<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CIPP Guide &#187; Privacy</title>
	<atom:link href="http://www.cippguide.org/category/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cippguide.org</link>
	<description>Your Guide to the CIPP</description>
	<lastBuildDate>Tue, 27 Jul 2010 12:00:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Google Buzz</title>
		<link>http://www.cippguide.org/2010/06/08/google-buzz/</link>
		<comments>http://www.cippguide.org/2010/06/08/google-buzz/#comments</comments>
		<pubDate>Tue, 08 Jun 2010 12:00:13 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Beacon]]></category>
		<category><![CDATA[Buzz]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[CIPP/C]]></category>
		<category><![CDATA[Consent]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Fair Information Principles]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Google Maps]]></category>
		<category><![CDATA[Google Street View]]></category>
		<category><![CDATA[Harriet Jacobs]]></category>
		<category><![CDATA[Jennifer Stoddart]]></category>
		<category><![CDATA[limiting data collection]]></category>
		<category><![CDATA[opt-in]]></category>
		<category><![CDATA[opt-out]]></category>
		<category><![CDATA[Privacy Commissioner]]></category>
		<category><![CDATA[Reader]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Street View]]></category>

		<guid isPermaLink="false">http://www.cippguide.com/?p=1870</guid>
		<description><![CDATA[When Google launched its social networking tool, Google Buzz in February 2010, privacy advocates around the world raised concerns regarding its features. Although Google has since made significant changes, the compromises and intrusions of privacy still remain a troubling characteristic of many Web services and online networking [...]]]></description>
			<content:encoded><![CDATA[<p>When <a href="http://www.cippguide.org/tag/google/">Google</a> launched its social networking tool, <a href="http://www.google.com/buzz">Google Buzz</a> in February 2010, privacy advocates around the world raised concerns regarding its features. Although Google has since made significant changes, the compromises and intrusions of privacy still remain a troubling characteristic of many Web services and <a href="http://www.cippguide.org/tag/social-networking/">online networking applications</a>.</p>
<h2>Introducing Google Buzz</h2>
<p>Google launched what it expected would be the Twitter/Facebook competitor, Google Buzz, on February 9, 2010. It was advertised as “a new way to share updates, photos, videos and more, and start conversations about the things you find interesting.” Buzz was designed to integrate with Gmail – which already had over 146 million users at the time of the launch – and to share interface elements with other Google products, such as <a href="http://www.google.com/reader/view/">Google Reader</a>.</p>
<p>The service can also be accessed through supported mobile devices. The mobile version of Buzz is integrated with <a href="http://maps.google.com/">Google Maps</a>, in order to let users know their location and identify other users who are around them.</p>
<p>Buzz was received with great interest. In the first two days after its launch, tens of millions of users created over nine million posts and comments. On average, there were over 200 posts per minute through mobile phones worldwide.</p>
<h2>Responses</h2>
<p>However, not all responses to Buzz were positive. Immediately after its introduction, privacy-minded users noticed that Buzz automatically set them up with followers and people to follow. This group of followers is chosen based on the contacts the user emails and chats with the most.</p>
<p>Another issue of concern was that the people a user follows and the people that follow the user are made public to anyone viewing the user’s profile. This is the default setting, which allows anyone who views a profile to see the people who a user chats with or emails most. The implications of this setting were worrisome to some users. For instance, a boss may discover that a subordinate has frequent email contact with executives at a competing firm.</p>
<p>What was distressing to most critics was that Google did not openly explain how the publicly viewable follower lists were determined. Buzz’s unclear opt-out approach put many users in the position of unknowingly sharing personal information. It is clear that Google’s choice to design the lists to show publicly by default was a strategic decision to get as many people using Buzz as quickly as possible. While it may be a helpful setting for some users, others may not feel comfortable with sharing with the world who they email or chat with most.</p>
<p>This glaring privacy flaw was brought to the spotlight two days after Buzz was launched, when <a href="http://www.fugitivus.net/2010/02/11/fuck-you-google/">Harriet Jacobs</a> saw her personal information revealed to her ex-husband and his abusive friends. Unfortunately, Google automatically allowed her most frequent contacts to view her Google Reader, all the comments on her Reader, as well as her current location, workplace and other sensitive information. Her most frequent email contacts happened to be her ex-husband, his friends and other hostile blog commenters. She was unable to block these users as she never created a Google profile or Buzz profile, which left her unable to prevent them from following her.</p>
<h2>Making Changes</h2>
<p>Within three days of launching Buzz, Google issued a public apology and made some changes to the program in response to the widely-publicized consumer privacy concerns. It added a more visible opt-out selection to allow users to choose not to show their connections or followers on their profile. This was a rapid response to user concerns, especially when compared to Facebook’s <a href="http://www.circleid.com/posts/a_look_at_the_facebook_privacy_class_action_beacon_settlement/">Beacon privacy problems</a> in 2007, which took over a month to resolve.</p>
<p>Although the changes were a positive step in terms of supporting user privacy rights, critics pointed out that Google did not go far enough to address immediate concerns. For instance, the selection box for sharing followers was checked by default. Since this is an option for sharing private or sensitive information, many argued that the box should be unchecked. Given its nature, it would be best to leave that as an opt-in feature.</p>
<p>Furthermore, the opt-out selection did not give users an adequate explanation as to what they were allowing Buzz to publish. Users were not informed that Buzz would publish the list of people they email and chat with most. Although the privacy settings could be adjusted, the problem was that most users do not know how to change these settings. The majority of users simply click “save and continue” until the application is fully set up, unfortunately reading little of the information contained in the dialog boxes. This made it clear that Google’s changes were an inadequate response to the scope and implications of users’ concerns.</p>
<p>In April 2010, privacy officials from Canada, Germany, France, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the UK raised privacy concerns regarding Google Buzz, as well as other Google services. The letter pointed out that even months after its launch, Buzz was still disregarding its users’ privacy rights, despite Google’s promises to the contrary.</p>
<h2>Opt-In vs. Opt-Out</h2>
<p><a title="CIPPGuide: Opt out articles" href="./tag/opt-out/" target="_self">Opt-out mechanisms</a> give users the opportunity to express non-agreement to a specific purpose. Unless the user takes action to opt-out, the organization assumes consent and proceeds. The organization should clearly inform the users that failing to opt-out means that the user consents to the use or disclosure of information. For instance, the Google Buzz box presented users with the opt-out choice with a pre-checked box that read, “Show the list of people I’m following and the list of people following me on my public profile.”</p>
<p>Opt-in consent is often referred to as “express consent.” With opt-in consent, the organization presents the users with the opportunity to express positive agreement to a stated purpose. Only with the user’s action will the organization assume consent. Opt-in consent is considered the strongest form of consent. The <a href="http://www.priv.gc.ca/index_e.cfm">Privacy Commissioner of Canada</a> encourages organizations to use this form of consent wherever it is appropriate, as it is least likely to result in misunderstandings and complaints.</p>
<p>In the Google Buzz case, an effective opt-in statement for new users might have been a checkbox reading “Show the list of people I’m following and the list of people following me on my public profile. Right now, the list is made up of people you email and chat with most.”</p>
<h2>Recommendations</h2>
<p>Jennifer Stoddart, the federal Privacy Commissioner of Canada, expressed her unease over how such a problematic application as Buzz was launched for public use in the first place. Stoddart did not support the decision to release Buzz in its “beta” form, as it should have demonstrated compliance with <a title="CIPPGuide: Fair Information Practice Principles" href="./2010/01/18/fair-information-practices-principles/?action=lostpassword&amp;instance=tml-1">fair information principles</a> before it was introduced. She felt it was unacceptable to launch a product that had such significant privacy issues, with the intention of addressing those problems only as they arose. This was also not the first time Google made a glaring privacy error, as <a title="CIPPGuide: Street View" href="./tag/google/" target="_self">Google Street View</a> was launched earlier, without consideration of privacy, data protection laws or cultural norms.</p>
<p>Stoddart and the Privacy Commissioner’s Office sent Google a number of recommendations that would enable it to integrate fundamental privacy principles into its online services. The recommendations included:</p>
<ul>
<li>Collecting and processing only the minimum amount of personal information that is necessary for achieving the purpose of the product or service.</li>
<li>Providing clear, unambiguous information regarding the use of personal information.</li>
<li>Allowing users to provide informed consent.</li>
<li>Creating privacy-protective default settings.</li>
<li>Ensuring that privacy control settings are clear and easy to use.</li>
<li>Ensuring that all personal data is adequately protected.</li>
<li>Giving users simple procedures for account deletion.</li>
<li>Honoring user requests in a timely manner.</li>
</ul>
<h3>Summary</h3>
<p>This article examines privacy issues raised through the launch of the social networking program Google Buzz. It outlines some critical responses to the privacy settings and risks that the application exposes users to. The article also explores opt-in and opt-out consent mechanisms. Finally, the article takes a look at the Canadian Privacy Commissioner’s response and recommendations to Google Buzz.</p>
<h3>CIPP/C Preparation</h3>
<p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Online privacy, online data collection (V.B.c.)</li>
<li>End user expectations (V.C.c.a.i.)</li>
<li>End user preferences, opt-in vs. opt-out (V.C.c.a.ii.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/06/08/google-buzz/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Comparing the Co-Regulatory Model, Comprehensive Laws and the Sectoral Approach</title>
		<link>http://www.cippguide.org/2010/06/01/comparing-the-co-regulatory-model-comprehensive-laws-and-the-sectoral-approach/</link>
		<comments>http://www.cippguide.org/2010/06/01/comparing-the-co-regulatory-model-comprehensive-laws-and-the-sectoral-approach/#comments</comments>
		<pubDate>Tue, 01 Jun 2010 12:00:56 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Cable Television Consumer Protection and Competition Act]]></category>
		<category><![CDATA[Canadian Access and Privacy Association]]></category>
		<category><![CDATA[CAPA]]></category>
		<category><![CDATA[Charter of Rights and Freedoms]]></category>
		<category><![CDATA[CIPP/C]]></category>
		<category><![CDATA[Co-regulation]]></category>
		<category><![CDATA[Co-regulatory]]></category>
		<category><![CDATA[Comprehensive Model]]></category>
		<category><![CDATA[Data Protection Directive]]></category>
		<category><![CDATA[EFC]]></category>
		<category><![CDATA[Electronic Frontier Canada]]></category>
		<category><![CDATA[Fair Credit Reporting Act]]></category>
		<category><![CDATA[Office of the Privacy Commissioner]]></category>
		<category><![CDATA[OPC]]></category>
		<category><![CDATA[PIAC]]></category>
		<category><![CDATA[Privacy Act]]></category>
		<category><![CDATA[Privacy Commissioner]]></category>
		<category><![CDATA[Public Interest Advocacy Center]]></category>
		<category><![CDATA[Video Privacy Protection Act]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1820</guid>
		<description><![CDATA[With the advent of new technologies and the information-driven society, it has become increasingly difficult for governments to safeguard the privacy rights of their citizens. Various models of privacy protection have been developed in response to concerns and violations of personal information. This article discusses the three main models: sectoral, comprehensive and co-regulatory approaches to privacy protection. Specific examples of each model are also [...]]]></description>
<content:encoded><![CDATA[<p>Developments in new technologies have perhaps inadvertently facilitated the invasion of personal privacy. The conflict between technological advances and privacy protection concerns has resulted in a number of responses worldwide. There are three main models for privacy protection: the co-regulatory model, comprehensive model and the sectoral approach. Depending on how they are applied, they can be complementary or contradictory. Countries that most effectively protect privacy apply strategies and components from all three models simultaneously.</p>
<h2>Sectoral Approach</h2>
<p>Certain countries prefer to create specific sectoral laws on privacy protection which apply to some, but not all, industries. The sectoral approach is based on a combination of legislation, regulation and self-regulation.</p>
<p>Self-regulation refers to companies and industry associations which establish codes of practice and implement self-policing techniques. This policy is currently promoted by the governments of the United States, Singapore and Japan. The self-regulatory approach has rarely proved effective, owing to inadequate requirements and a lack of enforcement.</p>
<p>An example of the sectoral approach can be found in the United States’ model of privacy protection, in which data protection legislation is adopted on a needs basis, when specific sectors and circumstances require it. For instance, the following Acts were passed at different times, in different sectors, to reinforce privacy rights in the US:</p>
<ul>
<li>Fair Credit Reporting Act (1970)</li>
<li>Video Privacy Protection Act (1988)</li>
<li>Cable Television Consumer Protection and Competition Act (1992)</li>
</ul>
<p>A significant disadvantage of the sectoral approach is that new legislation is required each time new technology is introduced, so the scope of protection is often inadequate. Another challenge is the lack of an oversight agency. While the <a href="http://www.archives.gov/about/laws/privacy-act-1974.html">Privacy Act</a> (1974) governs personal data stored in government computers, crucial areas such as financial records, medical records and Internet usage remain unprotected.</p>
<p>Many countries choose to implement sectoral legislation in addition to a more comprehensive approach. In this way, governments are able to provide more specific and detailed protections for certain types of personal information.</p>
<h2>Comprehensive Model</h2>
<p>This refers to a general law governing the collection, use and dissemination of personal information by the public as well as the private sector. It is characterized by an oversight body, which ensures compliance with the legislation.</p>
<p>There is a distinct trend towards the legislation of comprehensive data protection acts worldwide. Over 40 countries and jurisdictions currently have or are in the process of adopting comprehensive data protection laws which regulate the collection and management of personal information by both the government and private sector.</p>
<p>There are three key reasons for the movement towards the comprehensive model of privacy protection:</p>
<p><strong>1. Remedy past injustices</strong></p>
<ul>
<li>Countries in Central Europe and South America look to comprehensive privacy laws in order to provide redress for privacy violations that may have occurred under past authoritarian regimes.</li>
</ul>
<p><strong>2. Promote e-commerce</strong></p>
<ul>
<li>Comprehensive laws recognize that consumers are uncomfortable with sharing personal data over computer networks.</li>
<li>Comprehensive privacy laws can facilitate e-commerce by establishing a uniform set of rules and regulations.</li>
</ul>
<p><strong>3. Ensure consistency</strong></p>
<ul>
<li>Most countries, including Canada and those in South America, are adopting laws that reflect those set out in the European Union <a href="http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm">Data Protection Directive</a> to prevent difficulties in trade.</li>
</ul>
<p>The comprehensive model is favored by the EU to secure compliance with its Data Protection Directive. The Directive insists on increased privacy protections and more consistent privacy legislation throughout EU member states. It also sets out a requirement for specific minimum standards of data protection in countries that will be receiving information from EU member states. One area of concern is that the current US privacy standards do not meet the Directive’s requirements.</p>
<p>Within EU member states, a supervisory authority is established to monitor the level of data protection. This independent body is responsible for advising the government on administrative measures and regulations as well as initiating legal proceedings when data protection legislation has been violated. Individuals may report violations and take complaints to this supervisory body or to a court of law.</p>
<h2>Co-Regulatory Model</h2>
<p>The co-regulatory model is closely linked to the comprehensive model of data protection. In the co-regulatory approach, industry develops the rules for privacy protection. These rules are enforced by the industry and overseen by the state privacy agency. This multi-tiered approach aims to involve individuals, organizations, industry associations and governments, within a legal framework. This model has been most notably adopted in Canada and Australia.</p>
<p>Elements of a co-regulatory data protection model include:</p>
<ul>
<li><strong>Legislation</strong>
<ul>
<li>Establishing regulations and incentives for compliance, as well as consequences for privacy violations, is crucial.</li>
<li>Effective legislation must reinforce the power of monitoring organizations (e.g. industry associations, supervisory authorities) to ensure compliance.</li>
<li>Legislation must impose a comprehensive set of data protection principles that apply to specific sectors as well as to general practices.</li>
</ul>
</li>
<li><strong>Agency</strong>
<ul>
<li>A government privacy protection agency must have the appropriate resources and adequate jurisdiction to ensure compliance with privacy legislation.</li>
</ul>
</li>
<li><strong>Watchdog Agencies</strong>
<ul>
<li>These agencies help to enforce privacy legislation by providing expert consultation; negotiating and approving codes and standards; supervising compliance; imposing penalties on violators; researching new technologies; and providing a means to adapt the law in a practical context.</li>
</ul>
</li>
<li><strong>Individuals</strong>
<ul>
<li>The public must be empowered and enabled to take action to protect their personal information.</li>
<li>People should be aware of the privacy legislation in place, privacy agencies, industry agencies and complaints processes.</li>
</ul>
</li>
</ul>
<h2>What Can Co-Regulation Look Like?</h2>
<p>As mentioned earlier, Canada’s privacy protection framework offers a working example of a co-regulation model.</p>
<ul>
<li><strong>Legislation</strong>
<ul>
<li>The fundamental right to privacy is protected in the Canadian Constitution, the <a href="http://laws.justice.gc.ca/en/charter/">Charter of Rights and Freedoms</a>.</li>
<li>At the federal level, Canadian privacy legislation includes the <a href="http://www.priv.gc.ca/legislation/02_07_01_e.cfm">Privacy Act</a> (1983), which regulates 150 federal government departments regarding the collection, use and disclosure of personal information.</li>
<li>The <a href="http://laws.justice.gc.ca/en/P-8.6/">Personal Information Protection and Electronic Documents Act</a> (PIPEDA) is federal legislation which governs the use of electronic documents.</li>
<li>Provincial and territorial governments (excluding the province of Newfoundland) have also set out legislation regarding the collection, use and disclosure of personal information within provincial or territorial government agencies.</li>
</ul>
</li>
<li><strong>Agency</strong>
<ul>
<li>The <a href="http://www.priv.gc.ca/aboutUs/bio_e.cfm#contenttop">Privacy Commissioner</a> of Canada is a designated ombudsperson and officer of Parliament who can investigate complaints and violations of the Privacy Act or PIPEDA.</li>
<li>The <a href="http://www.priv.gc.ca/index_e.cfm">Office of the Privacy Commissioner</a> (OPC) investigates complaints, conducts audits, publishes information about personal data handling practices, researches privacy issues and promotes awareness and understanding of privacy issues.</li>
</ul>
</li>
<li><strong>Watchdog Agencies</strong>
<ul>
<li>The <a href="http://www.piac.ca/index.html">Public Interest Advocacy Center</a> (PIAC) is a non-profit organization which provides legal assistance and research on consumer vulnerabilities. It also demands responsible provision of public services and has a history of reporting violations and complaints to the Privacy Commissioner.</li>
<li>The <a href="http://www.capa.ca/">Canadian Access and Privacy Association</a> (CAPA) is another national non-profit organization which aims to promote knowledge and understanding of privacy legislation at the international, federal, provincial and local levels.</li>
<li><a href="http://www.efc.ca/">Electronic Frontier Canada</a> (EFC) is a non-profit civil rights organization which conducts research and promotes awareness of new computer, communication and information technologies. Its goal is to promote the right to privacy on the internet.</li>
</ul>
</li>
<li><strong>Individuals</strong>
<ul>
<li>The OPC regularly encourages and organizes informal awareness-raising activities with the public. It also maintains that both businesses and individuals have the responsibility of safeguarding personal information.</li>
</ul>
</li>
</ul>
<h3>Summary</h3>
<p>With the advent of new technologies and the information-driven society, it has become increasingly difficult for governments to safeguard the privacy rights of their citizens. Various models of privacy protection have been developed in response to privacy concerns and violations involving personal information. This article discusses the three main models: the sectoral, comprehensive and co-regulatory approaches to privacy protection. Specific examples of each model are also provided.</p>
<h3>CIPP/C Preparation</h3>
<p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Co-regulatory model (Canada) (II.B.a.)</li>
<li>Comprehensive laws (EU model) (II.B.b.)</li>
<li>Sectoral approach (United States) (II.B.c.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/06/01/comparing-the-co-regulatory-model-comprehensive-laws-and-the-sectoral-approach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Opt-out of Comcast Settlement, Critics Advise</title>
		<link>http://www.cippguide.org/2010/05/11/opt-out-of-comcast-settlement-critics-advise/</link>
		<comments>http://www.cippguide.org/2010/05/11/opt-out-of-comcast-settlement-critics-advise/#comments</comments>
		<pubDate>Tue, 11 May 2010 12:00:22 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[bandwidth throttling]]></category>
		<category><![CDATA[Comcast]]></category>
		<category><![CDATA[Communications Act of 1934]]></category>
		<category><![CDATA[FCC]]></category>
		<category><![CDATA[Federal Communications Commission]]></category>
		<category><![CDATA[hart v. comcast]]></category>
		<category><![CDATA[Net Neutrality]]></category>
		<category><![CDATA[Network Freedom Principles]]></category>
		<category><![CDATA[P2P]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1810</guid>
<description><![CDATA[Clients of Comcast, a US cable broadband provider, are encouraged to reject a proposed settlement of the Hart v. Comcast P2P lawsuit. This lawsuit claims that although Comcast had advertised specific speeds and unlimited internet access, it then limited some P2P file-sharing traffic on its High-Speed Internet [...]]]></description>
<content:encoded><![CDATA[<p>Clients of <a href="http://www.comcast.com/default.cspx">Comcast</a>, a US cable broadband provider, are encouraged to reject a <a href="http://p2pcongestionsettlement.com/">proposed settlement</a> of the Hart v. Comcast P2P lawsuit. This lawsuit claims that although Comcast had advertised specific speeds and unlimited internet access, it then limited some P2P file-sharing traffic on its High-Speed Internet network.</p>
<h2>Bandwidth Throttling</h2>
<p>A <a href="http://broadband.mpi-sws.org/transparency/results/08_imc_blocking.pdf">study</a> carried out by the <a href="http://www.mpi-sws.org/index_noflash.php">Max Planck Institute for Software Systems</a> showed that Comcast, among other broadband providers, slowed BitTorrent traffic at all times of the day, not just during times of peak congestion. This study was conducted between March 18, 2008 and July 25, 2008. The BitTorrent test was run from users in 135 countries worldwide, involving 1,987 different internet service providers (ISPs).</p>
<p>With 8,000 nodes worldwide, the study found that Comcast was interrupting between 30 and 80 percent of BitTorrent upload attempts at all times. In response to these findings, Comcast insisted that although it does slow some P2P traffic, this is done only during high-traffic times. In a statement, Comcast described its practices as “reasonable network management.”</p>
<h2>Comcast Settlement</h2>
<p>The settlement was introduced in December 2009. Despite Comcast’s continued denial of these claims, it has revised its P2P management techniques and has attempted to settle in order to avoid the cost of further litigation. Comcast has offered to credit or refund current and former customers, agreeing to pay up to $16 million to eligible customers. According to the terms of the settlement, this would include:</p>
<ul>
<li>Customers who had used P2P software between April 2006 and December 2008</li>
<li>Customers who had used Lotus Notes to send email between March and October 2007</li>
</ul>
<p>Eligible customers have the following options:</p>
<ol>
<li>File a claim by submitting a <a href="http://p2pcongestionsettlement.com/ClaimFormPrinterFriendlyVersion.htm">claim form</a>. In doing so, customers can receive the credit or refund from the settlement.</li>
<li>Exclude themselves from the settlement class. In doing so, customers maintain the right to sue independently about the lawsuit claims.</li>
<li>Object to the settlement, or comment on the settlement. This involves speaking at the Fairness Hearing, either independently or through a lawyer.</li>
<li>Do nothing. This means clients remain in the settlement. They will receive no compensation and they relinquish their right to sue independently.</li>
</ol>
<h2>Opt-Out</h2>
<p>Critics and experts are urging Comcast customers to opt out of the settlement. In presenting the settlement, Comcast in no way admits to any wrongdoing. A number of observers have pointed out that this is nothing but a slap on the wrist for the large corporation. The settlement is structured in such a way that all those who want to claim must first confirm their status as file-sharers.</p>
<p>Although Comcast has allocated $16 million for this settlement, each eligible customer can only receive a maximum of $16, about 50 cents per month for each month of limited bandwidth. Arguably, this is inadequate compensation for an over $50/month service. Given that the <a href="http://www.fcc.gov/">Federal Communications Commission</a> (FCC) was left with continued oversight of Comcast, critics argue that tolerance of such interference and mismanagement may continue, unless consumers demand otherwise.</p>
<h2>FCC &amp; Net Neutrality</h2>
<p>After a long FCC investigation, Comcast was forced to disclose and stop the bandwidth throttling and blocking of traffic in 2008. However, on April 6, 2010, a federal appeals court rejected the FCC’s authority to sanction Comcast for interference. This effectively reverses the Commission’s first attempt to enforce network neutrality.</p>
<p>Network neutrality (also referred to as internet neutrality or net neutrality) is a consumer-oriented principle that advocates no restrictions for user access, regarding content, sites, platforms or equipment. The principle applies to restrictions or controls imposed by internet service providers, or governments.</p>
<p>Supporters of net neutrality argue that telecommunications companies, such as Comcast, aim to exercise increasing control over the service pipeline. Net neutrality principles would then ensure that such companies cannot screen, interrupt or filter internet content, unless the appropriate court orders are presented. This principle also ensures that the internet is a free and open technology, by discouraging preferential treatment of internet traffic, which would put newer companies at a disadvantage.</p>
<p>Detractors of net neutrality argue that regulation is largely unnecessary and that tiered services enable different types of consumers to have access to suitable broadband internet services. According to opponents, prioritizing bandwidth is needed to allow online companies to be productive and innovative. Net neutrality legislation could make it more challenging for ISPs to perform important packet filtering in order to prevent denial of service attacks, filter out email spam and prevent or respond to the threat of computer viruses.</p>
<h2>The Four Freedoms</h2>
<p>Despite contentions on both sides, net neutrality is generally observed in the US. In 2004, the FCC announced a set of <a href="http://fjallfoss.fcc.gov/edocs_public/attachmatch/FCC-05-151A1.pdf">Network Freedom</a> principles. These are non-discrimination principles regarding consumers’ access to telecommunication technologies. These four freedoms and their descriptions are outlined below:</p>
<p><strong>1. Freedom to access lawful internet content </strong></p>
<ul>
<li>Users should have access to internet content of their choice, as long as it is legal.</li>
<li>Premium charges for broadband must be justified in terms of the service consumers receive and the content they can access.</li>
<li>While ISPs have to manage their networks, there should be reasonable, clearly communicated limits in service contracts.</li>
</ul>
<p><strong>2. Freedom to run applications and services</strong></p>
<ul>
<li>Allowing users to run the applications they want is crucial in driving demand.</li>
<li>Developers should be confident that their products will not face interference.</li>
<li>Users should have this freedom, unless they exceed the limits of their service plan, or harm the network.</li>
</ul>
<p><strong>3. Freedom to connect devices</strong></p>
<ul>
<li>Devices allow users greater choice, value and personalization.</li>
<li>Users should be free to choose any devices, as long as they operate within their service plan and do not enable theft of service.</li>
</ul>
<p><strong>4. Freedom to obtain service plan information</strong></p>
<ul>
<li>Consumers have the right to receive meaningful information about their service plans. For instance, they should know how their services protect against spam, spyware and other potential invasions of privacy.</li>
<li>While providers have the right to offer different tiers of service in terms of bandwidth and features, users must be well-informed, as there should be competition between network providers, application and service providers, and content providers.</li>
</ul>
<p><a href="http://scrawford.blogware.com/blog/_archives/2005/8/5/1111877.html">Critics</a> have pointed out that these four freedoms are difficult to uphold, in light of the conditions that the FCC provides regarding service plan limitations. According to this position, it is impossible to reinforce the rights of the user or consumer, if they are dependent upon service plans which disregard those very rights.</p>
<h2>Appeal &amp; Analysis</h2>
<p>Previous FCC actions have resulted in significant deregulation of US communications networks, creating a legal loophole that renders the Commission unable to protect consumer privacy or promote broadband internet access. Public interest groups advise the FCC to respond to the Comcast appeal by reinstating common-carrier regulations for internet service.</p>
<p>Under the <a href="http://www.fcc.gov/Reports/1934new.pdf">Communications Act of 1934</a>, Title II, telecommunications carriers are supposed to be regulated by the FCC. Title I of the Act generally regulates computer networks, such as the internet. Many ISPs have attempted to differentiate themselves from common carriers. As a result, the FCC deemed ISPs (i.e. internet DSL and internet cable services) to be “information services.” This decision has given ISPs market power and the ability to discriminate among the content and applications used on their networks. This is in direct contrast to the FCC’s push for network neutrality and the principle regarding consumers’ freedom to access content and run applications of their choice.</p>
<p>Comcast appealed the federal court’s ruling on the basis that the FCC had overstepped its authority. Importantly for net neutrality advocates, the FCC’s net neutrality approach was essentially invalidated by the appeal, which overturned the original ruling. Digital rights groups, such as <a href="http://www.freepress.net/">Free Press</a> and <a href="http://www.publicknowledge.org/">Public Knowledge</a>, point out that this is a direct consequence of aggressive deregulation on the part of the FCC.</p>
<p>It is argued that the Comcast case severely limits the FCC’s authority to regulate ISPs in the future. It sets a dangerous precedent and renders the Commission powerless to promote an open-internet approach. However, the FCC does have the option to appeal this decision, and it may also choose to re-categorize ISPs into a stricter regulatory classification, perhaps placing them alongside telephone rules, thereby expanding the Commission’s jurisdiction.</p>
<h3>Summary</h3>
<p>This article discusses the recent Comcast BitTorrent bandwidth throttling lawsuit and subsequent appeal. The class members’ option to agree to the settlement is explored and is determined to be largely disadvantageous to the consumer. Concepts such as the FCC’s Four Freedoms principles and net neutrality approach are also examined, in light of the Comcast case and industry deregulation.</p>
<h3>CIPP Preparation</h3>
<p>In preparation for the Foundations and Certified Information Privacy Professional exams, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>US Regulatory Authorities – Federal Communications Commission (CIPP I.A.c.ii)</li>
<li>Web Protocols (Foundations III.A.a)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/05/11/opt-out-of-comcast-settlement-critics-advise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OMB Memorandum 07-16 Safeguarding Against and Responding to the Breach of Personally Identifiable Information</title>
		<link>http://www.cippguide.org/2010/05/04/omb-memorandum-07-16-safeguarding-against-and-responding-to-the-breach-of-personally-identifiable-information/</link>
		<comments>http://www.cippguide.org/2010/05/04/omb-memorandum-07-16-safeguarding-against-and-responding-to-the-breach-of-personally-identifiable-information/#comments</comments>
		<pubDate>Tue, 04 May 2010 12:00:07 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[breach notification]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[CIPP/G]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Executive Order 13402]]></category>
		<category><![CDATA[Federal Information Security Management Act]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Memorandum 07-16]]></category>
		<category><![CDATA[NIST SP 800-37]]></category>
		<category><![CDATA[Personally Identifiable]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Presidential Identity Theft Task Force]]></category>
		<category><![CDATA[Privacy Act of 1974]]></category>
		<category><![CDATA[Social Security Number]]></category>
		<category><![CDATA[SSN]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1461</guid>
		<description><![CDATA[Executive Order 13402 commanded the creation of a Presidential Identity Theft Task Force to examine how the Federal Government could better respond to and protect against data breaches resulting in identity theft. Under Federal regulations, such as the Privacy Act of 1974 and the Federal Information Security Management Act, individuals are guaranteed the security of their data, making adequate protection of data a matter of [...]]]></description>
			<content:encoded><![CDATA[<p>Executive Order 13402 commanded the creation of a Presidential Identity Theft Task Force to examine how the Federal Government could better respond to and protect against data breaches resulting in identity theft. Under Federal regulations, such as the <a href="http://www.cippguide.org/2010/02/10/privacy-act-of-1974/">Privacy Act of 1974</a> and the <a href="http://www.cippguide.org/2010/03/04/fisma-the-federal-information-security-management-act/">Federal Information Security Management Act</a>, individuals are guaranteed the security of their data, making adequate protection of data a matter of compliance.</p>
<p>On May 22, 2007 the Presidential Identity Theft Task Force issued <a href="http://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf">Memorandum 07-16</a>. It required all agencies to develop and implement data breach notification policies within 120 days, as outlined by the memorandum. M-07-16 included a number of new recommendations and requirements agencies must use in creating such policies.</p>
<p><strong>What is Personally Identifiable Information (PII)?</strong></p>
<p>M-07-16 expanded the definition of personally identifiable information to the following: “personally identifiable information refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”</p>
<p>The following are a number of requirements outlined by various attachments to M-07-16 in order to protect personally identifiable information:</p>
<p><strong>Safeguarding Against the Breach of Personally Identifiable Information</strong></p>
<p>Part A of Attachment I reiterated the privacy and security requirements for Federal agencies enforced under the Privacy Act, such as establishing safeguards, ensuring the integrity of data and establishing “rules of conduct” for individuals handling information. Furthermore, under the Privacy Act, agencies are required to assign risk levels to information systems according to <strong><a href="http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf">NIST SP 800-37</a></strong>.</p>
<p>Attachment I also created the following new requirements:</p>
<p><em>Review and Reduce the Volume of Personally Identifiable Information</em></p>
<p>Agencies should conduct an initial review to identify records containing PII and ensure that the information is timely, accurate, relevant and complete. Only the information necessary for carrying out government activities should be maintained. After the initial review, the holdings of PII should be periodically reviewed according to a public schedule.</p>
<p><em>Reduce the Use of Social Security Numbers</em></p>
<p>All agencies were required to develop a plan within 120 days of the memorandum to eliminate any unnecessary collection of Social Security Numbers (SSN) within eighteen months. Furthermore, agencies were also charged with the responsibility of working with other Federal agencies to create a Federal identifier separate from Social Security Numbers.</p>
<p><em>Security Requirements</em></p>
<p>Agencies must implement the following security features to protect all Federal information, not just data containing PII:</p>
<ul>
<li>Encryption</li>
<li>Require two factor authentication using separate devices when accessing information remotely</li>
<li>Implement a Time-Out function requiring re-authentication after a period of inactivity on remote access and mobile devices</li>
<li>Log data extracts from data files containing sensitive information and verify that each extract, including any sensitive data, is erased within 90 days unless its use is still required</li>
<li>Educate all individuals handling PII and have them sign a document annually stating they understand their responsibilities.</li>
</ul>
<p><strong>Incident Reporting and Handling</strong></p>
<p>Attachment 2 of M-07-16 reviewed FISMA guidelines for the reporting of data breaches and modified several requirements.</p>
<p><strong><em><a href="http://www.us-cert.gov/federal/reportingRequirements.html">US-CERT Reporting</a></em></strong></p>
<p>All agencies must report incidents involving PII to the United States Computer Emergency Readiness Team, regardless of whether the threat is potential or confirmed. Reporting <em>must</em> take place within one hour of detection for Category 1 incidents. Examples of Category 1 incidents include:</p>
<ul>
<li>An individual gaining physical or logical access to a Federal agency’s network, information system, applications, or data without authorization</li>
<li>Any confirmed or potential breach of personally identifiable information regardless of how the breach occurred</li>
</ul>
<p><em>Develop and Publish a Routine Use</em></p>
<p>Routine use includes all uses of data which are in line with the purposes for which data was originally collected. Effectively taking countermeasures to reduce the threat to information due to a security breach may require Federal agencies to share PII with other agencies and law enforcement officials with whom no data sharing agreement exists. To respond adequately, agencies should establish routine use policies to allow the disclosure of information without the prior consent of the individual in situations involving data breach investigations.</p>
<p><strong><em><a href="http://www.cippguide.org/2010/04/18/recommendations-for-identity-theft-related-data-breach-notification/">External Breach Notification</a></em></strong></p>
<p>Attachment 3 of M-07-16 addresses how and when data breaches should be reported to affected individuals and/or the public. All agencies must develop data breach notification policies to guide officials in deciding when notification is necessary and how it should be undertaken.</p>
<p><em>Whether Breach Notification is Required</em></p>
<p>Agencies should assess the level of risk and the likelihood of the breach causing harm using the following five factors:</p>
<ul>
<li>Type of information compromised</li>
<li>Number of affected individuals</li>
<li>Accessibility and usability of the information</li>
<li>Likelihood of harm occurring</li>
<li>Ability of the agency to mitigate harm</li>
</ul>
<p><em>Timeliness of the Notification</em></p>
<p>If notification is to be undertaken, it should be carried out promptly upon discovery. Notification may be delayed, as authorized by a senior official, if it would seriously affect law enforcement proceedings.</p>
<p><em>Source of the Notification</em></p>
<p>Notification to affected individuals should come from the head of the agency where the breach occurred. Notification for breaches affecting fewer than fifty people may also come from the Chief Information Officer or Chief Privacy Officer.</p>
<p><em>Contents of the Notification</em></p>
<p>Notice should be provided in writing and contain the following information:</p>
<ul>
<li>Type of information compromised</li>
<li>Whether the information was encrypted or similarly protected</li>
<li>Steps the individual can take to mitigate harm</li>
<li>Steps the agency is taking to investigate the breach, mitigate harm and protect against future incidents</li>
<li>Contact information for the agency</li>
</ul>
<p><em>Means of Providing Notification</em></p>
<p>Method of notification depends on the number of affected individuals and the urgency of the notification. Methods include:</p>
<ul>
<li>Telephone</li>
<li>First-Class mail</li>
<li>Email</li>
<li>Existing Government-wide services</li>
<li>Newspapers and other media</li>
<li>Any accommodations necessary for individuals with disabilities</li>
</ul>
<p><em>Who Receives Notification</em></p>
<p>For every data breach, agencies must consider whether to provide notification to the affected individuals and/or the public. Notification to individuals should occur promptly after the need for notification has been determined. Notification to the public, including the media, should be carefully planned to avoid alarm or confusion. Notice should also be posted on the agency’s web page when public notification occurs.</p>
<p><strong>Rules and Consequences Policy:</strong></p>
<p>Attachment 4 of M-07-16 set forth a new requirement. All agencies must develop and implement a Rules and Consequences policy for employees handling personally identifiable information.</p>
<p>The policy must outline the requirements of employees according to their level of responsibility and the type of information they handle. Employees must be aware of their responsibilities under Federal law as well as the consequences for any violations. Supervisors that fail to take disciplinary action when violations occur are also subject to penalties. The policy should address:</p>
<ul>
<li>The types of individuals that must comply, including employees, contractors and other individuals handling PII maintained by the Federal government</li>
<li>The types of actions that constitute violations including
<ul>
<li>Failing to maintain or implement security controls</li>
<li>Accessing PII or disclosing PII to other individuals without authorization</li>
<li>Failing to report suspected data breaches or unauthorized disclosures</li>
<li>Failing to adequately instruct, train or supervise employees handling PII (for managers)</li>
</ul>
</li>
</ul>
<p><strong>Summary</strong></p>
<p>The Federal Government has a legal responsibility to protect the personally identifiable information it has collected from individuals. Memoranda such as M-07-16 ensure that the security of personally identifiable information remains an ongoing discussion and concern within the Federal Government.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>OMB Memorandum 07-16 (II.A.c.2.j)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/05/04/omb-memorandum-07-16-safeguarding-against-and-responding-to-the-breach-of-personally-identifiable-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OMB Memorandums 06-19 and 04-26: Small Changes with Big Impacts</title>
		<link>http://www.cippguide.org/2010/04/27/omb-memorandums-06-19-and-04-26-small-changes-with-big-impacts/</link>
		<comments>http://www.cippguide.org/2010/04/27/omb-memorandums-06-19-and-04-26-small-changes-with-big-impacts/#comments</comments>
		<pubDate>Tue, 27 Apr 2010 12:00:43 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[CIPP/G]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Federal Information Security Management Act]]></category>
		<category><![CDATA[File sharing]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[M-00-07]]></category>
		<category><![CDATA[M-06-15]]></category>
		<category><![CDATA[M-06-16]]></category>
		<category><![CDATA[Office of Managment and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[OMB 04-26]]></category>
		<category><![CDATA[OMB 06-19]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[Personally Identifiable Information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Protection of Sensitive Agency Information]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1463</guid>
		<description><![CDATA[Memorandum 06-19 was issued by the Office of Management and Budget in July 2006 to update the reporting requirements for data breaches involving personally identifiable information. It also addressed the need to budget in anticipation of providing adequate data security.  Memorandum 04-26 was issued in September 2004 regarding personal use policies for employees accessing government computers and the use of file sharing [...]]]></description>
			<content:encoded><![CDATA[<p><em><a href="http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf">Memorandum 06-19</a></em></p>
<p>Memorandum 06-19 was issued by the Office of Management and Budget in July 2006 to update the reporting requirements for data breaches involving personally identifiable information. It also addressed the need to budget in anticipation of providing adequate data security.</p>
<p><strong>Reporting Security Incidents</strong></p>
<p>Under the Federal Information Security Management Act, all government agencies must alert the U.S. Computer Emergency Readiness Team (US-CERT) of any potential or confirmed security incident. Response times and procedures vary according to the type of incident. OMB 06-19 shortened the reporting window for incidents involving personally identifiable information to within one hour of detection or discovery, which helps to facilitate a prompt, efficient response to security and privacy threats. Incidents involving PII must be reported regardless of whether the information is stored physically or electronically.</p>
<p><strong>Incorporating Security Funding Into Information Technology Investments</strong></p>
<p>The second part of M-06-19 reiterated past memoranda which addressed budgeting for security funding with regard to information technology. When developing fiscal year budgets, agencies should:</p>
<ul>
<li>Use <a href="http://www.whitehouse.gov/omb/memoranda_m00-07/">M-00-07</a> as guidance when preparing budget policy</li>
<li>Ensure that security, and the funding for it, is integrated into information technology at all stages of development and use</li>
<li>Ensure current standards meet existing requirements so that new funds may be spent on developing new or improved systems</li>
<li>Address how funds and resources are allocated between correcting current weaknesses in security and developing new IT</li>
<li>Consider <a href="http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf">M-06-15</a> “Safeguarding Personally Identifiable Information” and <a href="http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf">M-06-16 </a>“Protection of Sensitive Agency Information” when considering any improvements or changes to IT investments.</li>
</ul>
<p><em><a href="http://www.whitehouse.gov/omb/memoranda_fy04_m04-26/">Memorandum 04-26</a></em></p>
<p>Memorandum 04-26 was issued in September 2004 regarding personal use policies for employees accessing government computers and the use of file sharing technology.</p>
<p><strong><a href="http://en.wikipedia.org/wiki/Peer-to-peer">What is file sharing technology?</a></strong></p>
<p>File sharing technology, also known as P2P (peer-to-peer) networking, allows users to upload music, photos, videos, and other files for mass distribution. P2P networks do not depend on a single network or server to serve all requests, but instead draw resources and bandwidth from users’ computers to support the transfer of files. While file sharing technology is not in itself illegal, there are many problems associated with it. Most e-piracy takes place through P2P networks, allowing individuals to download movies, music, books, pornography and other media content without paying. Furthermore, P2P clients can expose files the user did not intend to share and are a common channel for distributing malware.</p>
<p>The use of file sharing technology on government computers or networks is prohibited to prevent employees from engaging in illicit activities and/or compromising the security or privacy of the information maintained by the U.S. Government.</p>
<p><strong>Directions to Agencies to Prevent File Sharing</strong></p>
<p>M-04-26 directed agencies to take the following steps to protect Government information systems from problems associated with P2P technology:</p>
<p>1. Establish or Update Agency Personal Use Policies to be Consistent with CIO Council Recommended Guidance</p>
<p>All agencies must develop personal use policies that outline the proper use of government information technology by the employees who use it. Personal use policies should address the user’s responsibilities and the possible consequences of misuse, and include provisions against the use of P2P technology.</p>
<p>2.  Train All Employees on Personal Use Policies and Improper Uses of File Sharing</p>
<p>In addition to receiving personal use policies, all employees should receive training on how the policies relate to their specific responsibilities for maintaining the security and privacy of data.</p>
<p>3.  Implement Security Controls to Prevent and Detect Improper File Sharing</p>
<p>Agencies should use NIST standards to implement internal security controls that prevent and detect the installation and use of P2P technology on government computers and networks.</p>
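<p>To make the third step concrete, the following added example (written for this page, not code from OMB, NIST or any agency) scans proxy/firewall log lines for well-known signs of P2P traffic: a BitTorrent tracker announce URL (<code>/announce?info_hash=</code>), the BitTorrent peer handshake string, the Gnutella connect banner, and the default BitTorrent (6881-6889) and eDonkey (4662) ports. The log format, the field names and the sample lines are constructed for illustration; the confidence labels are an assumption of this example. Port-only matches are deliberately reported at low confidence, because any service can be run on those ports and a blocking control built on ports alone would both miss P2P clients on other ports and interfere with legitimate traffic.</p>

```python
"""Flag likely peer-to-peer traffic in constructed proxy/firewall log lines.

Added example for this page, not agency or NIST code. The log format, field
names, sample lines and confidence labels below are constructed assumptions.
The protocol indicators are well-known markers of the named P2P protocols.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed log format (assumption): "<ts> <src_ip> <dst_ip>:<dst_port> <TCP|UDP> <payload-or-url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) "
    r"(?P<proto>TCP|UDP) (?P<data>.*)$"
)

# Content indicators: (name, regex over the payload/URL field, confidence).
CONTENT_INDICATORS = [
    # HTTP tracker announce: the info_hash query parameter identifies the torrent.
    ("bittorrent-tracker-announce", re.compile(r"/announce\?.*info_hash=", re.I), "high"),
    # Peer wire handshake: a 0x13 length byte followed by the protocol name.
    ("bittorrent-handshake", re.compile(r"\x13BitTorrent protocol"), "high"),
    # Gnutella connection request banner.
    ("gnutella-connect", re.compile(r"^GNUTELLA CONNECT/"), "high"),
]

# Port-only indicators: low confidence, since any service may use these ports.
PORT_INDICATORS = {p: "bittorrent-default-port" for p in range(6881, 6890)}
PORT_INDICATORS[4662] = "edonkey-default-port"


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    indicator: str
    confidence: str


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line that shows a P2P indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than guess
    port = int(m["port"])
    # Content indicators are checked first because they are far more specific than a port.
    for name, rx, conf in CONTENT_INDICATORS:
        if rx.search(m["data"]):
            return Finding(m["ts"], m["src"], m["dst"], port, name, conf)
    if port in PORT_INDICATORS:
        return Finding(m["ts"], m["src"], m["dst"], port, PORT_INDICATORS[port], "low")
    return None


def scan(lines):
    """Classify every line and keep only the findings, in log order."""
    return [f for f in (classify_line(line) for line in lines) if f is not None]


def per_host_summary(findings):
    """Group indicator names by source host so a reviewer knows whom to follow up with."""
    summary = {}
    for f in findings:
        summary.setdefault(f.src, []).append(f.indicator)
    return summary


# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    "2010-04-27T09:01:02Z 10.1.2.3 203.0.113.10:80 TCP GET /announce?info_hash=%12%34%56&peer_id=-AZ2060- HTTP/1.1",
    "2010-04-27T09:01:05Z 10.1.2.3 198.51.100.7:51413 TCP \x13BitTorrent protocol",
    "2010-04-27T09:02:00Z 10.1.2.4 198.51.100.9:6346 TCP GNUTELLA CONNECT/0.6",
    "2010-04-27T09:03:00Z 10.1.2.5 203.0.113.22:6881 TCP (encrypted payload)",
    "2010-04-27T09:04:00Z 10.1.2.6 203.0.113.30:443 TCP GET /index.html HTTP/1.1",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.ts} {finding.src} -> {finding.dst}:{finding.port} "
              f"{finding.indicator} ({finding.confidence})")
    print(per_host_summary(scan(SAMPLE_LOG)))
```

<p>Running the block against the constructed log flags the two content matches from 10.1.2.3, the Gnutella banner from 10.1.2.4, and the port-only match from 10.1.2.5 at low confidence, while ignoring ordinary HTTPS traffic and the malformed line. In practice the high-confidence matches belong in a blocking rule and the low-confidence ones in an alert for analyst review, and both should be paired with host-based controls (application allow-listing, removal of local administrator rights) so that a P2P client cannot simply be reinstalled or moved to another port.</p>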
<p><strong>Summary</strong></p>
<p>Memoranda from the Office of Management and Budget usually do not establish entirely new privacy and security requirements. Rather, they amend or add to existing regulations. The changes may be small, as in M-06-19 and M-04-26, but that does not make them any less important. OMB memoranda allow privacy and security practices to be an ongoing process within the Federal government and strengthen the protections guaranteed to us under U.S. law.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>OMB Memorandum 04-26 (II.A.c.i.2.c)</li>
<li>OMB Memorandum 06-15 (II.A.c.i.2.e)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/04/27/omb-memorandums-06-19-and-04-26-small-changes-with-big-impacts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recommendations for Identity Theft Related Data Breach Notification</title>
		<link>http://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/</link>
		<comments>http://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/#comments</comments>
		<pubDate>Tue, 20 Apr 2010 12:00:45 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[account number]]></category>
		<category><![CDATA[biometric]]></category>
		<category><![CDATA[Chief Legal Officer]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[CIPP/G]]></category>
		<category><![CDATA[CPO]]></category>
		<category><![CDATA[credit bureau]]></category>
		<category><![CDATA[credit report]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[driver's license]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Inspector General]]></category>
		<category><![CDATA[Notice]]></category>
		<category><![CDATA[Office of Managment and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[Personally Identifiable Information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[pin]]></category>
		<category><![CDATA[Presidential Identity Theft Task Force]]></category>
		<category><![CDATA[security code]]></category>
		<category><![CDATA[Social Security Number]]></category>
		<category><![CDATA[SSN]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1443</guid>
		<description><![CDATA[In September 2006, The Office of Management and Budget issued a memorandum suggested by the President’s Identity Theft Task Force to help government departments and agencies adequately protect data.

What is Identity Theft?

Identity theft is the unauthorized use of personally identifiable information (PII) by an individual to commit fraud, usually financial related fraud. This is achieved either by using financial account information or using an individual’s Social Security Number (SSN) to open new financial accounts. Identity theft is a serious problem costing American citizens millions of dollars every year. As one of the largest collectors of information, the U.S. Government must implement strong measures to reduce the risk of security breaches leading to identity [...]]]></description>
<content:encoded><![CDATA[<p>In September 2006, <a href="http://www.whitehouse.gov/OMB/memoranda/.../task_force_theft_memo.pdf">the Office of Management and Budget issued a memorandum</a> suggested by the <a href="http://www.idtheft.gov/">President’s Identity Theft Task Force</a> to help government departments and agencies adequately protect data.</p>
<p><strong>What is Identity Theft?</strong></p>
<p>Identity theft is the unauthorized use of personally identifiable information (PII) by an individual to commit fraud, usually financial fraud. This is achieved either by using stolen financial account information or by using an individual’s Social Security Number (SSN) to open new financial accounts. Identity theft is a serious problem costing American citizens millions of dollars every year. As one of the largest collectors of information, the U.S. Government must implement strong measures to reduce the risk of security breaches leading to identity theft.</p>
<p>The President’s Identity Theft Task Force made the following recommendations:</p>
<p><strong>Data Breach Planning</strong></p>
<p>Effective information security requires building contingency plans in the event a data breach occurs. Each agency should select a number of appropriate individuals to be part of a data breach response group that convenes after any potential or confirmed data breach has been found.</p>
<p>This group should include at minimum:</p>
<ul>
<li>Chief Information Officer</li>
<li>Chief Legal Officer</li>
<li>Chief Privacy Officer</li>
<li>Senior management official</li>
<li>Agency’s Inspector General</li>
</ul>
<p>This group should meet initially to develop basic contingency plans to be automatically implemented when a breach occurs and reconvene as necessary in response to security incidents.</p>
<p><strong>Identifying an Incident that Presents Identity Theft Risk and the Level of Risk Involved</strong></p>
<p>Not every data breach results in a risk of identity theft. When a security breach occurs, agencies must determine on a case-by-case basis whether there is a risk of identity theft and, if so, the level of that risk.</p>
<p>What constitutes an identity theft risk?</p>
<ul>
<li>Unauthorized disclosure of an individual’s <strong><a href="http://www.ssa.gov/pubs/10064.html">Social Security Number</a></strong></li>
<li>Unauthorized disclosure of an individual’s name, address or telephone number with
<ul>
<li>a government identifier (e.g., driver’s license number)</li>
<li>a biometric record</li>
<li>a financial account number together with its PIN or security code</li>
<li>any information that particularly identifies an individual such as a relationship with a financial institution or club membership</li>
</ul>
</li>
</ul>
<p>When such information has been compromised the following criteria should be used to determine the level of risk of identity theft:</p>
<ul>
<li>how difficult it would be for an unauthorized individual to make use of the information</li>
<li>how the data loss occurred, including whether it may be connected to criminal activity</li>
<li>the ability of the agency to counteract or prevent abuse of the information</li>
<li>evidence that the compromised information is being used to commit identity theft related fraud</li>
</ul>
<p><strong>Reducing Risk After Disclosure</strong></p>
<p>When a data breach has occurred and a risk of identity theft has been determined, measures should be taken by both the affected individual and the agency to minimize the abuse of the information. Responses may vary depending on the type of information compromised and the level of risk determined by the agency.</p>
<p><a href="http://www.ncpc.org/cms/cms-upload/prevent/files/idtheftrev.pdf">Individual actions may include:</a></p>
<ul>
<li>Closing affected financial accounts</li>
<li>Monitoring financial accounts</li>
<li>Requesting and monitoring their credit report</li>
<li>Placing a fraud alert with the credit bureaus</li>
<li>Placing a credit freeze on their credit account</li>
<li>Increasing identity theft awareness by watching for criminals offering credit assistance who may just be attempting to obtain more PII</li>
</ul>
<p>Agency actions may include:</p>
<ul>
<li>Notifying banks if government authorized credit cards or government payments are involved</li>
<li>Performing data breach analysis to determine whether the breach has resulted in identity theft</li>
<li>Providing credit monitoring services to affected individuals</li>
<li>Notifying law enforcement officials</li>
</ul>
<p><strong>Providing Notice to Those Affected</strong></p>
<p>Agencies are not required to notify affected individuals after <em>any</em> data breach has occurred. However, agencies must notify individuals when a breach has occurred that poses a <em>significant risk</em> of identity theft so that suitable countermeasures may be taken.</p>
<p>Providing notice for all data breaches is not an effective response to data breaches because:</p>
<ul>
<li>Notification is costly</li>
<li>Countermeasures, such as closing financial accounts, placing fraud alerts and obtaining new ID documents, are too costly to both the public and private sector to be undertaken with every data breach</li>
<li>Frequent public notices may confuse the public as to what constitutes a minor or major threat and what actions must be taken</li>
</ul>
<p>If an agency has determined that the risk of identity theft is large enough to warrant notification, the following guidelines should be used in providing notice:</p>
<ul>
<li>Timing– Affected individuals must be notified at the right time. Individuals should be notified as early as possible so that protective measures can be taken. However, information about a breach that is released too early may exaggerate the threat or impede an investigation. Agencies must confer with law enforcement officials to make sure that notification is made at a time appropriate to the actions that must be taken.</li>
<li>Source– Individuals must be told which party is responsible for the information that was breached. The breach may not always occur within an agency; for instance, an outside contractor may handle the information on behalf of the agency and the breach may occur in the contractor’s system. The agency remains responsible for the information, and an agency official should be cited as the contact person.</li>
<li>Contents– Individuals should be told in clear, easy-to-understand terms:
<ul>
<li>brief description of the data breach</li>
<li>the type of information that may be compromised</li>
<li>brief description of the agency’s actions to investigate and mitigate the breach and prevent further problems in the future</li>
<li>contact information to ask questions including a toll free number, web address and postal address</li>
<li>the actions an individual should take to mitigate the threat of identity theft</li>
</ul>
</li>
<li>Method of Notification–Notification methods should be chosen based on how the majority of affected individuals can receive the information. A mailing address should be the primary means of communication.</li>
<li>Preparing for follow-on inquiries– Agencies must be prepared to handle the volume of follow-up inquiries they may receive, especially after a public announcement. Officials may choose to delay public notice of data breaches to allow an agency adequate time to prepare a response plan for such requests.</li>
<li>Preparing counterpart entities that may receive a surge in inquiries– agencies should alert other entities such as affected financial institutions or the credit bureaus if they may see a significant increase in requests due to notice of a data breach.</li>
</ul>
<p><strong>Summary</strong></p>
<p>The Government is one of the largest collectors of personally identifiable information. As such, it is at significant risk of data breaches and unauthorized disclosure of sensitive data. In addition to implementing adequate security measures, agencies must be prepared to notify individuals when significant data breaches occur. While a data breach may be considered something of an embarrassment, agencies are required by law to report such incidents and to alert affected individuals who may face a significant threat of identity theft.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>OMB Memorandum, September 20, 2006: Recommendations for Identity Theft Related Data Breach Notification Guidance (II.A.c.2.i)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Identity Theft Task Force Recommendations</title>
		<link>http://www.cippguide.org/2010/04/13/identity-theft-task-force-recommendations/</link>
		<comments>http://www.cippguide.org/2010/04/13/identity-theft-task-force-recommendations/#comments</comments>
		<pubDate>Tue, 13 Apr 2010 12:00:56 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[biometrics]]></category>
		<category><![CDATA[CIPP/G]]></category>
		<category><![CDATA[Combatting ID Theft]]></category>
		<category><![CDATA[Department of Homeland Security]]></category>
		<category><![CDATA[DHS]]></category>
		<category><![CDATA[Executive Order]]></category>
		<category><![CDATA[Federal Trade Commission]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[Identity Theft Task Force]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[Privacy Act]]></category>
		<category><![CDATA[Social Security Number]]></category>
		<category><![CDATA[SSN]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1441</guid>
		<description><![CDATA[In May 2006, an Executive Order of the President created the Identity Theft Task Force. The Task Force includes members of several Federal agencies and departments. In September 2006, the Task Force released a number of recommendations ahead of the May 2007 document “Combatting ID Theft: Strategic Plan” in order to help agencies get a head start on the growing problem of identity [...]]]></description>
			<content:encoded><![CDATA[<p>In May 2006, an Executive Order of the President created the <a href="http://www.idtheft.gov/">Identity Theft Task Force</a>. The Task Force includes members of several Federal agencies and departments. In September 2006, the Task Force released a number of recommendations ahead of the May 2007 document “<a href="http://www.idtheft.gov/reports/StrategicPlan.pdf">Combatting ID Theft: Strategic Plan</a>” in order to help agencies get a head start on the growing problem of identity theft.</p>
<p>The memorandum issued the following recommendations:</p>
<p><strong>Data Breach Guidance to Agencies</strong></p>
<p>The Office of Management and Budget should issue a memorandum guiding agencies on when and how notice must be given to individuals at risk for identity theft due to a security breach. The suggested memorandum, titled “<a href="http://www.whitehouse.gov/OMB/memoranda/.../task_force_theft_memo.pdf">Recommendations for Identity Theft Related Data Breach Notification</a>” was released almost concurrently with the Task Force’s memorandum.</p>
<p><strong>Development of Universal Police Report for Identity Theft Victims</strong></p>
<p>Identity theft victims may require official police reports to contest fraudulent information on their credit reports. A universal identity theft police report ensures that all necessary information is collected. It also allows identity theft victims to print the report online, fill it out and bring it to their local law enforcement agency for verification. Currently, individuals may also <strong><a href="http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/filing-a-report.html">file an official complaint</a></strong> with the Federal Trade Commission on the FTC website. A universal form for filing complaints reduces the strain on law enforcement agencies and allows investigations to be streamlined.</p>
<p><strong>Extending Restitution for Victims of Identity Theft</strong></p>
<p>The Task Force recommended to Congress that defendants be required to compensate their identity theft victims for the time lost investigating, responding to and correcting fraudulent activity on their credit reports. This would create an extra penalty for committing identity theft and allow some remuneration to be paid to identity theft victims for their trouble, in addition to settling any financial disputes related to the fraudulent activity.</p>
<p><strong>Reducing Access of Identity Thieves to Social Security Numbers</strong></p>
<p>All agencies in the public sector should limit the use of Social Security Numbers as an individual’s main identifier in an information system. The Office of Personnel Management was instructed to assign employee identification numbers for common use to <strong><a href="http://www.cippguide.org/2010/03/29/guidance-on-protecting-federal-employee-social-security-numbers-and-combating-identify-theft/">eliminate the widespread use of the SSN as the primary identifier for government employees</a></strong>. The OPM was also instructed to develop policies for the appropriate use and protection of Social Security Numbers. Furthermore, all agencies were asked to review their use of SSNs in physical and electronic records systems and to eliminate or restrict that use wherever possible.</p>
<p><strong>Developing Alternative Methods of Authenticating Identities</strong></p>
<p>The Task Force recommended that agencies confer with privacy and security experts in the private sector to create and implement technologies that use identifiers such as biometrics to authenticate identity. Biometric identifiers are harder for identity thieves to replicate or abuse than a knowledge-based identifier such as an SSN, although, unlike a password or account number, a compromised biometric cannot be reissued, so the stored biometric templates must themselves be protected as sensitive data. Requiring biometric authentication in order to access personally identifiable information would significantly increase the protection of sensitive data.</p>
<p><strong>Improving Data Security in the Government</strong></p>
<p>The Task Force asked that the Office of Management and Budget and the Department of Homeland Security work together to investigate privacy practices in the Federal government and develop a list of the top mistakes that affect an agency’s ability to adequately protect data. This document was published in 2007 under the title <a href="http://www.cippguide.org/2010/03/22/common-risks-impeding-the-adequate-protection-of-government-information/">“Common Risks Impeding the Adequate Protection of Government Information.” </a></p>
<p><strong>Improving the Agencies’ Ability to Respond to Data Breaches in the Government</strong></p>
<p>Agencies were instructed to develop and publish a “routine use” policy for their systems of records under the <strong><a href="http://www.cippguide.org/2010/02/10/privacy-act-of-1974/">Privacy Act</a>. </strong>These “routine use” policies would allow agencies to share PII–without the prior consent of the individual–with other agencies in order to respond effectively to security breaches.</p>
<p><strong>Summary</strong></p>
<p>In 2006, the Presidential Identity Theft Task Force allowed the U.S. Government to quickly analyze federal information security practices and create appropriate recommendations and plans to increase protection. Of the seven recommendations put forth by the Identity Theft Task Force in 2006, several have been fulfilled and/or implemented in government practice. Today, the Task Force continues to discuss ways in which the U.S. Government can increase the protection of its data holdings to prevent unauthorized disclosures that would expose citizens to the threat of identity theft. While only the Federal Government was required to implement many of the guidelines, they serve as a model for institutions in the private sector concerned with identity theft.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>Recommendations of the Identity Theft Task Force, September 2006</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/04/13/identity-theft-task-force-recommendations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>Office of Management and Budget Memos</title>
		<link>http://www.cippguide.org/2010/04/06/office-of-managment-and-budget-memos/</link>
		<comments>http://www.cippguide.org/2010/04/06/office-of-managment-and-budget-memos/#comments</comments>
		<pubDate>Tue, 06 Apr 2010 12:00:14 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[CIPP/G]]></category>
		<category><![CDATA[Executive Order 13353]]></category>
		<category><![CDATA[information management]]></category>
		<category><![CDATA[Memorandum-01-05]]></category>
		<category><![CDATA[Memorandum-05-08]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[Office of Managment and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[OMB Circular A-130]]></category>
		<category><![CDATA[PIA]]></category>
		<category><![CDATA[Privacy Act of 1974]]></category>
		<category><![CDATA[Privacy Impact Assessments]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1415</guid>
		<description><![CDATA[The Office of Management and Budget is one of several Government departments that issues new regulations and recommendations for protecting information maintained by the Federal Government. OMB Circular A-130, Memorandum-01-05, and Memorandum-05-08 are three important documents issued by the Office of Management and Budget for these [...]]]></description>
<content:encoded><![CDATA[<p>The Office of Management and Budget is one of several Government offices that issue regulations and recommendations for protecting information maintained by the Federal Government. OMB Circular A-130, Memorandum-01-05, and Memorandum-05-08 are three important documents issued by the Office of Management and Budget for these purposes.</p>
<p><strong><a href="http://www.whitehouse.gov/omb/Circulars_a130_a130trans4/">OMB Circular A-130</a></strong></p>
<p>OMB Circular A-130 was first issued in 1985, and was revised several times, most recently in 2000, to establish guidelines for information management in the Federal Government.</p>
<p><em>When creating Information Management procedures, agencies should:</em></p>
<ul>
<li>Consider data at all stages of its lifecycle</li>
<li>Consider the effects of such procedures on the public as well as on state and local governments</li>
<li>Consider the effect on the privacy of individuals</li>
<li>Use interagency data sharing where appropriate before collecting new information</li>
<li>Coordinate information system planning with budget, personnel and other resource planning</li>
<li>Provide the greatest level of protection to the information at greatest risk</li>
</ul>
<p><em>Regarding records management and the public, agencies should:</em></p>
<ul>
<li>Provide notice of the existence of such records, the type of information they contain and how to gain access</li>
<li>Provide public access to the information when appropriate</li>
<li>Make sure records management programs accurately record government activity</li>
<li>Implement information dissemination products that allow timely, cost-efficient access</li>
<li>Ensure members of the public with disabilities are able to access information dissemination products</li>
<li>Ensure printed copies of information dissemination products are distributed to depository libraries</li>
<li>Agencies may use electronic media as an information dissemination product if:
<ul>
<li>it is cost effective and practical for large volume access</li>
<li>the product is disseminated frequently</li>
<li>most users have the knowledge and training to access the product</li>
</ul>
</li>
</ul>
<p><em>Agencies should also practice the following safeguards:</em></p>
<ul>
<li>Make sure the protection of information is commensurate with the level of risk and magnitude of harm caused by misuse of the information</li>
<li>Limit collection of personally identifiable information to that which is absolutely necessary</li>
<li>Limit the sharing of personally identifiable information and take steps to ensure confidentiality when disclosure is necessary</li>
<li>Provide individuals with the right to access and amend their records as required under the <a href="../../../../../2010/02/10/privacy-act-of-1974/">Privacy Act of 1974</a></li>
</ul>
<p>OMB A-130 also includes guidelines for implementing and managing information systems. Such management follows a three-step process of selection, control and evaluation. During the selection stage, agencies weigh the cost of a system against the benefits it provides and the adequacy of its protections. In the control stage, the system’s performance is evaluated and oversight mechanisms are put into place. During the evaluation stage, regular post-implementation reviews consider the cost, benefit and effectiveness of the system, and improvements are made accordingly.</p>
<p>OMB A-130 assigned specific responsibilities to several government departments. Appendix I outlines specific oversight responsibilities for the head of each agency. Each department head must:</p>
<ul>
<li>Review a random sample of agency contracts every two years to ensure the wording of each act is compliant with regulation</li>
<li>Review record keeping and disposal practice every two years to ensure compliance with the Privacy Act</li>
<li>Review routine use disclosures every four years to ensure that the uses of information is still in accordance with the purposes for which it was originally collected</li>
<li>Review every four years those systems of records exempt from disclosure under the Privacy Act to determine whether such exemption is still need.</li>
<li>Review agency matching programs on an annual basis to ensure compliance</li>
<li>Review privacy act training every two years</li>
<li>Review any privacy violations resulting in civil or criminal liability biennially</li>
<li>Review Systems of Records Notices every two years to ensure accuracy</li>
</ul>
<p>Other departments were given additional responsibilities. For example, the Office of Personnel Management must develop Privacy Act training programs; the National Archives and Records Administration must develop procedures for the transfer and archival of records; the Office of Management and Budget must issue guidelines to assist in implementing the Privacy Act.</p>
<p>Lastly, OMB Circular A-130 outlines guidelines for specific reporting and publishing activities required under the Privacy Act.</p>
<ul>
<li>A <em>Biennial Privacy Act Report </em>should include:
<ul>
<li>Statistics regarding the number of records systems, both exempt and non-exempt; exempt systems added or deleted; routine uses; the number of access and amendment requests, and appeals and whether they were granted or denied; the number of litigations</li>
<li>Brief summary of public comments received on agency publications or activities and the agency response</li>
<li>Results of reviews performed by the head of the agency</li>
</ul>
</li>
<li>A <em>Biennial Matching Activity Report </em>should include:
<ul>
<li>Information on the Data Integrity Board including contact information for the Board Secretary</li>
<li>Information on each matching program, its purpose and the participating agencies; a cost/benefit analysis; description of any matching agreement rejected by the board with an explanation for the rejection</li>
<li>A listing of any violation of matching agreements; litigations involved with a participation in a matching program; an explanation of steps taken to ensure the integrity of data for litigations due to inaccurate data</li>
</ul>
</li>
<li><em>New or Altered System of Records Report and New or Altered Matching Program Report</em> should be made when the type of information, or how it is accessed or protected, is altered significantly. Such reports should include:
<ul>
<li>A Transmittal letter signed by the senior official responsible for implementing the change</li>
<li>A Narrative Statement describing the reasons for the change; the authority supervising the system; any potential impacts or effects; how each routine use remains compatible under the Privacy Act</li>
<li>Supporting Documentation including a new System of Records Notice</li>
</ul>
</li>
</ul>
<p><strong><a href="http://www.whitehouse.gov/omb/memoranda_m01-05/">M-01-05</a></strong></p>
<p>In December 2000, the OMB issued Memorandum-01-05 to provide guidance on sharing personal data among agencies. M-01-05 served as a reminder of privacy protection already enacted under the Privacy Act of 1974, the Computer Matching and Privacy Protection Act and OMB Circular A-130, as well as additional recommendations for added protection.</p>
<p>It reiterated the following existing privacy requirements:</p>
<ul>
<li>Notice–agencies using data sharing must notify the individual at the time of application and periodically after that. 30 days before performing a data matching act, a notice must be placed in the Federal Register</li>
<li>Consent–Agencies must obtain consent from individuals prior to the sharing of data unless one of the exceptions under the Privacy Act is met</li>
<li>Redisclosure Limitations–Information should not be redisclosed unless it is required by law or necessary to perform a matching program</li>
<li>Accuracy–Individuals must be provided with the right to access and amend their information as required under the Privacy Act. If an agency plans to take adverse action against an individual due to information gained through a matching program, the information must be independently verified.</li>
<li>Security Controls–Data must be guaranteed the same level of protection when shared with another agency, or such disclosures may not occur. Agencies should follow OMB Circular A-130 and NIST guidelines to adequately protect data.</li>
</ul>
<p>M-01-05 also made additional recommendations:</p>
<ul>
<li>Minimization–the amount of personally identifiable information collected should be limited only to that which is necessary.</li>
<li>Accountability–Agencies must be held responsible for upholding privacy principles during data sharing. Oversight and enforcement mechanisms should be implemented to ensure compliance</li>
<li>Privacy Impact Assessments–PIAs should be completed before implementing new data systems to ensure adequate protection of information.</li>
</ul>
<p><strong><a href="http://www.whitehouse.gov/OMB/memoranda/fy2005/m05-08.pdf">M-05-08</a></strong></p>
<p>In February 2004, M-05-08 was issued to allow the designation of Senior Agency Officials for Privacy. The creation of such a role was taken in accordance with <a href="http://ftp.fas.org/irp/offdocs/eo/eo-13353.htm">Executive Order 13353</a>, which established the Safeguarding American Civil Liberties’ Board.</p>
<p>Under M-05-08, each agency must designate an official (such as the Chief Information Officer or a senior official with wide privacy responsibilities) to oversee privacy issues in the agency.</p>
<p>The Senior Agency Official for Privacy must:</p>
<ul>
<li>Hold overall responsibility and accountability for implementing privacy protection in the agency</li>
<li>Ensure compliance with privacy laws such as the Privacy Act and the Federal Information Security Management Act</li>
<li>Review the agency’s privacy procedures and implement any necessary improvements</li>
<li>Ensure employees and contractors receive adequate privacy training</li>
<li>Be consulted heavily during the policymaking process to ensure privacy considerations play a role in the development of new laws and procedures</li>
</ul>
<p><strong>Summary:</strong></p>
<p>The Office of Management and Budget plays a significant and ongoing role in the implementation of privacy protection in the U.S. Government. Though laws such as the Privacy Act and the Freedom of Information Act legally protect individual rights, it is documents such as OMB A-130, M-01-05 and M-05-08 that help agencies implement the laws effectively.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>Federal Agency Responsibilities including OMB Circular A-130 (II.C.i.1) and other OMB Provisions including M-01-05 (II.C.i.2.a) and M-05-08 (II.C.i.2.d)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/04/06/office-of-managment-and-budget-memos/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Guidance on Protecting Federal Employee Social Security Numbers and Combating Identity Theft</title>
		<link>http://www.cippguide.org/2010/03/29/guidance-on-protecting-federal-employee-social-security-numbers-and-combating-identify-theft/</link>
		<comments>http://www.cippguide.org/2010/03/29/guidance-on-protecting-federal-employee-social-security-numbers-and-combating-identify-theft/#comments</comments>
		<pubDate>Mon, 29 Mar 2010 12:00:58 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[5 CFR 1001.102]]></category>
		<category><![CDATA[5 CFR 293]]></category>
		<category><![CDATA[CIPP/G]]></category>
		<category><![CDATA[Federal Employee]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Office of Personnel Management]]></category>
		<category><![CDATA[OPM]]></category>
		<category><![CDATA[Privacy Act]]></category>
		<category><![CDATA[Social Security Number]]></category>
		<category><![CDATA[SSN]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1410</guid>
		<description><![CDATA[Most privacy legislation and executive orders dealing with privacy concern protecting the common citizen’s right to privacy. While Government employees are not always afforded the same privacy and civil liberties rights, the government has taken some steps to safeguard their [...]]]></description>
			<content:encoded><![CDATA[<p>Most privacy legislation and executive orders dealing with privacy concern protecting the common citizen’s right to privacy. While Government employees are not always afforded the same privacy and civil liberties rights, the government has taken some steps to safeguard their information.</p>
<p>In June 2007, the Office of Personnel Management published the “Guidance on Protecting Federal Employee Social Security Numbers and Combating Identity Theft.” The memorandum recognized that the use of a social security number as an employee identifier placed government employees at greater risk for identity theft should unauthorized access or disclosure occur. The memorandum required agencies to limit the unnecessary use of Social Security Numbers as the main identifier for government employees.</p>
<p><strong>Social Security Numbers and Identity Theft</strong></p>
<p>Social Security Numbers were originally issued in 1936 for taxation purposes. Since that time, SSNs have become something of a national identifier for individuals. They are used on everything from job applications to financial accounts and medical records. As such, the importance of protecting the secrecy of one’s Social Security Number has grown. With the move to electronic record keeping systems, identity theft has become a widespread concern. With just an individual’s name, address and social security number, a criminal can open credit accounts, take out loans, buy property and wreak havoc with a person’s financial standing. Employers used to use Social Security Numbers to avoid developing their own employee identification system; however, with the increased risk of identity theft, the use of the SSN as the main identifier in the workplace and with other institutions has been phased out.</p>
<p><strong>Protection of Federal Employee Social Security Numbers</strong></p>
<p>The memorandum made several recommendations based on the findings of the Presidential Identity Theft Task Force:</p>
<ul>
<li>Employees with authorization to access SSN should be trained annually on their privacy and security responsibilities. They should also be issued privacy and confidentiality statements that specify the disciplinary action that may be taken should abuse of such information occur.</li>
<li>All agency telework policies and written agreements should comply with Federal privacy protection policies</li>
<li>Supervisory approval should be necessary prior to accessing or transporting information or equipment containing SSN outside of the agency facilities</li>
<li>Encryption should be used during transportation or transmission of electronic data containing SSN</li>
<li>Paper records containing SSN should be adequately protected with physical safeguards and labeled with the agency’s contact information</li>
<li>When access is required to SSN, it should occur in a secure location</li>
<li>All incidents involving SSNs must be reported</li>
<li>Any disclosure of SSN along with other personally identifiable information must be made in accordance with Federal privacy protection laws</li>
<li>Employees must be familiar with the procedures for labeling, storing and destroying printed material containing Social Security Numbers and other personally identifiable information</li>
<li>On a records retrieval screen a Social Security Number must be masked with asterisks or special characters</li>
<li>Internal control procedures must be in place to control authorized and unauthorized use of SSN and personally identifiable information by employees</li>
</ul>
<p>A number of official regulations already enforce protection of Social Security Numbers including:</p>
<ul>
<li><a href="http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&amp;tpl=/ecfrbrowse/Title05/5cfr293_main_02.tpl">5 CFR 293</a>, which allows individuals asked to voluntarily provide their SSN to refuse without threat of penalty or denial of benefits; prohibits agencies from requiring the disclosure of the SSN unless required by Federal law; and requires agencies to ensure the proper administrative, physical and technical safeguards are put into place to protect personally identifiable information</li>
<li><a href="http://law.justia.com/us/cfr/title05/5-2.0.1.2.43.html">5 CFR 1001.102</a>, under which all employees and contractors must protect SSNs and other personally identifiable information in order to comply with the Privacy Act</li>
</ul>
<p><strong>Summary</strong></p>
<p>Social Security Numbers have an immense hold over an individual’s privacy and security. Unauthorized disclosure and use of SSNs costs millions of dollars in damages. The OPM Memorandum regarding the protection of Federal Employees’ Social Security Numbers was important not only for protecting the privacy of Federal Employees but also for signaling to other institutions that the use of Social Security Numbers as an identifier is no longer safe or acceptable.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>Federal Agency Responsibilities including OPM Memorandum: Guidance on Protecting Federal Employee Social Security Numbers and Combating Identity Theft (II.A.c.ii)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/03/29/guidance-on-protecting-federal-employee-social-security-numbers-and-combating-identify-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Common Risks Impeding the Adequate Protection of Government Information</title>
		<link>http://www.cippguide.org/2010/03/22/common-risks-impeding-the-adequate-protection-of-government-information/</link>
		<comments>http://www.cippguide.org/2010/03/22/common-risks-impeding-the-adequate-protection-of-government-information/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 12:00:47 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Adequate Protection]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[CIPP/G]]></category>
		<category><![CDATA[Cloud computing]]></category>
		<category><![CDATA[Common Risks]]></category>
		<category><![CDATA[data destruction]]></category>
		<category><![CDATA[DHS]]></category>
		<category><![CDATA[E-Government Act]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Federal Acquisition Regulation]]></category>
		<category><![CDATA[FOIA]]></category>
		<category><![CDATA[Freedom of Information Act]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[PIA]]></category>
		<category><![CDATA[Presidential Identity Theft Task Force]]></category>
		<category><![CDATA[Privacy Act of 1974]]></category>
		<category><![CDATA[Privacy Impact Assessments]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1405</guid>
		<description><![CDATA[In 2007, the Department of Homeland Security and Office of Management and Budget, along with the Presidential Identity Theft Task Force, investigated information privacy and security practices in the United States Government. They developed a report called the Common Risks Impeding the Adequate Protection of Government Information (pdf) which included a list of ten common mistakes made by U.S. departments and agencies and provided recommendations for new practices to be implemented to eliminate and reduce security [...]]]></description>
			<content:encoded><![CDATA[<p>In 2007, the Department of Homeland Security and Office of Management and Budget, along with the Presidential Identity Theft Task Force, investigated information privacy and security practices in the United States Government. They developed a report called the <a href="http://www.dns-lessons.lanl.gov/.../Common-Risks-Impeding-Adequate-Protection-Govt-Info1.pdf">Common Risks Impeding the Adequate Protection of Government Information</a> (pdf) which included a list of ten common mistakes made by U.S. departments and agencies and provided recommendations for new practices to be implemented to eliminate and reduce security risks.</p>
<p><strong>1. “Security and Privacy Training is inadequate and poorly aligned with the different roles and responsibilities of personnel.”</strong></p>
<p>Proper security and privacy education is part of the administrative safeguards needed to properly protect data. Information handlers must understand the risks facing sensitive information and their responsibilities towards maintaining the <a href="../2010/01/18/fair-information-practices-principles/">Fair Information Practices Principles</a>. The report instructed agencies to include privacy and security training upon employment, maintain awareness through weekly tips, annual “security days” and other creative reminders. Agencies should also target individuals with more security and privacy responsibilities and provide more extensive training.</p>
<p><strong>2. “Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.” </strong></p>
<p><a href="../2010/02/10/privacy-act-of-1974/">The Privacy Act of 1974</a> allows the sharing of information between government agencies provided the information receives the same level of protection after disclosure and the two agencies sign and follow a data sharing agreement. Failing to comply with a data sharing agreement may allow serious breaches of an individual’s privacy. Agencies are encouraged to offer incentives for successful compliance with a data sharing agreement or contract. Agencies are also required to create detailed agreements (<a href="https://www.acquisition.gov/far/draftingguide.htm">using Federal Acquisition Regulation language</a>) describing the procedures for protecting the information and assigning an individual to oversee the data sharing process.</p>
<p><strong>3. “Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.”</strong></p>
<p>Under the <a href="../2010/02/08/foia-the-freedom-of-information-act/">Freedom of Information Act</a> and the <a href="../2010/02/10/privacy-act-of-1974/">Privacy Act of 1974</a>, government agencies are required to maintain adequate records on the types of information systems they maintain and the types and uses of the information. With a few exceptions, such information must be available to the public. Improper record keeping poses a threat to the transparency of government activities and to an individual’s right to access the information an agency maintains about them. Agencies should use <a href="http://www.whitehouse.gov/omb/e-gov/fea/">enterprise architecture</a> and inventories to review the type, location, and uses of information they have on record. Security controls should be developed in consideration of the inventory, and all systems containing personally identifiable information should be regularly assessed to ensure the integrity and security of the data.</p>
<p><strong>4. “Information is not appropriately scheduled, archived or destroyed.”</strong></p>
<p>Information must be protected at all stages of its lifecycle, including those when it is not in active use. The <a href="../2009/11/23/data-destruction-and-privacy/">proper destruction of information</a> is particularly important to safeguarding privacy. Information must be assessed to determine how long it needs to be maintained and whether it is permanent and needs to be archived by NARA or temporary and needs to be destroyed. Agencies must obtain National Archives and Records Administration approval to dispose of their records according to established record schedules.</p>
<p><strong>5. “Suspicious activities and incidents are not identified and reported in a timely manner.”</strong></p>
<p>Information security is an ongoing process which requires identifying and detecting potential threats. Instituting a system without following up with security checks and incident response ignores a fundamental part of the information security process. Agencies should develop and follow a set of procedures to identify and respond to security or privacy incidents. Response should be timely in order to be effective. Agencies should configure their computer systems to detect intrusions, monitor use, and log any incidents. Furthermore, incidents should be reported to authorized personnel and agencies to reduce risk as quickly as possible.</p>
<p><strong>6. “Audit Trails documenting how information is processed are not appropriately created or reviewed.”</strong></p>
<p>It is not just the type of information that is collected but how it is used that is restricted to protect privacy and civil liberties. Accurate audit trails are necessary to record how information is being collected, used, maintained and disclosed by an agency. Agencies should use managed data repositories to develop and review the necessary audit trails. Those audit trails can then be used to identify anomalies, determine the status of data and destroy data when it is no longer necessary.</p>
<p><strong>7. “Inadequate security controls where information is collected, created, processed or maintained.”</strong></p>
<p>Security controls include technical, physical and administrative safeguards. They are the primary defense against unauthorized access and use of information. Agencies should maintain inventories of their physical property including real estate and mobile devices. Stronger controls should be applied to areas of high impact or high risk. Security procedures should be reviewed regularly (at least annually) to ensure physical access is granted only to authorized individuals.</p>
<p><strong>8. “Information security controls are not adequate.”</strong></p>
<p>The sole purpose of information security controls is to prevent unauthorized use and access. When such controls fail, the system must be improved or replaced to provide the adequate protection of information which is guaranteed under U.S. law. Security controls should be tested annually, with higher risk systems tested more frequently. Personnel that test controls should be separate from the personnel that administer the controls regularly, to allow outside enforcement. Problems and improvements should be shared among agencies to promote awareness. All common security configurations should follow <a href="http://www.nist.gov/index.html">NIST</a> guidelines. Agencies must also consider how the public availability of information affects how government information is protected.</p>
<p><strong>9. “Inadequate protection of information accessed or processed remotely.”</strong></p>
<p>Mobile devices and the increasing use of <a href="../2009/10/27/data-protection-in-the-cloud-why-it-matters-and-how-it-affects-you-and-your-data/">cloud computing</a> technologies allow government employees to access government information when working away from the office. Data must be protected equally when accessed from a computer at the agency and when accessed from a mobile device. Agencies should maintain an audit log of any information accessed or processed remotely. NIST encryption methods, two-factor authentication, and automatic logouts after a certain period of inactivity should be employed. Agencies should ensure personnel understand the security risks involved with remotely accessing such information and have them sign a document denoting their privacy and security responsibilities.</p>
<p><strong>10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines.</strong></p>
<p>The <a title="CIPP Guide: E-Government Act of 2002" href="http://www.cippguide.org/2010/02/22/the-e-government-act-of-2002/" target="_blank">E-Government Act of 2002</a> requires that all new information security systems conduct Privacy Impact Assessments prior to use, and periodically thereafter, in order to evaluate the effectiveness of the system in protecting the information it maintains. Failing to assess new technologies for their privacy protections leaves large holes in the security of the system. Agencies should include information system planning, development and maintenance in their procedures and budgets. Systems should be purchased and implemented only when found to be cost effective in adequately protecting information. Software and hardware encryption products should be chosen from NIST-certified cryptographic modules.</p>
<p><strong>Summary</strong></p>
<p>While there are a number of regulations such as the Privacy Act of 1974, the E-Government Act of 2002, as well as the Fair Information Practice Principles which guide the use of information by the Federal Government, such regulations are not always implemented properly. Reports such as the Common Risks Impeding the Adequate Protection of Government Information are necessary to maintain an ongoing discussion regarding information privacy and security and continue to increase security protections as technologies and threats evolve.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>Common Risks Impeding the Adequate Protection of Government Information</li>
<li>Information Privacy Laws for U.S. Government Practice (I.C.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/03/22/common-risks-impeding-the-adequate-protection-of-government-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
