Panel Discussion on Identity Theft and PII. Facilitated by Barry West, CIO, Department of Commerce. Panelists: Kenneth Mortensen, DOJ; Marc Groman, FTC; Hillary Fielden, OPM; David Jarrell, Department of Commerce.

Presentation transcript:

Panel Discussion on Identity Theft and PII
Facilitated by Barry West, CIO, Department of Commerce
Panelists: Kenneth Mortensen, DOJ; Marc Groman, FTC; Hillary Fielden, OPM; David Jarrell, Department of Commerce
October 9, 2007

2007 Federal IT Summit October 9, 2007 Hillary Fielden Policy Analyst, Privacy lead Office of Management and Budget

Privacy FAQ
M requires agencies to report all incidents involving PII to US-CERT within one hour of discovery / detection. This reporting requirement does not distinguish between potential and confirmed breaches.
– Is OMB going to revise this reporting requirement?
– Why is the reporting requirement a one hour timeframe?
– Why does the requirement encompass suspected breaches as well as confirmed ones?

Privacy FAQ
M defines PII as “information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
– Is this the only definition of PII?
– Is this definition limited to the context of breach notification?
– Should my agency develop its own definition of PII?
– Will other definitions for PII be developed in the future?

Privacy FAQ
M includes several security and privacy requirements.
– Are agencies required to implement all of them?
– Have agencies implemented all of them?

Privacy FAQ
– Will Federal agencies be prohibited from collecting or using SSN? Or, is the Federal government phasing out use of the SSN?
– How do we determine whether the collection or use of SSN is necessary or unnecessary?

Marc Groman, Chief Privacy Officer Federal Trade Commission October 9, 2007 Federal IT Summit

Inventory
– Inventory of Systems
– Checklist for Employees
– PII Questionnaire for Systems Managers
– Inventory of Critical Data

Education and Training

Compliance

Incident Response
I. Introduction and Overview
II. Definitions and Purposes of the Breach Notification Plan
III. Breach Notification Response Team Membership
IV. Taking Steps to Control the Breach
V. Reporting of Incidents
VI. Initial Response to Breaches
VII. Identity Theft Risk Analysis
VIII. Analysis of Other Likely Harms
IX. Identity Theft Response
X. Notification of Individuals
XI. Notification to Third Parties
XII. Documentation of Breach Notification Response
XIII. Evaluation of Breach Response

Federal IT Summit Marc Groman, Chief Privacy Officer Federal Trade Commission October 9, 2007

FEDERAL CIO SUMMIT Office of the Chief Information Officer October 9, 2007

Commerce Mission
“to foster, promote, and develop the foreign and domestic commerce”
– Census Bureau: Collect, analyze, and disseminate demographic and economic data about citizens, businesses, …
– Patent and Trademark Office: Applicant information and intellectual property
– NOAA: License application data
– Bureau of Industry and Security: Export license applications and requests
Just to mention a few…

Preparedness for PII
Commerce is serious about its responsibility to safeguard PII data. To ensure this:
– IT Security Awareness Training includes focus on PII
– Reporting process includes Bureau/Office CIRT, DOC CIRT, US-CERT, FedCIRC, law enforcement, and the Inspector General
– Executive Management Team meets and discusses PII related matters routinely: proactive in addition to reactive
– Policy on laptops, thumb drive usage, FIPS encryption on all laptops
– Waiver process for any deviation from PII policy and controls, to include countermeasures put in place to allow the change
– Department’s ID Theft Task Force convened anytime a moderate or high risk PII loss occurs, to timely implement a risk-based, tailored response to each breach
– Breach Notification Response Plan: plan details prompt and proper response to protect PII entrusted to Commerce

Commerce Breach Notification Work Flow Matrix

Commerce PII Risk Analysis Matrix

Evolving PII Issues
– Policy changes, software and hardware tools; also a change in the business model: do we need to even collect certain data, i.e., SSNs?
– HSPD-12 and PIV potential issues
– Decennial Census 2010
– New PII issues: what have we not imagined yet?

Dave Jarrell FEDERAL CIO SUMMIT