What Every Security Professional Needs to Know About Privacy: Elimu Kajunju, Chief Privacy Officer & Senior Compliance Director, UnitedHealth

2014 Chief Information Security Officer
(CISO) Leadership Forum
What every security professional needs to know
about privacy
- Elimu Kajunju, CISSP, CIPP/US
Chief Privacy Officer &
Senior Associate General Counsel, Privacy and Security

2
Confidential Property of UnitedHealth Group. Do not distribute or reproduce without express permission of UnitedHealth Group.
UnitedHealthcare Military & Veterans
• UnitedHealthcare Military & Veterans draws on the unmatched experience and expertise
of the UnitedHealth Group family of companies to provide affordable, high-quality health
care to active duty military, retirees, and their families.
• In partnership with the Department of Defense, UnitedHealthcare provides health care
services to over 2.9 million beneficiaries as the TRICARE Managed Care Support
Contractor for the TRICARE West Region.

3
 I am a lawyer but not your lawyer. This presentation should not be
construed as legal advice
 If you don’t have a lawyer advising you on privacy or security
compliance, you should get one
 This presentation represents my personal opinion and not that of
United Health Group, UnitedHealthcare or any of its affiliates
 Making friends with your privacy colleague is the best way to learn
more about privacy
Disclaimers

4
 Difference between privacy and security
 Commitments
 Ethical & political considerations
 Data collection
 Location, location, location
 Data disclosure
 Data use
 Data retention
 Takeaways
Topics Covered

5
Privacy Confessional

6
Difference between privacy & security
Privacy
The rights and obligations of individuals and organizations with respect to the collection,
use, retention, disclosure and destruction of personal information
Security
The processes and methodologies which are designed and implemented to protect print,
electronic, or any other form of confidential, private and sensitive information or data from
unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

7
Commitments
Importance of the following commitments
• Privacy policies – usually interpreted in favor of the consumer
• Regulatory requirements
• Legal obligations
• Self-regulatory obligations
• Contracts

8
Ethical & political considerations
Importance of these ethical and political considerations
• If your customer knew everything you did with her data, would she approve?
• “Ick” factor
• Political implications
• Legislative scrutiny
• Media attention/scrutiny
• Social media backlash

9
Data collection
Data collection practices
• Most important factor in privacy compliance
• Question the need to collect data
• Question scope of collection
• Contradictions between collection and commitments
• Frontline for guarding against the “ick” factor

10
Location, location, location
Critical for multi-state or multi-country businesses
• Know your customers
• Know your jurisdictions
• Understand the enforcement landscape
• Location of your customer is just as important as where you locate your customer’s
information
• Pay careful consideration of the impact of location-related decisions

11
Data disclosure (external)
Ethical & political considerations may impact data disclosure practices
• Know who you are or will soon share information with
• Make this very clear in your policies
• Don’t add “future” disclosures to your policies
• Limit disclosures to minimum necessary
• Ask for permission from the customer when it makes sense to

12
Data use (internal)
This is the reason why you collect the data – Make sure it is on solid ground
• Know what you are or will soon be using the information for
• Make this very clear in your policies
• Don’t add “future” uses to your policies
• Limit uses to minimum necessary
• Use de-identified data when appropriate

13
Data retention
Mature data retention strategy is key
• Simple but comprehensive data retention schedule is needed
• Very few sets of data need to be kept forever
• Without a solid implementation plan, the strategy won’t work
• Use your record retention program to reduce your risks
• Hope is not a strategy

14
Takeaways
• Familiarize yourself with the Generally Accepted Privacy Principles
• http://www.cica.ca/resources-and-member-benefits/privacy-resources-for-
firms-and-organizations/gen-accepted-privacy-principles/item61833.pdf
• Understand the commitments you have made in your privacy policies and contracts
and with regulatory bodies
• Put yourself in the approval chain of your contracts and other voluntary commitments
• Before making security implementation decisions, familiarize yourself with the
requirements for the applicable location (or make sure someone is checking). Some
free and good resources for this information include:
• Morrison/Foerster Privacy Library
(http://www.mofo.com/privacylibrary/PrivacyLibraryListing.aspx?xpST=Priv
acyLibraryListing&pid)
• National Conference of State Legislators
(http://www.ncsl.org/research/telecommunications-and-information-
technology/state-laws-related-to-internet-privacy.aspx)

15
Questions

What Every Security Professional Needs to Know About Privacy: Elimu Kajunju, Chief Privacy Officer & Senior Compliance Director, UnitedHealth

Recomendados

Recomendados

Más contenido relacionado

Más de Argyle Executive Forum

Más de Argyle Executive Forum (20)

Último

Último (20)

What Every Security Professional Needs to Know About Privacy: Elimu Kajunju, Chief Privacy Officer & Senior Compliance Director, UnitedHealth