FNT102 Privacy Management and Identity

Theft

Module 3 Lecture 8 Privacy Management Frameworks

A Privacy Management Framework
PRIVACY/SECURITY BREACH: SOURCE OF THREAT RISKS
MODULE 1

• EXTERNAL
• Cybersecurity
• Social Engineering
• INTERNAL
• Criminal Intent – Malicious
• Human Error (Software or Behavioural)
Risk Management Approach: safeguarding
personal information
Privacy is not about secrecy or preventing organizations from
collecting & using personal information, its about preventing a breach.

Technical Physical
Safeguards Safeguards

Administrative
Safeguards

5
PRIVACY RISK MANAGEMENT

PRIVACY BREACH PROTOCOL

OWASP Top 10 Privacy Risks
1. Web Application 6. Collection Of Data Not
Vulnerabilities Required For The Primary
Purpose
2. Operator-sided Data
Leakage 7. Sharing Of Data With Third
Party
3. Insufficient Data Breach
Response 8. Outdated Personal Data
4. Insufficient Deletion of 9. Missing Or Insufficient
personal data Session Expiration
5. Non-transparent Policies, 10. Insecure Data Transfer
Terms and Conditions
https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project
Open Web Application Security Project
 Possible Harms of Data Breaches*
Identity theft: the most common malicious use of data and the most obvious worry
that people have about their data.
Mistaken identity: occurs when you are mistaken for someone else - usually with the
same name as you. This can mean you are: arrested, charged by a collections
agency for purchases you didn’t make, denied space on an airplane (No-Fly List),
asked to pay fees you don’t owe (e.g. copyright infringement).
Embarrassment: if your private photos or communications are leaked.
Loss of trust: when clients no longer trust you with their information.
Legal liability: when you are legally liable to your clients for losing their data.
Manipulation: when companies use data about you to market things you normally
wouldn’t buy. Can also be used by political organizations to influence the news you
read.
Competitive advantage: when businesses lose trade secrets, information about
contracts with clients, etc.
PRIVACY MANAGEMENT PROGRAM
demonstrates ‘privacy’ as both a strategic and an operational risk
flowing through the entire organization
senior management support is vital to fostering a culture of privacy
requires consideration across disciplines and job functions – all
employees must be aware of and understand their obligations under
the program
ensures appropriate training and education, risk assessment and
monitoring, and auditing
Office of the Privacy Commissioner of Canada
Governance

- Appoint a person responsible for privacy

- Monitoring and reports to Board of Directors
- Allocate adequate resources
- Establish reporting mechanisms
- Identify documenting requirements
Program Controls

- Personal information inventory

- Policies and procedures
- Ongoing assessment and improvements
- Training and awareness
 Privacy Commissioner’s 12 Steps to
Data Security*
Understand the threats you’re facing
1.Know what personal information you have, where it is, and what you are doing with it.
2.Know your vulnerabilities.
3.Know your industry – hackers often use the same types of attacks on multiple targets within an industry.

Think beyond the hacker

4.Encrypt laptops, USB keys and other portable media.
5.Limit the personal information you collect, as well as what you retain.
6.Don’t neglect personal information’s end-of-life – you’re required to delete data once it is no longer being used.
7.Train your employees.
8.Limit, and monitor, access to personal information – don’t give your employees access to more data than they need access to.

But don’t forget about hackers, either

9.Maintain up-to-date software and safeguards.
10.Implement and monitor, intrusion prevention and detection systems.

Breach containment and preliminary assessment

11.You should take immediate common sense steps to limit the breach.
12.Prevent future breaches.
- Joint Auditor and Privacy Commissioner
approach
- Human Resources & Social
Development Canada
- Canada Revenue Agency
- Elections Canada
- Treasury Board Secretariat
- Different maturity levels in privacy
management framework
- Although public sector examples, good
to understand strengths & weaknesses
Areas of Weakness
 personal information is being collected, where the
institution had not formally considered whether it was
needed
 personal information is at risk of unauthorized disclosure
or loss
 privacy risks were not assessed when significant
changes to business practices were introduced
 gaps in privacy training
NIST Privacy Framework Privacy Framework | NIST
NIST Privacy Framework 2021
https://www.linkedin.com/feed/update/urn:li:activity:6639237491457163264/
Selecting a privacy framework: considerations
1. Who should be involved?
2. How will a framework benefit the organization?
3. Which business processes may be impacted?
4. Which frameworks are already being used within the organization?
5. What regulatory requirements (e.g., Health Insurance Portability
and Accountability Act [HIPAA], California Consumer Privacy Act
[CCPA], GDPR) should be considered?
Although a privacy framework is focused on privacy efforts, it impacts many other
parts of the organization and may overlap with other frameworks being used by
other business functions.

A Four-Step Approach to Adopting a Privacy Framework (isaca.org)

You may ask….
What is the budget for a privacy program?
 The average surveyed Fortune 1000 company's privacy program has
a budget of $2.4 million. The median budget is $1 million.
 The smallest company does about $2.5 billion in revenue. The largest,
Wal-Mart, does almost $500 billion
 Twelve percent of firms have budgets of more than $5 million annually.
Another 14 percent spend less than $500k annually.
 Of that mean $2.4 million number, roughly $1.9 million is spent
internally, the other $500k is spent externally.
 Of the internal spend, 50 percent is for salary and benefits of privacy
program employees.
 # of employees range from 3.3FTE to 25FTE (mature)
https://iapp.org/news/a/industry-of-privacy-project-new-budget-benchmarking/
More budget numbers…..

https://teachprivacy.com/privacy-budget-cartoon/
 Use Case: Privacy by design in the gaming industry

APPLYING A PRIVACY RISK MANAGEMENT FRAMEWORK 9 privacy risks to online

gaming
1. Camera and microphone
access
2. Location tracking
3. Poorly protected servers
4. Online gaming malware
5. In-game ransomware
6. Keyloggers
7. Unsecured WiFi
8. Phishing
https://protonvpn.com/blog/online-gaming-privacy/ 9. Not using 2FA
The huge trove of banking data was leaked by an anonymous whistleblower to the German newspaper Süddeutsche
Zeitung. “I believe that Swiss banking secrecy laws are immoral,” the whistleblower source said in a statement. “The
pretext of protecting financial privacy is merely a fig leaf covering the shameful role of Swiss banks as collaborators
of tax evaders.”
Credit Suisse said that Switzerland’s strict banking secrecy laws prevented it from commenting on claims relating to
individual clients.
“Credit Suisse strongly rejects the allegations and inferences about the bank’s purported business practices,” the bank
said in a statement, arguing that the matters uncovered by reporters are based on “selective information taken out of
context, resulting in tendentious interpretations of the bank’s business conduct.”
The bank also said the allegations were largely historical, in some instances dating back to a time when “laws,
practices and expectations of financial institutions were very different from where they are now”.

https://www.theguardian.com/news/2022/feb/20/credit-suisse-secrets-leak-unmasks-criminals-fraudsters-corrupt-politicians
Upcoming written assignment
This assignment is for Module 4 – it is an individual assignment. Please review this case
study (attached here) and prepare brief written responses to each of the 5 questions
outlined below. Each response should be no more than ½ page of text. Please submit your
assignment before Lecture 10 [Wednesday November 22nd ] by uploading into
Learn@Seneca. The evaluation rubric is also attached. The assignment is worth 15
points.

Questions
1. Was it unethical for the Path developers to collect and store the app users’ "Contacts"
information in the way they did initially, before Arun Thampi raised the issue on his blog?
2. What, if anything, should Path's designers have done differently?
3. Was the company's response an appropriate and sufficient resolution of the controversy
around Path's initial practices?
4. Did the developers at Apple share some of the responsibility for Path's practices,
because Apple had not configured its platform to prevent those practices?
5. Knowing the value of Privacy by Design, what advice would you offer to another
company looking to develop an Apple iOs app?
Final Assignment FNT102: Thinking ahead
• The final assignment for this course is worth 30% of the final grade
• Due by end of day on Thursday Dec 7th. (no extensions)
• You may have heard about the Capstone Project (FNT203) for
Semester 2
• A capstone project is a multifaceted assignment that serves as a
culminating academic and intellectual experience for students that
demonstrates program learning outcomes
• Capstone projects are generally designed to encourage students to
think critically, solve challenging problems, and develop skills such
as oral communication, public speaking, research skills, media
literacy, teamwork, planning, self-sufficiency, or goal setting
Final Assignment FNT102: Thinking ahead
The assignment:
• develop a written report (e.g. white paper, case study, or management report) outlining
your analysis and application of privacy and the principles of Privacy by Design to the
privacy issue or challenge relevant to your topic.
• your report should demonstrate that you have understood the course material; have
done some independent research; are aware of relevant issues and considerations; and
are developing your own approaches to the implementation of privacy and the
principles of Privacy by Design.
• The completed written assignment should be between 3,000 – 3,500 words (6-7
pages). The file must be uploaded into Learn@Seneca for grading.
• Record a summary of your written report. In lieu of live presentations, students will
record a max 10 min. video or audio summary of their final assignment & upload it
along with the written document.
• Always include your name, student number, date and course number on the
assignment
• The evaluation rubric and sample outline are available on Learn@Seneca
Sneak Peek – Module 3 Lecture 9
 Privacy Risk Management Tools – Privacy Impact
Assessment (PIA)