Data Privacy and Breaches


1 Data Privacy and Breaches
Creating a culture of privacy awareness and how to respond to a breach
Carrie O’Brien

2 Agenda
Data Privacy
Data Breaches in Arizona
Data Breach exercise

3 Security and Privacy
Data Security—systems of protections around your data to adequately protect it.
Data Privacy—laws, regulations, public expectations on the data you maintain

4 Data Privacy should NOT be the Wild West

5 How to tackle it?

6 Sensitivity and Privacy
Needs: What data and what level of access is needed?
Regulations and Laws: State, federal and local laws dictate the sensitivity of data.
Stakeholder Concerns: What level of confidentiality do the owners of the data demand?

7 Do you know your data’s impact?
LOW: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
HIGH: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Source: National Institute of Standards and Technology, FIPS-199

8 Examine what data you maintain internally
Student Records
Teacher Records
Financial Records
Federal and State Programs
HR Records

9 Not All Data Are Created Equal - Group Exercise
Restricted
Sensitive
Public

10 Procedures for reporting or releasing data
Internal Controls:
  Use ID numbers to de-identify student data
  Role-based access to PII in databases
  Data Management (record retention)
IT Security:
  Physical security; authentication; firewalls/intrusion protection
Procedures for reporting or releasing data:
  Limit access to data to public schools through end user authentication (ADE Connect)
  Aggregation and redaction in data reports
  Application and review of all research requests
  Data Sharing Agreements with all outside parties

11 How ADE Processed Requests
Public Records Request:
  Public Records Request Tracking
  Legal
Aggregated Data Request:
  On-line data request form
  Data Governance tracking
  Peer reviewed prior to release
PII Data Request:
  Application Packet
  Reviewed by Chief Privacy Officer/Chief Data Officer
  Data Sharing Agreement

12 Public Records Requests
! Attachments
Looking for a needle in a haystack that might not be there
Custom Data Requests
ACLU v. DCS (2016)
Inadvertent Disclosures

13 Requests for aggregate data
Subgroup Asian Native Amer. African Amer. Hispanic White Total All Students 216 * 217 ELL Free Lunch 171 172 Migrant SPED 30

14 Creating Workplace Awareness of Data Privacy
Frequent and Relevant Employee Trainings on Privacy (and Security)
Educate employees on their responsibility to maintain privacy of data and report concerns
Mandatory reporting of potential privacy and security breaches by employees to remediate (no privacy JAIL).

15

16 Maricopa County Colleges Computer Hack Cost tops $26M
Auditors were able to hack Arizona DES during routine cybersecurity review
State auditors were able to access confidential information when testing cybersecurity at the Arizona Department of Economic Security, revealing vulnerabilities that could have put residents’ personal information at risk.
Jerod MacDonald-Evoy, The Republic | azcentral.com, 12:27 p.m. MT April 20, 2017

Maricopa County Colleges Computer Hack Cost tops $26M
Mary Beth Faller, The Republic | azcentral.com, Published 11:15 a.m. MT Dec. 17, 2014 | Updated 12:58 p.m. MT Dec. 17, 2014

Spear Phishing Attacks are Often the Root Cause of Security Breaches
More than one third (34%) of respondents who reported experiencing a spear phishing attack in the past year believe that such an attack resulted in the compromise of user login credentials (e.g., usernames, passwords) or unauthorized access to corporate IT systems.

17 Headlines You Never Want for Your City
Target breach exposes personal data of 110 million customers
County government settles potential HIPAA violations for $215k
Global cyberattack targets 300,000 machines in 150 countries, taking data hostage with ransomware

18 What are Network Security and Privacy Risks and Costs?
Legal liability to others for breach of credit/debit cards
Legal liability to others for breach of personally identifiable info (PII)
Legal liability to others for breach of personal health info (PHI)

19 What are Network Security and Privacy Risks and Costs?
Cyber extortion
Loss or damage of data (internal)
Loss of Community Confidence

20 Data Breach Costs

21 Causes of Data Loss
Other: 11.4%
3rd Party vendor: 4.3%
Hacker: 18.6%
Theft: 5.7%
System Glitch: 3.6%
Staff Error: 5%
Lost / Stolen Device: 20.7%
Rogue Employee: 12.1%
Paper Records: 8.6%
Malware/Virus: 10%
Source: 2013 NetDiligence® Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payouts for Covered Data Breaches.

22 Factors Affecting Public Sector
Enormous amount of personal data on employees (birthdates, SSNs, direct deposit/banking info)
Data is kept for decades
IT equipment not always state-of-the-art
Budgetary constraints

23 Takeaways
Expectations for data protection have increased
Where is your city or town vulnerable?
How will you increase awareness of data privacy expectations?
How will you respond to a breach?

24 Questions? Please contact the presenters:
Carrie O’Brien, Gust Rosenfeld (602)

25 Thank You.

