• No results found

Privacy Act of 1974

In document Federal Cloud Computing (Page 100-104)

The Privacy Act of 197413 was established as a statutory framework to govern the federal government’s collection and use of personal information. This statutory

13The Pivacy Act of 1974 (Public Law 93-579). Available from: http://www.justice.gov/opcl/privstat.htm.

Table 4.2 Fair Information Practice Principles (FIPPs) [8]

FIPPs Description

Collection

Limitation There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject Data Quality Personal data should be relevant to the purposes for which they are to

be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date

Purpose

Specification The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose

Use Limitation Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law

Security

Safeguards Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data

Openness There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

Individual

Participation An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive;

in a reasonable manner; and in a form that is readily intelligible to him;

(c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended

Accountability A data controller should be accountable for complying with measures which give effect to the principles stated above

78 CHAPTER 4 Security and Privacy in Public Cloud Computing

framework balances the federal government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted inva-sions of their privacy stemming from the collection, maintenance, use, and disclosure of personal information about them [10].

The Privacy Act is based on the internationally recognized FIPPs previously dis-cussed. The Act protects certain federal government records14 pertaining to individu-als,15 collected, maintained, used, and disseminated by federal agencies. The records containing PII are stored in a system of records (SOR) which is “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual” [11].

In accordance with the Privacy Act,16 federal agencies are required to give public notice through a Systems of Records Notice (SORN) in the Federal Registrar,17 that includes information about the SOR such as

• System name.

• Security classification.

• System location(s).18

• Categories of individual covered by the system.

• Categories of records covered by the system.

• Authority for maintenance of the system.

• Disclosure to consumer reporting agencies.

• Routine use of records maintained in the system, including categories of users and the purpose of such uses.

• Policies and practices for storing, retrieving, access, retaining, and disposal of records in the system.

• Exceptions claimed for the system.

14From Office of Management and Budget (OMB). Privacy Act Implementation: Guidelines and Responsibilities. Washington, DC: Executive Office of the President, Office of Management and Bud-get; 1975. “The term “record” means any item, collection, or grouping of information about an indi-vidual that is maintained by an agency.”

15From Office of Management and Budget (OMB). Privacy Act Implementation: Guidelines and Responsibilities. Washington, DC: Executive Office of the President, Office of Management and Bud-get; 1975. “The term “individual” means a citizen of the United States or an alien lawfully admitted for permanent residence.”

16U.S.C. section 552a – Records maintained individuals.

17From The Federal Register [Internet]. Washington, US: Government Printing Office [cited 2011 Sep 31]. Available from: http://www.gpo.gov/help/about_federal_register.htm. “The Federal Register is the official daily publication for rules, proposed rules, and notices of Federal agencies and organizations, as well as executive orders and other presidential documents.”

18From Federal CIO Council and Chief Acquisition Officers Council. Creating Effective Cloud Com-puting Contracts for the Federal Government. Washington: Executive Office of the President, Office of Management and Budget; 2012. “Under the Privacy Act, Federal agencies must be able to inform individuals, in the applicable SORN, where their data is being maintained, which can be complicated in a CSP environment.”

79 Federal Privacy Laws and Policies

The extension of Privacy Act requirements for the collection and storage of PII to a public cloud service will likely need to be carefully evaluated by the CSP and the federal agency for a cloud service operating as the federal agencies’ SOR. “Once an agency chooses a cloud computing provider to collect and store information, the individual is no longer providing information solely to the government, but also to a third party who is not necessarily bound by the same laws and regulations” [13].

Since federal agencies are “ultimately accountable for the security and privacy of data held by a cloud provider on their behalf” [5], the requirements of the Privacy Act and the responsibility for the implementation of privacy controls will be discussed later in this chapter. Therefore, assistance or requirements by the CSP to support the federal agency meeting requirements under the Privacy Act will need to be clearly addressed through a contractual obligation (e.g., protecting privacy information, and reporting breaches or disclosures).

E-Government Act of 2002, Federal Information Security Management Act (FISMA)

FISMA provides federal agencies with a recommended set of security control requirements21 necessary to protect information contained within an information

21From E-Government Act of 2002 [Internet]. Washington: US Government Printing Office [cited 2011 Oct 9]. Available from: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/html/PLAW-107publ347.

htm. Comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.

TIP

Under Section (m) of the Privacy Act, a government contractor’s information system is subject to the requirements of the Act, if under contract, the federal agency contracts for the operation by or on behalf of the agency, a SOR to accomplish an agency function [11].

Since CSPs may store records covered under the Privacy Act, the CSPs’ cloud service could be considered a SOR and be subject to the same requirements19 as federal agencies. In addition, a cloud service operated by a CSP that is covered by the Privacy Act could be subject to civil and criminal implications if the CSP knowingly and willfully acts or fails to act as described in the Privacy Act [21].

19Government contractors fall under subsection (m) of the Privacy Act of 1974.

NOTE

The Privacy Act Issuances20

According to the Privacy Act, the Office of the Federal Register (OFR) must biennially compile and publish (1) descriptions of system of records maintained on individuals by federal agencies which were published in the Federal Register; and (2) rules of each agency which set out the procedures agencies will follow in helping individuals who request information about their records. In addition, the Privacy Act requires OFR to publish the compilation in a form available to the public at a low cost [12].

20Privacy Act Issuances. Available from: http://www.ofr.gov/privacy/AGENCIES.aspx.

80 CHAPTER 4 Security and Privacy in Public Cloud Computing

system.22 In addition, federal agencies are required to identify and assess the risk to their PII, and to ensure security controls are implemented to enable adequate secu-rity. Therefore, CSPs that collect, store, or process PII on behalf of the federal gov-ernment may have a responsibility to meet specific security requirements. These security requirements are based on the confidentiality,23 integrity, and available objectives for the information identified as a result of a security categorization con-ducted by the CSP or the federal agency.

NIST was given the responsibility for developing standards and guidelines for information systems. These standards and guidelines include providing federal agen-cies with guidance24 on categorizing PII. The Privacy Act requires federal agencies to establish administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenient or unfairness on whom information is obtained [9]. Harm is the adverse effects that would be experienced by an individual whose PII was the subject of a loss of confidentiality, as well as any adverse effects experienced by the organization that maintains the PII [14]. Therefore, the loss (or breach) of confidentiality would likely need to be evaluated against the unauthorized disclosure of the PII and the “effect on the organizational operations, organizational assets, or individual” [15] against the different confidentiality impact levels (see Table 4.3).

FISMA also required federal agencies to establish procedures for the detection, reporting, and response of security incidents. In addition, OMB requires federal agencies to report incidents involving PII to the US Department of Homeland Secu-rity (DHS), US Computer Emergency Readiness Team (US-CERT).25 Incidents that involve breaches to PII are categorized by the US-CERT as a Category 1 and require reporting within one hour of the discovery/detection. The CSPs’ incident response plan26 will need to reflect any new requirements for notification and reporting by ensuring service agreements address the requirements and responsibility for notifica-tion, reporting, and any costs associated with an incident involving the compromise of PII.

22From Office of Management and Budget (OMB), OMB Circular No. A-130 Revised (Transmit-tal Memorandum No. 4), Management of Federal Information Resources. Washington, DC: Execu-tive Office of the President, Office of Management and Budget; 2000. “A discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual.”

23US Congress. Federal Information Security Management Act. Washington, DC: US Congress; 2002.

“Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.”

24Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. Available from: http://csrc.nist.gov/publications/fips/

fips199/FIPS-PUB-199-final.pdf.

25US-CERT Incident Reporting System. Available from: https://forms.us-cert.gov/report/.

26NIST Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide.

Available from http://csrc.nist.gov/publications/nistpubs/SP800-61rev2/SP800-61rev2.pdf.

81 Federal Privacy Laws and Policies

In document Federal Cloud Computing (Page 100-104)