Chapter 9 – Protecting the Confidentiality and Privacy of Information
Information Systems, First Edition, John Wiley & Sons, Inc.
by France Belanger and Craig Van Slyke
Contributor: Brian West, University of Louisiana at Lafayette
Copyright 2012 John Wiley & Sons, Inc.
The ChoicePoint Story
ChoicePoint was created in 1997 as a spinoff of the insurance services unit of the Equifax corporation. The company’s business model involves collecting public data about individuals, organizing the data into databases, and selling the results. ChoicePoint also provides intelligence information to law enforcement and counterintelligence agencies. ChoicePoint mistakenly released data on thousands of Americans (approximately 162,000) to fraudsters who created false accounts. ChoicePoint’s stated position is that the entities maintain the source data and are therefore responsible for keeping them accurate.
Focusing Questions
• How much data do you think ChoicePoint has about you? Give specific examples.
• Where do you think the data that ChoicePoint has about you comes from?
• Why is ChoicePoint allowed to sell your data to companies and agencies?
• Should ChoicePoint be held accountable for the accuracy of the data they sell to companies and agencies?
Information Privacy
• Privacy of information is the confidentiality of the information collected by organizations about the individuals using their services
• Everyone is concerned about their own information privacy, but also about the privacy of customers, employees, business partners, students, parents, children, and more
Data Collection
• It has become easier and faster to collect ever increasing amounts of information
• Data can be collected without anyone’s awareness, for example through the use of cookies
– Cookies
– Clickstream data
– Online forms
Secondary Use of Information
• The use of data for purposes other than those for which they were originally collected
• “Opt-in” or “opt-out” options when submitting personal information
• When information collection and use are not regulated, you have the responsibility of protecting data
• Be aware of the risks!
Privacy Pizza
The Privacy Pizza video can also be found at: http://www.aclu.org/pizza/
• Do you think access to the various types of information identified is regulated or not?
• For the technologies identified, are the technologies widely available today?
• How likely is it that a pizza shop/company can use such technologies?
• What can someone do to prevent this situation from happening to him or her?
Identity Theft
• Almost 10 million identity theft victims in 2008 in the United States
• 71% of fraud happens within a week of stealing a victim’s personal data
• Low-tech methods for stealing personal information are more popular than technology-driven methods
Types of Fraud
How much would you be willing to pay for?
• A valid credit card number with a security code?
• Valid bank account details including the PIN (Personal Identification Number)?
• A valid social security number?
• A complete new (valid) identity?
Protecting yourself
• Watch for shoulder-surfers who observe what you are typing.
• Request photo identification when someone asks for your information.
• Shred everything that has any data about you.
• Destroy digital data by going beyond a simple delete.
• Really check the statements you receive.
• Limit the information provided on your checks.
• Request your free annual credit report and check it!
• Do not use your Social Security Number unless it is absolutely needed.
Organizational Consequences
If organizations fail to protect the privacy of their customers’ information, then their reputation can suffer
• ChoicePoint consequences
– Send notices to all customers
– 1 year of credit monitoring to affected customers
– Open toll-free line to deal with issues
– $15 million total costs ($10 to FTC, $5 to customers)
Cookies and Cookie Managers
• Cookies are small text files located on your computer, to store information about you, your accounts, and your computer
• Information not typed in can also be stored in cookies ( )
• When accessing some sites, browsers transmit information contained in stored cookies
Cookies and Cookie Managers
• Privacy settings within a web browser can help protect data
• Cookie managers are available to delete unwanted or dangerous cookies
Figure 9.1 - Cookies identified with IECookiesView
Cookie Management Tools
Table 9.1 - Sample Cookie Management Tools

| Name | Description | Creator and Link |
|---|---|---|
| Cookie Cruncher | | Rendering Better Avenues Software, http://www.rbaworld.com/Programs/CookieCruncher/ |
| Cookie Crusher | Cookie manager | The Limit Software, http://download.cnet.com/Cookie-Crusher/3000-2144_4-10006576.html |
| Cookie Monster | Cookie manager | AMPsoft |
| Maxa Cookie Manager | Freeware cookie manager | Maxa Research, http://www.maxa-tools.com/cookie.php |
| Cookie Pal | Cookie manager | Kookaburra Software |
| Extended Cookie Manager | | Sven Jost |
| IECookiesView | | Nir Sofer, http://www.nirsoft.net/utils/iecookies.html |
| Window Washer | | Webroot Software, http://www.webroot.com/En_US/consumer-products-windowwasher.html |
Privacy Policy Creation
Two of your best friends from class have asked you to join them in a new venture they are starting to sell customized high quality university branded apparel. They want you to be the Chief Technology Officer. You have been asked to provide a privacy policy regarding your handling of customer data.
• Go to one of these sites (or another free tool) to create your privacy policies.
• OECD: http://www2.oecd.org/pwv3/
or
• The Direct Marketing Association (use the visitor sign on): http://www.dmaresponsibility.org/PPG/
• Bring your resulting policy to class (if the activity is performed before class).
• Be prepared to discuss how you created your policy and which decisions you had to make.
Privacy Statement or Policy
• A privacy policy is a statement that describes what the organization’s practices are.
• The information contained in the privacy policies of companies usually follows:
• The FIP principles provide guidance for how to deal with personal information
Fair Information Practices – Privacy Policy
Table 9.2 - Mapping Fair Information Practices to Privacy Policies

| Fair Information Principle | Privacy Policies |
|---|---|
| Notice/Awareness | what data we are collecting; how the data are collected; what we are doing with the data; why we are collecting the data; which other companies we may or may not share the data with |
| Choice/Consent | how you can (or not) opt out of us collecting these data about you |
| Access/Participation | how you can access the data we have about you |
| Integrity/Security | what actions we are taking to protect the data |
| Enforcement/Redress | how you can fix errors in our data about you |
Privacy Seals
• Seals are an attempt by companies at self-regulation regarding privacy of consumers
• Some company or organization develops a seal program with a logo that companies can post on their website if they follow certain rules
• Only 25% of consumers seem to recognize seal features on websites (Harris 2001), and many users will acquire goods or services regardless of whether trust seals are present or not (Bélanger, Hiller et al. 2002)
Why your advisor can’t talk to your parents.
Legislation exists to protect information privacy of individuals in a number of specific cases, such as financial information, health information, children, and even students.
• Go to the FERPA website for students: http://www.ed.gov/policy/gen/guid/fpco/ferpa/students.html. This link is available on the book website.
• Pay particular attention to the types of information covered by FERPA and individuals to whom protected information can be released. Answer the following questions and be prepared to discuss them in class.
• What types of information are protected under FERPA?
• Under what conditions may school officials provide protected information to parents? In your opinion, how do these conditions relate to the concept of “owning” your personal data?
• Why do you think FERPA was created? What problem did it solve?
• Compare the protections afforded by FERPA to the privacy policies you examined in Exercise ##. What elements do they have in common? How are they different? Which has stronger protections?
Government Privacy Regulations
• There are specific situations where governments have created regulations to protect information privacy
• Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
• Family Educational Rights and Privacy Act (FERPA)
• Children's Online Privacy Protection Act of 1998 (COPPA)
Government Privacy Regulations
Table 9.3 - Sample Privacy Regulations

| Law | Description | Source |
|---|---|---|
| Children's Internet Protection Act of 2001 (CIPA) | | http://www.fcc.gov/cgb/consumerfacts/cipa.html |
| Children's Online Privacy Protection Act of 1998 (COPPA) | Prevents websites from collecting personally identifiable information from children without parental consent. | http://www.ftc.gov/ogc/coppa1.htm |
| Electronic Communications Privacy Act of 1986 (ECPA) | Regulates access, use, disclosure, interception and privacy protections of electronic communications. | http://legal.web.aol.com/resources/legislation/ecpa.html |
| Family Educational Rights and Privacy Act (FERPA) | | http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html |
| Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA) | Provides regulations to protect consumers’ personal financial information held by financial institutions. | http://www.ftc.gov/privacy/privacyinitiatives/glbact.html |
| Health Insurance Portability and Accountability Act (HIPAA) | | http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html |
Privacy and Ethics
Table 9.4 - PAPA Ethical Framework - For Students (Mason, 1986)

| PAPA Component | Description (Questions to Ask Yourself) |
|---|---|
| Privacy | What information about you must you reveal to others? What information should others be able to know about you – with or without your permission? How is your information protected? |
| Accuracy | Who is responsible for the accuracy of your information? Who is accountable for errors about your information? How do you remedy errors about your information? |
| Property | Who owns your information? Who has the legal rights to your information? How is the distribution of your information regulated? |
| Accessibility | Who individually can have access to your information? Which companies can have access to your information? What safeguards are in place when someone accesses your information? |
PAPA, Privacy Policies and FERPA
Review the privacy policies you created earlier in this chapter and the information on FERPA regulation you read earlier. Answer the following questions and be prepared to discuss them in class.
• How is each element of the PAPA model addressed in the privacy policy? Are any aspects of PAPA not addressed? Which ones (if any)?
• How is each element of the PAPA model addressed by FERPA? Are any aspects of PAPA not addressed? Which ones (if any)?
• Explain how the conditions under which a university can disclose information to parents relate to the property element of PAPA.
Summary
• There are four main categories of threats to information privacy: data collection, unauthorized secondary use of data, improper access to data, and errors in data.
• We identified several technologies used to infringe on and/or protect information privacy, such as cookies, cookie managers, privacy statements and policies, trust seals, and government regulations.
• Information privacy is one of the four components of the PAPA ethical framework, which include Privacy, Accuracy, Property, and
Summary
• Information privacy and information security are related concepts since it is mandatory for the information to be secured before it can be private. The reverse is not necessarily true since information that is protected from a security standpoint can still be shared with others, infringing on the privacy of the information.
Copyright 2012 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.