4. Privacy is one of the biggest problems in this new electronic age…
…At the heart of the Internet culture is a force that wants to find out everything about you. And once it has found out everything about you and two hundred million others, that's a very valuable asset, and people will be tempted to trade and do commerce with that asset. This wasn't the information that people were thinking of when they called this the information age.
What I've Learned: Andy Grove, Former Chairman of Intel, 63, Santa Clara, California
http://www.esquire.com/features/what-ive-learned/what-ive-learned-archive
OWASP 4
5. Presentation Objective & Agenda
Objective: present different perspectives on privacy, the trade-offs between the needs of consumers and businesses, and future trends
Agenda
PART I: Doing business with customers' private information
PART II: Threats to consumers' private information and measures to protect it
PART III: Future trends affecting data privacy
7. Factors that Limit Personal Privacy
[Diagram: Personal Data Privacy at the centre, surrounded by the factors that limit it]
- Law Enforcement
- Social Networking
- Targeted Marketing
- Taxation
8. Factors that Enable Personal Data Privacy
[Diagram: Personal Data Privacy at the centre, surrounded by the factors that enable it]
- Anonymity
- Data Privacy Laws & Controls
- Confidentiality
- Security Controls (e.g. Encryption)
9. …about Privacy
1. Privacy is a personal right
2. There are different types of privacy (health, political, race/sex, etc.); financial privacy is important for avoiding fraud and identity theft
3. Privacy is traded off against different needs such as networking, business, marketing, compliance and law enforcement
4. Businesses collect, process and store customers' private and confidential information for different reasons
5. Data confidentiality and privacy have similar goals
6. New technologies such as social networks, online services and cloud computing challenge the notion of personal privacy
7. Perspectives about privacy change with time
10. Private And Personal Identifiable Information
Private information and Personal Identifiable Information (PII) uniquely identify an individual. What counts as private information and PII varies among countries, e.g.:
US SB1386: Name and SSN, Driver's License No., Account/Credit/Debit Acc No + PIN
EU directive 95/46/Article 2a: 'personal data' is any information relating to an identified or identifiable person, an identification number, or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
11. Data Breach Notification Rules in Italy
.. Legislative Decree 69/2012 (in force since June 1st 2012, implementing in Italy Directive no. 2009/136/EC):
Definition of personal data breach: a breach of security leading to the accidental destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
Procedures to deal with a personal data breach:
- Shall notify the Italian Data Protection Authority ("DPA" or Garante) without undue delay (e.g. 72 hrs for ISPs);
- Shall notify the data subject, unless the provider is able to give evidence to the DPA that it has implemented appropriate security measures
Failure or delay to notify a personal data breach to the DPA is sanctioned with a fine ranging from EUR 25,000 to EUR 150,000
12. Trade offs Between Business and Privacy Needs
Business need: Collection and processing of customers' PII (C-PII) and sensitive information
Privacy need: Protection of C-PII and sensitive information in storage and transmission

Business need: Sharing of C-PII and personal information with 3rd parties/affiliates
Privacy need: Disclosure of, and consent to, which 3rd parties and affiliates C-PII is shared with

Business need: Compliance with privacy laws, data breach notification laws and security policies
Privacy need: Notifications to customers when private data is collected and when it is either lost or compromised
13. Collection and Processing of PII
..in the case of financial institutions, PII is:
Collected online and at a branch when opening bank accounts, applying for loans, running credit reports, applying for credit cards and enrolling in online banking
Processed and stored to identify/verify the customer by asking for the last four digits of the SSN and account number, for example:
- Over the phone for bank account balances and bill payments
- Online user validation for resetting a password/PIN
- Online authentication of a user with challenge questions
16. PART II
Threats to private information and measures to protect it
17. Statistical Data of Data Loss Incidents (*)
Hacking and external attacks are the major cause of private data losses, and their share is increasing (32% to 61% and 53% to 75%)
NAA, SSN and DOB represented the majority of private data records lost last year; this year it is PWD, EMA and SSN
(*) Source: DataLossDb.org http://www.datalossdb.org
18. …In the space of one hour, my entire digital life was destroyed.
First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook
(*) Source: How Apple and Amazon Security Flaws Led to My Epic Hacking
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
.. all you need in addition to someone's e-mail is a billing address and the last four digits of a credit card
19. Cost to Businesses for Loss of PII
1. Data breach cost per data record lost: $222/record (*)
2. Out-of-pocket cost per identity fraud incident: $631/victim/incident (**)
(*) Source: 2011 Cost of a Data Breach: United States, Ponemon Institute and Symantec, March 2012
(**) Source: The 2011 Identity Fraud Survey Report by Javelin Strategy & Research
http://www.identityguard.com/downloads/javelin-2011-identity-fraud-survey-report.pdf
20. Security Measures And Protection of Privacy
Businesses protect their customers' private information with:
Information Security Policy: requirements for protection of Confidentiality, Integrity and Availability (CIA) of customers' private data
Data classification: Public, Internal, Confidential, PII, Restricted
Security measures:
- Controls: Authentication, Entitlements, Encryption, Session Management, Auditing & Logging;
- Measures: Security Audits;
- Information Security and Privacy Officers
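An added example, not from the slides, of the data classification control listed above combined with masking for auditing and logging. The PII trigger follows the slide's summary of US SB1386 (a name together with an SSN, a driver's licence number, or an account/card number plus PIN); field names and sample values are constructed for this example.

```python
import re

# Classification rule taken from the slide's summary of US SB1386: a record is
# PII when a name is combined with one of these identifier sets.
PII_TRIGGERS = (
    {"name", "ssn"},
    {"name", "drivers_license"},
    {"name", "account_number", "pin"},
)
IDENTIFIERS = {"ssn", "drivers_license", "account_number"}


def _unmasked(record):
    """Fields that carry a real (not already masked) value."""
    return {f for f, v in record.items() if v and "*" not in str(v)}


def classify(record):
    """Assign a data-classification label: PII, Confidential or Internal."""
    present = _unmasked(record)
    if any(trigger <= present for trigger in PII_TRIGGERS):
        return "PII"           # loss of this record is a notifiable breach
    if present & (IDENTIFIERS | {"pin"}):
        return "Confidential"  # sensitive, but below the PII trigger
    return "Internal"


def redact(record):
    """Mask a record before it is logged or displayed: keep only the last four
    digits of each identifier (the verification practice on slide 13) and drop
    the PIN entirely, so the logged copy no longer meets the PII trigger."""
    masked = {}
    for field, value in record.items():
        if field == "pin":
            continue
        if field in IDENTIFIERS and value:
            digits = re.sub(r"\D", "", value)
            masked[field] = "*" * (len(digits) - 4) + digits[-4:]
        else:
            masked[field] = value
    return masked


# Constructed customer record for the demonstration.
CUSTOMER = {"name": "Jane Doe", "ssn": "123-45-6789",
            "account_number": "4111 2222 3333 4444", "pin": "0000",
            "email": "jane@example.com"}

if __name__ == "__main__":
    print(classify(CUSTOMER), classify(redact(CUSTOMER)), redact(CUSTOMER))
```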
21. Opt out Privacy Controls: Privacy Notices From US Banks
24. Individuals' Awareness of Privacy
"Maybe Zuckerberg is right. The mores of privacy are changing, and 'people don't want complete privacy.' Teens may be the first adopters of this change," Source: http://trends.myyearbook.com/2010/07/facebook-privacy-issues-not-an-issue-for-teens/
25. Adoption of New Technologies And New Challenges For Consumer's Privacy
[Timeline figure, 1997 to 2017 (1997, 2000, 2005, 2007, 2010, 2012, 2015, 2017): Internet, Webmail, Social Networks, Location aware applications, Smartphones, Mobile Payments, BYOD, Social TVs, Cloud computing, Social Analytics, Big data, Virtual Assistants, Biometric Authentication, Gesture Recognition, Face Recognition, Internet of things]
26. Law Enforcement vs. Individual's Privacy
Sources: https://www.eff.org
28. Future Privacy Legislations in EU
1. EU regulation for 27 countries
2. Any processed PII data for EU citizens (including IP addresses, GPS location data)
3. 24 hours data breach notification
4. Mandatory annual security assessments
5. EU citizens will have the right to request extended erasure of their personal data
6. Fines up to 2% of company worldwide turnover (*)
(*) Source: http://www.donneespersonnelles.fr/6-things-you-need-to-know-about-the-new-eu-privacy-framework
29. Open Questions
Questions for consumers:
1. What are my privacy rights?
2. How can I control my privacy?
3. Which PII can be disclosed, and to whom?
4. Who is legally liable for PII data that is lost?
Questions for businesses:
1. What are the privacy rights of my customers?
2. Which security policies protect customers' PII in compliance with privacy laws?
3. How soon do I need to inform my customers of a breach of PII and/or identity theft fraud?
4. When can customers' PII be disclosed to law enforcement?