chapter 9 – protecting the confidentiality and privacy of information information systems, first...

Chapter 9 – Protecting the Confidentiality and Privacy of

Information

Information Systems, First Edition John Wiley & Sons, Inc

by France Belanger and Craig Van SlykeContributor: Brian West, University of Louisiana

at Lafayette

9-1Copyright 2012 John Wiley & Sons, Inc.

The ChoicePoint Story ChoicePoint was created in 1997 as a spinoff of the insurance services unit of the Equifax corporation. The company’s business model involves collecting public data about individuals, organizing the data into databases, and selling the results. ChoicePoint also provides intelligence information to law enforcement and counter intelligence agencies. ChoicePoint mistakenly released data on thousands of Americans (approximately 162,000) to fraudsters who created false accounts.ChoicePoint’s stated position is that the entities maintain the source data and are therefore responsible for keeping them accurate.

Copyright 2012 John Wiley & Sons, Inc. 9-2

Focusing Questions

• How much data do you think ChoicePoint has about you? Give specific examples.

• Where do you think the data that ChoicePoint has about you comes from?

• Why is ChoicePoint allowed to sell your data to companies and agencies?

• Should ChoicePoint be held accountable for the accuracy of the data they sell to companies and agencies?


Information Privacy

• Privacy of information is the confidentiality of the information collected by organizations about the individuals using their services

• Everyone is concerned about their own information privacy, but also about the privacy of customers, employees, business partners, students, parents, children, and more


Data Collection

• It has become easier and faster to collect ever increasing amounts of information

• Data can be collected without anyone’s awareness, for example through the use of cookies– Cookies – Clickstream data– Online forms


Secondary Use of Information

• The use of data for purposes other than those for which they were originally collected

• “Opt-in” or “opt-out” options when submitting personal information

• When information collection and use is not regulated you have the responsibility of protecting data

• Be aware of the risks!


Privacy Pizza

The Privacy Pizza video can also be found at: http://www.aclu.org/pizza/ •Do you think access to the various types of information identified is regulated or not?•For the technologies identified, are the technologies widely available today?•How likely is it that a pizza shop/company can use such technologies?•What can someone do to avoid this situation from happening to him or her?


http://www.aclu.org/pizza/

Identity Theft

• Almost 10 million identity theft victims in 2008 in the United States

• 71% of fraud happens within a week of stealing a victim’s personal data

• Low-tech methods for stealing personal information are more popular than technology-driven methods


Types of Fraud


New graphic used in PDF

How much would you be willing to pay for?

• A valid credit card number with a security code?

• Valid bank account details including the PIN (Personal identification Number)?

• A valid social security number?• A complete new (valid) identity?


Protecting yourself• Watching for shoulder-surfers who observe what you

are typing. • Request photo identification when someone asks for

your information. • Shred everything that has any data about you. • Destroy digital data by going beyond a simple delete. • Really check the statements you receive. • Limit the information provided on your checks. • Request your free annual credit report and check it! • Do not use your Social Security Number unless it is

absolutely needed.


Organizational Consequences

If organizations fail to protect the privacy of their customers’ information, then their reputation can suffer•ChoicePoint consequneces– Send notices to all customers– 1 year of credit monitoring to affected customers– Open toll-free line to deal with issues– $15 million total costs ($10 to FTC, $5 to

customers)


Cookies and Cookie Managers

• Cookies are small text files located on your computer, to store information about you, your accounts, and your computer

• Information not typed in can also be stored in cookies ( )

• When accessing some sites, browsers transmit information contained in stored cookies


Cookies and Cookie Managers

• Privacy settings within a web browser can help protect data

• Cookie managers can be available to delete unwanted or dangerous cookies

Copyright 2012 John Wiley & Sons, Inc. 9-14Figure 9.1- Cookies identified with IECookiesView

Cookie Management ToolsName Description Creator and LinkCookie Cruncher Rendering Better Avenues Software

http://www.rbaworld.com/Programs/CookieCruncher/

Cookie Crusher Cookie manager The Limit Software http://download.cnet.com/Cookie-Crusher/3000-2144_4-10006576.html

Cookie Monster Cookie manager AMPsoftMaxa Cookie Manager Freeware cookie manager Maxa Research

http://www.maxa-tools.com/cookie.php

Cookie Pal Cookie manager Kookaburra Software Extended Cookie Manager Sven Jost

IECookiesView Nir Soferhttp://www.nirsoft.net/utils/iecookies.html

Window Washer Webroot Softwarehttp://www.webroot.com/En_US/consumer-products-windowwasher.html


Table 9.1- Sample Cookie Management Tools

Privacy Policy CreationTwo of your best friends from class have asked you to join them in a new venture they are starting to sell customized high quality university branded apparel. They want you to be the Chief Technology Officer. You have been asked to provide a privacy policy regarding your handling of customer data.•Go to one of these sites (or other free tool) to create your privacy policies.•OECD: http://www2.oecd.org/pwv3/•or•The Direct Marketing Association (use the visitor sign on) : http://www.dmaresponsibility.org/PPG/•Bring your resulting policy to class (if the activity is performed before class).•Be prepared to discuss how you created your policy and which decisions you had to make.


http://www2.oecd.org/pwv3/

http://www.dmaresponsibility.org/PPG/

Privacy Statement or Policy

• A privacy policy is a statement that describes what the organization’s practices are.

• The information contained in the privacy policies of companies usually follow:

• The FIP principles provide guidance for how to deal with personal information


Fair Information Practices – Privacy Policy

Fair Information Principle Privacy Policies

Notice/Awareness what data we are collectinghow the data are collectedwhat we are doing with the datawhy we are collecting the datawhich other companies we may or may not share the data with

Choice/Consent how you can (or not) opt out of us collecting these data about you

Access/Participation how you can access the data we have about you

Integrity/Security what actions we are taking to protect the data

Enforcement/Redress how you can fix errors in our data about you


Table 9.2- Mapping Fair Information Practices to Privacy Policies

Privacy Seals• Seals are an attempt by companies

at self-regulation regarding privacy of consumers

• Some company or organization develops a seal program with a logo that companies can post on their website if they follow certain rules

• Only 25% of consumers seem to recognize seal features on websites (Harris 2001), and many users will acquire goods or services independent of whether trusts seals are present or not (Bélanger, Hiller et al. 2002)


Why your advisor can’t talk to your parents.

Legislation exists to protect information privacy of individuals in a number of specific cases, such as financial information, health information, children, and even students. •Go to the FERPA website for students: http://www.ed.gov/policy/gen/guid/fpco/ferpa/students.html. This link is available on the book website.•Pay particular attention to the types of information covered by FERPA and individuals to whom protected information can be released. Answer the following questions and be prepared to discuss them in class.•What types of information are protected under FERPA?•Under what conditions may school officials provide protected information to parents? In your opinion, how do these conditions relate to the concept of “owning” your personal data?•Why do you think FERPA was created? What problem did it solve?•Compare the protections afforded by FERPA to the privacy policies you examined in Exercise ##. What elements do they have in common? How are they different? Which has stronger protections?


http://www.ed.gov/policy/gen/guid/fpco/ferpa/students.html

Government Privacy Regulations

• There are specific situations where governments have created regulations to protect information privacy

• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)

• Family Educational Rights and Privacy Act (FERPA)

• Children's Online Privacy Protection Act of 1998 (COPPA)


Government Privacy Regulations


Law Description SourceChildren's Internet Protection Act of 2001 (CIPA)

http://www.fcc.gov/cgb/consumerfacts/cipa.html

Children's Online Privacy Protection Act of 1998 (COPPA)

Prevents websites from collecting personally identifiable information from children without parental consent.

http://www.ftc.gov/ogc/coppa1.htm

Electronic Communications Privacy Act of 1986 (ECPA)

Regulates access, use, disclosure, interception and privacy protections of electronic communications.

http://legal.web.aol.com/resources/legislation/ecpa.html

Family Educational Rights and Privacy Act (FERPA)

http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)

Provides regulations to protect consumers’ personal financial information held by financial institutions.

http://www.ftc.gov/privacy/privacyinitiatives/glbact.html

Health Insurance Portability and Accountability Act (HIPPA)

http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

Table 9.3- Sample Privacy Regulations

Privacy and EthicsPAPA Component

Description Questions to Ask Yourself

Privacy What information about you must you reveal to others? What information should others be able to know about you

– with or without your permission? How is your information protected??

Accuracy Who is responsible for the accuracy of your information? Who is accountable for errors about your information? How do you remedy errors about your information?

Property Who owns your information? Who has the legal rights to your information? How is the distribution of your information regulated?

Accessibility Who individually can have access to your information? Which companies can have access to your information? What safeguards are in place when someone accesses your

information?


Table 9.4- PAPA Ethical Framework- For Students (Mason. 1986)

PAPA, Privacy Policies and FERPAReview the privacy policies you created earlier in this chapter and the information on FERPA regulation you read earlier. Answer the following questions and be prepared to discuss them in class.•How is each element of the PAPA model addressed in the privacy policy? Are any aspects of PAPA not addressed? Which ones (if any)?•How is each element of the PAPA model addressed by FERPA? Are any aspects of PAPA not addressed? Which ones (if any)?•Explain how the conditions under which a university can disclose information to parents relates to the property element of PAPA.


Summary

• There are four main categories of threats to information privacy: data collection, unauthorized secondary use of data, improper access to data, and errors in data.

• We identified several technologies used to infringe on and/or protect information privacy, such as cookies, cookie managers, privacy statements and policies, trust seals, and government regulations.

• Information privacy is one of the four components of the PAPA ethical framework, which include Privacy, Accuracy, Property, and


Summary

• Information privacy and information security are related concepts since it is mandatory for the information to be secured before it can be private. The reverse is not necessarily true since information that is protected from a security standpoint can still be shared with others, infringing on the privacy of the information.


Copyright 2012 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.

9-27Copyright 2012 John Wiley & Sons, Inc.

chapter 9 – protecting the confidentiality and privacy of information information systems, first...

Documents

use of data

amounts of information

personal information

data collection

edition john wiley sons

intelligence information

information collection

public data