
1 Panel Discussion on Identity Theft and PII
Facilitated by Barry West, CIO, Department of Commerce
– Panelists: Kenneth Mortensen, DOJ; Marc Groman, FTC; Hillary Fielden, OPM; David Jarrell, Department of Commerce
October 9, 2007
If graphics are not accessible, please go to notes page for further explanation.

2 2007 Federal IT Summit, October 9, 2007
Hillary Fielden, hfielden@omb.eop.gov
Policy Analyst, Privacy Lead, Office of Management and Budget

3 Privacy FAQ
M-07-16 requires agencies to report all incidents involving PII to US-CERT within one hour of discovery / detection. This reporting requirement does not distinguish between potential and confirmed breaches.
– Is OMB going to revise this reporting requirement?
– Why is the reporting requirement a one-hour timeframe?
– Why does the requirement encompass suspected breaches as well as confirmed ones?

4 Privacy FAQ
M-07-16 defines PII as “information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
– Is this the only definition of PII?
– Is this definition limited to the context of breach notification?
– Should my agency develop its own definition of PII?
– Will other definitions for PII be developed in the future?

5 Privacy FAQ
M-07-16 includes several security and privacy requirements.
– Are agencies required to implement all of them?
– Have agencies implemented all of them?

6 Privacy FAQ
Will Federal agencies be prohibited from collecting or using SSN? Or, is the Federal government phasing out use of the SSN?
How do we determine whether the collection or use of SSN is necessary or unnecessary?

7 Marc Groman, Chief Privacy Officer, Federal Trade Commission
October 9, 2007, Federal IT Summit

8 Inventory
Inventory of Systems
Checklist for Employees
PII Questionnaire for Systems Managers
Inventory of Critical Data

9 Education and Training

10

11 Compliance

12 Incident Response
I. Introduction and Overview
II. Definitions and Purposes of the Breach Notification Plan
III. Breach Notification Response Team Membership
IV. Taking Steps to Control the Breach
V. Reporting of Incidents
VI. Initial Response to Breaches
VII. Identity Theft Risk Analysis
VIII. Analysis of Other Likely Harms
IX. Identity Theft Response
X. Notification of Individuals
XI. Notification to Third Parties
XII. Documentation of Breach Notification Response
XIII. Evaluation of Breach Response

13 Federal IT Summit
Marc Groman, Chief Privacy Officer, Federal Trade Commission
October 9, 2007

14 FEDERAL CIO SUMMIT
Office of the Chief Information Officer
October 9, 2007

15 Commerce Mission
“to foster, promote, and develop the foreign and domestic commerce”
Census Bureau
– Collect, analyze, and disseminate demographic and economic data about citizens, businesses, …
Patent and Trademark Office
– Applicant information and intellectual property
NOAA
– License application data
Bureau of Industry and Security
– Export license applications and requests
Just to mention a few…

16 Preparedness for PII
Commerce is serious about its responsibility to safeguard PII data. To ensure this:
– IT Security Awareness Training includes a focus on PII
– Reporting process includes Bureau/Office CIRT, DOC CIRT, US-CERT, FedCIRC, law enforcement, and the Inspector General
– Executive Management Team meets and discusses PII-related matters routinely: proactive in addition to reactive
– Policy on laptops and thumb drive usage; FIPS 140-2 encryption on all laptops
– Waiver process for any deviation from PII policy and controls, including the countermeasures put in place to allow the change
– Department’s ID Theft Task Force convened any time a moderate- or high-risk PII loss occurs, to implement a timely, risk-based, tailored response to each breach
– Breach Notification Response Plan details prompt and proper response to protect PII entrusted to Commerce

17 Commerce Breach Notification Work Flow Matrix

18 Commerce PII Risk Analysis Matrix

19 Evolving PII Issues
Policy changes, software and hardware tools
– Also a change in the business model: do we even need to collect certain data, e.g., SSNs?
HSPD-12 and PIV potential issues
Decennial Census 2010
New PII issues: what have we not imagined yet?

20 Dave Jarrell, djarrell@doc.gov
FEDERAL CIO SUMMIT

21
