Privacy Requirements Engineering in an Ever-Changing World
Fluxx®
Fluxx® Basics
Four kinds of cards: Action, Goal, Keeper/Creeper, Rule
To win, collect Keeper/Creeper cards and meet the requirements of the current Goal
Basic Rules: draw 1 card, play 1 card
Any player can change the Goal
Any player can change the Rules
Some Actions change the Rules
Non-players can join the game at any time by picking up three cards from the top of the deck
Actions
Keepers/Creepers
Goals
Rules
Fluxx® as a Metaphor
System objectives evolve – new Goals
System requirements evolve – new Rules
Some system attributes hinder achievement of some objectives – and system objectives sometimes compete
Actions of players (and the order of actions) are not predictable
Non-players routinely take actions that affect the system
Non-players can also change the rules
Traditional System Design
Game Table for Systems Fluxx®
What the Players Can Do
Change the goals
CRM database used for risk management
Customer data used for analytics, business intelligence
Take actions
Data enhancement, consolidation, outsourcing
Have breaches
Change the rules
New security standards
New client or regulatory expectations
Basic Rule: Security Programs
Have “reasonable security”
Reasonable security requires you to assess risks, have a written program to manage the risks with administrative, technical and physical controls, and train on the program
Scope of program can vary depending on the risks, the size of the company, etc.
The New Rule Requires
Specific policies (e.g., terminated workers, discipline)
At least annual audits
Secure user authentication protocols and access control measures, including “need to access” rules, unique IDs and secure passwords
Encryption of data in transit, on laptops and devices
System monitoring for unauthorized access or use
Up-to-date firewalls and OS patches for all systems connected to the Internet, up-to-date system security agent software with malware protection on all systems
Train employees on the proper use of the computer security system and the importance of personal information security
New Rule: Securing PHI
The only valid encryption processes for data in motion are those which comply, as appropriate, with NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS); SP 800-77, Guide to IPsec VPNs; SP 800-113, Guide to SSL VPNs; or FIPS 140-2
Electronic media must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization
New Rule: Post It!
Basic Rule: Security Breaches
Notify individuals promptly if they are at risk of harm because their sensitive personal information has been exposed to unauthorized third parties
Understand the Basic Rule
A “breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business
Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure
New Rules: Redefine “Breach”
New Definition of “Breach”
The FTC’s rule defines “breach of security” as the acquisition of identifiable information “without the authorization of the individual”
Unauthorized acquisition is presumed from unauthorized access, unless you have “reliable evidence” showing otherwise
“…no breach has occurred if an unauthorized employee inadvertently accesses a PHR and logs off without reading, using or disclosing anything. If the unauthorized employee read the data… he ‘acquired’ the information, thus triggering the notification obligation…”
These New Rules Require
Protect paper as if it were electronic media
Guard against internal disclosures with the same rigor as external disclosures
Protect non-sensitive data with the same controls as sensitive data
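The FTC passage above turns on evidence: acquisition is presumed from access unless the log can show that the record was opened and the session closed without anything being read. That is only possible if the audit trail distinguishes retrieving a record from rendering or exporting it. The following is an added example, not code from the presentation, that triages a PHR audit log into "access-only" and "acquisition" pairs along those lines; the log format, action names, user names and authorization table are all constructed for the example. It also handles the failure mode a practitioner will meet first: a log that cannot tell open from read supplies no rebuttal evidence, so every unauthorized access stays presumed acquisition.

```python
"""Added example, not from the presentation: classify unauthorized record
accesses as 'access-only' or 'acquisition' following the FTC reasoning
quoted above.  Log format, actions, users and AUTHORIZED are constructed."""
from collections import defaultdict

# Constructed audit log: "<timestamp> <user> <action> <record>".
# login/logoff carry no record; open = record retrieved; view = contents
# rendered to the user; export = contents downloaded.
SAMPLE_LOG = """\
2013-03-01T09:00:01 nurse01 login -
2013-03-01T09:00:05 nurse01 open rec-1001
2013-03-01T09:00:06 nurse01 view rec-1001
2013-03-01T09:05:00 nurse01 logoff -
2013-03-01T09:10:00 clerk07 login -
2013-03-01T09:10:04 clerk07 open rec-2002
2013-03-01T09:10:05 clerk07 logoff -
2013-03-01T09:20:00 clerk07 login -
2013-03-01T09:20:10 clerk07 open rec-3003
2013-03-01T09:20:12 clerk07 view rec-3003
2013-03-01T09:20:30 clerk07 export rec-3003
2013-03-01T09:21:00 clerk07 logoff -
"""

# Constructed authorization table: records each user may legitimately read.
AUTHORIZED = {"nurse01": {"rec-1001"}, "clerk07": set()}

# Actions that show the data was actually read or taken, i.e. acquired.
ACQUISITION_ACTIONS = {"view", "export"}


def parse_log(text):
    """Parse the whitespace-separated log into (ts, user, action, record) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, record = line.split()
            events.append((ts, user, action, record))
    return events


def triage(events, authorized, log_records_reads=True):
    """Classify every (user, record) pair where the user lacked authorization.

    log_records_reads: whether the audit system distinguishes opening a
    record from reading it.  When it does not, the absence of a 'view'
    event proves nothing and the presumption of acquisition stands.
    """
    actions_by_pair = defaultdict(set)
    for _ts, user, action, record in events:
        if record == "-" or record in authorized.get(user, set()):
            continue  # no record involved, or an authorized use
        actions_by_pair[(user, record)].add(action)

    verdicts = {}
    for pair, actions in actions_by_pair.items():
        if not log_records_reads or actions & ACQUISITION_ACTIONS:
            verdicts[pair] = "acquisition"   # presumed; run the notification analysis
        else:
            verdicts[pair] = "access-only"   # the log itself is the rebuttal evidence
    return verdicts


if __name__ == "__main__":
    for pair, verdict in sorted(triage(parse_log(SAMPLE_LOG), AUTHORIZED).items()):
        print(pair, verdict)
```

On the constructed log, clerk07 opening rec-2002 and logging off immediately comes out as access-only, while the open/view/export of rec-3003 is an acquisition. Run with `log_records_reads=False` the same rec-2002 event becomes an acquisition, which is the practical lesson of the rule: the cost of not logging at read granularity is that every inadvertent access is a notifiable breach.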
New Rule: Speed it Up!
Proposed New Rule: Apply Expanded Breach Requirements to Everyone in Europe!
Basic Rule: Children’s Data
Commercial website operators that collect PI from children under 13 must obtain verifiable parental consent
Applies to websites that target kids and general interest sites if the operator knows that kids are providing PI
The New Rule
Expands the definition of "personal information" to include persistent identifiers, device IDs, geolocation data, images
Expands the definition of "website or online service directed to children" to clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service
Requires websites that appeal to children and adults to age screen all users
Basic Rule: EU Data Processors
Only controllers make decisions about data processing, but…
Contractual authority of processor to subcontract could historically be reasonably inferred from the circumstances in connection with the performance of the services
The New Rule Limits Processor and Controller Discretion
Every instance of subcontracting by a data processor must be approved in writing by the EU-based data controller
New model contract terms do not differentiate between affiliates and 3rd party processors
Controllers’ liability for failure to supervise sub-processing activities is increased
Fluxx® Expansion Decks
Security Expansion
Monster Mandate Pack
Additional required controls – as a matter of law and contract
Rules vary with geography
Time to comply may be short
Standards for vendor due diligence and management – customer security certification requirements
Expanded definition of “breach”
Expanded liability for breaches
Consumer Protection Expansion
Redefining Harm Pack
Minimum necessary rules
Additional privacy and security notice rules
Specific collection/use/disclosure rules – e.g., for secondary uses
Additional limits on collection, use, disclosure of marketing data, pre-employment screening data, etc.
Data Protection Expansion
Geographic Considerations Pack
Consolidation efforts must account for all possible local requirements and build to the “most restrictive”
Additional limits on data transfers
Regulatory focus on data security
Regulatory focus on data retention
Conflicts of laws become more pronounced
Customer uncertainty about subjecting data to foreign legal requirements
It’s Not Just Europe
RED = country with a comprehensive data protection law
ORANGE = country with a partial data protection law
YELLOW = country with a draft data protection law
BLUE = country with broad sectoral privacy regulations
Brazil is currently blue, but considering a comprehensive data protection law
Final Thoughts
More Productive Final Thoughts
“Compliance by Design” has always been complicated – users can barely articulate the basic rules/objectives for a simple system on a good day, and the rules keep changing
For data-centric products:
The rules are going to continue to change, often drastically and in real time
Non-players are going to continue to impact the requirements
Must respond strategically – piecemeal is too hard
But that’s why the game is so much fun!