization’s most sensitive data.
Policy: Access is allowed on a need-to-know basis.
Policy: Access is secured.
E-records security
CONFIDENTIALITY: Limit information access and disclosure to authorized users and prevent unauthorized users from viewing restricted resources.
INTEGRITY: Ensure the data has not been altered inappropriately.
AVAILABILITY: Networks, servers, routers, software, and desktop machines must be reliable.
https://www.cia.gov/library/publications/the-world-factbook/
Internet use policy
Establish ownership.
State that e-mail messages and Internet usage are not private.
Assign employees a username and a password to access the Internet, and limit Internet use to business purposes only.
Define recordkeeping requirements.
Stipulate that business must be conducted on company e-mail, and require employees to use internal IM.
State that employees cannot intentionally block the organization’s anti-virus software.
Conclude the policy by reminding employees that the organization, not the employee, owns the computer systems.
Transmission security
ALL electronic transmissions can be intercepted.
Collaborate with I.T.:
Encrypt all sensitive data for transmission and distribution.
Use firewalls to protect both incoming and outgoing network traffic.
Keep current on patches and updates to software.
Use virtual private networks (VPNs) for employees in remote locations.
Change hardware and software vendor default passwords.
Secure workplace wireless networks.
Secure home work environments, including wireless networks for employees who work from home.
Cloud security
Ensure that your contract with cloud vendors includes adequate security protections.
Involve security and privacy professionals in the decision about which vendor to use.
But most importantly, have a clearly stated policy outlining what sensitive information is and how it should be handled.
Physical security of e-records
Monitoring server room access is required under ISO 27002, as is protection of all associated end-user machines.
William Saffady recommends:
Restrict admittance to media repositories to those with a legitimate business reason.
Require badges to identify authorized employees.
Limit access to a single, supervised entrance. Configure other doors as emergency exits with strike bars and audible alarms.
Never leave media repositories unattended. Lock them when they are unattended.
Back up vital records at predetermined intervals and store them in secured, offsite facilities.
Records Manager’s role
Some laws, e.g., HIPAA and GLBA, require organizations to have an overseer of privacy training and compliance. The records manager:
ensures that personal information is not jeopardized in any of an organization’s marketing or in its online presence
monitors information systems to ensure the safety of the organization’s information and the privacy of customers, employees, vendors, and suppliers
Privacy and compliance policy: Start here.
Inventory: Assess data collection
What types of data are collected?
How is the data collected?
How is the data used?
Inventory sensitive data: what is stored, where, when, and how.
How are accuracy and completeness verified?
Data Classification: Assign a data sensitivity level as data is created, revised, stored or transmitted. The classification informs the extent to which the data need to be secured.
Collaborate with I.T. to identify records that are subject to privacy regulations.
Privacy Compliance: David O. Stephens’s recommendations:
Enterprise-wide privacy policy: No unauthorized use of data will be made that conflicts with the policy.
Breach of the policy will result in disciplinary action.
Deliberate breaches will be considered gross misconduct; appropriate remedies will be applied.
Data encryption enhances security.
Audit systems containing personal information systematically.
illustration: http://vis.berkeley.edu/courses/cs294-10-fa08/wiki/images/d/d5/Encryption_Illustration.pdf
Determine use:
How many recordkeeping systems contain sensitive data?
Where are those systems?
What is the data?
Re-examine retention practices: Retain only factual information for the minimum amount of time needed to meet business requirements and to comply with the law.
Destroy records under an approved retention policy.
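As an added example (not part of the ARMA course or this deck), the "Inventory sensitive data" / "Data Classification" steps and the "Determine use" questions above, carried out as a small Python scan over constructed sample records: each record is classified by the PII it contains (the SSN, date of birth and insurance policy number the deck names as medical identity theft material) and rolled up into a per-system summary of where sensitive data sits and what it is. The "INS-" policy-number format, the three sensitivity levels and the system names are assumptions.

```python
import re
from collections import defaultdict

# Patterns for the PII the deck lists as raw material for medical identity
# theft. The insurance policy format (assumed "INS-" plus digits) is made up
# for this example; a real scan would use the organisation's own formats.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(
        r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "insurance_policy": re.compile(r"\bINS-\d{6,}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Assumed sensitivity levels: identifiers usable for medical or financial
# identity theft are "restricted", other personal data "confidential",
# everything else "internal".
RESTRICTED = {"ssn", "insurance_policy", "date_of_birth"}
RANK = {"internal": 0, "confidential": 1, "restricted": 2}


def classify(text):
    """Return (level, found): the sensitivity level and the PII types present."""
    found = {name for name, pat in PII_PATTERNS.items() if pat.search(text)}
    if found & RESTRICTED:
        return "restricted", found
    if found:
        return "confidential", found
    return "internal", found


def inventory(records):
    """Answer 'how many systems, where, what data' for (system, location, text)
    records; systems with no PII are left out of the summary."""
    summary = defaultdict(
        lambda: {"locations": set(), "data": set(), "level": "internal"})
    for system, location, text in records:
        level, found = classify(text)
        if not found:
            continue
        entry = summary[system]
        entry["locations"].add(location)
        entry["data"] |= found
        if RANK[level] > RANK[entry["level"]]:
            entry["level"] = level      # a system takes its most sensitive record's level
    return dict(summary)


# Constructed sample records (not real data) spread across three systems.
SAMPLE_RECORDS = [
    ("hris", "fileserver01:/hr/benefits.csv", "Jane Doe, SSN 123-45-6789, DOB: 01/02/1970"),
    ("hris", "fileserver01:/hr/contacts.csv", "Jane Doe, jdoe@example.com"),
    ("claims", "db02.claims", "Policy INS-0001234 claim for J. Doe, 2013-04-01"),
    ("intranet", "wiki.internal/page/1", "Quarterly newsletter: parking lot repaving"),
]

if __name__ == "__main__":
    for system, entry in inventory(SAMPLE_RECORDS).items():
        print(system, entry["level"], sorted(entry["data"]), sorted(entry["locations"]))
```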
Done and gone (?)
Objectives met:
described threats to security of personal data
identified regulations that affect an organization’s privacy policies
listed ways to protect against data breaches
explained how a RIM program can decrease threats to privacy
Sources and Resources (online)
Essentials of RIM: www.arma.org/essentials/
Information Management Magazine: content.arma.org/IMM/online/InformationManagement.aspx
David O. Stephens, “Protecting Personal Privacy in the Global Business Environment,” IMJ May/June 2007, 56-59. Available at www.arma.org/bookstore/files/Stephens1.pdf
Nikki Swartz, “Protecting Information from Insiders,” IMJ May/June 2007, 20-23. Available at www.arma.org/bookstore/files/Swartz9.pdf
Judy Vasek Sitton, “When the Right to Know and the Right to Privacy Collide,” IMJ Sept/Oct 2006, 76-80. Available at www.arma.org/bookstore/files/Sitton.pdf
AIIM: www.aiim.org/search?q=privacy
Data Breach Watch: www.databreachwatch.org
Data Loss DB: datalossdb.org
Federal Trade Commission (FTC) Bureau of Consumer Protection (BCP), Privacy and Security: business.ftc.gov/privacy-and-security
FTC free tutorial on sensitive data: www.ftc.gov/infosecurity
Information Security Forum: www.securityforum.org
International Association of Privacy Professionals (IAPP): www.privacyassociation.org
ISO 27001: www.27000.org/iso-27001.html (links to 27002 – 27006 in navigation bar)
National Archives and Records Administration (NARA), Information Security Oversight Office (ISOO): www.archives.gov/isoo/
36 CFR Part 1228, Subpart K -- Facility Standards for Records Storage Facilities: www.archives.gov/records-mgmt/bulletins/2005/2005-07a.pdf
Sources and Resources (online), continued
National Association for Information Destruction (NAID) : www.naidonline.org
National Conference of State Legislatures (NCSL): www.ncsl.org/
National Institute of Standards and Technologies (NIST) Special Publications (800 Series): csrc.nist.gov/publications/PubsSPs.html
Society of American Archivists: www2.archivists.org/
American Health Information Management Association (AHIMA): www.ahima.org/
Health Privacy Foundation (University of Denver Sturm College of Law): www.privacyfoundation.org/
Office of the National Coordinator (ONC) for Health Information Technology: www.healthit.gov
Privacy Rights Clearinghouse, HIPAA Basics: Medical Privacy in the Electronic Age – Fact Sheet 8a: www.privacyrights.org/
US Department of Health and Human Services: www.hhs.gov
National Security Act: www.gpo.gov/fdsys/pkg/PLAW-110publ53/content-detail.html
Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001): www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf
Texas: https://www.oag.state.tx.us/consumer
Arkansas: http://ohit.arkansas.gov
Louisiana: http://www.lla.state.la.us
Oklahoma: http://www.odl.state.ok.us/lawinfo
New Mexico: http://www.cfb.state.nm.us
Sources and Resources (online), continued
United States House of Representatives: www.house.gov
United States Senate: www.senate.gov
European Union: ec.europa.eu
Canada: http://www.priv.gc.ca/leg_c/leg_c_a_e.asp
Australia: www.privacy.gov.au
China (PowerPoint presentation by Yue Liu, University of Norway, Faculty of Law): www.uio.no/.../Data_privacy_law_in_Asia_pacific%2008]%20(2).pp
Ponemon Institute: www.ponemon.org/
Mondaq: www.mondaq.com “Privacy” is one of a variety of topics from which to choose.
Digital Democracy: digital-democracy.org
Future of Privacy Forum: www.futureofprivacy.org/de-identification/
Electronic Frontier Foundation: www.eff.org
On The Media: www.onthemedia.org; “The Privacy Show”: www.onthemedia.org/2013/jan/04/ (a compilation of privacy-related shows)
Pogo Was Right.org: www.pogowasright.org (may contain ranting)
Also: newspapers; colleges and universities, especially law schools; LinkedIn.
One of the CISPA articles below was linked to an ARMA International group discussion post.
“CISPA passes U.S. House: Death of the Fourth Amendment?” Zack Whitaker for Zero Day, at http://www.zdnet.com/cispa-passes-u-s-house-death-of-the-fourth-amendment-7000014205/
“CISPA Amendment Banning Employers from Asking for Facebook Passwords Blocked,” Sara Gates, at Huffington Post at www.huffingtonpost.com/2013/04/21/cispa-amendment-facebook-passwords-blocked_n_3128507.html