
Post on 18-Dec-2015


Information privacy in the United States

James Jones, Jason Mallory, Quentin James

Debate is centered around data privacy

Very few U.S. laws or regulations about information privacy

No all-encompassing law that regulates information privacy or data protection

Problems arise out of the need to transfer information to places like India or European countries

U.S. Privacy Laws

In short, anyone who wants to take down the data not only has the right to do so but also has the ability to store and use the data any way they deem necessary, regardless of how the information was obtained.

U.S. Privacy Laws (the gist)

Your private data can be accessed via third-party credit reports for:

Employment

Medical Care

House, Automobile payments

Any other purchases on credit

Privacy Problems in the U.S.

Privacy Act of 1974

Computer Security Act of 1987

PATRIOT Act of 2001

U.S. Privacy Laws

Mandated that all U.S. government agencies have in place administrative and physical security to prevent unauthorized release of personal records.

Allowed individuals to review their personal information upon request and even to request an amendment to records pertaining to them.

This does not apply, however, to courts, executive components, or non-agency government entities.

Privacy Act of 1974

Provided for the establishment of a computer standards program known as the National Bureau of Standards (now known as NIST).

This new bureau was to be responsible for developing standards, guidelines, and associated methods and techniques for computer systems.

It was to have responsibility within the Federal Government for developing technical, management, physical, and administrative standards and guidelines.

Computer Security Act of 1987

For all data collected there should be a stated purpose

Information collected by an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual

Records kept on an individual should be accurate and up to date

Basic Principles of Data Protection in Europe.

(a possible model for the U.S.)

There should be mechanisms for individuals to review data about them, to ensure accuracy. This may include periodic reporting

Data should be deleted when it is no longer needed for the stated purpose

Some data is too sensitive to be collected, unless there are extreme circumstances (e.g., sexual orientation, religion)

Basic Principles of Data Protection in Europe.

(continued)

Start date was March 1, 2010

Convinced several companies to leave Massachusetts.

46 states have data breach notification laws. Can you guess which don’t?

201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH

Alabama

Kentucky

New Mexico

South Dakota

U.S. States Without Breach Notification Laws

“Every person who owns or licenses personal information about a resident of the commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.”

Scope

A breach of security.

Unauthorized acquisition or unauthorized use of unencrypted data or…

Encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information

What constitutes an infraction?

Your first name and last name or first initial and last name and any of the following…

Social Security number

Driver’s license number

State-issued Identification card number

Financial account number or Credit card or debit card number

Legally, what is personal information?

Address

Phone number

Age

Sex

Any information gathered from public databases (Take note here, it’s important.)

Legally, what isn’t protected?

Up to $5000 per violation and per record lost.

“One stolen laptop loaded with a database containing the names and Social Security numbers of 200 Massachusetts residents puts you in the hole for a cool million.” --Randy George of Information Week

Incentive

Inferring classified data from public data.

Name and rank within a company is public.

Salary is classified.

All members of each rank share a salary.

Therefore, salary is inferred from rank.

Inference Problems

Internal Data Privacy
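
The rank-to-salary channel from this slide, written as an audit a database owner could run before publishing a view. This is an added example, not part of the original slides; the table, the column names and the function names are assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample data: name and rank are public, salary is classified.
EMPLOYEES = [
    {"name": "Avery", "rank": "Analyst",  "salary": 52000},
    {"name": "Blake", "rank": "Analyst",  "salary": 52000},
    {"name": "Casey", "rank": "Manager",  "salary": 78000},
    {"name": "Devon", "rank": "Manager",  "salary": 78000},
    {"name": "Emery", "rank": "Director", "salary": 110000},
]

def determines(rows, public_cols, secret_col):
    """True if every combination of public values maps to exactly one secret value."""
    seen = {}
    for row in rows:
        key = tuple(row[c] for c in public_cols)
        if seen.setdefault(key, row[secret_col]) != row[secret_col]:
            return False
    return True

def shared_groups(rows, public_cols):
    """Number of public-value combinations that more than one row shares."""
    counts = {}
    for row in rows:
        key = tuple(row[c] for c in public_cols)
        counts[key] = counts.get(key, 0) + 1
    return sum(1 for n in counts.values() if n > 1)

def find_inference_channels(rows, public_cols, secret_cols):
    """Report minimal sets of public columns that reveal a classified column."""
    channels = []
    for secret in secret_cols:
        found = []
        for size in range(1, len(public_cols) + 1):
            for cols in combinations(public_cols, size):
                if any(set(f) <= set(cols) for f in found):
                    continue  # a smaller set already determines this column
                if determines(rows, cols, secret) and shared_groups(rows, cols):
                    found.append(cols)
        channels += [(cols, secret) for cols in found]
    return channels

if __name__ == "__main__":
    print(find_inference_channels(EMPLOYEES, ["name", "rank"], ["salary"]))
```

A unique column such as name also determines salary, but it is not reported because no two rows share a value, so one disclosed salary exposes nobody else. Rank is reported because a single known salary reveals the salary of everyone at that rank.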

What is inference?

Inference is a data mining technique used to find information hidden from normal users.

Information can be missing personal data or new data that predicts useful information based on what is known

Inference

Name: Robert A. Pilgrim Alias: Robert Beth Pilgrim Age: 59 Phone number: (270) 527-2*** Address: *** Wilkins Rd City, State: Benton, KY Company:   CONCURRENT SOLUTIONS, LLC Phone Number:  270-752-2657     Email Address:  [email protected]     Web Address:  http://concurrent.us Son: Andrew Pilgrim Wife: Mary Beth Pilgrim Wife DOB: 18-Feb

Inference Example

Credit card companies can look at what you have purchased and know if you are going to get a divorce

95% accuracy

Two years out

Target uses data to infer if you are or will soon be pregnant

Purchase certain items at certain times

Targeted marketing

Long-term customer

Inference Example

http://en.wikipedia.org/wiki/Information_privacy_law

http://www.nist.gov/cfo/legislation/Public%20Law%20100-235.pdf

http://www.justice.gov/opcl/privstat.htm

http://blogs.kuppingercole.com/kuppinger/2011/03/16/database-security-a-hot-topic/

http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

http://www.sqlmag.com/article/sql-server/an-update-on-new-law-that-will-change-the-way-you-build-database-applications

http://www.informationweek.com/news/security/government/224400426?queryText=massachusetts+cmr

http://www.acsa-admin.org/secshelf/book001/24.pdf

http://www.businessinsurance.com/article/99999999/NEWS070101/399999961#

http://www.almaden.ibm.com/cs/people/fagin/bucketwb.pdf

References