Personally Identifiable Information (PII) is information that is unique to an individual and that, either alone or in combination with other information, can be used to identify that person directly. PII can be public or private. Private PII is the more sensitive and confidential information, such as date of birth (DOB) and Social Security number (SSN). Public PII is information that is commonly and publicly available. The Privacy Act of 1974 was the first comprehensive legislation adopted in the United States dealing with personal information collected and used by federal agencies (Stallings & Brown, 2015, p. 623). While this law covered government records, several laws enacted since then cover other areas, including banking and finance, credit reports, medical and health insurance, children's privacy and electronic communication. The law that pertains to credit reports is the Fair Credit Reporting Act (FCRA). The FCRA was established because individuals have certain rights regarding the information reported about them, and the credit reporting agencies have obligations they must fulfill when reporting this data. If PII is lost or stolen, great harm can be caused to the individual, including identity theft.
What are the ethical and legal responsibilities of your company in designing its interface and implementing security protocols for its systems?
PII is collected, maintained and shared by organizations and agencies around the world. Organizations use private information to build detailed profiles of individuals (Stallings & Brown, 2015, p. 625). They mine this information and later distribute and sell it. It is the responsibility of organizations to protect this PII. Organizations need management controls and technical measures to comply with privacy laws, and they also need to implement corporate policies concerning privacy (Stallings & Brown, 2015, p. 623). Safety measures must be built in when the security protocol is designed, and all employees, contractors and other users of the system must be made aware of the laws and legal obligations that apply when handling PII. Several safeguards can be used to protect PII: creating policies and procedures for protecting the information; conducting training on how to access and handle it; de-identifying the information, that is, removing enough of it that what remains no longer identifies the individual; access enforcement, which controls access through mechanisms such as access control lists; access control for mobile devices, so that PII is not accessible from portable and mobile devices; transmission confidentiality, by encrypting the information before it is transmitted; and auditing of events in which PII has been accessed inappropriately (Nvlpubs.nist.gov, 2017).
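De-identification is the one safeguard in the list above that is a concrete data transformation, so here is an added example of it (this code is not from the paper or from NIST SP 800-122). It assumes a constructed sample record and a hypothetical pseudonymisation key: direct identifiers are suppressed, the date of birth and ZIP code are generalised, and the SSN is replaced with a keyed hash so records stay linkable without exposing the number.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample record: every value here is made up for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "dob": "1984-07-19",
    "zip": "90210-1234",
    "email": "jane.sample@example.com",
    "balance": 1520.75,
}

# Assumed: the only field the downstream analysis actually needs.
RETAINED_FIELDS = {"balance"}
# Hypothetical secret for keyed pseudonymisation; in practice it lives in a key store.
PSEUDONYM_KEY = b"example-key-not-for-production"
DIRECT_IDENTIFIERS = ("name", "ssn", "dob", "email")

def age_band(dob_iso: str, today: date) -> str:
    """Generalise an exact date of birth to a ten-year age band."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def pseudonym(ssn: str) -> str:
    """Replace an SSN with a keyed hash: linkable across records, not reversible."""
    digits = ssn.replace("-", "")
    return hmac.new(PSEUDONYM_KEY, digits.encode(), hashlib.sha256).hexdigest()[:16]

def deidentify(record: dict, today: date) -> dict:
    """Drop direct identifiers, generalise quasi-identifiers, keep analytic fields."""
    out = {k: v for k, v in record.items() if k in RETAINED_FIELDS}
    out["subject_id"] = pseudonym(record["ssn"])
    out["age_band"] = age_band(record["dob"], today)
    out["zip3"] = record["zip"][:3]  # first three digits keep the region only
    return out

def contains_direct_identifier(record: dict) -> bool:
    """Check that no direct identifier field survived de-identification."""
    return any(k in record for k in DIRECT_IDENTIFIERS)

def demo() -> dict:
    """De-identify the constructed record as of a fixed reference date."""
    return deidentify(SAMPLE_RECORD, date(2017, 11, 6))
```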
What ethical and legal issues should you consider in determining your response when confidential information has been compromised?
Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. Security breach laws typically have provisions regarding who must comply with the law, definitions of "personal information", what constitutes a breach, and requirements for notice (Ncsl.org, 2017). The ethical and legal obligations in determining a response depend on the organization and its type. The Fair Credit Reporting Act (FCRA) is the governing legislation to consult when determining the legal duties during the response; it promotes the accuracy, fairness and privacy of information in the files of consumer reporting agencies (Consumer.ftc.gov, 2017). Ethically and morally, additional duties may apply. Every organization should have a current and complete Incident Response Plan that lays out in detail the main steps needed to comply with the applicable laws and organizational rules. Those steps should include conducting a thorough investigation and immediately notifying your immediate supervisor. Victims should be informed by the best available means, whether mail, telephone, advertisements or media outlets, so that they can take proper steps to protect themselves from further damage.
Breach laws mandate disclosure of any loss of consumer information. What positive and negative effects have these laws had?
A bill called the Personal Data Notification and Protection Act of 2017 has been introduced. Currently, each state sets its own rules and regulations for what to do in case of a data breach. Some states already have strong laws in place; if this bill passes, there will be one standard to follow, with a minimum set of rules. The laws of the state where each victim lives must also be taken into account: it is important to determine where data breach victims reside in order to identify the relevant requirements in each case (The National Law Review, 2017). With the enactment of a federal bill, reporting would be streamlined and therefore easier. Under the current state-by-state approach, reporting is manageable until an organization has locations in multiple states, at which point working out the applicable reporting laws becomes increasingly difficult. States that already have comprehensive laws in place will not find the federal guidelines cumbersome to follow. The laws in effect now set the minimum that must be done in case of a breach; if an organization is lax and does only the minimum, consumers may be at higher risk. Similar bills have been introduced in the past and have not passed.
In conclusion, there are many factors to consider when designing security protocols in an organization. State laws must be followed, as must company policies, rules and regulations. Serious consequences for both the consumer and the organization can occur if the laws are not followed. Every organization should have an Incident Response Plan that is kept up to date and stored in a central or locked area so that it can be retrieved quickly when needed. Taking the time to learn the rules and laws before a breach will save time and effort after one.
Consumer.ftc.gov. (2017). A Summary of your rights under the FCRA. [online] Available at: https://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf [Accessed 6 Nov. 2017].
Ncsl.org. (2017). Security Breach Notification Laws. [online] Available at: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx [Accessed 6 Nov. 2017].
Nvlpubs.nist.gov. (2017). Guide to protecting the confidentiality of personally identifiable information. [online] Available at: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf [Accessed 6 Nov. 2017].
Stallings, W., & Brown, L. (2015). Computer security: Principles and practice (3rd ed.). Upper Saddle River, NJ: Pearson.
The National Law Review. (2017). Data Breach 101, Part I: Data Breach Notification Laws. [online] Available at: https://www.natlawreview.com/article/data-breach-101-part-i-data-breach-notification-laws [Accessed 6 Nov. 2017].