Nonpublic Personal Information (NPI)

Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801-6809 (2002). Available at: https://www.law.cornell.edu/uscode/text/15/6809

(4) Nonpublic personal information
(A) The term “nonpublic personal information” means personally identifiable financial information—
(i) provided by a consumer to a financial institution;
(ii) resulting from any transaction with the consumer or any service performed for the consumer; or
(iii) otherwise obtained by the financial institution.
(B) Such term does not include publicly available information, as such term is defined by the regulations prescribed under section 6804 of this title.
(C) Notwithstanding subparagraph (B), such term—
(i) shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information; but
(ii) shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information.

(GLBA, 15 U.S.C. § 6809(4)(B))


Personally Identifiable Financial Information (PIFI)

PIFI is defined in Securities and Exchange Commission (SEC), Final Rule: Privacy of Consumer Financial Information (Regulation S-P) 17 CFR Part 248 (2000). Available at: https://www.sec.gov/rules/final/34-42974.htm

Both the GLBA and the regulations define NPI[5] in terms of PIFI.
The GLBA does not define PIFI but the FTC regulations define the term to mean any information:
(i) A consumer provides to you [the financial institution] to obtain a financial product or service from you;
(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

Explanations are Optional

Septimus shrugged and said nothing, the ways of Camp Heap rubbing off on him. He was learning from his brothers that you didn’t have to explain yourself if you didn’t want to—and that sometimes, with a witch, it was better not to.

Septimus Heap, Book Four: Quest by Angie Sage

Medical Data Exploitation

Administration, Census Bureau, and Department of Veterans’ Affairs all maintain extensive collections of genetic data. Since May 1998, sex offenders have been required to surrender DNA samples to federal databases, and today every state maintains its own DNA database that contains the DNA profiles of felons—and of others, including people merely suspected of crimes or even of innocent people rounded up in DNA sweeps. The samples of 450,000 convicts are stored with identifiers, such as the person’s name, description, criminal record, Social Security number, and image. The government has also sponsored the creation of national databases, such as the FBI’s Combined DNA Index System (CODIS), which stores DNA samples, most without identifying information. CODIS went online in 1998 with samples from 8,000 convicted child molesters, and by 2001, it contained the profiles of 1.5 million felons. In 2002, the U.S. Attorney General ordered the FBI to expand CODIS to 50 million profiles, and by 2004, CODIS stored 2.6 million samples containing the DNA of people convicted of almost any crime. In October 2005, the Senate Judiciary Committee approved a law, which was pending when this book went to print, to force anyone who is merely detained by federal authorities to provide DNA, and in August 2006 the database contained more than 3.5 million samples. The FBI predicts that CODIS will accommodate 50 million samples “in the near future.”

Besides harboring the markers for four thousand disease risks, DNA also contains information about the health and identity of one’s forebears and descendants. With a sample of your DNA, a person can predict certain disease and disorder probabilities for you and for your children. George Annas, a law professor and bioethicist at Boston University, has referred to one’s DNA profile as a “future coded diary,” and with the completion of the Human Genome Project, the code has essentially been broken. Therefore, taking the fingerprints of an arrestee and taking a sample of his DNA are not comparable acts; the latter is far more intrusive and revealing—but far less likely to yield a uniquely definitive identification.

Medical Apartheid: The Dark History of Medical Experimentation on Black Americans from Colonial Times to the Present by Harriet A. Washington

GDPR: Search Engines and Privacy

Quote 1:

The European Court of Justice set out the general rule for these decisions in 2014: the search engine which lists results leading to information about a person must balance the individual’s right to privacy against Google’s (and the greater public’s) right to display / read publicly available information.

Quote 2:

The bigger issue though is the – almost deliberate – lack of clarity. Each person’s details need to be considered on their own merit, and a decision made based on this balance between the rights of the individual and the rights of the wider society, based on a subjective consideration of the original crime, the person’s actions since and the benefit to society as a whole. This is further complicated by the fact that different rules will apply in different countries, even within the EU, as case law diverges. The result: Google is likely to face challenges if it takes anything other than a very obedient approach to those requests to be forgotten which it receives.

Google or Gone: UK Court Rules on ‘Right to be Forgotten,’ Data Protection Representatives (DPR), by Tim Bell, April 16, 2018

Bragging Rights: GDPR Training

I’ve successfully completed the Understanding the GDPR MOOC offered by the University of Groningen’s Security, Technology and e-Privacy (STeP) Research Group on FutureLearn.

Observations:

  • It’s a four-week course but I completed a good amount of on-the-job research prior to taking the course and, therefore, managed to complete the entire thing in about a week.
  • The topics covered are both comprehensive and realistic. It doesn’t get bogged down in the details and does an excellent job of covering the issues companies need to know in order to begin a gap analysis and ensure compliance.
  • The General Data Protection Regulation (GDPR) is still very new and many of the questions professionals, researchers, companies, corporations and governments have are not possible to answer. The reason for the lack of answers is simply this: when the issue is taken to court, the courts will hold a full investigation and trial. The results of that legal process will stand as precedence for future decisions. There is very little in the way of legal precedence currently established, so the academic and professional focus is on the ‘spirit of the requirements’ and the ‘primary objectives behind the establishment of the law.’
  • The course has a series of quizzes that must be passed at 75% or higher (total cumulative score) in order to receive a certificate. There’s only one opportunity to take each quiz – they cannot be redone. It’s possible to open up the videos, articles and lecture notes while taking the quiz and there is no time limit – so it is (in essence) open book. It is not possible to search everything and auto-find the answers. So, be sure to do your readings, watch all the videos and pay attention to the notes provided during the practice quizzes!
  • Successful completion of the full (paid) version results in a certificate that can be used for continuing education credits (this is useful if you hold a professional certification in a related area!).

The MOOC is well worth the time and effort. I highly recommend it to anyone involved in GDPR compliance or information security.

GDPR: Facebook data privacy scandal

Like any organization providing services to users in European Union countries, Facebook is bound by the EU General Data Protection Regulation (GDPR). Due to the scrutiny Facebook is already facing regarding the Cambridge Analytica scandal, as well as the general nature of the social media giant’s product being personal information, its strategy for GDPR compliance is similarly receiving a great deal of focus from users and other companies looking for a model of compliance…Facebook members outside the US and Canada have heretofore been governed by the company’s terms of service in Ireland. This has reportedly been changed prior to the start of GDPR enforcement, as this would seemingly make Facebook liable for damages for users internationally, due to Ireland’s status as an EU member.

“Shadow profiles” are stores of information that Facebook has obtained about other people—who are not necessarily Facebook users. The existence of “shadow profiles” was discovered as a result of a bug in 2013. When a user downloaded their Facebook history, that user would obtain not just his or her address book, but also the email addresses and phone numbers of their friends that other people had stored in their address books…Because of the way that Facebook synthesizes data in order to attribute collected data to existing profiles, data of people who do not have Facebook accounts congeals into dossiers, which are popularly called a “shadow profile.” It is unclear what other sources of input are added to said “shadow profiles,” a term that Facebook does not use, according to Zuckerberg in his Senate testimony.

Facebook data privacy scandal: A cheat sheet, Tech Republic, By James Sanders and Dan Patterson, June 14, 2018

Information Security Resources: Federal USA

United States of America Federal Regulations and recommendations affecting Information Security, cyber security, data security and privacy.


Strip Search Is Normal

Quote

The bouncer was inspecting people’s bags and backpacks before letting them in. That was the only sign that something unusual had happened. No one protested—we’re all inured these days to being searched. Pretty soon, we’ll have to get undressed before we walk into our apartment buildings at night, and we’ll probably submit to that without a murmur.

Body Work (V.I. Warshawski Novels) by Sara Paretsky

The Internet is Karma

Quote

“When you’ve been on the Internet long enough, you just assume that whatever you did, good or bad, will appear somewhere. So you suddenly start caring whether what you said was the truth or not. If what you did was honest or not. If who you are is good or not. The Internet makes us behave ourselves. The Internet makes us accountable. The Internet keeps it real. The Internet is Karma.”

Freedom Is Blogging in Your Underwear by Hugh MacLeod