Legal Issues in Information Security - Chapter 2 Privacy Laws PDF
Document Details
Uploaded by EnergeticTriumph
Summary
This document provides a study guide on privacy laws, focusing on the US context. It examines constitutional, federal, and state laws related to privacy and information security. The guide also explores various aspects of privacy, including the sources of privacy law, different types of privacy laws (such as the Freedom of Information Act and the Privacy Act), and common law privacy torts.
Full Transcript
Here is an extensive study guide on privacy, drawing on the provided source:

Privacy and Information Security

Privacy is an individual's right to control their personal data, including how it is collected, used, stored, and shared. Information security, on the other hand, focuses on protecting data from unauthorized access and disclosure.

Privacy and information security are related but distinct concepts. Information security is essential for maintaining privacy, but secure information is not necessarily private. Privacy cannot exist without security.

Sources of Privacy Law

The right to privacy is widely considered a fundamental human right, but there is no single, comprehensive data privacy law in the United States. Instead, U.S. privacy laws are sector-specific, meaning they regulate the handling of personal information in specific industries like healthcare, finance, and education.

Sources of privacy law in the United States include:

○ Constitutional Law: While the U.S. Constitution does not explicitly mention "privacy," the Supreme Court has interpreted several amendments, including the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments, to establish a constitutional right to privacy. These amendments, particularly the Fourth Amendment, guarantee protection against unreasonable government intrusion and surveillance. Key Supreme Court cases that have shaped the right to privacy include:
    ○ Wheaton v. Peters (1834) recognized a person's interest in being "let alone."
    ○ Griswold v. Connecticut (1965) established the right to privacy as a fundamental right implied in the Constitution.
    ○ Katz v. United States (1967) recognized an individual's "reasonable expectation of privacy," even in public spaces.
    ○ Whalen v. Roe (1977) acknowledged the right to "informational privacy," emphasizing the importance of controlling one's personal information.
○ Federal Law: Various federal laws address data privacy in specific sectors, such as:
    ○ Freedom of Information Act (FOIA) (1966) grants the public the right to access information from federal agencies.
    ○ Privacy Act (1974) governs the collection, use, and disclosure of personally identifiable information (PII) by federal agencies.
    ○ E-Government Act (2002) mandates the use of privacy-protective information technologies by the federal government.
    ○ Electronic Communications Privacy Act (ECPA) (1986) regulates access to electronic communications like emails and phone calls.
    ○ Wiretap Act forbids eavesdropping on communications without a court order.
    ○ Stored Communications Act allows employers that provide electronic communication services to access stored messages.
    ○ Census Confidentiality (1952) mandates the Census Bureau to protect census responses.
    ○ Cable Communications Policy Act (1984) requires cable companies to provide annual privacy notices and obtain consent before using customer data.
    ○ Driver's Privacy Protection Act (1994) safeguards personal information in motor vehicle records.
○ State Law: Several states have incorporated a right to privacy in their constitutions, offering explicit privacy guarantees to their residents. States like California have been at the forefront of enacting privacy laws. All states have data breach notification laws, requiring organizations to inform residents if their personal information is compromised in a security breach. States also have sector-specific privacy laws protecting financial, health, and motor vehicle information.
○ Common Law: Common law, based on legal tradition and court decisions, has long recognized privacy torts, which are civil wrongs that harm a person's privacy. Four key privacy torts include:
    ○ Intrusion into Seclusion: Invading someone's private space, physically or electronically.
    ○ Portrayal in a False Light: Publishing private information, even if true, in a way that creates a false and offensive impression.
    ○ Appropriation of Likeness or Identity: Using someone's name or likeness for commercial gain without their consent.
    ○ Public Disclosure of Private Facts: Sharing embarrassing and truly private facts that a reasonable person would find offensive.
○ Voluntary Agreements: While not legally binding, fair information practice principles (FIPPs), such as those outlined by the Organization for Economic Co-operation and Development (OECD), provide a framework for organizations to handle personal data responsibly and transparently. Organizations can demonstrate their commitment to privacy by participating in seal programs like WebTrust, TRUSTe, and the Better Business Bureau, which verify compliance with recognized privacy practices.

Threats to Personal Data Privacy in the Information Age

The rapid advancement of technology presents significant challenges to personal data privacy. Individuals often have limited control over how their data is collected, used, and shared in the digital realm.

Technology-Based Privacy Concerns:

○ Spyware: Malware that secretly collects personal information and transmits it to unauthorized third parties.
○ Adware: Software that displays advertisements, some of which can be targeted based on user information collected through spyware.
○ Cookies: Small text files stored on a user's computer by websites to track their browsing activity.
    ○ First-party cookies are created by the website being visited.
    ○ Third-party cookies are placed by advertising companies to track users across multiple websites.
○ Web beacons: Invisible electronic files that monitor website traffic and user behavior.
○ Clickstream data: Information about a user's browsing path, such as the order of pages visited and links clicked.
○ Online profiling: The practice of compiling data from a user's online activities to create a profile of their habits and preferences. This information can be used for targeted advertising, displaying ads tailored to a user's specific interests.
○ Wireless Technologies:
    ○ Radio Frequency Identification (RFID): Technology using radio waves to identify and track tagged objects. RFID tags can be used to track pets, inventory, people, and travel patterns. Concerns include unauthorized access to information stored on RFID tags and the potential for tracking individuals' movements without their knowledge or consent.
    ○ Bluetooth: Short-range wireless communication technology that enables devices to connect and exchange data. Concerns include information tracking, potential data exposure, and vulnerability to hacking due to the visibility of Bluetooth connections.
    ○ Near Field Communication (NFC): Very short-range wireless technology used for tasks like mobile payments, with less risk of information exposure due to the close proximity required for communication.
    ○ Global Positioning System (GPS): Technology that provides precise location tracking. Concerns include potential for constant monitoring of individuals' movements through GPS-enabled devices like cell phones and cars.
○ Security Breaches: A security breach occurs when security measures fail, resulting in the unauthorized disclosure of personal information. Security breaches pose a significant threat to privacy, as they can expose large amounts of personal data to misuse, potentially leading to identity theft and fraud.

People-Based Privacy Concerns:

○ Phishing: A type of internet fraud where attackers try to trick people into revealing personal information, often through deceptive emails.
○ Social engineering: Manipulating people into divulging confidential information.
○ Shoulder surfing: Observing someone entering sensitive information, such as passwords or credit card numbers.
○ Dumpster diving: Searching through trash to find discarded documents containing personal information.
○ Social Networking Sites: While social networking sites offer valuable platforms for connection and communication, they also present privacy risks.
    ○ Information (over) sharing: Users often post large amounts of personal information on social networks, increasing their vulnerability to privacy violations and risks like stalking and identity theft.
    ○ Security: Weak privacy settings or misunderstanding of privacy controls can lead to unintended data exposure.
    ○ The Cambridge Analytica scandal highlighted the complex privacy implications of social media platforms, data sharing with third-party apps, and the potential for misuse of personal information for political purposes.
○ Online Data Gathering: The vast amount of personal data available online makes it easy to find information about individuals, which can be used for legitimate purposes but also for harassment or identity theft.

Workplace Privacy:

○ Workplace privacy refers to privacy issues in the context of employment.
○ In the United States, employees generally have limited privacy expectations in the workplace.
○ Employers are often allowed to monitor their employees' activities, including telephone conversations, emails, computer use, and even video surveillance, for legitimate business reasons. However, there are some legal limitations and considerations, particularly regarding employee consent, notification, and restrictions on monitoring in private areas like restrooms.

General Principles for Privacy Protection in Information Systems

Organizations need to prioritize data privacy throughout the entire data life cycle: collection, use, storage, retention, and destruction. Privacy policies are essential to inform customers about data collection practices and the organization's commitment to protecting personal information.

Key principles for privacy protection include:

○ Data Minimization: Only collecting necessary data.
○ Data Quality: Ensuring data accuracy.
○ Purpose Specification: Stating the intended use of data.
○ Use Limitation: Using data only for the stated purpose.
○ Security Safeguards: Protecting data from unauthorized access.
○ Openness (Transparency): Informing individuals about data collection practices.
○ Individual Participation: Granting individuals access to their data and the ability to correct inaccuracies.
○ Accountability: Ensuring compliance with privacy principles.

International Privacy Laws

The European Union's General Data Protection Regulation (GDPR) is a landmark data privacy law that sets a high standard for protecting the personal data of EU residents, regardless of the location of the organization processing the data. The GDPR has a global reach and includes key provisions like:

○ Data subject rights, including the right to access, rectification, erasure ("right to be forgotten"), and data portability.
○ Requirements for data protection by design and default.
○ Mandatory data breach notification.
○ Significant penalties for non-compliance.

This study guide should help you understand privacy in the Information Age.