Privacy awareness materials and links

Free awareness materials

The following privacy-related security awareness materials have been donated to GSW visitors by our sponsors and supporters. If you’d like to donate similar awareness materials, please get in touch.

NOTE: You will need a recent version of the free Adobe Acrobat reader to open many of these freebies.

Awareness/promotional poster image

Click here to download a higher resolution TIF image

Privacy briefings

2-sides with ten top tips (PDF file) on protecting your online privacy.

1-side executive briefing (PDF file) on privacy and data protection.

14-side white paper/technical briefing (PDF file) on privacy and data protection risks controls.

Privacy presentations/seminars

MS PowerPoint slides and printable handouts (PDF file) for a seminar on privacy and data protection.

A set of presentation materials is available from the GSW seminar in Dublin:

  • Seminar Introduction - Brian Honan (PDF file, 353 kb). The Pizza Privacy movie played during this talk is also available.
  • A Presentation of Data Protection - Office of the Data Protection Commissioner (PDF file, 84 kB) by Tony Delaney, Assistant Commissioner, Office of the Data Protection Commissioner, highlighted a lot of the items companies operating within Ireland need to consider with regards to Data Protection. Tony showed a video “My Data - Your Business?” demonstrating the common mistakes companies make with regards to Data Protection. The video is available at the Office of the Data Protection Commissioner’s website. Alternatively you can get a copy of the video by writing to the Office of the Data Protection Commissioner or by emailing .
  • Privacy and the PCI DSS Data Standard - Mathieu Gorge (PDF file, 5.5 Mb)
  • Privacy and the ISO 27001 Information Security Standard - Brian Honan (PDF file, 538 kb)

Links to privacy-related resources on the Web

Below you will find a collection of Web hyperlinks to privacy resources from all around the world, split into three sections:
(1) resources for individuals concerned about their own privacy;
(2) resources for organizations that handle personal data on their employees, customers etc.; and
(3) news of privacy incidents.

The GSW blog has more news and links.

Please note: the following hyperlinks lead to third party websites. GSW is not responsible for the content of the websites and does not necessarily endorse or even agree with everything they say. These links are provided for general information and security awareness purposes only. We hope you find them as useful and interesting as we do.

 

(1) The personal perspective

Personal privacy risks

I’ve Got Nothing To Hide And Other Misunderstandings of Privacy by Professor Daniel Solove from George Washington University explores the flaws in this common argument. Well worth a read. A blog entry Privacy: Are You Sure You REALLY Have Nothing To Hide? discusses the paper, and another Carnegie Mellon's Data Privacy Head Urges Development of New Privacy Technologies extends the discussion. This is a great week to discuss within your organization the ways in which your company takes steps to preserve privacy, along with the ways in which privacy protections can be improved.

Educational Security Incidents is a digest of privacy-related security incidents reported elsewhere.

The Privacy Forum has a mailing list for discussion of personal privacy and related issues.

Tips to protect your privacy

US-CERT’s Cyber Security Tip on privacy is one of a series of well-written and down-to-earth guides on computer security.

Be careful what you mutter to yourself when you’re ‘on-hold’, especially if the telephone is being recorded. The article notes that third parties are increasingly being used to monitor calls, including overseas companies.

Webcams that allow parents to monitor their children at kindergartens etc. (“kindycams”) present privacy concerns. Some teachers resent the intrusion into their classrooms and the risk of images being viewed by pedophiles is considered significant.

Mobile phones with integrated cameras raise numerous confidentiality and privacy issues such as their use in changing/rest rooms. Spies, pedophiles and peeping Toms like miniature wireless cameras for similar reasons.

Identity theft, phishing etc.

MakeITSecure is a beautifully clear and succinct Irish website on identity theft. 

Wikipedia’s entry on phishing incorporates helpful advice on controls.

The US Federal Trade Commission offers advice on how to not get hooked by a phishing scam as part of the excellent FTC identity theft site. If you need more detail, the FTC’s guide to identity theft is just the ticket. FTC materials are available in English and Spanish.

The US Treasury's identity theft resource page offers a free DVD about identity theft including a piece from Howard Schmidt and a whole stack of other papers and information on this topic, such as this double-sided phishing prevention tips brochure.

SafeCanada’s identity theft questions and answers has a stack of excellent resources on identity theft - how to avoid it, how to recognize if your identity has been stolen and what to do if you are a victim. Their consumers’ checklist on identity theft gets straight down to business.

What to do if your privacy is compromised

An [anti-] identity theft kit from the Australian Government's National Crime Prevention Programme goes beyond the usual brief fact sheet approach. The 28 page goody-pack provides well-written guidance and includes pro forma victim reporting sheets and a checklist.

US victims of identity theft are encouraged to report the details to the Internet Crime Complaint Center, a collaboration between the FBI and National White Collar Crime Center.

 

 

(2) The corporate perspective

Information on the risks and legal obligations

None of this is legal advice! Seek professional advice on legal matters from qualified lawyers, not us.

Global

The Australian Privacy Foundation maintains a list of privacy laws in about 30 countries and the Global Internet Liberty Campaign periodically surveys privacy laws worldwide.

Privacy International publishes an excellent summary and map on privacy legislation around the world.

Australia

Community Attitudes to Privacy, a report published by the Federal Privacy Commissioner reveals that 90% of Australians are concerned about how businesses send personally identifiable information (PII) to other countries. 60% are concerned about identity theft, 45% believe the Internet is the most likely venue for identity fraud and theft, 73% believe the government is trustworthy, and [only] 58% believe financial institutions properly protect PII.

Canada

Canada’s Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) are monitored by the Privacy Commissioner of Canada who also publishes a range of privacy advice/fact sheets.

Europe

More than two decades ago, the Council of Europe Convention For the Protection of Individuals with Regard to Automatic Processing of Personal Data defined ‘personal data’ as ‘any information relating to an identified or identifiable individual (“data subject”)’. The convention was the precursor to current European data protection legislation, although the definition has evolved (in some European countries at least) to refer specifically to identifiable living individuals. 

A citizens’ guide to data protection in the European Union gives an overview of the legislation. Like most official EU documents, it is available in several languages.

Ireland

Here is the Irish Data Protection Commissioner’s website.

New Zealand

The NZ Privacy Commissioner is inviting comments on a draft guideline on reporting privacy breaches. Comments are due by September 28th.

UK

The Information Commissioner, who oversees compliance with the Data Protection Act, has released a guidance note regarding disclosure of personal data by the DVLA (Driver and Vehicle Licensing Agency). Even if you have no interest in the topic of this note, it’s a good example of how to word a formal document giving guidance on the law and ethics.

USA

This is not legal advice! Privacy breach disclosure laws are now in place in 39 states at the latest count although the picture is changing by the month. 

Guidance has been released on the interpretation of FERPA (Family Educational Rights and Privacy Act) and HIPAA (Health Insurance Portability and Accountability Act) rules under circumstances in which failure to disclose Personally Identifiable Information could cause wider public safety issues (for example, when a psychiatrist fears that a patient is planning a murder or massacre).

Carnegie Mellon University is conducting a Privacy Policy Study. Why not take a few minutes to visit the site and contribute?

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Americans have rights to access their own medical records and organizations gathering/holding/processing medical data have obligations to protect patient privacy. NIST Special Publication 800-66 is An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule.

The Identity Theft and Assumption Deterrence Act has made identity theft a specific crime in the US since at least 1998.

Corporate privacy/security controls

One of the challenges facing many security professionals is justifying the investment in additional information security controls, procedures and supporting technologies. The Privacy Breach impact Calculator could help estimate the costs of a privacy incident, providing more objective data for your risk assessments.

Here’s a strategic overview of privacy.

The Better Business Bureau’s paper Security & Privacy - Made Simpler is aimed at helping companies secure their customers’ personal data.

The IIA’s Global Technology Audit Guide (GTAG) number 5 covers Managing and Auditing Privacy Risks.

The American Institute of Certified Public Accountants (AICPA)’s Generally Accepted Privacy Principles (GAPP) cover ten key privacy issues.

The Anti-Phishing Working Group is a self-help community of professionals fighting phishing.

Canada’s Consumer Measures Committee advises retailers on how to report identity theft, privacy and similar breaches to consumers.

CIO Magazine’s top ten ways you can help prevent identity theft are mostly suggestions for organizations to protect their employees’ personal data (SSNs etc.).

Dumpster diving covers a broad range of pastimes from those who casually remove and recycle all manner of useful but discarded materials from dumpsters, waste bins or skips, through to those who target much more valuable booty including personal data on credit card bills/bank statements, internal phone books, system admin manuals, computer printouts in general and so forth. If you have a spare moment this week, don some gloves and take a look through the bins in your office or home to find examples of things that would prove interesting/valuable to anyone brave or foolhardy enough to go through the trash.

 

 

(3) Privacy incidents

Applicants for jobs at the Family Video store in Geistown, PA, are less than impressed to find that their applications/CVs have been stored in boxes in the public restroom. Hundreds of Social Security numbers, addresses and phone numbers have been vulnerable to privacy violations. Even worse, the Pennsylvania Attorney General's Office reportedly said “the company did not violate any laws by having the documents in the restroom, but they could become liable in the future if a case of identity theft arose out of the situation.”

A privacy incident at Johns Hopkins Hospital involving the theft of a PC containing names, Social Security numbers, birth dates, medical histories and other personal information on nearly 6,000 patients was kept quiet for five weeks until patients or their families were informed of the theft. Do your organization's contingency plans cover privacy and security incidents, giving management a blueprint to help them deal with a crisis in the most efficient and professional manner possible under the circumstances?

Case notes on children at risk in Essex, England, found their way on to eBay despite the secure data destruction processes that were supposed to prevent this kind of thing.

Fraud Watch International lists current phishing attacks. Hundreds of phishing sites are active at any one time.

The personal information of “every police officer in Texas” was compromised through the theft of a laptop from a supplier.

A Trojan uses two convincing Microsoft Windows Activation screens as the lure to steal victims’ credit card numbers. Kardphisher launches a blended phishing attack, combining social engineering and malware.

The Information Commissioner found 11 big-name UK financial institutions in breach of the Data Protection Act for dumping paperwork containing their valued customers’ personal details in outside waste bins.

A calendar of (US) data breaches reported since the ChoicePoint incident shows a conservatively estimated total of more than 165 million personal data records exposed since February 2005. Yes, more than 165 million! That’s an appalling average of 5½ million a month!

 

Please get in touch to suggest further links on privacy and related subjects. We particularly welcome links to non-English language resources since this is a global initiative, but please provide a short summary/intro in English for the sake of the language-challenged webmaster (!).