Data Breaches and Privacy Concerns: An Overview

Slide Note
Embed
Share

Privacy expert Marilyn Prosch, Ph.D., sheds light on the significant issue of privacy, emphasizing recent data breaches in various institutions and outlining some alarming cases where sensitive information was compromised. The incidents range from stolen laptops and office break-ins to mishandling of paper-based records, highlighting the pervasive nature of privacy violations affecting thousands of individuals.

mide463
mide463 Follow

Uploaded on Oct 01, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. PRIVACY Marilyn Prosch, Ph.D., CIPP Arizona State University W.P. Carey School of Business Department of Information Systems Member AICPA/CICA Privacy Task Force

  2. IS PRIVACY REALLY ALL THAT BIG OF A PROBLEM?

  3. DATA BREACHES: WHERE IS THE HORSE? Some of the reported incidents that have recently occurred.

  4. Manhattan Veteran's Affairs Medical Center & New York Harbor Health Care System Swedish Medical Center Univ. of Pittsburgh, Med. Center St. Rita's Medical Center Beaumont Hospital Univ. Calif. Irvine Medical Center Baystate Medical Center Baylor Health Care System Inc. Sisters of St. Francis Health Services via Advanced Receivables Strategy DCH Health Systems Mercy Medical Center Group Health Cooperative Health Care Cedars-Sinai Medical Center Johns Hopkins Hospital System Southwest Medical Association Allina Hospitals and Clinics CBIZ Medical Management Professionals Prudential Financial Inc. Wuesthoff Medical Center Northeast Orthopaedics DePaul Medical Center Massachusetts General Hospital Christus Health Care Beacon Medical Services Seton Healthcare Network University of Pittsburgh Medical Center Kaiser Medical Center St. Anthony Central Hospital McAlester Clinic & Veteran's Affairs Medical Center Bue Cross/Blue Shield Akron Children's Hospital Highland Hospital Back and Joint Institute of Texas Emory University Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, Geisinger Health System, Williamson Medical Center via Electronic Registry Systems Palo Alto Medical Foundation Cleveland Clinic Gulf Coast Medical Center Jacobs Neurological Institute Erlanger Health System Parkland Memorial Hospital Westerly Hospital Deaconess Hospital CVS Pharmacies WellPoint's Anthem Blue Cross Blue Shield Health Resources, Inc. Moses Cone Hospital Kanawha-Charleston Health Dept. South County Hospital Kaiser Permanente Colorado Concord Hospital Harris County Hospital Providence Alaska Medical Center Swedish Urology Group Intermountain Health Care Stevens Hospital via billing company Med Data Gundersen Lutheran Medical Center Catskill Regional Medical Center New Hampshire Dept. of HS St. Mary's Hospital, MD Womancare Inc. WorkCare Orem North Carolina Dept. of HHS St. Vincent Hospital Mary Washington Hospital Sky Lakes Medical Center via Verus Inc New Hampshire's Lakes Region General Hospital Wellpoint's Empire Blue Cross/ Blue Shield NY Grady Memorial Hospital Segal Group of New York via web site of Vermont agency Georgia Dept. of Community Health Peninsula Orthopaedic Associates Healing Hands Chiropractic

  5. Some of the causes! A Blackberry containing patient information was stolen from the hospital. The Blackberry contained an email message that included patient information, such as Social Security numbers, dates of birth and medical histories. 3,200 people affected Laptop stolen from an employee's car. 14,000 people affected Laptop stolen from an employee's car. 9,300 people affected Office broken into and computer stolen. Unknown people affected Office broken into and laptop stolen. 1,000 people affected Tapes stolen while in transit. 100,000 people affected Paper-based records left on a train by an employee. 56 people affected Child welfare worker s records ended up with a local TV station. The files, which included names, Social Security numbers, contact information and details on child abuse investigations, reportedly were left behind when a DHS worker was evicted from a rent house. Paper based records stolen from an employee's car. 242 people affected Records posted on the Internet. The records appeared on a Web site visvabpo.com, which was a defunct company in India. 1,000 people affected Documents, such as labels from prescription bottles and old prescriptions, in unsecured dumpsters. Unknown people affected A woman was fired for allegedly spying. The employee had access to company files. 431 people affected Medical records were improperly disposed of when left in a dumpster behind the office.

  6. WHATIS PRIVACY?

  7. PRIVACY: AICPA/CICA DEFINITION PRIVACY encompasses the rights and obligations of individuals and organizations with respect to the Collection Use Disclosure, and Retention of personal information. 9

  8. Individuals Organizations Establish and communicate its privacy policies and commitments to the individual Provide choices or seek consent for the use of the personal information Collect, use, retain, and disclose personal information according to its privacy policies and commitments Allow the individual to update or correct personal information that is used by the organization Protect the personal information from unauthorized use and disclosure Otherwise adhere to its policies, applicable laws and regulations, and other agreements with the individual Be aware of the organization s privacy policies Provide accurate and appropriate information suited to the purpose for which the information is needed Rights and Obligations Notify the organization of inaccuracies in or changes to personal information used by the organization Adhere to applicable laws and regulations, and other agreements with the organization 10

  9. WHATISTHERELATIONSHIP BETWEENPRIVACYAND SECURITY?

  10. SECURITY, ASITRELATESTOPRIVACY Security of processes and technologies is a necessary, but not sufficient, condition of privacy Security Privacy Enhancing Technologies Policies & Procedures Privacy

  11. WHYSHOULDSYSTEMS PROFESSORS/PRACTIONERSCARE ABOUTDATAPROTECTIONAND PRIVACY?

  12. LASTWEEK VIRGINIA PRESCRIPTION MONITORING PROGRAMDRUGDATABASE HACKED Data hijackers deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records. The database of prescriptions had been bundled into an encrypted, password- protected file and payment of the ransom would result in the password to decrypt. Their backups seem to have gone missing, too. http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html?wprss=securityfix

  13. REASONS With enterprise systems, personal information (PI) is commingled with accounting transactions Much PI is part of accounting transaction data Data has value and that value can be an asset or a liability Good internal controls are a mechanism for protecting all assets

  14. WHATIS GAPP?

  15. WHAT IS GAPP? Generally Accepted Privacy Principles Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to help guide organizations in implementing, sustaining, and auditing privacy programs. 17

  16. AICPA/CICA GENERALLY ACCEPTED PRIVACY PRINCIPLES Available for free download and use 10 Principles of privacy and 66 criteria, (soon to have an additional 8 criteria with the new exposure draft is finished with the review process) http://infotech.aicpa.org/Resources/Privacy/

  17. WHATARETHE PRINCIPLES? Management:The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures. 1. 4. Collection: The entity collects personal information only for the purposes identified in the notice. 19 5. Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes. Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed. 2. Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information. 3.

  18. WHATARETHE PRINCIPLES? 6. Access: The entity provides individuals with access to their personal information for review and update. 9. Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice. 20 7. Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual. 10. Monitoring and Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes. 8. Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical).

  19. COMPONENTS OF GAPP Consistency ofCommitments With Privacy Policies and Procedures Infrastructure and Systems Management 21

  20. WHYHASTHE AICPA/CICA ISSUEDANUPDATETO GAPP IN THEFORMOFANEXPOSURE DRAFT?

  21. CONTINUOUSIMPROVEMENTOF GAPP Major changes Modification of 2 criteria 8 new criteria

  22. WHATISTHE GLOBAL PRIVACY STANDARD?

  23. GLOBAL PRIVACY STANDARD Final version of the GPS was formally in the United Kingdom, on November 3, 2006, at the 28th International Data Protection Commissioners Conference Championed and developed by Commissioner Ann Cavoukian, Ontario 10 Principles

  24. WHATARETHESENEWREDFLAG RULESTHATAREINTHENEWS?

  25. NEW RED FLAG RULESEFFECTIVEMAY 1, 2009: POSTPONEDUNTIL 8/1/2009 Require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. Originally effective May 1, 2009. The program can be different, depending on the organization s size and complexity. Thus, a small physician practice might have a much different program than a large hospital. Programs should include four basic points/steps, which could be covered under one or multiple policies. http://www.hinshawlaw.com/health-care-identity-theft-prevention-programs-and-red-flags-rules-compliance-03-10-2009/

  26. 4 REQUIRED STEPS Identify Common Red Flags Detect Red Flags Responses to Red Flags Program Execution and Updates http://www.hinshawlaw.com/health-care-identity-theft-prevention-programs-and-red-flags-rules-compliance-03-10-2009/

  27. WHATISTHERELATIONSHIPOF PRIVACYANDOTHERMORE TRADITIONALAREASOF AIS, AUDIT, ANDASSURANCE

  28. THEPRIMARYLINKTOTHESE 3 AREASIS effective internal controls! GAPP provides tangible criteria that can be audited and about which assurances can be made.

  29. 3 TRICKSTOGETTINGHORSESBACKINTHEBARN & KEEPINGTHEMTHERE Teach your horse that you are in control over him/her. Corporate Culture towards the use and management of personal information will likely have to change. Who owns and controls the data? Make it dang hard for the horse to do the wrong thing. Implement privacy enhancing policies, procedures, and controls. Ride a lot! Test the use and management of your data frequently.

  30. WHATARESOMERESEARCH OPPORTUNITIES?

  31. IMPLICATIONS FOR CA/CM RESEARCH Descriptive research: What are companies actually doing? Are they aware of the issues? If so, how are they handling these issues? Are they using some kind of data masking during these processes? Normative research: How can we build privacy protection into processes? Data tagging and masking Data replication (logging) Security around possession and handling Data life and destruction techniques (poison pills)

  32. FURTHER QUESTIONS? marilyn.prosch@asu.edu twitter.com/ProfofPrivacy

Related


Understanding the Privacy Paradox: Attitudes vs. Behaviors

Understanding the Privacy Paradox: Attitudes vs. Behaviors

clai_evi
NHS Sussex Conflicts of Interest Breach Register Summary May 2024

NHS Sussex Conflicts of Interest Breach Register Summary May 2024

nave_633
Privacy Breach Management Guide by Health PEI

Privacy Breach Management Guide by Health PEI

zack
FMCSA Privacy Awareness Training Overview for 2022

FMCSA Privacy Awareness Training Overview for 2022

natan
Importance of Privacy & Data Security Training in Healthcare

Importance of Privacy & Data Security Training in Healthcare

tach645
Privacy and Data Protection in the Digital Age

Privacy and Data Protection in the Digital Age

smer
NCVHS Subcommittee on Privacy Comments on HIPAA Privacy Rule for Reproductive Health Care

NCVHS Subcommittee on Privacy Comments on HIPAA Privacy Rule for Reproductive Health Care

haley
Privacy Considerations in Data Management for Data Science Lecture

Privacy Considerations in Data Management for Data Science Lecture

maen728
Understanding Privacy in Information Security Training

Understanding Privacy in Information Security Training

lillia
Privacy-Preserving Analysis of Graph Structures

Privacy-Preserving Analysis of Graph Structures

bilal
Understanding Privacy Rights in Europe: A Comprehensive Overview

Understanding Privacy Rights in Europe: A Comprehensive Overview

jesu_26
Dynamic Pricing Algorithms with Privacy Preservation in Personalized Decision Making

Dynamic Pricing Algorithms with Privacy Preservation in Personalized Decision Making

lillia
Understanding Data Privacy Laws and Regulations in Saudi Arabia

Understanding Data Privacy Laws and Regulations in Saudi Arabia

twyla
Ransomware and Data Breaches in Public Libraries Analysis

Ransomware and Data Breaches in Public Libraries Analysis

cinder
Anonymization Techniques in Data Privacy

Anonymization Techniques in Data Privacy

mona_9
Online Privacy Concern in Post-Transition Era: A Study on European Internet Users

Online Privacy Concern in Post-Transition Era: A Study on European Internet Users

raff_hea
Privacy Breach Response and Reporting under the Health Information Act

Privacy Breach Response and Reporting under the Health Information Act

renn_yl
Understanding Data Security and Privacy: An Overview of k-Anonymity, l-Diversity, t-Closeness, and Reconstruction Attacks

Understanding Data Security and Privacy: An Overview of k-Anonymity, l-Diversity, t-Closeness, and Reconstruction Attacks

strozier_k
Understanding Response Patterns to Data Breaches in Firm IT Investment

Understanding Response Patterns to Data Breaches in Firm IT Investment

alyssa
Kansas Student Data Privacy Legislation Overview

Kansas Student Data Privacy Legislation Overview

herme
Data Privacy in Sharing Sensitive Information

Data Privacy in Sharing Sensitive Information

vaid_955
Real-time Monitoring and Detection of Android Privacy Leakage

Real-time Monitoring and Detection of Android Privacy Leakage

sam_pla
Understanding IoT Privacy and Security in Addis Ababa Workshop 2019

Understanding IoT Privacy and Security in Addis Ababa Workshop 2019

kye
Understanding Big Data and Privacy Issues in Today's Society

Understanding Big Data and Privacy Issues in Today's Society

mpaul

More Related Content

Understanding Breach of Confidence and Privacy Rights in Legal Context
Understanding Breach of Confidence and Privacy Rights in Legal Context
Understanding Breach of Confidence and Privacy Rights in English Law
Understanding Breach of Confidence and Privacy Rights in English Law
Understanding Big Data: Privacy Implications and Social Impact
Understanding Big Data: Privacy Implications and Social Impact
PoSeID-on: Innovative Data Management Platform for Enhanced Privacy
PoSeID-on: Innovative Data Management Platform for Enhanced Privacy
Privacy-Aware Smart Buildings: Ensuring Privacy Policies and Preferences
Privacy-Aware Smart Buildings: Ensuring Privacy Policies and Preferences
The Importance of Privacy in the Media Landscape
The Importance of Privacy in the Media Landscape
Leveraging AI Technology for Humanization and Privacy in Industry
Leveraging AI Technology for Humanization and Privacy in Industry
Understanding Data Governance and Data Privacy in Grade XII Data Science
Understanding Data Governance and Data Privacy in Grade XII Data Science
Social Networks, Privacy, and Freedom of Association in the Digital Age
Social Networks, Privacy, and Freedom of Association in the Digital Age
Understanding Low Level Concerns in Safeguarding Children and Young People
Understanding Low Level Concerns in Safeguarding Children and Young People
Safeguarding Student Privacy in Educational Technology: A Comprehensive Guide
Safeguarding Student Privacy in Educational Technology: A Comprehensive Guide
Proposal for IEEE 802.11 Privacy Enhancement
Proposal for IEEE 802.11 Privacy Enhancement
Overview of Personal Data Protection Bill, 2018
Overview of Personal Data Protection Bill, 2018
Understanding Blockchain Data Structures and Hyperledger Implementation
Understanding Blockchain Data Structures and Hyperledger Implementation
Understanding Data Anonymization in Data Privacy
Understanding Data Anonymization in Data Privacy
Powering the Digital Economy: Regulatory Approaches to Securing Consumer Privacy, Trust, and Security
Powering the Digital Economy: Regulatory Approaches to Securing Consumer Privacy, Trust, and Security
Understanding VA Privacy Issues and Sensitive Information
Understanding VA Privacy Issues and Sensitive Information
Understanding Data Collection and Analysis for Businesses
Understanding Data Collection and Analysis for Businesses
HIPAA and Research Data Security Training for Researchers at BU Charles River Campus
HIPAA and Research Data Security Training for Researchers at BU Charles River Campus
Understanding the Risks and Privacy Challenges in the Internet of Things
Understanding the Risks and Privacy Challenges in the Internet of Things
Understanding AI, Privacy, and Data in Cybersecurity
Understanding AI, Privacy, and Data in Cybersecurity
Enhancing Privacy and Anonymous Communications with Technology
Enhancing Privacy and Anonymous Communications with Technology
Privacy and Registered Training Organisations: Lessons and Insights
Privacy and Registered Training Organisations: Lessons and Insights
Privacy-Preserving Prediction and Learning in Machine Learning Research
Privacy-Preserving Prediction and Learning in Machine Learning Research