
Friday, February 17, 2012

Policing in the Digital Revolution

Session 13 - Keynote Speaker

Dale McFee, President, Canadian Association of Chiefs of Police


The police of Canada are active players in the digital revolution.
There are four goals here for the CACP:
Quality of service
The public's right and responsibility to participate
Innovative solutions to crime and public order
Community partnerships

The CACP is not a privacy advocate, but a very interested party in access to information in alignment with those four goals.

Four areas of the CACP relate to privacy and security:
Counter terrorism and national security
Electronic crime
Emergency management and informatics
Law amendments committee

"... The police are the public and the public are the police."
Sir Robert Peel was quoted to make the point that policing the electronic domain is not exclusively the domain of the police; the public must contribute and participate. Case in point is the widespread use of portable digital recording devices such as phones and cameras.

Digitally recorded information from the public shifted the perspective of the police as to who were the instigators of the Stanley Cup riots.
Hackers recently outed NeoNazi groups in Canada to the RCMP and prevented hate crimes.

Court acceptance of digital evidence varies by region and by individual judge, as the law is vague and open to interpretation. Police will continue to test the bounds of digital privacy in the interest of keeping peace and preventing crime, while respecting the Canadian Charter of Rights and Freedoms. That document is silent on the right to privacy, or at best vague.

PI is not defined in the Criminal Code of Canada.

Information is claimed as the lifeblood of policing, so the plea is for access to the information desired. The police are asking for checks and balances but not roadblocks. The need for privacy is acknowledged, but the need for information is vital. Lawful access debates have been going on for 10 years, and the police are asking for a balance between privacy and safety.




- Posted using BlogPress from my iPad

Location:13th Privacy and Security Conference

Privacy, accountability and the digital revolution

Luncheon Keynote Address
(Salon AB)

Elizabeth Denham, Privacy and Information Commissioner of British Columbia

Privacy, accountability and the digital revolution
Just as the computer revolutionized how we work and the internet revolutionized how we connect with people, we must revolutionize the way we think about privacy in today’s digitized world.
Join B.C.’s Information and Privacy Commissioner Elizabeth Denham for an engaging discussion about how we fuse privacy with technology as the digital revolution unfolds, including case examples and practical tools to help organizations demonstrate their compliance with B.C.’s privacy laws.

This year marks the 20th anniversary of our privacy legislation. No one predicted how technology would transform our lives. In June 1993 there were 130 websites, Mosaic was brand new as a graphical browser, the Apple Newton was released, and the US White House had 2 email addresses.

Today 1/3 of the world population is online, and the number of people seeking to mine the data of our online transactions is growing rapidly.

Privacy is not an add-on or upgrade, nor is it a lens applied to data moving across borders. Privacy must be part of an organisation's DNA.

We are all encouraged to be proactive about privacy, not reactive. Last year, her team was split into an investigatory group and a development team that looks forward to guide organisations and individuals, as well as helping the Office be proactive.

The topic of SmartMeters was discussed; the investigation led to the discovery that Hydro did not provide their customers with adequate notice of their intent. The question was not only is Hydro complying with privacy laws, but can they manage the data they collect. BC Hydro is complying with all 13 recommendations.

The Playoff Riot is the next topic, and ICBC's offer to leverage facial recognition to identify rioters. This led to a realisation that most BC citizens did not know ICBC had and used this technology. The data matching offer was denied because it did not align with the original intended use of the technology. ICBC's data and privacy management program was subsequently reviewed, and recommendations have been reported.

Both of these show the value of strong data governance.

BC's movement into IDM is exciting in our national leadership, but the people, policies, and practices to ensure privacy is baked in have been, and continue to be, essential to this effort.

Tools are becoming available to all organisations for the development of privacy policies and incident response. This relates to the workshop I attended Wednesday morning. In all situations the bottom line of privacy protection is accountability.

An accountability tool was announced: "Getting accountability right for privacy management frameworks" is a document that will be publicly available in two to three weeks.

Bill C-30 combines previous bills that failed to pass the House. Police and other authorities are granted access to private information with much lower thresholds of access controls than ever before, Canadians' fundamental rights to privacy and confidentiality are at risk, and concerns about lawful access need to be raised with your MPs. Elizabeth clarified that she has concerns about the bill as it stands, and that should be a consideration for us all.



Cyber Security Panel Debate

Panel B: Cyber Security
(Theatre)

Privacy and security are truly symbiotic, yet because each has its own focus and proponents, there is often contention. This esteemed panel of experts will work towards ending some of that conflict. We will begin with a simple question: What are the top 3 things that security experts can offer the privacy sector that have not yet been adopted or integrated? Why are they so important and how can they benefit the goals of privacy professionals? In a PowerPoint free setting, this issues-oriented panel is designed to be highly interactive, encouraging audience questions and spirited debate so attendees come away with new insights and approaches.

Moderator: Winn Schwartau, President, Interpact Inc. Author of Information Warfare, Cyber Shock, Time Based Security & Internet & Computer Ethics for Kids
Speakers:
1. John Engels, Group Product Manager, Enterprise Mobility Group, Symantec
2. Robert Dick, Director General, National Cyber Security Directorate
3. Steve Hutchens, Director, Global Government Industry, HP
4. Paul Laurent, Public Sector Director of Cybersecurity Strategy, Oracle Canada
5. Eddie Schwartz, Chief Security Officer, RSA

Our moderator starts with a position on the critical infrastructure interdependencies between nation states, and the related privacy issues.

Robert rebuts the moderator's proposal that the US invade Canada to protect power reserves with a reference to the 100th anniversary of the war of 1812.
Robert moves on to note the seriousness of command and control infrastructure and the protection thereof, in addition to the protection of Canadian citizens' privacy. The solution proposed is to not go it alone as a nation state, but to partner wisely to protect national security. Suspects are nation state actors as well as private criminal organisations, and failures of infrastructure that may be out of the direct control of Ottawa require clarity of communications between business and government, not draconian government actions. Debate on these topics to find collaborative opportunities is encouraged. We need to understand where the responsibility lines are drawn between public and private sectors for protection against risk to all the infrastructures that support the functioning of our nation.

It is proposed that 70-80% of successful attacks can be defended against by proper infrastructure maintenance (patch management, security controls, audit, etc.), but there is a small but vital percentage of very determined and well-backed attackers against whom there is no easy defence, so we need a capable and prepared response.

John spoke to the risk of mobility not just to the PI of average citizens, but to those in positions of power and leadership in industry and government; consider the risk of the bad guys knowing where the PM's kids are or will be.
There is also a need to be able to manage and secure not only what information is taken, but what information leaks due to unaware consumers of mobile platforms using the technology improperly. Tools and applications are great, but awareness and education are core. John claims that as an industry we must be more advanced in how we manage mobile devices and the data that moves back and forth to them; an auto-delete button at central control is great, but not an ideal solution for the consumer.

Steve brings a different perspective, and states that the soft part of IT security is around policy and must be kept in the context of the need to use or populate that information in a crisis to maximise the well-being of citizens. Understand who your customers and consumers are, who might want to obtain that information, and why. Steve considers that this is at the root of risk analysis and management. Balance all of this with appropriate access to the information for the right people at the right time, and be prepared to do this with minimal interference in a critical situation. Steve cites the example of physicians bypassing network security for ease of access when working remotely from the site where the EMR systems are, and that our policies must bridge the need for access with the need for privacy. Steve proposed the concept of "secret shoppers": employees who will share their feedback on the security of the operational infrastructure and the availability of the information they need.

Paul feels that data classification is the starting point of calculating risk, as you must know what you have before you determine how best to protect it. The extension nationally is how much effort we should place on critical infrastructure versus how much we protect the civil liberties of Canadians. Paul states that in the privacy discussion the people involved should be outward facing, as public trust is at the core.

Eddie has three points to share, to consider security from a perspective of control and visibility.
The first point is that security is broken. Investing more in technology does not really raise the security level. The prevention game is a game of catch-up, but detection and response is a far more useful place to invest. Step back and ask: what do I have today that was relevant 10 years ago, and what is relevant today? Rethink information security.
Second, if we think there are changes needed in the doctrine of security management, make them. How do we measure usefully our risk level? Almost all metrics available are arbitrary, and don't consider all assets at relative values to the organisation. Eddie cites the recent RSA breach, and asks what was the actual objective? What are your high value assets to you, to your customers, and to the attackers? What is your ability to collaborate outside your organisation in response and in preparation? What is your ability to take what you learn about an adversary or the value of your assets and apply that knowledge dynamically to improve your security stance?
This segues into the third: how do you evaluate your performance metrics? Rate yourself on your effectiveness and continue to move that bar. We can't have compliance be the driver for security and privacy programs; we have to get security right first.

The topic of graceful degradation was brought up by Winn: how much can we consider shooting back as a mechanism of protection? The answer proposed is layers and segregation as a defence concept. Adaptive network defence is also brought up, but that carries the risk of creating your own DoS on yourself. The rush to shut down, re-image, and take other reactive actions is a risk to your business continuity; you need to understand the attack vector and respond accordingly to balance protection and service delivery. Paul brings up a really valid point, which is "what does normal look like?", as a necessary understanding of our own enterprises so that we can not only detect, but understand the scope and impact of, and assess the correct response to, any information incident.






The Elements of a Data Governance Program: People, Practices, Policies and Technology

Joe Alhadeff, Vice President for Global Public Policy, Chief Privacy Officer, Oracle Corporation
(Theatre)
The Elements of a Data Governance Program: People, Practices, Policies and Technology
This keynote will focus on the evolving needs of organizational governance and accountability. Governance and accountability are multifaceted concepts that must be applied in ways that are accessible to the individual, credible at the level of the organization and extensible across the ecosystem. The elements of such a program are based in organizational policies and processes, the technology that supports them and the people that oversee and implement them. Today’s accountability and governance program must be developed collaboratively across disciplines to assure that each element supports and underpins the other. Where technology may have limitations in securing data beyond the transaction, policies, processes and contracts may supplement. Technology may support policies and processes through identity management, rights allocation, audit and other tools. When all of these elements function together the whole is greater than the sum of its parts. As part of this keynote we will also consider trends in Canadian law and practice as well as specific applications of technology in identity and privilege management.

Global data flows and big data can be "something really cool and marvellous that happens when you get enough data together" or they can be Big Brother.

Privacy questions span generations, but change as generations do; again, the theme is the continuously moving target of privacy definitions and requirements, with which legal bodies are continually playing catch-up.

"Canada has the PhD on accountability" when it comes to privacy leadership worldwide. We are moving from a compliance of objects to an accountability and governance approach.

At the core of privacy and data management, we are tasked with getting the right data to the right people at the right time. This is reflective of the Wednesday morning workshop I attended at the conference.

Reference was made to the TAS3 project in the EU: Trusted Architecture for Securely Shared Services. This is a PPP project where technology, governance, law, and policy were co-developed in support of privacy and security. Technology assures the first hop, but law and policy fill the ecosystem and value chain gaps.

A visual was shared: a sign from Quebec that reads "fair-play SVP". Being prepared means being a good neighbour and playing fair, and successful preparation for information management involves:
Stewardship of information
Transparency
Controls
Proof/audit/testing
Information lifecycle
Training
Learning organisation

We are encouraged to look at compliance as an opportunity; privacy impact assessments must be user friendly to be valuable. Make it an opportunity to learn, and teach. Security and privacy are visualised as a Venn diagram, and we want to operate in the sweet spot, which is compliance, which optimises operational costs in the long term. Have the backend understand compliance, and governance bodies understand security.







Know Your Enemy: Understanding the Threat Landscape, Challenges, and Best Practices

Cheri F. McGuire, Vice President, Global Government Affairs & Cybersecurity Policy, Symantec Corporation
Know Your Enemy: Understanding the Threat Landscape, Challenges, and Best Practices
Sensitive information is under attack from a wide variety of sources, including well-meaning insiders, organized crime rings, nation states and advanced persistent threats (APTs). The private and public sectors are facing a changing information technology landscape that sees more information stored on smart phones, tablets and cloud services. Tiffany Jones will discuss the current global threat landscape, identify key security challenges, and apply critical best practices and solutions to protect your environment.

Key trends and security drivers
1. Sophisticated attacks
97% of 2009 breaches used customised malware
75% of enterprises reported a cyber attack
2. Complex and changing infrastructure
More than 1B mobile devices connected to the Internet
Cloud computing expected to double by 2014, enterprise architectures at greater risk
3. Information explosion
Corporate info grows by 66% each year
4. Consumerisation of IT
BYOD, telecommuting, and the opening of corporate and public service networks to greater risks

Trends changing the threat landscape
1. Moving from a signature model to a reputational model
2. Desktop to mobile
3. Physical to virtual

Security must move from system-centric to information-centric approaches in order to adapt and protect.

Threat landscape trends, as noted in a report to be published in two months:
1. Targeted attacks continue to evolve
2. Social networking leveraged via social engineering
3. Hide and seek: 0-day vulnerabilities and rootkits
4. Attack kits are becoming more easily leveraged and accessed and complexity of attack is simplified in delivery
5. Mobile threats are increasing dramatically, as the PI on mobile devices is a high value target

Symantec is proposing that hacking remains the highest impact breach type, and the average cost to resolve is $7.2M. I think these numbers are inflated by a small number of high profile attacks, and think that insider attacks deserve far more attention. This smells of marketing scare tactics to sell security tools.

Mobile devices are noted as being primarily subject to trojans as the preferred attack vector, and often these are tied into social media avenues to gain access to PII and PCI; this I agree with.

Critical infrastructure (SCADA) attacks are cited by Symantec as an increasing risk area. In reality these have always been high risk; it's simply increased awareness of this now, I would suggest.

Device management, device security, content security, and identity & access are the defences against mobile threats proposed by Symantec. I wonder if they sell any products that do this? Yes, that was sarcasm.

The bottom line was to present a layered and clear security technology approach, with which I can agree, but I would, in parallel with the technologies, place increased focus on building both awareness and governance.

And at the tail end of the discussion, Cheri comes to plans and policies, so now we are in agreement. She suggests we start with governance with policies and plans socialised and established in the enterprise, including security requirements being built into acquisition contracts, buying from trusted sources, effective backup and recovery plans, and support for setting and enforcing security policies from the top of the organisation.

Cloudsecurityalliance.org, onlinetrustalliance.org, SAFECode.org are cited as useful sources for preparedness and practice planning.

The suggestion came for collaboration between the public and private sectors to increase visibility, adaptability, and optimisation of plans, policies, and preparedness.



PII & the Law

Session 9 – Keynote Speaker

Daniel J. Solove, Professor of Law, George Washington University Law School
and Paul Schwartz, Professor of Law at the University of California, Berkeley School of Law.

Personally identifiable information (PII) is one of the most central concepts in information privacy regulation. The scope of privacy laws typically turns on whether PII is involved. The basic assumption behind the applicable laws is that if PII is not involved, then there can be no privacy harm. At the same time, there is no uniform definition of PII in information privacy law. Moreover, computer science has shown that the very concept of PII can be highly malleable. Because PII defines the scope of so much privacy regulation, the concept of PII must be rethought. Professors Paul Schwartz (Berkeley Law School) and Daniel Solove (George Washington University Law School) will argue that PII cannot be abandoned; the concept is essential as a way to define regulatory boundaries. Instead, they will propose a new conception of PII, one that will be far more effective than current approaches.

Daniel is the founder of the organisation TeachPrivacy.

They introduced themselves as the Bert & Ernie of the privacy world.

Technology changes the meaning of PII; it is a moving target. It is a central concept in privacy law, and is often the trigger for when privacy law applies. Unfortunately, there is not a consistent definition of or approach to PII in the law.

The three approaches to PII in the US

Tautological approach
PII is information that identifies a person. This is not particularly useful, as it is circular logic. Then the question of identified versus identifiable means the burden of proof is upon the claimant to prove that the information clearly identified them, not merely that it is at risk of identifying them.

Non public approach
The problem here is that there is actually no clear definition of what non public actually means. There is a huge grey area, and this becomes an ineffective trigger.

Specific types approach
This is a rule, as opposed to the prior two standards. It attempts to enumerate the specific PII types and list them. The children's PII act does this in the US. The problem here is that this is a static and inflexible approach being applied to a moving target. Many of these statutes become under-inclusive when it comes to information that actually could identify a person.

PIPEDA uses the term identifiable data, and is fairly broad in its application to PII. The problem is now less the definition than that the approach becomes all or nothing under Canadian legislation. This mirrors EU legislation.

Problems of de-identification.
Case in point is the NetFlix survey contents, where supposedly anonymous data in the survey was readily identified by a third party research group, by cross correlating against data publicly available in IMDB.

We are seeing more and more data about people out there, and the ability to link it up to create correlations is becoming easier. The more information you have on the Internet, the harder it is to remain anonymous. The claim is that the combination of a zip code, birthdate and gender can identify 80% of the US population; my seatmate, a seasoned privacy expert, quietly calls BS on that claim at our table.

The scholars provide us with a spectrum of risk of identification based on their theory.

A U of Colorado prof is quoted as comparing PII to a game of whack-a-mole, and states that we should instead regulate the flow of information. However, without some concept of PII, privacy law has to regulate all data, not just the sensitive data.

Google Flu Trends is cited as an example of the use of de-identified PII in the medical field as a public service.

PII 2.0 is the proposed solution to these dilemmas, based on three tenets:
Identifiability is a continuum of risk.
Approach should be as a standard, not a rule.
Privacy should not be a hard on/off switch, but a tailored solution.

There are three categories of PII in this theory, moving from the current two categories.
Identified - the PII has been ascertained and the information must be protected. This also covers identifiable data where there is a significant probability of linkage to a specific person.
Identifiable - specific identification is possible but has not yet occurred, and this data must also be protected and audited.
Non-identifiable - only a remote risk of identification; the need for protection of the data is minor.
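As an added illustration of the linkage risk described above (zip code, birthdate and gender as quasi-identifiers, as in the Netflix/IMDB example) and of the PII 2.0 continuum, here is a small k-anonymity style check written for these notes; it is not code from the speakers or the conference. The records are constructed, and the mapping of group size k onto the identified/identifiable/non-identifiable tiers (k of 1, up to 5, above 5) is an assumption of this example, not part of the talk.

```python
"""Re-identification risk check over a constructed data release.

For each record, count how many other records share the same combination of
quasi-identifiers. A combination held by exactly one record can be joined to an
outside dataset (the IMDB-style linkage) and is effectively identified; small
groups are identifiable; large groups carry only a remote risk. The same check
is then re-run after coarsening the quasi-identifiers, which is the
de-identification step a publisher would apply before "release".
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample records (no real people): three quasi-identifiers the
# talk mentioned plus one sensitive attribute the release is meant to protect.
RECORDS: List[Record] = [
    {"zip": "90210", "birthdate": "1985-03-14", "gender": "F", "diagnosis": "asthma"},
    {"zip": "90210", "birthdate": "1985-03-14", "gender": "F", "diagnosis": "flu"},
    {"zip": "90211", "birthdate": "1985-03-14", "gender": "F", "diagnosis": "flu"},
    {"zip": "90212", "birthdate": "1990-07-02", "gender": "M", "diagnosis": "asthma"},
    {"zip": "90213", "birthdate": "1990-11-30", "gender": "M", "diagnosis": "flu"},
    {"zip": "90214", "birthdate": "1990-01-09", "gender": "M", "diagnosis": "flu"},
    {"zip": "90215", "birthdate": "1978-05-21", "gender": "F", "diagnosis": "asthma"},
    {"zip": "90216", "birthdate": "1978-08-08", "gender": "F", "diagnosis": "asthma"},
]

QUASI_IDS: Tuple[str, ...] = ("zip", "birthdate", "gender")


def qi_key(record: Record, quasi_ids: Sequence[str]) -> Tuple[str, ...]:
    """The quasi-identifier combination an outside dataset could be joined on."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records: Sequence[Record], quasi_ids: Sequence[str]) -> Counter:
    """Count records per quasi-identifier combination (the k of k-anonymity)."""
    return Counter(qi_key(r, quasi_ids) for r in records)


def anonymity_level(records: Sequence[Record], quasi_ids: Sequence[str]) -> int:
    """Smallest group size: the release is k-anonymous for this k."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records: Sequence[Record], quasi_ids: Sequence[str]) -> float:
    """Share of records that are alone in their group, i.e. directly linkable."""
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for r in records if classes[qi_key(r, quasi_ids)] == 1) / len(records)


def risk_category(k: int, identifiable_max: int = 5) -> str:
    """Map a group size k onto the three PII 2.0 tiers.

    The threshold (k <= 5 counts as identifiable) is assumed for this example.
    """
    if k == 1:
        return "identified"
    if k <= identifiable_max:
        return "identifiable"
    return "non-identifiable"


def classify(records: Sequence[Record], quasi_ids: Sequence[str]) -> List[str]:
    """PII 2.0 tier for every record, in input order."""
    classes = equivalence_classes(records, quasi_ids)
    return [risk_category(classes[qi_key(r, quasi_ids)]) for r in records]


def generalize(record: Record, zip_digits: int = 3, date_chars: int = 4) -> Record:
    """Coarsen quasi-identifiers before release: zip prefix, birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    out["birthdate"] = record["birthdate"][:date_chars]
    return out


def generalized_release(records: Sequence[Record], **kwargs) -> List[Record]:
    """Apply generalize() to every record; the sensitive attribute is untouched."""
    return [generalize(r, **kwargs) for r in records]


if __name__ == "__main__":
    for label, data in (("raw", RECORDS), ("generalized", generalized_release(RECORDS))):
        print(label, "k =", anonymity_level(data, QUASI_IDS),
              "unique =", unique_fraction(data, QUASI_IDS),
              "tiers =", Counter(classify(data, QUASI_IDS)))
```

On the raw records 6 of 8 are unique on (zip, birthdate, gender), so the release is only 1-anonymous; after coarsening to a 3-digit zip prefix and birth year no record is unique and k rises to 2, which is the "track and audit" measurement the talk asks for rather than "release and forget".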

The speakers cite the dangers of the "release and forget" approach, and agree that there is a need for a track and audit approach coupled with risk assessments for identified and identifiable data.

This approach is compatible with the methodology of privacy by design, embedding privacy constraints and models into technological design and business practices.

Summing up, the presenters state that there is still great legal uncertainty about the concept of PII on a world-wide basis, and it is hard to predict the impact of privacy law on business, and therefore it is a source of business risk.

In the end, the PII 2.0 concept is about the taxonomy of PII, intended to help organisations to understand if they are subject to privacy laws or not per geo-political boundaries and constraints.

One delegate challenged that creating these categories in a vacuum from practical application is of limited value. The response was that the first two categories put the onus on the regulatory regimes and business to be responsible about how they classify data.

Questions were raised on the practicality of data moving from one category to the other over time, and how this could be managed from a track and audit purpose. The response was de-identification should be the rule, not the option for organisations holding data that is to be published. I'm uncertain this really answered the question.

The discussion was fairly esoteric, and likely provides something of use within legal circles, but moderate to low value in practical application in the technology world until legislation applies clearer boundaries to the PII containers, which is what these gents are trying to encourage.





Thursday, February 16, 2012

20 in 2012: The Top Privacy Issues to Watch

Trevor Hughes, President and CEO, International Association of Privacy Professionals
(Salon AB)

20 in 2012: The Top Privacy Issues to Watch
Privacy has long been an important part of any information protection program; however, new potential laws and shifts in the landscape are creating new challenges and business imperatives for privacy, security, IT and legal professionals. Organizations and companies are under more pressure than ever to develop and explain strong privacy practices. From calls for a ”Do Not Track” tool to requiring concepts of Privacy by Design and potential new data breach notification rules, there are many new priorities to consider. J. Trevor Hughes, president and CEO of the world’s largest association of privacy professionals, will cover the top privacy policy and technical developments to watch in the coming year.

EU proposed regulations
First major review of the existing regulations.
First aspect of this is the right to be forgotten, including data portability to take it from a vendor and move it with you. This is a challenge to implement. There is also the right to delete, or expunge their data from any place it might be stored.
Europe is looking for streamlined jurisdiction; the European main site of your business will be authoritative for the regulations you must comply with.

E-Privacy Directive
This EU directive (the cookie directive) says if you set or read information on a client device you need to get consent for that. This will be untenable for the end user with today's web browsing technologies. The regulators are debating still what this will actually mean. Browser controls permitting cookies may be the loophole for this.

FTC Staff Report
The US has been struggling with their privacy regulator, and an analysis of privacy issues (including online privacy but not exclusively) has resulted in a draft framework report. It should be released in the next 6 weeks, and is expected to include the idea of operational privacy; it becomes a business concern, it is baked into business controls in each enterprise/organisation. This accepts that there are implied consent items, within the boundaries of reasonable privacy expectations between the consumer and the enterprise.

Do not track is hugely accepted, switching off online tracking being an option for all browsers. Browser manufacturers are already on this, and we can see more of this available later this year.

The FTC accepts that there is a new type of data called consumer data; data that relates to a particular consumer, but is not identifiable. The definition of this will be in the paper.

The US Dept of Commerce has a white paper report coming (called a green paper until it is released in 6 weeks) and are playing chicken with the FTC on who will release first. The Obama administration is willing to consider a privacy bill of rights, and a recognition that law cannot answer every question, therefore industry needs a code of conduct.

Notice of security breach is catching on like wildfire since it started in California. The current state of this provides a patchwork quilt of responses because each state's legislation is unique. Industry is pushing for a standardised approach to simplify. The strength of this policy is that it is consequential rather than prescriptive, and therefore has increased the use of encryption, for example.

Art called FaceOff by an Italian artist illustrates the layers of persona that social media encourages of the populace.

Facebook's IPO filing listed privacy more times than any other risk, showing that social media giants recognise the risks, but aren't yet really doing anything because we are not voting with our fingers.

Online behavioural advertising, where via cookies you are tracked across sites for your interests and behaviours. Self-regulatory efforts are starting to see some traction. The Digital Advertising Alliance is starting to see some maturity.
Consumers value privacy, but we have trouble setting that value to more than 50 cents off a cheeseburger.

Mobile devices, and the privacy considerations for mobile apps. Industry must accept and respect privacy because people are beginning to vote with their fingers, and it is easy to delete an app that violates our trust.

Geo-data sensitivity is an awareness that is growing with the consumer marketplace. Most devices that deliver your geo-data to other parties do so with no knowledge of the device user.

Cloud computing continues to be a controversial topic, because the information economy knows no jurisdictional boundaries. Data transfer rules and privacy expectations are not automatically compatible with the needs of making functional use of the cloud concept.

Emerging markets are introducing privacy laws; Mexico, Brazil, Argentina and India are all creating privacy laws that face outwards more so than inwards, to protect the outsourced business processing industry.

Regulatory risk is where the rubber hits the road for privacy and security. Regulators around the world are seeking and obtaining more powers than they have ever had to enforce data protection. The FTC is becoming more aggressive in going after privacy violating organisations.

Class action risk also grows, NetFlix settled for $9M in the US this week, for their data collection practices. The barrier has been the issue of harm, but a number of judges are starting to show a willingness to close their eyes to allow the cases to progress to the point where a settlement occurs. Watch the US market and the reactions to these law suits.

Brand risk is more amorphous but it is growing in awareness, as most major publications are establishing beat reporters for privacy topics specifically. As many as 500 stories per day globally are published with respect to privacy issues, so the brand risk is growing as media is slavering for the next big story.

Privacy by design and default is necessary because of these risks. Privacy cannot be an option, or an afterthought bolted onto the infrastructure.

Accountability is necessary through metrics, audits, controls, and generally taking information and managing the data in your enterprise seriously.

Everyone is talking about big data because it is solidly in place, and every role dealing with big data is in some respect a privacy role. Privacy needs to have complete oversight over big data collection, storage, use, and management. Big data is driving big jobs that require privacy knowledge and awareness.

We are all privacy professionals: if you touch data, information security, or systems that touch data, you need to understand privacy to an adequate level to react correctly when any issue arises.

Stay aware, track the EU framework, FTC report, and the risk environment. Build privacy before launch, operationalise privacy into your organisation. Build response plans, and train your organisation.


- Posted using BlogPress from my iPad

Location:13th Privacy & Security Conference

Mobile Privacy and Security – The Perfect Storm

Panel A: Mobile Privacy and Security – The Perfect Storm
(Salon AB)
Moderator: Jill Clayton, Information & Privacy Commissioner, Province of Alberta
Speakers:
1. Chris Conley, Technology and Civil Liberties Fellow, ACLU of Northern California
2. Alex Manea, Security Product Manager, Global Security Group, Research In Motion
3. Kofi ???, Sales Systems Engineer, McAfee, Inc.
4. Stewart Cawthray, Chief Security Architect, IBM Global Technology Services

There were opening statements from each of them.

Chris began by sharing that smartphones hold a unique set of data that makes them a different paradigm from computers or cell phones. The smartphone was designed as a communications device that is constantly connected and constantly sharing information.

For example, Angry Birds (Rovio) has complete access to your iOS contact list. This was undisclosed and is an issue of transparency and control. I need to know if my information is being accessed, stored, and used. Apple has a responsibility for providing an API that allowed this, Rovio for leveraging it, and the users for unwittingly consenting. Organisations should be held responsible for clear declaration and transparency of their intentions and actions. As a developer you need user trust to be successful long-term.

Alex thanked Chris for going after Apple. RIM experienced a paradigm shift in its security policies, as it began as a corporate service provider and had to shift to become more aware of consumer risks and concerns.

Your mobile device management strategy should start with what you do for your non-mobile assets and laptops. The additional key considerations are physical security and loss, and the fact that usage of mobile devices is not often contiguous, so security credentials often get simplified for convenience of device use.

First, consider the platform itself; the basis of all security should be embedded in the platform. Second, your users want to download applications, and in some cases need to, so have a strategy for optimising the use of applications. Third, decide how you are going to manage the deployment of the devices; the more you mix deployment strategies, the more overhead you create and the more risk of something going wrong.

Kofi noted that a bridge from user experience to security policy is one of the greatest challenges in BYOD.

Stewart opened with the dichotomy between mobile devices and laptops, insomuch as BYOD didn't really kick in until smartphones and related tablet technologies became consumerised. The desktop and laptop market is primarily one OS, Windows, with some Apple and a tiny bit of Linux. The mobile platforms are far more diverse, not necessarily in the overall count of players, but in the more equal distribution of platforms and the increased likelihood that you will need to support four OSs.

You don't plan to have a security breach, but when it happens you need to have planned. The question asked is, what do we have to do to stay out of the news? The reality is that we won't stay out of the news; the question is rather how we mitigate that story so that it is less "newsworthy" and we control the story, instead of the exploiters.

Fundamentally, your policy will dictate your security. Rely less on protecting the device, and more on protecting the data.

While the EULA may technically grant access to your personal information, expectations around transparency and reasonable use make this a legal grey area in Canada and the US. The app developers and platform developers have a responsibility, but not legal obligation, to provide that balance.

The question arose of whether there is a comprehensive online list of which apps leverage what data from your devices. The answer is not really, but the App Genome Project was a start on this that may have fizzled out by now. A different approach to this issue is to encourage the platform developers to give users the option to restrict information access by app and by information type (e.g. contacts, location, call history). This is a more likely technological scenario, and the platform vendors should be marshalled in this direction by consumer demand.

The concept of protecting the data more than the device was challenged well from the floor, on the basis that people don't have the level of insight into what data is where and what data is at risk, so it is a much simpler approach to lock the device itself. Debate ensued around the dilemma of balancing usability of personal devices with protection of corporate and private data.

My personal opinion here is that if users secured the devices to protect their own personal data as much as we'd like our corporate data protected, then there would be much less of an issue. It needs to be a multi-pronged solution, including educating our BYOD users about the risks to their own data as well as the private data they become couriers of, and encouraging the OS vendors to enable security management functionality and control to the API level for the device owners, and lastly, leveraging presentation and virtualisation technologies to keep the actual information in the data centre.


The impact of mobility, social networking, data breaches and intelligent analysis on privacy and organizational security

Michael Argast, Director, Western Canada, TELUS Security Solutions
(Esquimalt)
The impact of mobility, social networking, data breaches and intelligent analysis on privacy and organizational security
In a whirlwind 30-minute session, Michael will cover a wide ranging set of topics and talk about their impact on privacy, security and risk management. He will provide practical, straight forward advice on how to orient your organization’s policies and security investments to ensure privacy needs are met, while balancing open access, security and fiscal considerations. Topics covered will include bring your own device strategies, flexible workstyles, social networking, data breaches, change in threat profiles and more. This session targets those interested in privacy and security from a business or operational perspective.

Four trends Telus sees in the business environment:
Consumerisation of IT
Evolution of personal workstyles and employee mobility
Need to provide enterprise employees with access to data that is behind and beyond the firewall
Unequalled customer service quality

Privacy in mobility and security...
Who should get to know who your friends are?
Zynga is Facebook's biggest customer; you are the commodity Facebook sells them.
Overall, all organisations allow employees access to Facebook for personal use.
iOS applications have full access to your address book with no controls, other than access to publish in the App Store. Security controls are being provided to consumers to control this, but individuals need to stay on top of these threats to our privacy.

Who should get to know where you are and where you've been?
Again we discuss the location tracking concepts that are either published and acknowledged or not. Are there positive aspects to this information being available? Certainly, but consumers need to control access to that data.

Bill C-30
With a warrant, it requires backdoors to be built for browsing history and for Skype, Google Talk, etc., which may limit the availability of tech services and applications in Canada due to cost.
Without a warrant, law enforcement wants a long list of PII.
ALPR (Automatic License Plate Recognition) systems allow an officer to capture a license plate and do a system lookup. It leverages an MC grabber, which grabs all cell phone information in a geographic area. Combined with Bill C-30, this gives police the ability to track the movement of all private citizens.

About 90% of IT security breaches are not discovered by the company breached, but by third parties who are using big data correlation to build socio-economic profiles. What else are they doing with this data, though? As a corollary, organisations with more security technology in place report more breaches. They don't actually have more breaches; they are just more aware of the breaches occurring. So are you aware not only of who is coming in, but of what data is going out to third parties?


Richard Thieme - "Living in a Glass House when Everyone Has Stones"

Session 5 - Keynote Speaker

Richard Thieme, Author, Media Commentator and Speaker
"Living in a Glass House when Everyone Has Stones"
Identity-shift is well under way. When the context of our lives changes, all of the contents are jumbled, including who we think we are and meta-national structures. We can’t help thinking inside paradigms that emerged from prior technologies but we also can’t help acting as new paradigms demand. The end of secrecy and the end of privacy are two sides of the same coin. Hackers appoint themselves as a Fifth Estate, while security and intelligence professionals tell themselves a story that filters out as much reality as it allows in. But reality won’t go away, and protocols, policies, and legalities lag behind. Add “biohacking” to the mix and the weird turn pro, pros feel weird, and ... what can we do to stay in the game?

Richard introduced the importance of cross-disciplinary learning, and the networking concepts that support this, and that we don't need to know everything, but just how to get that knowledge.

A checklist of everything in the "cyber arsenal", and the motivations that should scare us, was worked through.

A black hat hacker is a hacker. A grey hat hacker is a wily hacker who will manipulate the truth. A white hat hacker is one who has put the truth down somewhere and forgotten where it was.

Nation state no longer means what it once did; the boundaries were drawn for purposes that have since disintegrated, as the speed of information flow and the complexity of socio-economic boundaries have shifted dramatically.

Human rights did not exist until it became an emergent property that the majority agreed upon; the same is the case with individual intellectual property rights. This was projected as a cognitive artefact that we accept as a reality because we were raised with the concept. The masses become religious about those who provide them the cognitive artefacts - see Steve Jobs as an example.

The new technologies will continue to stretch us and allow us to be redefined in new ways and improve ourselves. New social attacks don't require the technology, but the majority is becoming more dependent on technology and social networks. Inference attacks can move people unwittingly to a conclusion they don't hold, because analysis of the vast quantities of data the 80% has provided gives the information to be analysed and concluded in a new social attack.

We need to allow ourselves to shift to the first 10% of the bell curve and see what is coming down the road before the 80% in the hump. We need to not be stuck in the cognitive artefacts we grew up with, to protect ourselves and those we care about from the threats shared in the beginning.

DIYBio is the next revision of social engineering, and it only takes someone with the mental state of a suicide bomber to create a

We need to keep the cognitive dissonance at the right level, to use the real fears to motivate us and keep the unreal ones from crippling us; even if the unreal ones occur, we can be prepared to adapt.

We need to not be afraid to be honest about where we are, where we need to go, and get business and government leaders to accept this and commit the funds to move us to the right places to manage the risks. Be mindful, be supremely aware, and be vigilant.


Telus - The Impact of Disruptive Technologies on Data Protection

Keynote Luncheon Address
(Salon AB)

Ken Haertling, Chief Security Officer, TELUS

The Impact of Disruptive Technologies on Data Protection
In 2011, the industry witnessed an unprecedented year of security incidents and privacy breaches. In 2012, organizations are faced with the further proliferation of mobile devices/tablets and initiation of bring your own device (BYOD) policies. This will lead to the further co-mingling of personal and private data on joint-use devices. Meanwhile, with the addition of these devices and the erosion of the traditional network security perimeter, the enterprise network is no longer as trusted as it once was. Organizations cannot ignore other disruptors such as off-shoring, cloud computing, and virtualization that may further expose sensitive data. Ken will explore popular coping strategies and discuss which, if any, are likely to succeed.


Core to the disruptors is the movement of data outside the traditional geopolitical boundaries, outsourcing and offshoring. Commerce will drive work toward least cost providers, and businesses take an open view toward what is considered core.

Another core disruptive technology to security and privacy is employee mobility, and the advent of device mobility.

BYOD and tablets grow the concern that more personal information is transported over potentially risky networks outside the workplace and saved among personal data on a mobile device.

Last disruptor is the concept of cloud computing and storage. Centralising should provide economies of scale, but there is an increased loss of control over data and information.

All in all, data is moving outside of organisational control and into areas of greater exposure to risk of compromise.

You can't start your strategy with picking tools, but instead understand your data. Understand the threat, data, and people; this is data classification which helps understand what is critical data.
A surgical application of data security controls is key to success in this initiative. Pick the key systems and data flows, and focus on those. Use encryption, but also tokenization and obfuscation; the latter two can be more effective. An internal study by Telus indicated that 10% of the organisation needed 80% of the critical data, allowing a focus for policy and governance work.

Network segmentation and perimeter hardening is important from an architectural perspective. Most networks today are quite flat, and must be better segmented. Internal employee networks should not be fully trusted to allow unfettered access to core systems. The focus on privacy and security should be on the data centre first, and include an architectural philosophical extension beyond the network to the data and application layers.

The question was asked how many in attendance have some form of security solution enabled on their mobile device. The response was a very small percentage.

There are two approaches Telus uses to securing mobile devices.
Containerised and non-containerised. Containerised separates personal and corporate data, with corporate data kept in a secured container; remote policy enforcement is leveraged, and the device's full capabilities are limited. Non-containerised means that the entire device is encrypted and managed centrally. In either case there is a strong push at the data and application layers to ensure that data is not pushed to the mobile device if at all possible.

A virtualised environment provides greater control over where the data resides, and gives views into the data for classification purposes. However, the risk is that much more importance needs to be placed on credentials and user identity, as the keys to the kingdom are more widely distributed and the data is more centralised.


Sensitive Data: The Electronic Health Record

Panel B: Sensitive Data: The Electronic Health Record
(Theatre)
Moderator: David Flaherty, former Privacy Commissioner of British Columbia
Speakers:
1. Mimi Lepage, Executive Director, Information & Privacy Policy Chief Information Officer Branch, Treasury Board of Canada Secretariat
2. Khaled El Emam, Canada Research Chair in Electronic Health Information, University of Ottawa
3. Marc Smith, Senior Information Management Specialist, SAS
4. Lorraine Dixon, Senior Manager/Privacy Officer, Oracle Canada
5. Leroy Brower, Assistant Commissioner for Policy and Adjudication, Office of the Information and Privacy Commissioner, Province of British Columbia

It started with a vote as to who is a fan of the electronic health record; the audience was evenly split.

9 institutions at the federal level have legitimised access to your EHR.

Secondary use of the data is big data processing for optimising health care delivery; data is released and shared, and we trust it is done responsibly. The data should be anonymised or de-identified, but how do we know this is done with our data?

Mimi LePage cited an example in Ottawa of how effectively health information flowed from an MRI to the correct health practitioners from primary care to specialists.

Closer to home, a cancer patient had excellent service while care was handled within the BC Cancer Agency, but information did not flow well to other health care services, so when there was a complication there was an extensive delay in response that might have been fatal. While dramatic, the point is that distributed EHR/EMR systems, and practitioners not leveraging EMR/EHR, create information gaps, as the assumption becomes that "everyone who needs your information will get it."

Sensitivity of the data was discussed; this might seem obvious to those of us in health care, but some concrete examples of PHI as sensitive, biographical core information were given: stigmatised conditions, prescriptions, and other aspects of non-benign conditions. The panel debated whether PCI or PHI was more sensitive; the consensus was that both are, and both must be respected at least equally, with the priority seemingly based on which is currently at more risk in the eyes of the individual.

Discussed ownership or control over our PHI. The Lab Info System of BC has your data if you've had a lab test, private labs like LifeLabs have their proprietary system, but this is being folded into the central system later this year. This information is no longer yours.

David asked the panel what the best defence in controlling your information is, and the response was that we must understand what is being released, and how it is protected. All your medical information is highly correlated, so hiding or encrypting one piece, such as a diagnosis, but leaving lab results or treatment, still makes the locked information highly predictable. So the value of locking parts of the correlated data is minimal if it is not de-identified for secondary uses. Patients overly concerned with privacy have the right to have information not entered into EHRs, but this risks their future health.

A case study of in-patient teenagers' use of Facebook indicated that they would not use Facebook to share information about their current health, as they wanted to be viewed as "normal" by their peers. These same teenagers were very conscious of Facebook privacy settings, as opposed to their peers, and used Facebook messaging to communicate with their health care practitioners.

The concept of lockboxes in Ontario healthcare EHRs was discussed, and studies have shown that few health care providers have actually educated patients about their rights. Disclosure Directives are the BC equivalent; labs have been given posters and bulletins to share with clients, and information is available on the Government of BC website. This has had very small uptake, and only certain health communities with stigmatised conditions have shared the information heavily. This does not apply to the private data collections of private labs.

The panel was asked to weigh risks and benefits, and provide their over-all opinion of the value of EHRs.

The Canadian Health Ways motto of "knowing is better than not knowing" was cited, but it was importantly stressed that control over who is accessing what information, and for what purposes, is vital. This does give us reason to worry; the controls and governance are critical, but governance and controls without enforcement and management/monitoring are ineffective against those who truly wish to abuse the access. It seems there is still no good answer to how we actually police the use of these systems. You have handed this information into the trust of the public service and their private agents, and we need to ensure we hold the public sector accountable for what they do with it.

Examples of Alberta's provincial EHR failures would include the citizens not knowing about or how to mask their data, and more so, that a high percentage of the physicians are also ignorant of this. Benefits would be the provincial financial benefits of the secondary use of the data to reduce fraud, and improve service delivery.

The question came to the panel of whether they support third-party access (such as the RCMP or other police agencies) to EHR data for public safety purposes. The response from the panel was mixed; the primary concern against was the slippery-slope argument. This brought up the lawful access debate on federal Bill C-30, an example of public backlash over privacy concerns being successful. Correlating data across different health agencies or institutions could be considered for lawful disclosure, limited to health care service workers; perhaps the definition of what is health care service provision needs to be addressed. Breakdowns in social work systems were suggested as being fixed by leveraging wider access to HR data, but this seems like a knee-jerk reaction that must be considered beyond the emotional reaction for an instant fix, and elevated to finding the right solutions, governed by the right policies.


The Repo Men Reductio Body EULAs, Privacy and Security of the Person

Ian Kerr, Canada Research Chair in Ethics, Law & Technology at the University of Ottawa
(Salon AB)
The Repo Men Reductio Body EULAs, Privacy and Security of the Person
Recent medical advances allow us to transcend biological limitations through the implantation of microchips, digital body parts and artificial organs. However, surprisingly little thought has been given to the ethical and legal aspects of their design and use. In this keynote address, Ian Kerr, Canada Research Chair in Ethics, Law and Technology, examines current ethical and regulatory approaches that govern medical devices and argues that the existing paradigm of mass-market consumer goods is not particularly well suited for the health sector. His primary concern is that individuals are increasingly called upon to sign complex contractual documents that diminish privacy and autonomy not only as users of mass market consumer goods but, now, as medical patients. Drawing on lessons learned in the field of privacy and information technology law, he suggests that special considerations are required in the healthcare context to ensure that patient autonomy and privacy are adequately protected in an era where our bodies are becoming inextricably tethered by devices and software owned by health care providers in partnership with industry.

Ian Kerr's premise is that the digital drives the mechanical. This covers the human-machine merger. We are implanting more equipment into our bodies, and giving machines more personification.

Digital body parts, and prosthetics; questions implicate the security of the person, beyond simply privacy concerns. Reductio ad absurdum almost seems an easy way out of the debate, except that things have already moved well beyond science fiction.

"Building Better Humans" is the course he teaches across North America in prestigious universities. The topic revolves around enhancement based medicine, intended to make us "better than well." The trans-humanist movement includes deliberative selection, not natural selection, including the use of artificial organs. Current examples are ventricular assist valves that can replace the need for a heart transplant, insulin pumps which replace the need for a pancreatic system, and cochlear implants for hearing.

A cochlear implant is an interventionist technology, as the change required to the auditory nerve is a one way road; the nerve is severed and this is a permanent change.

The book "My Bionic Quest for Bolero" summarises how the cochlear implant improved hearing beyond normal human capabilities to distinguish more discrete differences in frequencies.

What is the social model that goes along with this change in our technologies impacting our society?
There are politics infused in the architecture of these technologies.
This represents the cultural genocide of the deaf community. This implies that this group is broken and needs to be fixed. Political decisions are built right into the design of these technologies.

Reference to Alexander Graham Bell, his wife and mother both being deaf, and his political view of deaf culture was to assimilate deaf people into the society of those who could hear via hearing assist devices.

Discussion now shifts to the techno-legal model. Prof. Kevin Warwick has engaged in a number of experiments with a neural transducer. Placed in his arm, this "router" intercepts the signal and routes the signals to the Internet and to a robotic arm that performs the desired actions.

We live in a world of ad hoc sensor networks and Wi-Fi. Devices we carry interact with each other, without our knowledge or permission. What are the implications?

Implantable devices and personal area networks have privacy implications, as the nature of the information we exchange intentionally or unknowingly changes. Our physiological information is also moving over the PANs and subject to the WANs.

IPv6 would allow us to provide 7 unique identifiers to every atom in every human body.

Process for getting a cochlear implant includes a consent to a contract with the vendor for warranty; effectively a terms of services agreement for the technology implanted in your body.

The business model for medical devices is the exact same model as for mass market consumer products. These devices are being regulated the same way your iPod is regulated.

There is a proprietary nature to these devices, but are the EULAs appropriate given the actual use? For software and hardware, these are take-it-or-leave-it bargains, where the consumer's choice is summarised by mandatory volunteerism. Fictional consent mechanisms imply a consent contract where both parties have negotiating abilities; this should be offensive to each of us.

EULAs by default are not privacy friendly.

We should have freedom of contract, even more so, as the technologies enter our bodies, we need freedom from the contracts.

"End user licenses are becoming the rule, and those who draft them are becoming the rule makers." - Ian Kerr

He showed us the terms and conditions agreement you must sign to get a bionic ear, which includes voiding support if there is unauthorised maintenance or work on the device, putting you at the mercy of the manufacturer for a part of your body irrevocably implanted.

We need to be aware of our digital rights.


Location:13th Privacy & Security Conference, Victoria BC

Cory Doctorow and the Privacy Bargain

Cory Doctorow, Science fiction novelist, blogger and technology activist. Co-editor of weblog Boing Boing (boingboing.net), and contributor to The Guardian, the New York Times, Publishers Weekly, and Wired

Internet giants will tell you that they're participating in a "privacy bargain" where consumers trade privacy for services. But it's a funny sort of bargain that involves Internet users giving up everything, with no ability to dicker --- not even the ability to see what they're giving up and to whom. What if we gave Internet users the power to decline an offer? What if we changed the analytics shooting war so that the users were armed, too?

Cory started by discussing the Kim Possible game that Disney put in place in Florida. Kids are given mobile devices, and the game actually inverts the common social media model by making the humans the sensors, as opposed to the sensed. Private information is put into the hands of the users in this model.

Galaxy Zoo and Google PageRank are examples of crowd-sourcing where humans do what they are good at, making decisions, and computers do what they are good at, counting decisions. We can't rely on computers to make decisions for us as to what we should or shouldn't give away online. They can be tools to facilitate this, but humans need to be empowered to leverage the tools.

He discussed Facebook's privacy "policies" and the concept of making terms and agreements confusing and obscure, when in the end they should say "we'll give you this service for this information." It's all the mechanics of a rigged Vegas game. It's the same mechanism used to program slot machines for limited payouts to keep people addicted to their use.

It is a deliberate strategy.

How should we price our privacy?
What are the consequences of giving out our privacy?
He related the story of a person having a child and giving the child's name and birthdate to a marketing company in return for a basket each year. The child died shortly after, but the baskets kept coming each year. What is the personal impact of that divulgence of privacy?

He introduced the concept of having an interest, vs. property rights, with respect to information, and discussed Bill C-30, the SOPA act, and other aspects of privacy and ownership debates over information.

What about pop-ups? They were prevalent until Mozilla blocked them by default. Technology was the impetus to kill that invasion of privacy. Cookie managers could be the new version of this concept.
As a case in point of why changes need to be made to make this feasible, try creating a new user in a browser and turning on "ask me every time" for cookie acceptance; you will be overwhelmed in a short amount of time. The impact on your Internet experience will drive you to simply accept them. This can be addressed by browser design that manages cookies more easily; managing cookies would be a key way to give the populace informed consent to the trade of privacy for service.

Users have come to the gunfight with analytics and advertisers with a wooden stick.

A call for people to be realistic about what the cloud can and should do, what information is reasonable to stream? What information is reasonable to have conglomerated into a single physical space that provisions the virtual space? What is the risk of the mash-up of the data?

The public needs bargaining chips in this war on our information. Android has an app/feature that allows you to lie to apps that ask for your personal information. This mod feeds junk data to privacy-sniffing apps, and arms the consumer to fight back against draconian imperialist forces.

Questioned on his stand on jailbreaking. He compared closed systems to alchemy, with the risk of having to learn everything over and over. Stated that alchemic operating systems, where breaking the "copyright" is illegal, are equivalent to an engineering firm designing a building and not disclosing anything about the design of the building. Case in point was audible.com's policy of enforcing a proprietary file format for audio books, giving no flexibility and, in fact, removing the copyright of the author de facto. Discussed CarrierIQ being detected first on Android, due to the open aspects of the OS. People were able to learn that our privacy was being violated because the OS allowed inspection and transparency into what was installed and happening on our devices with our information.

Discussed the workflow for managing your personal information on the web. The browser would need to examine cookies for "questionable" requests and block them, the way email clients block images, and give you insight into which cookies you will trust or distrust. A blacklist can be created through public crowdsourcing that leverages communal intelligence and experience.
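The cookie workflow sketched above, written out as an added example (my own illustration, not code from the talk or from any browser): each cookie a page tries to set is classified as first-party or third-party, checked against a crowd-sourced blocklist, and only the unknown remainder is put to the user. The blocklist, the trusted list, the sample page and every Set-Cookie header are constructed, and the registrable-domain logic is simplified to the last two labels (a real browser would consult the Public Suffix List).

```python
"""Cookie policy engine: decide allow / block / ask for each cookie a page sets.

Added example, not from the talk. All domains and headers are constructed,
and registrable_domain() is a deliberate simplification.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for a crowd-sourced blocklist of tracking domains.
COMMUNITY_BLOCKLIST = {"tracker.example", "ads.example"}

# Constructed stand-in for the user's own "I trust this one" decisions.
USER_TRUSTED = {"cdn-partner.example"}


def registrable_domain(host):
    """Collapse a hostname to its owning domain (simplified: last two labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(response_host, header):
    """Minimal Set-Cookie parser returning (name, domain).

    The cookie belongs to the Domain attribute if present, otherwise to the
    host that sent the response.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = response_host
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip().lstrip(".")
    return name, domain


def decide(top_level_url, response_url, header):
    """Policy: first-party cookies pass, blocklisted trackers are dropped,
    user-trusted parties pass, and anything else is asked about."""
    site = registrable_domain(urlsplit(top_level_url).hostname)
    host = urlsplit(response_url).hostname
    _, domain = parse_set_cookie(host, header)
    owner = registrable_domain(domain)
    if owner == site:
        return "allow"
    if owner in COMMUNITY_BLOCKLIST:
        return "block"
    if owner in USER_TRUSTED:
        return "allow"
    return "ask"


def review_page(top_level_url, responses):
    """Run the policy over every (response_url, Set-Cookie header) a page
    produced. Returns the per-cookie verdicts, a count per verdict, and how
    many distinct domains would actually prompt the user (one prompt per
    domain, which is what keeps "ask me every time" from being unbearable)."""
    rows = []
    for response_url, header in responses:
        host = urlsplit(response_url).hostname
        name, domain = parse_set_cookie(host, header)
        rows.append((name, registrable_domain(domain),
                     decide(top_level_url, response_url, header)))
    counts = Counter(verdict for _, _, verdict in rows)
    prompts = len({owner for _, owner, verdict in rows if verdict == "ask"})
    return rows, counts, prompts


# Constructed sample: one news page and the cookies its sub-resources set.
SAMPLE_PAGE = "https://news.example/story/42"
SAMPLE_RESPONSES = [
    ("https://news.example/story/42", "session=abc123; Path=/; HttpOnly; Secure"),
    ("https://static.news.example/app.js", "prefs=dark; Domain=.news.example; Path=/"),
    ("https://pixel.tracker.example/i.gif", "uid=9f8e7d; Domain=.tracker.example; Path=/"),
    ("https://ads.example/serve", "aid=777; Path=/"),
    ("https://cdn-partner.example/lib.js", "ver=3; Path=/"),
    ("https://analytics.unknown.example/collect", "cid=1; Path=/"),
    ("https://analytics.unknown.example/collect", "sid=2; Path=/"),
]

if __name__ == "__main__":
    rows, counts, prompts = review_page(SAMPLE_PAGE, SAMPLE_RESPONSES)
    for name, owner, verdict in rows:
        print(f"{verdict:5}  {name:8}  {owner}")
    print(dict(counts), "prompts:", prompts)
```

On the constructed page, seven cookies reduce to a single prompt: the two first-party cookies and the trusted partner pass, the two blocklisted trackers are dropped silently, and the unknown analytics host is asked about once. That is the whole point of combining a community list with per-user choices: the prompt only fires where neither source has an answer yet.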


- Posted using BlogPress from my iPad

Opening Keynotes @ 13th Annual Privacy and Security Conference

The conference theme is "Keeping Pace With the Digital Revolution", and the conference is webcast and recorded so the sessions can be watched again afterwards. This is a good thing, as there were a number of concurrent sessions I wished to attend.

Www.twitter.com/#!/Reboot_PrivSec
Hashtag: #psyyj
Www.rebootconference.com/privacy2012

The first speaker after MC work by Keith Baldry, was the Honourable Dr. Margaret MacDiarmid, Minister of Labour, Citizens’ Services and Open Government.


Government transparency and increased participation in democracy via open government policy. Last summer every ministry was directed to make information and data available to citizens, and policies are in place to guide the ministries. BC was the first province in Canada to launch a website like DataBC. This work has been acknowledged with the silver medal in the 2011 government service innovation awards.

Last fall amendments were made to FOIPPA, an act created in 1992. The amendments give the information and privacy commissioner enhanced authority, and enable the centralised identity management with secure online credentials that the OCIO has been working on.

The first BC Services cards become available, combining DL and Health Care card into one card.



Location:Victoria, BC

Wednesday, February 15, 2012

Information Incidents and Privacy Breaches - Process, Policies and Prevention Opportunities Through Lessons Learned

My first blog entry from the 2012 Privacy & Security Conference in Victoria, a summary of the morning workshop I attended today, presented by the Office of the CIO, Province of BC.

Presenters for this session were:
Margaret Patton, director of the Privacy Investigations team
Wendy Taylor, Security Investigations & Forensics team
Ken McLean, Security Investigations & Forensics team

In 2010 the Security Investigations & Forensics team was formed, in response to a 2009 privacy breach by an internal government staffer. A focus was placed on the need for information sharing, balanced by a centralised reporting process to ensure a consistent approach to every incident. The intent is to take the responsibility away from individuals having to deal with these issues independently, and provide a cross-government service.

This group has been able to institute mandatory training for every govt employee, first at the executive and then at the managerial layer. A CBT program was developed, and is mandatory for every govt employee and contractor.

A document called "Working Outside the Workplace" has been created and published; it lets you know what is OK to take outside the office and how to store and protect it, including proper care and storage of paper and electronic information outside the workplace.

The security clearance program outside of government has been enhanced. A CRC is necessary for any position, at time of hire or on movement to a new position. It is not a renewal-point-based process.

What is an information incident?
A single unwanted or unexpected event, or a series of them, that threatens privacy or information security.
What should be reported?
Actual or suspected breaches should be reported, to err on the side of caution and not have people feel they need to figure this out for themselves.


The OCIO group has, and recommends that each organisation have, well-documented processes and workflows for the three key areas: event reporting and triage, investigation and resolution, and compliance/prevention. This provides a clear understanding of how and when to inform and involve the right parties. This is essential as FOIPPA governs the actions and determines what is or is not a privacy-related incident or breach, but FOIPPA is daunting and confusing to most people in our organisations.


Information Management guiding principles:
Right information - is the information accessed appropriate
Right person - who has access to information in the organisation
Right purpose - information used for approved and governed uses
Right time - ensuring access to info in a timely way to get the work done
Right way - safety and security of information where it is or is moving

Types of information:
Business - everything an employee does for their employer, service provider contracts, estimates, budgets, reports, etc.
Client - PHI, PI
Employee - HR files, CRCs, complaints, employee performance and development, etc.

What is the level of sensitivity of the information?
Information that if compromised could result in serious consequences for individuals, organisations, or government.
Government has an information classification security model and acknowledges that sensitivity is important, but the classification issue in an incident is about a confluence of events: the combination of protected elements determines the overall sensitivity of the impact of a breach, based on all the combined information breached.

What is PI?
Recorded information about an identifiable individual other than business contact information. This is governed by the FOIPPA.

Information Incident Management Process:
1. All actual or suspected information incidents must be reported immediately to the supervisor or OCIO hotline.
2. A team approach: the OCIO investigator facilitates the coordination, investigation, and resolution of information incidents. Brings all the necessary SMEs to the table at the appropriate time.
3. OCIO is responsible for reporting to / liaising with the Information and Privacy Commissioner regarding privacy breaches.
4. Each ministry has designated parties that need to be notified of all information incidents, they are accountable for coordination and communication within that ministry. Effectively, a privacy officer, but this is almost always the responsibility of the CIO, or a delegate.

Common causes of data leakage, or information incidents are:
Employee error: double-stuffing envelopes, incorrect fax, email or mailing address, forgetting to clear an MFP, etc. Analysis of trends in incidents helps identify simple process changes to ensure fewer errors.

Hacking or phishing: organisations are most often alerted by service providers for both. Staff don't often report phishing incidents, so you need to be vigilant for these and increasingly educate staff. Service providers can be viewed as a risk as well as a help on these issues.

Loss of unencrypted data storage devices.

Mis-configuration of systems and permissions; this needs to be approached as a non-punitive process to encourage compliance and reporting.

Deliberate employee misconduct: declarations of information incidents are available for staff to use, kept separate from HR to distinguish accidents from intentional misconduct. This gives employees the opportunity to clear their own name.


The four steps to managing an Information Incident:
Step 1 - Report
Immediate, actual or suspected
Triage and intake;
What happened, and when?
What actions have been taken so far? Has the incident been contained?
Does it involve identifiable individual data?

Step 2 - Recover
Recover the information or assets
Contain the incident
Whenever electronic information is involved, technical SMEs should be involved ASAP

Step 3 - Remediate
Action team collaborates with investigators
Determine the specifics
Determine the appropriate action plan
Post incident review to improve process

Step 3b - Notify
For each individual whose privacy may have been breached, the need for notification is assessed.
The harms test:
1. Risk of identity theft or fraud
2. Risk of physical harm
3. Risk of hurt, humiliation, or damage to reputation
4. Risk to business or employment opportunities
Other considerations might be legal, contractual, etc.

Step 4 - Prevent
Major focus is here, lessons learned, education, and opportunities for improvement
Most changes are:
Education, awareness
Practice and procedures
Policy
Business process
Technological advancements

Considerations throughout the Incident Process:
Impacts and repercussions
Public trust and perception
Use the appropriate response mechanism to communicate to those who need to be notified to respect their privacy, and minimise harm.

Next we were broken into groups and given one of three case studies to evaluate as a team, and discuss as a larger group. Working through the case studies, the lessons learned were:
Always start a chronology ASAP; don't lose what happened, when, and by whom.
If a physical asset of any sort is involved, that asset needs to be obtained and contained if possible.
Immediately involved parties should be asked to sign a declaration that they will not divulge inappropriately.
Anyone who may inappropriately have information they should not have is subject by provincial law to the terms of that declaration; FOIPPA legislation has moderate enforcement options here.
Often the approach and tone of the conversation is important to ensure maximum containment. You get more results with approach than enforcement.
The golden rule with notification is "if it was me, would I want to know?"
The case studies opened up excellent conversations around governance and process in the handling of information incidents or privacy breaches.
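The four-step process and the case-study lessons above, encoded as an added example (my own illustration, not material from the workshop or the OCIO): a chronology that is kept in time order however late entries arrive, the Step 1 intake questions turned into a triage result, and the Step 3b harms test turned into a notification decision. The incident, its reference number, the people and the times are constructed; how each answer maps to an action is my assumption, not OCIO procedure.

```python
"""Model of an information-incident record: chronology, triage, harms test.

Added example, not from the workshop. The incident and all names/times are
constructed; the mapping of answers to actions is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The four harms listed for Step 3b; any one of them triggers notification.
HARM_FACTORS = (
    "identity_theft_or_fraud",
    "physical_harm",
    "hurt_humiliation_or_reputation",
    "business_or_employment_opportunities",
)


@dataclass
class Incident:
    reference: str                 # placeholder id, not a real case number
    description: str
    involves_personal_info: bool   # identifiable-individual data (PI/PHI)?
    electronic: bool               # electronic information or devices involved?
    contained: bool                # has the incident been contained yet?
    actions_taken: list = field(default_factory=list)
    chronology: list = field(default_factory=list)

    def log(self, when, who, what):
        """Start the chronology immediately and keep it in time order, so an
        entry recorded late still lands where it belongs."""
        self.chronology.append((when, who, what))
        self.chronology.sort(key=lambda entry: entry[0])


def triage(incident):
    """Step 1 intake: classify the report and list what must happen next.
    Step 2 (recover/contain) and the SME rule are folded in as actions."""
    kind = ("privacy breach" if incident.involves_personal_info
            else "information security incident")
    actions = ["report to supervisor / OCIO hotline immediately"]
    if not incident.contained:
        actions.append("contain the incident and recover information or assets")
    if incident.electronic:
        actions.append("engage technical SMEs as soon as possible")
    if incident.involves_personal_info:
        actions.append("assess notification for each affected individual (harms test)")
    return {"kind": kind, "actions": actions}


def harms_test(risks, other_considerations=()):
    """Step 3b: notification is required when any of the four harms applies,
    or when another consideration (legal, contractual) requires it.

    risks: mapping of harm factor -> bool. Unknown factor names are rejected
    so a typo cannot silently drop a harm from the assessment.
    """
    unknown = set(risks) - set(HARM_FACTORS)
    if unknown:
        raise ValueError(f"unrecognised harm factor(s): {sorted(unknown)}")
    triggered = [h for h in HARM_FACTORS if risks.get(h)]
    notify = bool(triggered) or bool(other_considerations)
    return {"notify": notify, "triggered": triggered,
            "other": list(other_considerations)}


def sample_incident():
    """Constructed case in the style of the 'employee error' cause: a letter
    containing client PHI mailed to the wrong address."""
    inc = Incident(
        reference="INC-PLACEHOLDER-001",
        description="letter containing client PHI mailed to the wrong address",
        involves_personal_info=True,
        electronic=False,
        contained=False,
    )
    t = lambda h, m: datetime(2012, 2, 15, h, m, tzinfo=timezone.utc)
    inc.log(t(9, 40), "program area", "client phoned: received someone else's letter")
    inc.log(t(9, 5), "mail room", "mail batch sent")          # logged late, sorts first
    inc.log(t(9, 55), "supervisor", "reported to OCIO hotline")
    return inc


if __name__ == "__main__":
    inc = sample_incident()
    for when, who, what in inc.chronology:
        print(when.strftime("%H:%M"), who, "-", what)
    print(triage(inc))
    print(harms_test({"hurt_humiliation_or_reputation": True}, ["contractual"]))
```

The harms test is deliberately strict about its inputs: an assessment that misspells a factor raises instead of quietly returning "no notification needed", which is the failure mode the golden rule ("if it was me, would I want to know?") is guarding against.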

All materials will be available electronically post conference.

The OCIO IS Branch works very closely with para-govt organisations on incidents and process, and is happy to collaborate with any of us.


The closing advice from this team was:
Set the tone and performance expectations regarding the protection of personal and confidential information.
Ensure adequate resources, processes, and organisational supports are in place for you to implement your roles and responsibilities.
Actively promote information sharing and address barriers to collaboration.



Location:2012 Privacy & Security Conference