Digital Privacy: Laws, Rights, and Protections. Deborah A. Robinson, CISSP, Chief Information Security Officer, Georgia Perimeter College. 5/7/2015

Slide 1: Digital Privacy: Laws, Rights, and Protections
Deborah A. Robinson, CISSP, Chief Information Security Officer, Georgia Perimeter College
5/7/2015

Slide 2: How many records were reported compromised in 2009?
- 285 million
- 662 data breaches reported in 2010, up from 250 reported in 2009

Slide 3: How long does it take to break your password?
- 6 days to break a reasonably strong password (10 characters) with 5 lowercase, 2 uppercase and 3 numbers
- Less than 2 minutes to break an 8 character password with uppercase, lowercase, and numbers
- More common passwords like "test", "password" or "123" will be cracked instantly
- Per SANS statistics
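As an added example (not part of the presentation), the following Python calculation shows what sits behind the two password figures on this slide and behind the "Use strong passwords" advice later in the deck: the number of candidate passwords an attacker would have to try. It counts the passwords matching a stated composition (5 lowercase, 2 uppercase, 3 digits in any order) against an unconstrained alphanumeric password of the same length, and converts both to bits of strength and to worst-case exhaustion time. The guess rate and the 4/2/2 split used for the 8 character case are assumptions made for illustration, not SANS figures.

```python
import math

# Character classes used by the presentation's password examples.
LOWER, UPPER, DIGITS = 26, 26, 10
ALNUM = LOWER + UPPER + DIGITS  # 62 symbols: a-z, A-Z, 0-9


def unconstrained_keyspace(length: int, alphabet_size: int = ALNUM) -> int:
    """Distinct passwords of `length` characters chosen freely from the alphabet."""
    return alphabet_size ** length


def composition_keyspace(lower: int, upper: int, digits: int) -> int:
    """Distinct passwords containing exactly `lower` lowercase letters, `upper`
    uppercase letters and `digits` digits, in any order.

    The count is the number of ways to assign classes to positions (a
    multinomial coefficient) times the choices available within each class.
    Telling an attacker the composition shrinks the search this much.
    """
    n = lower + upper + digits
    arrangements = math.comb(n, lower) * math.comb(n - lower, upper)
    return arrangements * LOWER ** lower * UPPER ** upper * DIGITS ** digits


def entropy_bits(keyspace: int) -> float:
    """Strength in bits: log2 of the number of equally likely candidates."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace / guesses_per_second


def compare(length: int, lower: int, upper: int, digits: int,
            guesses_per_second: float) -> dict:
    """Put the composition-constrained and unconstrained figures side by side."""
    constrained = composition_keyspace(lower, upper, digits)
    free = unconstrained_keyspace(length)
    return {
        "constrained_keyspace": constrained,
        "constrained_bits": entropy_bits(constrained),
        "unconstrained_keyspace": free,
        "unconstrained_bits": entropy_bits(free),
        "reduction_factor": free / constrained,
        "constrained_days": seconds_to_exhaust(constrained, guesses_per_second) / 86400,
        "unconstrained_days": seconds_to_exhaust(free, guesses_per_second) / 86400,
    }


if __name__ == "__main__":
    # ASSUMED guess rate, chosen only for illustration (not a figure from the slides).
    RATE = 1e9
    cases = (
        ("10 chars: 5 lower, 2 upper, 3 digits (slide 3)", (10, 5, 2, 3)),
        ("8 chars: mixed case + digits (ASSUMED 4/2/2 split)", (8, 4, 2, 2)),
    )
    for label, args in cases:
        print(label)
        for key, value in compare(*args, RATE).items():
            if isinstance(value, float):
                print(f"  {key:>22}: {value:,.2f}")
            else:
                print(f"  {key:>22}: {value:,}")
```

The useful comparison is `reduction_factor`: a 10 character password whose composition is known to the attacker has roughly 41 times fewer candidates than a free 10 character alphanumeric one, which is why published composition rules buy less than their length suggests.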

Slide 4: Which country hosts the most phishing attacks?
- The United States
- In the first half of 2010, the United States hosted 70-80% of all such sites
- Second and third place were Hong Kong and China

Slide 5: The average security breach in 2010 cost the enterprise $7.2 million. The average cost per record was $214.

Slide 6: Do you know where your mobile devices are?
- 10 to 15 percent of all handheld computers, smart phones, and cell phones are eventually lost by their owners
- Losses (theft/other) per 1,000 laptops last year were just under 20

Slide 7: Cyber Crime
- Identity theft is the fastest growing crime, according to the Federal Trade Commission
- Experts estimate that about 10 million people become victims each year. That means every minute, 19 people become new victims of identity fraud!
- Drug trafficking has been replaced by identity theft as the number one crime
- The major player is now organized crime, responsible for 70% and billions in ill-gotten gains

Slide 8: In the News
- A security firm discovered a botnet responsible for stealing sensitive data from more than 2,500 companies, gov't agencies, and educational institutions over the past 18 months
- The company found a 75GB cache of data that included 68,000 logon credentials and access to systems, online banking sites, Facebook, Yahoo, Hotmail, and others
- The company described it as "a vast cache of dossier-level data sets on individuals including complete dumps of entire identities from victim machines"
- Once infected, the botnet can capture everything the victim types (including passwords), files, cookies, and usernames, and provides full remote control
- Once an endpoint is infected, the attacker then makes their way onto the primary network

Slide 9: Digital Privacy

Slide 10: Digital Privacy - Issues: Risks
- Identity theft and fraud
- Profiling and commercial targeting
- Personal attacks

Slide 11: Digital Privacy - Issues: Threats
- Malware*
- Social networking (many issues)
- Phishing
- Impersonation
- Cookies and web bugs
- Cloud computing (HealthVault, Flickr, Gmail)
- Data mining
- Web browsing history
- Digital trails and retained data

Slide 12: Digital Privacy - Issues: Malware (Malicious Software)
- Viruses, trojans, worms
- Root kits, botnets
- Key loggers and scrapers
- Spyware, adware, spam

"Malware has, in fact, become professionalized. Malware is now coded by professional software developers, often working for organized crime. Malware authors now employ encryption to make detection more difficult, and, in the spirit of the best defense being a good offense, aggressively target and remove security software and even rival malware. This evolution in the nature of malware behavior is forcing security experts to change their approach to security, moving from a threat recognition model to a behavior analysis model."

Slide 13: Digital Privacy - Issues: Did You Know?
You can buy on the underground Internet:
- Identity data: $1-$15
- Credit card numbers: $.10-$20
- Malware kits: $25 and up

Slide 14: Digital Privacy - Protections: Laws and Regulations
- Electronic Communications Privacy Act
- Computer Fraud and Abuse Act
- Identity Theft Enforcement and Restitution Act
- The Children's Online Privacy Protection Act
- FERPA
- HIPAA/HITECH and Health Breach Notification Rule
- PCI DSS
- GLBA
- Red Flags Rule
- Privacy and Identity Theft Notification Laws
- USA PATRIOT Act

Slide 15: Digital Privacy - Protections: Electronic Communications Privacy Act
- Derived from Fourth Amendment protection against unreasonable search and seizure
- Regulates when and how law enforcement can intercept and use electronic communication
- Protects electronic and telephone communications from non-government eavesdroppers
- Amended by USA PATRIOT Act
- Administered by Department of Justice

Slide 16: Digital Privacy - Protections: Computer Fraud and Abuse Act
- Prohibits unauthorized use of computers: hacking, implementing malware, data theft, etc.
- Prohibits trafficking in passwords or other unauthorized means of access
- Amended by USA PATRIOT Act
- Administered by Department of Justice

Slide 17: Digital Privacy - Protections: Identity Theft Enforcement and Restitution Act
- Strengthens federal prosecution of identity theft crimes
- Makes certain acts felonies that were previously misdemeanors
- Allows for the restitution of victims of identity theft

Slide 18: Digital Privacy - Protections: Children's Online Privacy Protection Act
- Applies to online collection of information from children under 13
- Must post easily accessible policy
- Must obtain parental consent for gathering information from the child
- Administered by FTC

Slide 19: Digital Privacy - Protections: FERPA (Family Educational Rights and Privacy Act)
- Specifies rights to view educational data
- Protects against unauthorized disclosure of educational data
- Requires reasonable and appropriate protection of educational data
- Administered by Department of Education

Slide 20: Digital Privacy - Protections: HIPAA/HITECH and Health Breach Notification Rule
- HIPAA: Health Insurance Portability and Accountability Act
- Applies to health conditions, treatments, and payment
- Requires enterprises to implement reasonable and appropriate security to protect your information
- Failure to comply carries fines and criminal penalties
- Consumers must be notified of security breaches and unauthorized exposure of protected information
- HIPAA and HITECH: administered by HHS
- Health Breach Notification Rule: administered by FTC

Slide 21: Digital Privacy - Protections: HIPAA/HITECH Non-compliance
- Rite Aid: fined $1 million, 7/2010, improper disposal of data
- General Hospital Corp. and Massachusetts General Physicians Organization Inc.: fined $1 million, 2/2011, document left on subway
- CVS: fined $2.25 million, 2/2009, improper disposal of data

Slide 22: Digital Privacy - Protections: PCI DSS (Payment Card Industry Data Security Standard)
- Industry regulation from the credit card companies
- Specifies detailed security measures for merchants handling credit and debit card information
- Requires levels of compliance verification
- Stiff fines levied by payment card companies
- Ability for merchants to take cards can be revoked
- Administered by individual credit card companies and acquiring banks

Slide 23: Digital Privacy - Protections: PCI, TJX Data Breach
- 2/2007
- Loss of 45 million credit and debit card records
- $40.9 million settlement with Visa
- Unsecured wireless

Slide 24: Digital Privacy - Protections: PCI, CardSystems Solutions
- MasterCard processor
- 6/2005
- Loss of up to 40 million credit card records
- Lack of reasonable and appropriate security

Slide 25: Digital Privacy - Protections: PCI, HeartLand Payment Systems
- 1/2009
- Loss of tens of millions of credit card records
- $60 million settlement with Visa
- Keylogger

Slide 26: Digital Privacy - Protections: GLBA (Gramm Leach Bliley Act)
- The Financial Privacy Rule: governs collection and disclosure of customers' personal financial information by financial institutions and other companies that receive the information, with specific privacy policy requirements
- The Safeguards Rule: requires financial and other institutions to design, implement, and maintain safeguards (security) to protect customer information
- Pretexting protection: reduces the chances of someone gaining unauthorized access to customer information by impersonation, phishing, social engineering, etc.
- Weak enforcement and compensation mechanisms
- Administered by Federal Trade Commission

Slide 27: Digital Privacy - Protections: Red Flags Rule
- Part of the Fair and Accurate Credit Transactions (FACT) Act
- Requires financial institutions and creditors to implement an Identity Theft Prevention Program
- Designed to detect warning signs, or "red flags", of identity theft in day-to-day operations
- Examples: alerts from credit agencies or customers of possible identity theft, suspicious customer documents, suspicious personal identifying information, unusual activity on the account
- Administered by Federal Trade Commission

Slide 28: Digital Privacy - Protections: Privacy and Identity Theft Notification Laws
- State laws that specify protections and/or notifications for unauthorized disclosure of personally identifiable information (PII)
- Currently 47 states; first was California, strongest is Massachusetts
- Georgia law: specifies timely notification to any individuals whose unencrypted personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person

Slide 29: Digital Privacy - Protections: USA PATRIOT Act
- USA PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
- Reduced restrictions on law enforcement agencies' ability to search telephone, communications, medical, financial, and other records
- Expanded access to a variety of business records
- Significantly expanded wiretapping, surveillance, and physical search capabilities, with "intelligence" warrants not requiring probable cause or a specific location
- Weakened privacy rights

Slide 30: Digital Privacy - Protections: What Organizations Do to Protect Your Data
- Identify risks to sensitive data
- Implement an information security program to ensure adequate protection of sensitive data:
  - Policies and procedures
  - Incident response plans
  - Security awareness
  - Encryption of sensitive data
  - Technical security measures
- Comply with industry standard security practices
- Comply with applicable laws and regulations

Slide 31: Digital Privacy - Protections: What You Can Do
Protect your PII (Personally Identifiable Information)
- Name + SSN, driver's license number, any financial account number, address, phone number
- Never give it out unless necessary
- Don't put it on social media; you can't take it back
- Be sure who you're giving it to
- Use the sniff test

Slide 32: Digital Privacy - Protections: What You Can Do
Practice good security
- Opt out
- Use strong privacy settings
- Read policies and agreements
- Patch and apply upgrades
- Use current AV and firewalls
- Use strong passwords
- Search and surf anonymously
- Don't click on anything unsolicited
Think – be smart!

Slide 33: Digital Privacy - Protections: What You Can Do
Anonymizers
- Most use proxy servers and multiple relays
- Tor Network
- I2P
- ShadowSurf
- Startpage (private search engine)
- Anonymous remailers

Slide 34: Digital Privacy: Report problems!!!

Slide 35: Information Security
