Privacy and Data Breaches
A GROWING AIRPORT CONCERN
Dominic Nessi
Privacy in General
There is none
Google and other search engines, cookies
Growth of on-line commerce
Social media
Mobile devices
Vehicle tracking
Traffic cameras
Privacy in General
RIGHT OF PRIVACY: the qualified legal right of a person to have reasonable privacy in not having his private affairs made known or his likeness exhibited to the public, having regard to his habits, mode of living, and occupation.
Personally Identifiable Information (PII) is defined as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." So, for example, a user's IP address as used in a communication exchange is classed as PII regardless of whether it may or may not on its own be able to uniquely identify a person.
From an IT perspective, we use the Privacy Act of 1974, FISMA, the Electronic Communications Act, Computer Fraud and Abuse Act and HIPAA to guide our actions.
Six Privacy Issues Airports Must Consider
Data Breaches
should be high on an airport’s priority list
Prevention measures
Compartmentalize personal information
Access control
Encrypt when storing, and when transmitting over public networks
Encrypt data on mobile devices
Mobile device management
Mitigation measures
Six Privacy Issues Airports Must Consider
Data Leakage
should also be high on an airport’s priority list
Prevention measures
Organizational policies that limit an employee’s ability to take PII home
Disabling USB drives
Mitigation measures
Remote wiping a device
Six Privacy Issues Airports Must Consider
Location-based services use personal information
LBS comes from many sources – GPS, cell towers, wireless access points, indoor positioning, IP addresses, MAC addresses
This is a growing area of concern as airports track wait times based on mobile devices
Mobile devices track locations, which could be used to determine shopping and eating patterns
Police and parking facilities track license plates
Many providers are still in a “collect” phase
Collect only what you need
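The following Go program is an added example, not part of the presentation, of what "collect only what you need" can look like for the wait-time tracking described on this slide. The raw sensor sighting (MAC address, zone, timestamp) is reduced before storage: the MAC is replaced by an HMAC pseudonym whose key rotates daily, location is kept only at zone level, and timestamps are coarsened to the minute. The names Observation, Record, Pseudonymizer, WaitTimes and the sample sightings are all constructed for this example; the master secret is a placeholder that would come from a KMS or HSM in a real deployment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"time"
)

// Observation is the raw report from a Wi-Fi or Bluetooth sensor (constructed shape;
// real sensor formats vary). It is never stored in this form.
type Observation struct {
	MAC  string    // hardware address the sensor saw
	Zone string    // coarse zone such as "checkpoint-entry", not a precise position
	Seen time.Time
}

// Record is the minimized form kept for wait-time analytics: a daily pseudonym in
// place of the MAC, zone-level location, and timestamps rounded to the minute.
type Record struct {
	Token string
	Zone  string
	Seen  time.Time
}

// Pseudonymizer replaces MAC addresses with an HMAC under a key that changes every
// day, so a device can be followed within one day (enough to measure a queue) but
// observations from different days cannot be linked together or tied back to the MAC.
type Pseudonymizer struct {
	master []byte // long-term secret; assumed to live in a KMS or HSM in production
}

// dayKey derives the per-day key from the master secret and the UTC date.
func (p Pseudonymizer) dayKey(day time.Time) []byte {
	h := hmac.New(sha256.New, p.master)
	h.Write([]byte(day.UTC().Format("2006-01-02")))
	return h.Sum(nil)
}

// Token returns the pseudonym for a MAC, valid only for the day it was seen.
func (p Pseudonymizer) Token(mac string, seen time.Time) string {
	h := hmac.New(sha256.New, p.dayKey(seen))
	h.Write([]byte(mac))
	return hex.EncodeToString(h.Sum(nil))[:16] // truncated: uniqueness is enough
}

// Minimize applies "collect only what you need": MAC dropped, zone kept, time coarsened.
func (p Pseudonymizer) Minimize(obs []Observation) []Record {
	out := make([]Record, 0, len(obs))
	for _, o := range obs {
		out = append(out, Record{Token: p.Token(o.MAC, o.Seen), Zone: o.Zone, Seen: o.Seen.Truncate(time.Minute)})
	}
	return out
}

// WaitTimes is the one question the use case asks: per pseudonym, the time from
// first being seen at the entrance zone to first being seen at the exit zone.
func WaitTimes(recs []Record, entrance, exit string) map[string]time.Duration {
	first := map[string]map[string]time.Time{} // token -> zone -> earliest sighting
	for _, r := range recs {
		if first[r.Token] == nil {
			first[r.Token] = map[string]time.Time{}
		}
		if t, ok := first[r.Token][r.Zone]; !ok || r.Seen.Before(t) {
			first[r.Token][r.Zone] = r.Seen
		}
	}
	waits := map[string]time.Duration{}
	for tok, zones := range first {
		in, seenIn := zones[entrance]
		out, seenOut := zones[exit]
		if seenIn && seenOut && out.After(in) {
			waits[tok] = out.Sub(in)
		}
	}
	return waits
}

// SampleObservations is constructed test data: one device that queues for 12 minutes,
// and one that is seen only at the entrance (it never cleared, or was a passer-by).
func SampleObservations() []Observation {
	day := time.Date(2015, 3, 2, 10, 0, 0, 0, time.UTC)
	return []Observation{
		{MAC: "aa:bb:cc:dd:ee:ff", Zone: "checkpoint-entry", Seen: day.Add(10 * time.Second)},
		{MAC: "aa:bb:cc:dd:ee:ff", Zone: "checkpoint-entry", Seen: day.Add(45 * time.Second)},
		{MAC: "aa:bb:cc:dd:ee:ff", Zone: "checkpoint-exit", Seen: day.Add(12*time.Minute + 40*time.Second)},
		{MAC: "11:22:33:44:55:66", Zone: "checkpoint-entry", Seen: day.Add(3 * time.Minute)},
	}
}
```

The daily key rotation is the design point: the analytics still work because a device keeps one token for the day it is in the queue, but the stored records cannot be joined across days to build the shopping and eating patterns the slide warns about, and nobody holding the records without the master secret can recover a MAC from a token. The Record rows should still have a retention limit once the aggregate wait times have been computed.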
Six Privacy Issues Airports Must Consider
Cloud Computing Challenges Traditional Legal and Technical Privacy Protection
Airports are increasingly considering cloud solutions
By definition, cloud computing and privacy are at odds
Privacy laws relate to a single country – cloud computing often crosses national boundaries
Privacy laws are evolving slowly in this area
Focus on the corporate headquarters of the provider, not the location of the data itself
Sensitive information should not leave the country – public safety records, CCTV images, credentialing systems
Other data can be stored outside the country, but beware of countries known for privacy violations
Cloud technology and privacy can co-exist, but it needs to be thought out
Six Privacy Issues Airports Must Consider
The Value of Privacy Determines the Level of Protection
Airports maintain a great deal of privacy information – human resources, credentialing, POS, CCTV, law enforcement records, ALPR, medical information
Finding the “balance” between not enough protection and too much is difficult
Don’t just use legal requirements – they are slow to evolve and trail technology and social changes
Data in each system must be classified
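As an added example that is not part of the presentation, the Go code below ties the classification requirement on this slide to the "Data Breaches" prevention measures listed earlier (compartmentalize personal information, access control, encrypt when storing). Every field of a record carries a classification level; fields classified Sensitive are only ever stored as AES-GCM ciphertext, fields with no classification are refused, and a reader gets back only the fields its role is cleared for. The level names, the field and role tables, the credentialing record and the Protector type are all constructed for this example; the AES key is assumed to come from a KMS or HSM in a real system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Level is a hypothetical classification scheme; every field of a record gets one.
type Level int

const (
	Public    Level = iota // may be shown on a kiosk screen
	Internal               // staff-only, but stored in the clear inside the system
	Sensitive              // PII such as SSN or medical notes: never stored unencrypted
)

var fieldLevels = map[string]Level{"name": Public, "badge": Internal, "ssn": Sensitive, "medical": Sensitive} // constructed credentialing record

var roleClearance = map[string]Level{"kiosk": Public, "ops": Internal, "hr_officer": Sensitive} // highest Level each role may read

// Protector encrypts and decrypts Sensitive fields with one AES-GCM key.
type Protector struct{ aead cipher.AEAD }

// NewProtector takes a 16-, 24- or 32-byte AES key (in production, from a KMS or HSM).
func NewProtector(key []byte) (*Protector, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Protector{aead: aead}, err
}

// seal encrypts one field under a fresh nonce, binding record id and field name as
// associated data so a ciphertext cannot be moved into another record or field.
func (p *Protector) seal(id, field, plaintext string) (string, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := p.aead.Seal(nonce, nonce, []byte(plaintext), []byte(id+"/"+field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

func (p *Protector) open(id, field, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	n := p.aead.NonceSize()
	if err != nil || len(ct) < n {
		return "", fmt.Errorf("malformed ciphertext for %s/%s", id, field)
	}
	pt, err := p.aead.Open(nil, ct[:n], ct[n:], []byte(id+"/"+field))
	return string(pt), err
}

// Protect converts a record into its at-rest form: unclassified fields are refused,
// Sensitive fields are replaced by ciphertext, everything else is kept as-is.
func (p *Protector) Protect(id string, rec map[string]string) (map[string]string, error) {
	stored := map[string]string{}
	for field, value := range rec {
		lvl, known := fieldLevels[field]
		if !known {
			return nil, fmt.Errorf("field %q has no classification; refusing to store it", field)
		}
		if lvl == Sensitive {
			var err error
			if value, err = p.seal(id, field, value); err != nil {
				return nil, err
			}
		}
		stored[field] = value
	}
	return stored, nil
}

// Reveal returns only the fields the role is cleared for, decrypting Sensitive ones;
// unknown fields and fields above the clearance are omitted rather than returned masked.
func (p *Protector) Reveal(role, id string, stored map[string]string) (map[string]string, error) {
	clearance, ok := roleClearance[role]
	if !ok {
		return nil, fmt.Errorf("unknown role %q", role)
	}
	out := map[string]string{}
	for field, value := range stored {
		lvl, known := fieldLevels[field]
		if !known || lvl > clearance {
			continue
		}
		if lvl == Sensitive {
			var err error
			if value, err = p.open(id, field, value); err != nil {
				return nil, err
			}
		}
		out[field] = value
	}
	return out, nil
}
```

Two choices carry the slide's point. Refusing to store a field that has no classification forces the "data in each system must be classified" step to happen before data lands in the system, and binding the record id and field name into the ciphertext's associated data means a breach of the stored records cannot be turned into a cut-and-paste of one person's encrypted SSN into another person's record.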
Six Privacy Issues Airports Must Consider
Regulatory Changes are Ongoing
Absent specific laws, airports must interpret general privacy laws and general privacy legislation
This is especially true for emerging technologies such as smart meters, indoor positioning, facial recognition, and vehicle and device location
The following laws affecting privacy were proposed and are pending consideration before the U.S. House or Senate, or were proposed but not enacted:
• S. 2588 Cybersecurity Information Sharing Act (CISA), pending, introduced in the U.S. Senate on July 10, 2014.
• H.R. 3523, H.R. 624 Cyber Intelligence Sharing and Protection Act (CISPA), pending, introduced in and passed by the U.S. House in 2012, reintroduced in and passed by the U.S. House in 2013, pending before the U.S. Senate.
• H.R. 3674 Precise Act, reported by committee April 18, 2012 by Representative Dan Lungren (R-CA), but not enacted. The bill changed as "Lungren dropped many of the critical infrastructure and DHS provisions" due to the house.
• H.R. 4257 Federal Information Security Amendment Act of 2012, reported by committee April 18, 2012 by Representative Darrell Issa (R-CA), but not enacted.
• S. 2151 Secure IT, introduced by Senator John McCain (R-AZ) on March 1, 2012, but was not enacted.
• S. 2105 Cybersecurity Act, reported by committee on February 15, 2012. Sponsored by Senator Joseph Lieberman (I-CT). Failing to gain enough support for passage, the bill, entitled "Cybersecurity Act of 2012" (S. 3414), was reintroduced on July 19, 2012 in a revised form which omitted federal imposition of security standards on IP providers, as well as including stronger privacy and civil liberties protections. The revised bill was not enacted.
In 2015
• S. 1158 (Consumer Privacy Protection Act) would establish a federal security breach notification law and provide protection for many types of data including social security numbers, financial account information, online usernames and passwords, unique biometric data (including fingerprints), information about a person's physical and mental health, information about a person's geo-location, and access to private digital photographs and videos. The bill would pre-empt weaker state laws while leaving stronger state privacy laws in place.
• H.R. 2092 (Student Digital Privacy and Parental Rights Act) would prohibit operators of websites, applications and other online services from selling students' personal information to third parties and using or disclosing students' personal information to tailor advertising to them.
• S. 668 (Data Broker Accountability and Transparency Act) would, among other things, require data brokers to establish procedures to ensure the accuracy of the personal information they collect, assemble, or maintain.