[Log In] []

Exploring the science and magic of Identity and Access Management
Thursday, April 19, 2018

Keep your Personal Data Safe Online

Privacy
Author: Mark Dixon
Thursday, April 19, 2018
11:51 am

DigiMe

In the wake of the US Senate grilling Mark Zuckerberg about the Cambridge Analytics scandal, and as we move ever so quickly towards the May 25th date when the EU will begin enforcing the General Data Protection Regulation (GDPR), it is easy to focus on the responsibilities online companies have for implementing what GDPR calls “Data Protection by Design and by Default.”

All that focus is good, but we should not forget the responsibilities each person has for making sure their own personal data is safe. In her blog post today, Emma Firth of digi.me proposes “10 ways to keep your personal data safe online.”

Please take a few minutes to read Emma’s commentary, but here are the ten points she recommends:

  1. Be clear who can see what
  2. Have strong passwords – and don’t reuse them or write them down
  3. Take care not to post information that is often used as security questions 
  4. Don’t fall for dodgy or so-called phishing emails
  5. Be careful where you log-on – take care to disconnect from a session if using public computers
  6. Make sure your home wifi is password-protected
  7. Be wary about who you befriend online
  8. Beware what pictures and status updates on social media tell a potential criminal about you
  9. Be sensible and always have your wits about you

Thanks, Emma, for your insightful reminders.

And remember, in the words of Sergeant Phil Esterhaus (Michael Conrad) of Hill Street Blues fame …

 

Bermuda Personal Information Protection Act

Privacy
Author: Mark Dixon
Monday, April 16, 2018
9:07 am

When I give a presentation about the Global Data Protection Regulation (GDPR), someone usually asks how long it will be before the United States has a similar regulation?  I really don’t know, but the Senate Facebook hearings last week show that the topic is certainly on the minds of our elected leaders.

Bermudaflag

Another strong indicator that a US regulation is forthcoming is the emergence of “GDPR-like” regulations in other countries.  For example, the article “A paradise for data privacy advocates – Bermuda’s privacy law now in full effect,” states:

With enactment of the Personal Information Protection Act (PIPA), Bermuda can now count itself among the ever-expanding list of jurisdictions with enhanced privacy protections. PIPA, passed on July 27, 2016, and entered into force in December 2017, shares many of the more stringent requirements and protections with Europe’s impending General Data Protection Regulation (GDPR), which indicates a growing, global trend towards stepped-up privacy regimes. 

Regulations such as this will put pressure on the US to act, in order to facilitate economic interaction with other countries:

Unless and until the United States passes an overarching privacy statute providing comparable levels of protection over the use of one’s personal information, including for non-US Persons, it is unlikely that the Privacy Commissioner will allow for the free flow of personal information between Bermuda and the United States.

A concluding statement

Ultimately, the trend towards greater privacy protections—and the limitation on cross-border data transfers, especially to the United States—is only picking up steam, as this Bermuda law highlights. And more may still be to come.

How soon do you think the United States will act?

 

Time for a Federal Data Breach Law in the US?

Privacy
Author: Mark Dixon
Friday, April 13, 2018
6:55 am

Data breach

Recently, I have given several presentations about the European Union’s General Data Protection Regulation (GDPR). A common question that arises is whether we should expect a similar data protection regulation in the US.  

This morning, an interesting article on the subject crossed my desk: “No more waiting: it’s time for a federal data breach law in the U.S.”

A few excerpts:

With the recent passage of data breach notification laws in Alabama and North Dakota, all U.S. states and the District of Columbia now require that companies let us know when our personal data are breached. It only took 15 years.

Notably, states overwhelmingly require notification only if some sort of financial data or password information is involved. That’s a problem because data breaches often entail other kinds of harm. A better, more rights-respecting standard — one that could be incorporated into existing state standards and a new federal law — would require companies to notify us of breaches of our personal information tied to other harms.

It is crucial that any new federal standard does not prevent states from adding protections. A federal breach law should create a floor of minimum standards that companies must meet, not a ceiling prohibiting tougher state enforcement.

Members of Congress have already proposed a number of data breach notification laws, but while some proposals are better than others, none have been great for the people these laws are supposed to protect. Even one of the better efforts had provisions to preempt stronger state laws. As we wait for the right bill, ordinary people remain vulnerable and without sufficient redress under many state laws.

It seems to me that demand in the US for privacy protection in general and breach notification in particular has lagged such demand in Europe, probably because of difference in culture and political philosophy.  However, due to the increaser in high-profile data breaches in the last couple of years, I expect we will see federal legislation fairly soon. 

 

 

Can YOU choose how your personal data is used?

Privacy, Social Media
Author: Mark Dixon
Thursday, April 12, 2018
11:47 am

This little exchange highlights the essence of an individual’s right to privacy – Individuals should have control over how their personal data is used. Do you have control?  Should you?

If you can’t see the video, you can access it on YouTube here.

 

Identity – Critical for GDPR?

Identity, Privacy
Author: Mark Dixon
Friday, July 28, 2017
12:44 pm

GDPR2

How critical is Identity and Access Management to GDPR Compliance?

The somewhat radical, but underlying philosophy of GDPR is that enterprises must enable individual data subjects (EU citizens) to control their own Personally Identifiable Information (PII), and grant or withdraw permission to store and use such data. Certainly, appropriate processes and technology are essential to protect the data “by design and default,” but the question remains – how can enterprises keep track of all the data subjects and their PII data?

I propose that Identity is at the heart of the matter.  How can an enterprise:

  1. Know who all data subjects are and what personal data is being maintained?
  2. Know what rights of data use each data subject has granted? 
  3. Know PII data elements are being maintained and processed for each data subject?
  4. Enable data subjects to edit (rectify) any of the data elements being maintained?
  5. Allow each data subject to grant or withdraw consent?
  6. Securely authenticate and authorize data subjects when they desire access to their PII?
  7. Guarantee that only people with legitimate need-to-know can access PII?
  8. Enable data subjects to request erasure?
  9. Audit and certify processes for consent, use and erasure?
  10. Notify data subjects of any breaches?

There are probably more reasons, but this list is a start. In my opinion, Identity at the heart of effective GDPR compliance.

By the way, as of today, there are only 300 days left.

Comments Off on Identity – Critical for GDPR? . Permalink . Trackback URL
WordPress Tags:
 

Oracle White Paper: Helping Address GDPR Compliance

Information Security, Oracle, Privacy
Author: Mark Dixon
Thursday, July 27, 2017
12:00 pm

GDPR

May 25, 2018 is bearing down on us like a proverbial freight train. That is the date when the European Union General Data Protection Regulation (GDPR) becomes binding law on all companies who store or use personal information related to EU citizens. (Check out the count down clock on the GDPR website).

Last week, Oracle published a new white paper, “Helping Address GDPR Compliance Using Oracle Security Solutions.”

Leveraging our experience built over the years and our technological capabilities, Oracle is committed to help customers implement a strategy designed to address GDPR security compliance. This whitepaper explains how Oracle Security solutions can be used to help implement a security framework that addresses GDPR.

GDPR is primarily focused on protecting fundamental privacy rights for individuals. By necessity, protection of personal information requires good data security. As stated in the white paper, 

The protection of the individuals whose personal data is being collected and processed is a fundamental right that necessarily incorporates IT security.

In modern society, IT systems are ubiquitous and GDPR requirements call for good IT security. In particular, to protect and secure personal data it is, among other things, necessary to:

  • Know where the data resides (data inventory)
  • Understand risk exposure (risk awareness)
  • Review and, where necessary, modify existing applications (application modification)
  • Integrate security into IT architecture (architecture integration)

Oracle proposes the following framework to 

… help address GDPR requirements that impact data inventory, risk awareness, application modification, and architecture integration. The following diagram provides a high-level representation of Oracle’s security solutions framework, which includes a wide range of products and cloud services.

OracleGDPR SecuritySolutions july17

 

The paper primarily focuses on the “Enforcement” portion of this model, postposing that:

… four security requirements are a part of many global regulatory requirements and well-known security best practices (i.e. ISO 27000 family of standards, NIST 800-53, PCI-DSS 3.2, OWASP and CIS Controls).

Enforcement

In conclusion, the paper states:

The path towards GDPR compliance includes a coordinated strategy involving different organizational entities including legal, human resources, marketing, security, IT and others. Organizations should therefore have a clear strategy and action plan to address the GDPR requirements with an eye towards the 25 May, 2018 deadline.

Based on our experience and technological capabilities, Oracle is committed to help customers with a strategy designed to achieve GDPR security compliance.

 

May 25, 2018 is less than ten short months away.  We all have a lot of work to do.

 

 

 

Comments Off on Oracle White Paper: Helping Address GDPR Compliance . Permalink . Trackback URL
WordPress Tags: , , ,
 

$1,000 per Record?

Information Security, Privacy
Author: Mark Dixon
Tuesday, November 19, 2013
5:49 pm

One Thousand Dollars

Today, I read of at three separate instances where class-action lawsuits have been filed on behalf of people whose personal information had been breached at a healthcare company.  The largest lawsuit, filed against TRICARE, represents 4.9 million affected individuals and is seeking damages of $1,000 per record – a total of $4.9 BILLION. Wow!

This action or other similar lawsuits have yet to be reach court or settlement. Depending on the outcomes, potential costs of litigation and resulting awards to victims may emerge as the single most powerful financial driver to implement good information security in the healthcare industry. 

Comments Off on $1,000 per Record? . Permalink . Trackback URL
WordPress Tags: ,
 

Video: Ann Cavoukian – Privacy and Security by Design: An Enterprise Architecture Approach

Information Security, Privacy
Author: Mark Dixon
Wednesday, November 6, 2013
4:17 pm

The following video features Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada, discussing the paper I co-authored with her, “Privacy and Security by Design: An Enterprise Architecture Approach.”

Comments Off on Video: Ann Cavoukian – Privacy and Security by Design: An Enterprise Architecture Approach . Permalink . Trackback URL
WordPress Tags: ,
 

Protect Privacy to Build Trust in the Age of Context

Privacy
Author: Mark Dixon
Monday, November 4, 2013
4:04 pm

Wetrust

My recent post about the book, “Age of Context: Mobile, Sensors, Data and the Future of Privacy,” by Robert Scoble and Shel Israel, began to explore the benefits that might accrue from converging technologies of the “perfect storm” of mobile devices, social media, big data, sensors and location-based services. But what effect will this have on personal privacy?

Scoble and Israel provide these comments in the final chapter of the book, entitled “Trust is the New Currency”:

We have spoken to hundreds of people and looked at hundreds of technologies, and we firmly believe that adding context will make the world an easier, more efficient, cleaner and more productive place.

However, we’d be negligent if we didn’t point out that the price we pay for many of these benefits is our personal privacy. Every new piece of technology we adopt requires us to consider that price and how it will be exacted.

The book proposes the follow principles that need to be wrestled with in this area.  These are not the exact order or terminology used in the book, but my interpretation of what is needed.

  1. Transparency and candor.  Service providers don’t attempt to cover up impacts to privacy made by choices consumers make.
  2. Freedom to choose.  Consumers are always able to opt in and out at will – choosing what privacy they may be willing to sacrifice for other benefits.
  3. The right to know.  Consumers can know what data services providers maintain, and what that data is used for.
  4. The right to go silent.  Consumers retain the right to “go silent,” or opt out of any attempts to monitor or track that consumer.
  5. Data ownership.  Personal data remains property of the consumer, event when the service provider is a steward of that data.
  6. Human override.  Humans can always over ride automatic processes.
Do other principles apply?  Probably.  But figuring out the implication of this list will take some concerted effort.

Scoble and Israel propose that online service providers that get it right will gain advantage over those that don’t – that privacy will become a valuable asset, not just for consumers, but those who hope to deliver services to them.

This was echoed in a recent Huffington Post article:

Today there is a new business currency. It can’t be found at the local bank, or purchased for any price. The new commodity is trust. And while I speak of trust as a commodity it can’t be bough or sold. It has to be earned. … A shift is underway in how businesses and consumers interact, both online and in person, and the businesses that recognize the value of building trust and dare I say “wow” with each transaction will set themselves apart from the competition.

“Protect privacy to build trust” can and must become a powerful mantra for modern business.

 

 

Comments Off on Protect Privacy to Build Trust in the Age of Context . Permalink . Trackback URL
WordPress Tags: , ,
 

Great Book – Age of Context: Mobile, Sensors, Data and the Future of Privacy

Identity, Privacy, Technology
Author: Mark Dixon
Tuesday, October 29, 2013
10:24 pm

Ageofcontext

This evening, I finished reading a fascinating book, “Age of Context: Mobile, Sensors, Data and the Future of Privacy,” by Robert Scoble and Shel Israel.

Scoble and Israel propose that we are in the midst of a perfect storm:

Our perfect storm is composed not of three forces, but five, and they are technological rather than meteorological: mobile devices, social media, big data, sensors and location-based services. … they’re already causing disruption and making waves. As discrete entities, each force is already part of your life. Together, they have created the conditions for an unstoppable perfect storm of epic proportion: the Age of Context.

I have long been fascinated with the concept of context. I first mentioned context as an important factor in Identity Management in July, 2005,  as I blogged about the Catalyst Conference.  During my years with Sun Microsystems, we often spoke about “context-aware, blended services” being delivered via mobile devices.  For example, in September, 2008, one of my blog posts entitled, “Sensor-triggered Personalized Services,” stated, in part:

Project Destination, an initiative I lead for Sun, is all about providing the infrastructure to deliver highly personalized, context-aware, blended services to online users across the “screens of your life.” When you couple sensor technologies with Identity, personalization and service orchestration techniques, you can get some powerful results.

It is great to see the progression and refinement of that concept.  I sense we are barely scratching the surface of possibilities in this arena.  Lot of fun ahead!

Comments Off on Great Book – Age of Context: Mobile, Sensors, Data and the Future of Privacy . Permalink . Trackback URL
WordPress Tags: , ,
 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.