More Content - Including Podcasts

Wednesday, February 15, 2012

Information Incidents and Privacy Breaches - Process, policies and prevention opportunities through lessons learned

My first blog entry from the 2012 Privacy & Security Conference in Victoria, a summary of the morning workshop I attended today, presented by the Office of the CIO, Province of BC.

Presenters for this session were:
Margaret Patton, director of the Privacy Investigations team
Wendy Taylor, Security Investigations & Forensics team
Ken McLean, Security Investigations & Forensics team

In 2010 the Security Investigations & Forensics team was formed, in response to a 2009 privacy breach by an internal government staffer. A focus was placed on the need for information sharing, balanced by a centralised reporting process to ensure a consistent approach to every incident. The intent is to relieve individuals of having to deal with these issues on their own, and to provide a cross-government service.

This group has been able to institute mandatory training for every govt employee at the executive, then managerial layer. A CBT program was developed, and is mandatory for every govt employee and contractor.

A document called "Working Outside the Workplace" has been created and published; it explains what is OK to take outside the office and how to store and protect it, including proper care and storage of paper and electronic information outside the workplace.

The security clearance program outside of government has been enhanced. A CRC (criminal record check) is required for any position, at time of hire or on movement to a new position; it is not a renewal-based process.

What is an information incident?
A single, or series, of unwanted or unexpected events that threaten privacy or information security.
What should be reported?
Staff are asked to report actual or suspected breaches, to err on the side of caution, rather than feeling they need to figure it out for themselves.

The OCIO group has, and recommends that each organisation have, well documented processes and workflows for the three key areas: event reporting and triage, investigation and resolution, and compliance/prevention. This provides a clear understanding of how and when to inform and involve the right parties. This is essential because FOIPPA governs the actions and determines what is or is not a privacy-related incident or breach, but FOIPPA is daunting and confusing to most people in our organisations.

Information Management guiding principles:
Right information - is the information accessed appropriate
Right person - who has access to information in the organisation
Right purpose - information used for approved and governed uses
Right time - ensuring access to info in a timely way to get the work done
Right way - safety and security of information where it is or is moving

Types of information:
Business - everything an employee does for their employer, service provider contracts, estimates, budgets, reports, etc.
Client - PHI, PI
Employee - HR files, CRCs, complaints, employee performance and development, etc.

What is the level of sensitivity of the information?
Information that if compromised could result in serious consequences for individuals, organisations, or government.
Government has an information classification security model and acknowledges that sensitivity is important, but classification in an incident is about a confluence of events: the combination of protected elements determines the overall sensitivity and impact of a breach, assessed on all the breached information taken together.

What is PI?
Recorded information about an identifiable individual other than business contact information. This is governed by the FOIPPA.

Information Incident Management Process:
1. All actual or suspected information incidents must be reported immediately to the supervisor or OCIO hotline.
2. A team approach: the OCIO investigator facilitates the coordination, investigation, and resolution of information incidents. Brings all the necessary SMEs to the table at the appropriate time.
3. OCIO is responsible for reporting to / liaising with the Information and Privacy Commissioner regarding privacy breaches.
4. Each ministry has designated parties that need to be notified of all information incidents; they are accountable for coordination and communication within that ministry. Effectively, a privacy officer, but this is almost always the responsibility of the CIO, or a delegate.

Common causes of data leakage, or information incidents are:
Employee error; double stuffing envelopes, incorrect fax, email, or mailing address, forgetting to clear a MFP, etc. Analysis of trends in incidents helps identify simple process changes to ensure fewer errors.

Hacking or Phishing; for both, the alert most often comes from service providers. Staff don't often report phishing incidents, so you need to be vigilant for these and increasingly educate staff. Service providers can be viewed as a risk as well as a help on these issues.

Loss of unencrypted data storage devices.

Mis-configuration of systems and permissions; this needs to be approached as a non-punitive process to encourage compliance and reporting.

Deliberate Employee misconduct; declarations of information incidents are available for staff to use, kept separate from HR to distinguish accidents from intentional misconduct. Gives employees the opportunity to clear their own name.

The four steps to managing an Information Incident:
Step 1 - Report
Immediate, actual or suspected
Triage and intake;
What happened, and when?
What actions have been taken so far? Has the incident been contained?
Does it involve identifiable individual data?

Step 2 - Recover
Recover the information or assets
Contain the incident
Whenever electronic information is involved, technical SMEs should be involved ASAP

Step 3 - Remediate
Action team collaborates with investigators
Determine the specifics
Determine the appropriate action plan
Post incident review to improve process

Step 3b - Notify
For each individual whose privacy may have been breached, the need for notification must be assessed.
The harms test:
1. Risk of identity theft or fraud
2. Risk of physical harm
3. Risk of hurt, humiliation, or damage to reputation
4. Risk to business or employment opportunities
Other considerations might be legal, contractual, etc.

Step 4 - Prevent
Major focus is here, lessons learned, education, and opportunities for improvement
Most changes are:
Education, awareness
Practice and procedures
Business process
Technological advancements

Considerations throughout the Incident Process:
Impacts and repercussions
Public trust and perception
Use the appropriate response mechanism to communicate to those who need to be notified to respect their privacy, and minimise harm.

Next we were broken into groups and given one of three case studies to evaluate as a team, and discuss as a larger group. Working through the case studies, the lessons learned were:
Always start a chronology ASAP, don't lose what happened when and by whom
If a physical asset of any sort is involved, that asset(s) needs to be obtained and contained if possible.
Immediately involved parties should be asked to sign a declaration that they will not divulge inappropriately.
Anyone who may inappropriately have information they should not have is subject by provincial law to the terms of that declaration; FOIPPA provides moderate enforcement options here.
Often the approach and tone of the conversation is important to ensure maximum containment. You get more results with approach than enforcement.
The golden rule with notification is "if it was me, would I want to know?"
The case studies opened up excellent conversations around governance and process in the handling of information incidents or privacy breaches.

All materials will be available electronically post conference.

OCIO IS Branch works very closely with para govt organisations on incidents and process and is happy to collaborate with any of us.

The closing advice from this team was:
Set the tone and performance expectations regarding the protection of personal and confidential information.
Ensure adequate resources, processes, and organisational supports are in place for you to implement your roles and responsibilities.
Actively promote information sharing and address barriers to collaboration.

- Posted using BlogPress from my iPad

Location: 2012 Privacy & Security Conference
