Post on 10-May-2015
Protecting Donor Privacy
Raymond K. Cunningham, Jr. CRM, CA, CIPP
University of Illinois Foundation
Higher Education Institutions account for more security breaches than any other industry including financial institutions.
–Information Security News
We are all subject to information breaches
• Security and Privacy
• Privacy and the Law
• Implementing a Privacy Program
• Credit Card Industry Security
Security and Privacy – What is the difference?
• Security is a process - you implement security to ensure privacy
• Security is action
• Security is a strategy, privacy is the outcome
• Enterprise privacy and security management must be integrated
• Security maintains confidentiality and privacy
Information Security – it is not a technical issue
• Often Security is viewed as a technical issue
• Many information breaches occur in the paper world
Information Privacy – it is not a Legal issue
• Often viewed as a legal issue handed to legal counsel as a compliance issue
• While many privacy officers report to legal, it is not strictly a legal issue
• Privacy is a concern of all and should be a priority of any fundraising organization
Privacy and the Law
Navigating the Alphabet Soup
Changes in Information Policy
Federal
State
Ethics
Trends
• Information Management Law is moving from the general to the specific
• What was formerly ethical is now being required by law
• Penalties are being strengthened and cases of theft/misuse are higher profile
• The ethics of information management are evolving
Information Management Laws
FERPA
FERPA - 1974
• FERPA – Family Education Rights and Privacy Act
• Directory Data, Degree Data and Non-Directory Data
• FERPA block – blocks all data disclosure, including from the alumni database
Information Management Laws
GLB
FERPA
Gramm-Leach-Bliley Act 1999
• FTC has ruled that Universities are covered under GLB Affiliated Orgs (2003)
• Trust operations – issuers of Charitable agreements
• Financial Planners
• CPAs
Gramm-Leach-Bliley Act 1999
• GLB provides for the protection of personal financial information – similar to FERPA
• Records containing financial information are to be protected.
– Financial Institutions are to make disclosures regarding their privacy policies and release to third parties
– Criminalizes certain practices of data collection services: obtaining financial and personal information by misrepresenting their right to such information
Gramm-Leach-Bliley Act 1999
• Financial Privacy Rule – governs the collection and disclosure of personal financial information. It applies to those who receive such information.
• Pretexting Provisions – covers using false pretenses for obtaining personal financial information
• Safeguards Rule – requires all financial institutions to design, implement and maintain safeguards to protect customer information
GLB - Privacy
• GLB protects consumers’ non-public information. Private information (PI) includes “personally identifiable financial information”
• Student Financial Aid and Loan information is protected under GLB
• Federal financial aid
GLB Pretexting
(Diagram: Organization, Affiliate, Agency)
GLB Safeguards Rule
• The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information.
– Designate one or more employees to coordinate the safeguards
– Identify and assess the risks to customer information relevant to the company’s operation
GLB – Safeguards Rule Compliance
• Select service providers that can maintain appropriate safeguards
• Evaluate and adjust the program in light of relevant circumstances including changes in business or the results of security testing
• Customer data stored at any off-site location
GLB – Safeguards Rule Compliance
• Check references on employees before hiring who have access to customer information
• Sign a confidentiality agreement or NDA
• Limit access to customer information based on business need
• Develop specific policies for the appropriate use of laptops, PDAs, cell phones
GLB – Safeguards Rule Compliance
• Confidentiality training is required
• Encrypt information when it is transmitted
• Report suspicious attempts to obtain customer information
• Dispose of customer information according to the FTC Disposal Rule
Comparison of Legislative Mandates
Columns: Mandate | Processes and Risk Management | Records Management | Data Security and Privacy | Training
Sarbanes-Oxley: X X X X
HIPAA: X X X
California Bill 1386: X X
Gramm-Leach-Bliley: X X
FOIA: X X
USA Patriot Act: X X X
Information Management Laws
GLB
FERPA
SOX
FACTA
FACTA – Fair and Accurate Credit Transactions Act of 2003
• FACTA is directed by the FTC and mandates that employers and financial institutions subject to GLB are also subject to FACTA
• Information is to be disposed of so that said information cannot be read or reconstructed - destroy or erase electronic files or media
• Opt-Out for Marketing
• Conduct due diligence and hire a document destruction contractor
State Personal Information Laws
• HB 1633 (PA 94-36) Effective January 1, 2006
• Personal information is defined as: SSN, driver’s license number or State ID card, account number, credit card number
• Notification of a breach of security must be made in the most expedient time possible and without delay
Illinois State Law
• Customers must be provided notice in writing, or electronic notice provided it meets the electronic records and signatures requirements for such notices
Illinois State Law
• Illinois law is more broadly applicable than the California statute – its data collector provisions are broader and include public and private corporations, universities and financial institutions.
• Violation of the law is Consumer Fraud under Deceptive Business Practices Act
Implementing a Privacy Program
Six steps for creating a Privacy Program
• Information Asset Inventory
• Risk Assessment
• Policy Review
• Develop Policies and Practices
• Conduct training
• Monitoring
Asset Management
• Understand your information assets - inventory
• Locate and identify what is to be protected
• Differentiate between the “owner” and “user”
• Record Retention Schedules – business need or regulatory requirements
Asset Classification
• Assets should be evaluated as to sensitivity and confidentiality, potential liability, intelligence value and criticality to the business
• Classify assets – Confidential, Proprietary, Internal Use Only, Public
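An added example, not from the talk, of the inventory-and-classify step run over a constructed donor export: the column names, the default level map and the identifier regexes are assumptions, the identifier kinds follow the Illinois personal-information definition cited later on the slides, and minimize() applies the closing recommendation to dump SSNs where not needed.

```python
import csv
import io
import re

# Identifier patterns from the Illinois personal-information definition (HB 1633);
# these regexes and the field map below are assumptions for this constructed example.
PI_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "credit card number": re.compile(r"^\d{13,16}$"),
    "account number": re.compile(r"^ACCT-\d{6}$"),
}

# Default level per known column (the slide's four classes); unlisted columns
# fall to Confidential so an unknown field is never under-classified.
DEFAULT_LEVEL = {"donor_id": "Internal Use Only", "name": "Internal Use Only",
                 "gift_amount": "Proprietary", "recognition_name": "Public"}

def classify_field(field, values):
    """Return (level, statutory PI kind or None) for one column's values."""
    for kind, pattern in PI_PATTERNS.items():
        if any(pattern.match(v) for v in values if v):
            return "Confidential", kind
    return DEFAULT_LEVEL.get(field, "Confidential"), None

def inventory(csv_text):
    """Inventory a donor export: {column: (level, PI kind or None)}."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {col: classify_field(col, [r[col].strip() for r in rows])
            for col in rows[0]}

def minimize(csv_text, business_need):
    """Drop statutory-PI columns unless a business need is recorded for them
    ('dump SSNs where not needed'); returns the reduced CSV text."""
    keep = [col for col, (_, kind) in inventory(csv_text).items()
            if kind is None or col in business_need]
    rows = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample export with fake values.
SAMPLE = """donor_id,name,ssn,card_number,gift_amount,recognition_name
1001,Jane Donor,123-45-6789,4111111111111111,250.00,J. Donor
1002,Sam Giver,,,1000.00,Anonymous
"""

if __name__ == "__main__":
    print(minimize(SAMPLE, business_need={"card_number"}))
```

inventory(SAMPLE) flags the ssn and card_number columns as Confidential statutory PI; with a business need recorded only for card_number, the SSN column is dropped from the output.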
Map the Organizational Data Flow
• Map points of data collection – examine web forms, email collection, call centers, POS, Contests, Surveys, chat rooms, marketing lists
• How does data move through the system?
• Is the data held in-house or is it outsourced?
• Is any PII collected from outside the US?
Risk Assessment
• What are the risks with your storage practices?
• What are the physical storage requirements?
• Are personnel tasked with the protection of the information?
Conduct a Policy Review
• Develop the principles that will guide your strategy
• Involve stakeholders, senior management and legal – Get Everyone on Board!
• This is not an IT Problem
• Review all applicable regulatory requirements particular to your industry
Elements of a Good Privacy Policy
• Commitment to Privacy
• Information Collected
• How Information is Used
• Commitment to Data Security
• Commitment to Children’s Privacy
• How to Access or Correct Your Information
• Contact Information
Training
• Training is one of the most often neglected pieces of the program, yet it is one of the most important
• Train your employees prior to exposure to information systems – supply handouts
• Train employees to report information breaches - contacts
• Train employees annually on your policies and compliance issues
• Develop an ethical culture
Monitor Compliance
• Conduct audits of security procedures
• Review systems annually
• Conduct incident response drills – convene your incident response team
PCI – DSS Payment Card Industry Digital Security Standard
What should I know?
Twelve DSS Requirements
1. Install and Maintain a Secure Network
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect Stored Cardholder Data
4. Encrypt Transmission of Cardholder Data Across Open, Public Networks
5. Use and Regularly Update Anti-virus Software
6. Develop and Maintain Secure Systems and Applications
Twelve DSS Requirements
7. Restrict Access to Cardholder data by business need-to know
8. Assign a unique ID to all users
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
PCI – DSS Payment Card Industry Digital Security Standard
• Merchants must comply with the standards
• Should a breach occur, the fines are substantial, up to $500,000 per incident (VISA)
• Audit through self-assessment
• Most organizations are outsourcing a part of this process – vulnerability scans
Conclusions
Ray’s Recommendations
• Gain the Support of Senior Management
• Encourage a culture of confidentiality
• Have a policy in place and enforce it
• Be specific on roles within the organization
• Have mechanisms in place to sign on and sign off users efficiently
• Train all users before log-on in confidentiality and security
Ray’s Recommendations
• Monitor users
• Create an incident response group and provide a way for employees to report data loss
• Tell donors what you are doing with their data
• Allow donors to opt out
• Dump SSNs where not needed
• Monitor Third Party Contracts
Resources
• International Association of Privacy Professionals IAPP www.privacyassociation.org
• EDUCAUSE Information Technology and Security 2003
• Kahn, Randolph, Privacy Nation, 2006
• ISO 17799, International Organization for Standardization, www.iso.org
• PCI, www.pcisecuritystandards.org
Contact information
• Raymond K. Cunningham, Jr.
• Manager of Records Services
• University of Illinois Foundation
• Urbana IL 61801
• cunningham@uif.uillinois.edu
• 217 244-0658