Savitribai Phule Pune University
Fourth Year of Computer Engineering (2015 Course)
410251: Information and Cyber Security

UNIT VI
Confidentiality And Cyber Forensic

Unit V
Confidentiality and Cyber Forensic
Question No: 9 and 10
Weightage: 16 %
Syllabus

CONTENTS:
Introduction to Personally Identifiable Information (PII), Cyber
Stalking, PII impact levels with examples. Cyber Stalking, Cybercrime,
PII Confidentiality Safeguards, Information Protection Law: Indian
Perspective.

Text Books:
T1. Bernard Menezes, “Network Security and Cryptography”, Cengage Learning India, 2014
T2. Nina Godbole, Sunit Belapure, “Cyber Security”, Wiley India, 2014

References:
R1. Eoghan Casey, “Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet”, Elsevier, 2011, ISBN 978-0-12-374268-1
Introduction to PII
 Identifying PII
 Examples of PII Data
 PII and Fair Information Practices
What is PII?
 Personally Identifiable Information (PII) is any information, maintained by a company, which:
• can be used to distinguish or trace an individual’s identity
• is linked or linkable to an individual
 Examples of PII:
• Name, Address, SSN, Date of Birth, Phone Number
• Device-specific static identifier (e.g., IP Address, UDID, etc.)
• Logs of user actions
• Financial, Employment or Location data

PII Data Breaches (2004-2019)

PII and the Law
 Indian Government Actions:
• The RSP (Reasonable Security Practices) Rules have wide applicability, affecting any kind of entity dealing in electronic information.
• Currently there exist 3 different sources of data privacy law in India:
• a legally binding 9-bench Supreme Court judgement,
• the existing Rules, and
• the proposed Bill of PII
• https://novojuris.com/2017/09/20/indias-data-privacy-laws-current-scenario/
Other Impacts of a PII Breach
 Loss of customers
 Revenue loss
 Drop in customer confidence
 Adverse publicity
 Departure of key employees
(Figure caption: Sony executives apologize after recent data breach)

Average cost per compromised record: $266
Unauthorized access of PII
Unauthorized access, use, or disclosure of PII can seriously harm:
 Individuals:
• Identity theft
• Blackmail
• Embarrassment
 Organizations:
• By reducing public trust in the organization
• By creating legal liability
PII Definition

PII is “any information about an individual maintained by an agency including any information that can be used to distinguish or trace an individual’s identity or any other information that is linked or linkable to an individual.”

Distinguish: name, passport number, social security number, or biometric data.
Trace: an audit log containing records of user actions could be used to trace an individual’s activities.
Linked or Linkable: medical, educational, financial, and employment information.
Identifying PII
Organizations are required to identify all PII they hold; several methods are used to do so.
Privacy threshold analyses (PTAs), also referred to as initial privacy assessments (IPAs), are often used to identify PII residing within an organization or under its control through a third party.
PTAs are used to determine:
whether a system contains PII,
whether a Privacy Impact Assessment (PIA) is required, and
whether a System of Records Notice (SORN) is required.
PTAs are usually submitted to an organization’s privacy office for review and approval.
PTAs are comprised of simple questionnaires that are completed by the system owner in collaboration with the data owner.
PTAs are useful in initiating the communication and collaboration for each system between the privacy officer, the information security officer, and the information officer.
Other methods to identify PII include reviewing system documentation, conducting interviews, conducting data calls, and using data loss prevention technologies.
Organizations should also ensure that retired hardware no longer contains PII and that proper sanitization techniques are applied.
Identifying PII
Privacy Impact Assessment (PIA) / System of Records Notice (SORN) Essential Elements Crosswalk

PIA                                                          | SORN
What privacy information is collected                        | Categories of Records in the System
Why the information is collected                             | Authority/Purpose(s)
What the intended uses are for the information               | Purpose(s)
With whom the information is shared                          | Routine Uses
What opportunities individuals have to decline to provide PII | Privacy Act Statement/Notification procedure
How information is secured                                   | Safeguards
What privacy risks need to be addressed                      | Narrative Statement/Probable or potential effects on the privacy of individuals
Whether a System of Records Notice (SORN) exists             | (Not applicable)
Examples of PII Data
The following list contains examples of information that may be considered PII.

Name, such as full name, maiden name, mother’s maiden name, or alias
Personal identification number, such as social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number
Address information, such as street address or email address
Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
Telephone numbers, including mobile, business, and personal numbers
Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
Information identifying personally owned property, such as vehicle registration number or title number and related information
Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
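The slides name data loss prevention technologies as one way to find PII, and the list above gives the data elements such tools look for. The following is an added example, not code from the slides or the textbooks: a small DLP-style scanner over a constructed support-ticket export. The patterns, the sample ticket and the masking helper are all assumptions made for the example; production DLP rules add context checks and many more element types. The Luhn checksum on card-number candidates shows the kind of false-positive filter a practitioner adds so that every 16-digit number is not reported as a card.

```python
import re
from typing import Dict, List

# Constructed, deliberately simple patterns for a few PII elements from the list above.
PII_PATTERNS: Dict[str, re.Pattern] = {
    "email":       re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn":      re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone":       re.compile(r"\b(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ipv4":        re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "mac":         re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    """Return every PII element found in text, grouped by element type."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "card_number" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue  # looks like a card number but fails the checksum: skip it
            found.setdefault(kind, []).append(value)
    return found


def mask(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters so findings can be logged without re-exposing the PII."""
    return "*" * max(0, len(value) - keep) + value[-keep:]


# Constructed sample: a support-ticket export that should not contain PII at all.
SAMPLE_TICKET = """
Ticket 4471: customer jane.doe@example.com called from 415-555-0142 about a
declined charge on card 4111 1111 1111 1111; ticket ID 1234 5678 9012 3456.
Her account notes list SSN 123-45-6789 and last login from 203.0.113.7
(MAC 00:1A:2B:3C:4D:5E).
"""

if __name__ == "__main__":
    for kind, values in find_pii(SAMPLE_TICKET).items():
        print(kind, [mask(v) for v in values])
```

Run as a script it prints one masked line per element type; the 16-digit ticket ID is not reported because it fails the Luhn check, while the test card number 4111 1111 1111 1111 is.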
PII and Fair Information Practices
The protection of PII and the overall privacy of information are concerns both for individuals whose personal information is at stake and for organizations that may be liable or have their reputations damaged should such PII be inappropriately accessed, used, or disclosed.

Treatment of PII is distinct from other types of data because it needs to be not only protected, but also collected, maintained, and disseminated in accordance with Federal law.

The Privacy Act, as well as other U.S. privacy laws, is based on the widely-recognized Fair Information Practices, also called Privacy Principles.

The Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines are the most widely-accepted privacy principles, and they were endorsed by the Department of Commerce in 1981.

The OECD Fair Information Practices are also the foundation of privacy laws and related policies in many countries.

https://www.oecd.org/india/
OECD Fair Information Practices
Collection Limitation: There should be limits to the collection of personal data.
Data Quality: Personal data should be accurate, complete and kept up-to-date.
Purpose Specification: The purposes for which personal data are collected should be specified not later than at the time of data collection.
Use Limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law.
Security Safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data.
Individual Participation: An individual should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him.
Accountability: A data controller should be accountable for complying with measures which give effect to the principles stated above.
PII Confidentiality Impact Levels
The confidentiality of PII should be protected based on its impact level.
The PII confidentiality impact level—low, moderate, or high—indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.

Confidentiality Impact Levels
The confidentiality of PII should be protected based on its impact level. Items of PII which do not need protection include:
• Publicly available information (phone book)
• Information voluntarily shared/disclosed
• Information that the organization has permission or authority to release publicly
Assess the harm caused by a breach of confidentiality
• Individual Harm: Relates to adverse effects experienced by an individual when a breach of confidentiality occurs with their PII
• Organizational Harm: This may take the form of financial losses, loss of public reputation and public confidence, legal liability and additional administrative work
Confidentiality Impact Levels

Impact Type           | LOW                 | MODERATE                                                       | HIGH
Mission capability    | Limited degradation | Significant degradation                                        | Severe degradation
Organizational assets | Minor damage        | Significant damage                                             | Major damage
Financial loss        | Minor               | Significant                                                    | Major
Harm to individuals   | Minor               | Significant; does not involve loss of life or serious injuries | Catastrophic; involves loss of life or serious injuries
Confidentiality Impact Levels
Factors for Determining PII Confidentiality Impact Levels:
Identifiability: Evaluate how easily PII can be used to identify specific individuals
SSNs/Aadhaar can uniquely and directly identify individuals (High)
Zip Code or Date of Birth can significantly narrow a list (Moderate)
Quantity of PII: Consider how many individuals are identified in the information
25 records (Low) versus 2 million records (High)
Data Field Sensitivity: Evaluate the sensitivity of each individual PII data field as well as the sensitivity of the fields together
An individual’s SSN/Aadhaar is more sensitive than his phone number
A combination of name and address is more sensitive than either one by itself
Some data fields have higher potential for harm when used in contexts other than their intended use. E.g., mother’s maiden name and place of birth are often used to recover account passwords
Confidentiality Impact Levels
 Context of Use: This is the purpose for which PII is collected and used
• E.g., providing services, behavioral analysis, evaluation of preferences, serving up ads, statistical analysis or law enforcement.
• Important for understanding how disclosure can harm individuals and the organization.
• Relevant to evaluating impact to different categories of people – a list of newsletter subscribers compared to a list of law enforcement officers.
 Obligation to Protect Confidentiality:
• There may be legal or contractual obligations to protect PII. The collected PII may be assigned higher impact levels as a result.
 Access to and Location of PII: Factors to consider:
• Number of people who have access to PII
• Frequency of access
• Remote, offsite or offshore access or backups
• Accessed or carried around by mobile workers
Determine Confidentiality Impact Level
 How to get started?
 Form a team consisting of InfoSec, Privacy, IT, “system owner” or info custodian and Legal
 Develop a form to help guide you through the review and document the impact levels.
 Review the impact levels on a regular basis
 Similar to HIPAA
Determine Confidentiality Impact Level
Form should include:
 Process Name:
 Process Description:
 Process Owner:
 PII data elements used:
 Distinguishability:
 Aggregation/Sensitivity:
 Context of Use:
 Obligation:
 Access to/Location of:
 Impact Level Declaration:
 Date of Declaration:
Example 1: Incident Response Roster
 Data elements: Name, titles, office & work cell numbers, work email addresses
 Distinguishability: small number (under 20)
 Aggregation/Sensitivity: internally available
 Context of Use: release would not likely cause harm to individual or organization
 Obligation: none
 Access to/Location of: accessed by IT and response team; is available to remote workers
 Impact level = Low
Example 2: Intranet Activity Tracking
 Data Elements: user’s IP address, URL of the website the user viewed, date/time the user accessed the website, amount of time the user spent viewing, web pages or topics accessed
 Distinguishability: by itself – no, but linked – admins can view this log and the AD log to identify the individual
 Aggregation/Sensitivity: info accessed could cause embarrassment if related to HR subjects; however, the amount of potential info is limited
 Context of Use: release of info would be unlikely to cause harm. Since logging is known and assumed to happen, it would not cause harm.
 Obligation: none
 Access to/Location of: Log data is accessed by a small number of sys admins and is only accessible from the Org’s own systems.
 Impact level = Low
Example 3: Fraud, Waste, and Abuse Reporting Application

A database contains web form submissions by individuals claiming possible fraud, waste, or abuse of organizational resources and authority.
Identifiability: By default, the database does not request PII, but a significant percentage of users choose to provide PII.
Quantity of PII: Approximately 50 records with PII out of nearly 1000 total records.
Data field sensitivity: The database’s narrative text field contains user-supplied text and frequently includes information such as name, mailing address, email address, and phone numbers.
Context of use: Because of the nature of the submissions (i.e., reporting claims of fraud, waste, or abuse), the disclosure of individuals’ identities would likely cause some of the individuals making the claims to fear retribution by management and peers.
Access to and location of PII: The database is only accessed by a few people who investigate fraud, waste, and abuse claims. All access to the database occurs only from the organization’s internal systems.
The PII confidentiality impact level is High.
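The factors listed on the previous slides and the form above can be scripted so that each assessment is recorded and rated the same way. The code below is an added example, not from the slides or the textbooks: it transcribes Example 3 into the form and rates each factor. The classification of data elements into direct identifiers, quasi-identifiers and password-recovery fields, the quantity and access thresholds, and the combination rule (the declaration is the highest factor rating) are assumptions made for the example; the slides give only the reference points 25 versus 2 million records and SSN/Aadhaar versus ZIP code or date of birth. The payroll assessment is constructed and not from the slides.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Impact levels in increasing order, as on the slides.
LEVELS: List[str] = ["Low", "Moderate", "High"]

# Assumed classification of data elements (the slides give only a few examples of each kind).
DIRECT_IDENTIFIERS = frozenset({"ssn", "aadhaar", "passport_number", "biometric", "financial_account"})
QUASI_IDENTIFIERS = frozenset({"name", "email", "phone", "mailing_address", "zip_code",
                               "date_of_birth", "ip_address"})
RECOVERY_FIELDS = frozenset({"mothers_maiden_name", "place_of_birth"})


@dataclass(frozen=True)
class PiiAssessment:
    """One filled-in impact-level form; the fields follow the form on the slide."""
    process_name: str
    data_elements: FrozenSet[str]
    record_count: int
    context_harm: str        # assessor's rating of harm from disclosure in this context: Low/Moderate/High
    obligation: bool         # legal or contractual obligation to protect this PII
    accessors: int           # number of people with access
    remote_access: bool      # remote, offsite or mobile access exists


def rate_identifiability(elements: FrozenSet[str]) -> str:
    if elements & DIRECT_IDENTIFIERS:
        return "High"        # uniquely and directly identifies individuals
    if elements & QUASI_IDENTIFIERS:
        return "Moderate"    # can significantly narrow a list
    return "Low"


def rate_quantity(record_count: int) -> str:
    # Thresholds are assumptions; the slide contrasts 25 records (Low) with 2 million (High).
    if record_count < 100:
        return "Low"
    if record_count < 100_000:
        return "Moderate"
    return "High"


def rate_sensitivity(elements: FrozenSet[str]) -> str:
    if elements & (DIRECT_IDENTIFIERS | RECOVERY_FIELDS):
        return "High"        # SSN/Aadhaar, or fields used to recover account passwords
    if len(elements & QUASI_IDENTIFIERS) >= 2:
        return "Moderate"    # e.g. name plus address is more sensitive than either alone
    return "Low"


def rate_access(accessors: int, remote: bool) -> str:
    # Assumed: more people with access, and remote reachability, raise this factor.
    if remote and accessors > 50:
        return "High"
    if remote or accessors > 50:
        return "Moderate"
    return "Low"


def determine_impact_level(a: PiiAssessment) -> Dict[str, str]:
    """Rate every factor on the form and derive the impact level declaration."""
    if a.context_harm not in LEVELS:
        raise ValueError(f"context_harm must be one of {LEVELS}")
    factors = {
        "identifiability": rate_identifiability(a.data_elements),
        "quantity": rate_quantity(a.record_count),
        "sensitivity": rate_sensitivity(a.data_elements),
        "context_of_use": a.context_harm,
        "obligation": "Moderate" if a.obligation else "Low",
        "access_location": rate_access(a.accessors, a.remote_access),
    }
    # Assumed combination rule: the declaration is the highest factor rating, so one
    # High factor (the retribution risk in Example 3) is enough to drive the result.
    factors["declaration"] = max(factors.values(), key=LEVELS.index)
    return factors


# Example 3 from the slides, transcribed into the form.
FRAUD_REPORTING = PiiAssessment(
    process_name="Fraud, Waste, and Abuse Reporting Application",
    data_elements=frozenset({"name", "mailing_address", "email", "phone"}),
    record_count=50,
    context_harm="High",      # disclosure would cause reporters to fear retribution
    obligation=False,
    accessors=3,
    remote_access=False,
)

# Constructed payroll system, not from the slides.
PAYROLL = PiiAssessment(
    process_name="Payroll (constructed example)",
    data_elements=frozenset({"name", "aadhaar", "financial_account"}),
    record_count=2_000_000,
    context_harm="Moderate",
    obligation=True,
    accessors=12,
    remote_access=True,
)

if __name__ == "__main__":
    for assessment in (FRAUD_REPORTING, PAYROLL):
        print(assessment.process_name, determine_impact_level(assessment))
```

For Example 3 the quantity factor comes out Low and identifiability and sensitivity Moderate, yet the declaration is High because of the context of use, which is the point the slide makes: a small, internally held data set can still carry a high impact level.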
PII Confidentiality Safeguards
Operational Safeguards
Policy and Procedure Creation
Awareness, Training, and Education
Privacy-Specific Safeguards
Minimizing the Use, Collection, and Retention of PII
Conducting Privacy Impact Assessments
De-Identifying Information
Anonymizing Information
Security Controls
Operational Safeguards
Create Policies and Procedures in the following areas:
Access Rules for PII
PII Retention Schedules and Procedures
PII Incident and Data Breach Notification
Privacy in the SDLC process
Limitation of collection, disclosure, sharing and use of PII
Consequences for failure to follow these policies
Training and Education:
Designed to change behavior or reinforce PII practices
Focus attention on protection of PII
Updates on the latest scams and breaches and their impacts
Examples of how staff involved in inappropriate actions have been held
accountable
Examples of recommended practices
Specific role-based training
Privacy-Specific Safeguards
Minimize the Collection, Use and Retention of PII. This is the “minimum
necessary” principle
Collect only those items of PII which are essential to meet the organization’s
business purpose
If PII serves no current purpose, then it should no longer be collected and used
Check if previously collected PII is still relevant and necessary. If not, then the PII
must be properly destroyed. Ensure that destruction conforms to any legal or
contractual requirements
Conduct a Privacy Impact Assessment (PIA). This is a structured process to identify
confidentiality risks at every stage of SDLC. Collect details of:
PII to be collected
Reason for collecting this PII
The intended use of the PII
How the PII will be secured
Privacy-Specific Safeguards
De-Identifying Information:
Full data records are not always required. E.g., correlations, trend analysis
Obscure enough PII so that the remaining information does not identify an individual
May be re-identified via a code or algorithm assigned to each record
The re-identifying code or algorithm should not be derived from other related information about the individual
Means of re-identification should only be known to authorized staff and not disclosed to anyone without the authority to re-identify records
Can be assigned a PII confidentiality impact level of LOW provided the following conditions are both true:
The re-identification algorithm or code is maintained in a separate system, with controls to prevent unauthorized access; and
The data elements are not linkable, via public records or other reasonably available external records, in order to re-identify the data
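The following is an added example of the de-identification described above; it is not code from the slides or the textbooks. It strips the direct identifiers from constructed patient records, assigns each record a random code, and keeps the code-to-identity map in a separate object that stands in for the separate, access-controlled system the slide requires. The code is random rather than derived from the individual's data, so it cannot be recomputed by someone who knows the name or SSN. It also checks the second condition for a LOW rating: whether the remaining fields match exactly one record in a constructed public list, which would make the record linkable. The record layout, the sample records and the public list are all constructed for the example.

```python
import secrets
from typing import Dict, List, Set, Tuple

# Constructed record layout: these fields are direct identifiers and are removed.
IDENTIFIER_FIELDS = ("name", "email", "ssn")


class ReidentificationVault:
    """Holds the re-identification map. A separate object here, modelling the separate,
    access-controlled system the slide requires for the code or algorithm."""

    def __init__(self, authorized_users: Set[str]):
        self._codes: Dict[str, Dict[str, str]] = {}
        self._authorized = set(authorized_users)

    def issue_code(self, identifiers: Dict[str, str]) -> str:
        # Random code: not derived from the individual's data, so it cannot be recomputed
        # from the name, email or SSN the way a hash of those values could be.
        code = secrets.token_hex(8)
        self._codes[code] = dict(identifiers)
        return code

    def reidentify(self, code: str, user: str) -> Dict[str, str]:
        if user not in self._authorized:
            raise PermissionError(f"{user} is not authorized to re-identify records")
        return dict(self._codes[code])


def deidentify(records: List[dict], vault: ReidentificationVault) -> List[dict]:
    """Remove direct identifiers and replace them with a vault-issued record code."""
    released = []
    for rec in records:
        identifiers = {f: rec[f] for f in IDENTIFIER_FIELDS if f in rec}
        stripped = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
        stripped["record_code"] = vault.issue_code(identifiers)
        released.append(stripped)
    return released


def linkable_codes(deidentified: List[dict], external: List[dict], keys: Tuple[str, ...]) -> List[str]:
    """Second condition on the slide: codes of records whose remaining fields match exactly one
    external record, so the record could be re-identified without the vault."""
    result = []
    for rec in deidentified:
        signature = tuple(rec[k] for k in keys)
        matches = sum(1 for ext in external if tuple(ext[k] for k in keys) == signature)
        if matches == 1:
            result.append(rec["record_code"])
    return result


# Constructed sample records (all values made up).
PATIENTS = [
    {"name": "A. Rao",  "email": "a.rao@example.com",  "ssn": "123-45-6789", "zip": "411007", "dob": "1984-03-12", "diagnosis": "asthma"},
    {"name": "B. Shah", "email": "b.shah@example.com", "ssn": "987-65-4321", "zip": "411007", "dob": "1990-07-30", "diagnosis": "diabetes"},
    {"name": "C. Iyer", "email": "c.iyer@example.com", "ssn": "555-12-3456", "zip": "411045", "dob": "1990-07-30", "diagnosis": "migraine"},
]

# Constructed "public" list with names: the kind of external record the slide warns about.
PUBLIC_ROLL = [
    {"name": "A. Rao",  "zip": "411007", "dob": "1984-03-12"},
    {"name": "D. Kaur", "zip": "411007", "dob": "1984-03-12"},
    {"name": "C. Iyer", "zip": "411045", "dob": "1990-07-30"},
]


def run_demo():
    vault = ReidentificationVault(authorized_users={"privacy_officer"})
    released = deidentify(PATIENTS, vault)
    still_linkable = linkable_codes(released, PUBLIC_ROLL, keys=("zip", "dob"))
    return vault, released, still_linkable


if __name__ == "__main__":
    vault, released, still_linkable = run_demo()
    for rec in released:
        print(rec, "LINKABLE" if rec["record_code"] in still_linkable else "")
```

In the demo the third record's ZIP code and date of birth match exactly one entry in the public list, so the released data still fails the second condition; generalising those fields (see the anonymization techniques on the next slide) or suppressing the record would be needed before a LOW level could be assigned.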
Privacy-Specific Safeguards
Anonymized Information:
De-identified information for which a code or algorithm for re-identification no longer exists
Information is no longer PII
Usually involves application of disclosure limitation techniques like:
Generalizing the Data – making information less precise
Suppressing the Data – deleting an entire record or certain parts of a record
Introducing Noise – adding small amounts of variation into selected data
Swapping Data – exchanging data fields of one record with the same data fields of another similar record (e.g., swapping ZIP codes of two records)
Replacing data with the average value – replacing a selected value of data with the average value for the entire group of data
Useful for system testing since realistic properties are retained
Caution: PII used in test environments requires the same level of protection as in the production environment
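The five disclosure limitation techniques listed above, applied to a constructed HR extract, as an added example that is not code from the slides or the textbooks. Each technique is one function so the effect of each can be seen on its own; `anonymize` chains them in the order swap, generalize, suppress, noise, average. The records, the ZIP prefix length, the 10-year age bands, the group size k=2, the 5% noise bound and the seed are all assumptions made for the example.

```python
import random
import statistics
from typing import Dict, List, Tuple

Record = Dict[str, object]

# Constructed HR extract used as the example input (all values made up).
EMPLOYEES: List[Record] = [
    {"zip": "411007", "age": 34, "dept": "finance", "salary": 82000,  "tenure_years": 6},
    {"zip": "411009", "age": 37, "dept": "finance", "salary": 91000,  "tenure_years": 10},
    {"zip": "411001", "age": 31, "dept": "it",      "salary": 74000,  "tenure_years": 3},
    {"zip": "411045", "age": 45, "dept": "it",      "salary": 130000, "tenure_years": 15},
    {"zip": "411048", "age": 41, "dept": "legal",   "salary": 115000, "tenure_years": 8},
    {"zip": "411002", "age": 52, "dept": "legal",   "salary": 98000,  "tenure_years": 20},
]


def generalize(rec: Record) -> Record:
    """Generalizing: keep only a ZIP prefix and replace the exact age with a 10-year band."""
    out = dict(rec)
    out["zip"] = rec["zip"][:5] + "X"
    low = (rec["age"] // 10) * 10
    out["age"] = f"{low}-{low + 9}"
    return out


def suppress_small_groups(records: List[Record], keys: Tuple[str, ...], k: int) -> List[Record]:
    """Suppressing: drop whole records whose combination of `keys` is shared by fewer than k records."""
    counts: Dict[tuple, int] = {}
    for r in records:
        sig = tuple(r[key] for key in keys)
        counts[sig] = counts.get(sig, 0) + 1
    return [r for r in records if counts[tuple(r[key] for key in keys)] >= k]


def add_noise(records: List[Record], field: str, max_fraction: float, rng: random.Random) -> List[Record]:
    """Introducing noise: perturb a numeric field by up to plus or minus max_fraction of its value."""
    return [{**r, field: round(r[field] * (1 + rng.uniform(-max_fraction, max_fraction)))} for r in records]


def swap_field(records: List[Record], field: str, i: int, j: int) -> List[Record]:
    """Swapping: exchange one field between two similar records; the set of values is unchanged."""
    out = [dict(r) for r in records]
    out[i][field], out[j][field] = out[j][field], out[i][field]
    return out


def replace_with_group_average(records: List[Record], field: str, group_key: str) -> List[Record]:
    """Replacing with the average: every record receives its group's mean value for `field`."""
    groups: Dict[object, List[float]] = {}
    for r in records:
        groups.setdefault(r[group_key], []).append(r[field])
    means = {g: round(statistics.mean(v)) for g, v in groups.items()}
    return [{**r, field: means[r[group_key]]} for r in records]


def anonymize(records: List[Record], seed: int = 7) -> List[Record]:
    """Apply the five techniques in sequence; the input list is not modified."""
    rng = random.Random(seed)                                   # seeded only so the example repeats
    step = swap_field(records, "zip", 0, 1)                     # two finance employees swap ZIP codes
    step = [generalize(r) for r in step]
    step = suppress_small_groups(step, keys=("zip", "age"), k=2)
    step = add_noise(step, "salary", 0.05, rng)
    step = replace_with_group_average(step, "tenure_years", "dept")
    return step


if __name__ == "__main__":
    for rec in anonymize(EMPLOYEES):
        print(rec)
```

The 52-year-old is the only person in the (41100X, 50-59) group and is suppressed; the remaining records keep realistic salaries within 5% of the originals and department-level tenure, which is what makes the output usable for testing while no longer identifying anyone.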
Security Controls
Specific security controls should be established to ensure the confidentiality of PII.
Access Controls:
Identification and Authentication: Users must be uniquely identified and authenticated prior to accessing PII. Typically, two-factor authentication is required as well as a time-out function for remote access
Enforcement: Control access to PII through role-based access control to allow each user to access only the pieces of data necessary for the user’s role; or allow access only through an application which tightly restricts access to PII
Least Privilege: Ensure that users only have access to the minimum amount of PII, along with those privileges – read, write, execute – that are necessary to perform their work
Remote Access: Prohibit or strictly limit remote access to PII. If remote access is permitted, ensure that the communications are encrypted
Mobile Devices: Prohibit or strictly limit access to PII from portable or mobile devices because these are generally higher-risk than non-portable devices. If access is permitted, ensure devices are properly secured with up-to-date anti-malware software and OS patches
Media Access: Restrict access to media (CDs, USB flash drives, tapes, paper, etc.) containing PII
Security Controls
Separation of Duties: Enforce separation of duties for roles involving access to PII. For example, users of de-identified data should not also be in roles that permit them to access the codes needed to re-identify the records
Monitoring and Audits:
Monitor all access to PII to detect unauthorized access events or attempts
Monitor PII internally or at network boundaries for unusual or suspicious
data transfers
Regularly review and analyze system logs for indications of inappropriate or
unusual activity affecting PII and investigate suspicious activity or suspected
violations
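An added example, not code from the slides or the textbooks, showing three of the controls above working together: field-level role-based access so each role reads only the PII its work needs, an audit entry for every read whether allowed or denied, a separation-of-duties check that no user holds both the de-identified-data role and the re-identification role, and a review of the audit log that flags repeated denied reads and bulk reads of many distinct records in a short window. The role model, the 60 synthetic records, the users and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed role model: each role may read only the PII fields its work requires.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "support_agent": {"name", "phone"},
    "analyst":       {"zip", "age"},                  # de-identified fields only
    "payroll":       {"name", "bank_account"},
    "reidentifier":  {"record_code", "name", "ssn"},  # holds the re-identification codes
}

# Constructed PII store with 60 synthetic records (all values made up).
RECORDS = {
    f"r{i}": {"name": f"Person {i}", "phone": f"415-555-{i:04d}", "ssn": f"000-00-{i:04d}",
              "bank_account": f"{i:06d}", "zip": "411007", "age": 20 + i % 40}
    for i in range(1, 61)
}


class PiiStore:
    """Field-level role-based access to PII; every read, allowed or denied, is audited."""

    def __init__(self, records: Dict[str, dict], role_fields: Dict[str, Set[str]]):
        self._records = records
        self._role_fields = role_fields
        self.audit_log: List[dict] = []

    def read(self, user: str, role: str, record_id: str, fields: Set[str], when: datetime) -> dict:
        allowed = self._role_fields.get(role, set())
        denied = set(fields) - allowed
        self.audit_log.append({"time": when, "user": user, "role": role, "record": record_id,
                               "fields": sorted(fields), "outcome": "denied" if denied else "ok"})
        if denied:
            raise PermissionError(f"{user} ({role}) may not read {sorted(denied)}")
        return {f: self._records[record_id][f] for f in fields}


def check_separation_of_duties(assignments: Dict[str, List[str]]) -> List[str]:
    """Users holding both the de-identified-data role and the re-identification role."""
    return sorted(u for u, roles in assignments.items() if {"analyst", "reidentifier"} <= set(roles))


def find_suspicious_access(audit_log: List[dict], window: timedelta,
                           max_records: int, max_denials: int) -> Dict[str, List[str]]:
    """Flag users with repeated denials, or reads of many distinct records inside one window."""
    per_user: Dict[str, List[dict]] = defaultdict(list)
    for entry in audit_log:
        per_user[entry["user"]].append(entry)
    flagged: Dict[str, List[str]] = {}
    for user, entries in per_user.items():
        entries.sort(key=lambda e: e["time"])
        reasons = []
        denials = sum(1 for e in entries if e["outcome"] == "denied")
        if denials >= max_denials:
            reasons.append(f"{denials} denied reads")
        ok = [e for e in entries if e["outcome"] == "ok"]
        for i, start in enumerate(ok):                       # sliding window over successful reads
            distinct = {e["record"] for e in ok[i:] if e["time"] - start["time"] <= window}
            if len(distinct) >= max_records:
                reasons.append(f"{len(distinct)} distinct records read within {window}")
                break
        if reasons:
            flagged[user] = reasons
    return flagged


def run_demo():
    store = PiiStore(RECORDS, ROLE_FIELDS)
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    store.read("sam", "support_agent", "r1", {"name", "phone"}, t0)        # normal, allowed
    for i in range(3):                                                      # analyst probing for SSNs
        try:
            store.read("ana", "analyst", "r1", {"ssn"}, t0 + timedelta(minutes=i))
        except PermissionError:
            pass
    for i in range(1, 41):                                                  # payroll user reading in bulk
        store.read("pat", "payroll", f"r{i}", {"name", "bank_account"}, t0 + timedelta(seconds=10 * i))
    flagged = find_suspicious_access(store.audit_log, window=timedelta(minutes=10),
                                     max_records=25, max_denials=3)
    return store, flagged


if __name__ == "__main__":
    store, flagged = run_demo()
    print(flagged)
    print(check_separation_of_duties({"ana": ["analyst", "reidentifier"], "pat": ["payroll"]}))
```

The payroll user is flagged even though every one of the reads was permitted by the role, which is why the slide asks for monitoring in addition to access control: least privilege bounds what a user may read, the audit log shows how much of it was actually read.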
Security Controls
Media Handling:
Marking: Label media containing PII to indicate how it should be distributed and handled
Storage: PII on paper or on digital media must be securely stored until it is destroyed or sanitized. For example, encrypt data stored on storage drives, backup tapes and removable media
Transport: Protect media and mobile devices containing PII that are transported outside the organization’s controlled areas
Sanitization: Sanitize media containing PII before it is disposed of or released for reuse
Information Transmission: Protect the confidentiality of transmitted PII either by encrypting the communications or by encrypting the information before it is transmitted
Data Protection Laws in India
Data Protection refers to the set of privacy laws, policies and procedures that aim to minimise intrusion into one's privacy caused by the collection, storage and dissemination of personal data.
The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The Rules only deal with protection of "Sensitive personal data or information of a person", which includes personal information relating to:
Passwords;
Financial information such as bank account or credit card or debit card or other payment instrument details;
Physical, physiological and mental health condition;
Sexual orientation;
Medical records and history;
Biometric information.
Data Protection Laws in India
Under section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has also been made punishable with imprisonment for a term extending to three years and fine extending to Rs 5,00,000 (approx. US$ 8,000).
It is to be noted that s 69 of the Act, which is an exception to the general rule of maintenance of privacy and secrecy of the information, provides that where the Government is satisfied that it is necessary in the interest of:
the sovereignty or integrity of India,
defence of India,
security of the State,
friendly relations with foreign States or
public order or
for preventing incitement to the commission of any cognizable offence relating to the above or
for investigation of any offence,
Information Technology Act, 2000

The Information Technology Act, 2000 (hereinafter referred to as the "IT Act") is an act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies.
Grounds on which Government can interfere with Data

Under section 69 of the IT Act, any person, authorised by the Government or any of its officer
specially authorised by the Government, if satisfied that it is necessary or expedient so to do
in the interest of sovereignty or integrity of India, defence of India, security of the State,
friendly relations with foreign States or public order or for preventing incitement to the
commission of any cognizable offence relating to above or for investigation of any offence,
for reasons to be recorded in writing, by order, can direct any agency of the Government to
intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any
information generated, transmitted, received or stored in any computer resource.
The scope of section 69 of the IT Act includes both interception and monitoring along with
decryption for the purpose of investigation of cyber-crimes.
The Government has also notified the Information Technology (Procedures and Safeguards
for Interception, Monitoring and Decryption of Information) Rules, 2009, under the above
section.
The Government has also notified the Information Technology (Procedures and Safeguards
for Blocking for Access of Information) Rules, 2009, under section 69A of the IT Act, which
deals with the blocking of websites. The Government has blocked the access of various
websites.
Penalty for Damage to Computer, Computer Systems, etc. under the IT Act

Section 43 of the IT Act imposes a penalty, without prescribing any upper limit, on whoever does any of the following acts:
1. Accesses or secures access to such computer, computer system or computer
network;
2. Downloads, copies or extracts any data, computer data base or information from
such computer, computer system or computer network including information or data
held or stored in any removable storage medium;
3. Introduces or causes to be introduced any computer contaminant or computer
virus into any computer, computer system or computer network;
4. Damages or causes to be damaged any computer, computer system or computer
network, data, computer data base or any other programmes residing in such
computer, computer system or computer network;
5. Disrupts or causes disruption of any computer, computer system or computer
network;
6. Denies or causes the denial of access to any person authorised to access any
computer, computer system or computer network by any means.
Tampering with Computer Source Documents as provided for under the IT Act, 2000
Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals, destroys, or
alters any computer source code used for a computer, computer programme, computer system
or computer network, when the computer source code is required to be kept or maintained by
law for the time being in force, shall be punishable with imprisonment up to three years, or with
fine which may extend up to Rs 2,00,000 (approx. US$3,000), or with both.
Computer related offences
Section 66 provides that if any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to Rs 5,00,000 (approx. US$ 8,000) or with both.
Penalty for Breach of Confidentiality and Privacy
Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy. The Section
provides that any person who, in pursuance of any of the powers conferred under the IT Act
Rules or Regulations made thereunder, has secured access to any electronic record, book,
register, correspondence, information, document or other material without the consent of the
person concerned, discloses such material to any other person, shall be punishable with
imprisonment for a term which may extend to two years, or with fine which may extend to Rs
1,00,000, (approx. US$ 3,000) or with both.
Amendments as introduced by the IT Amendment Act, 2008

Section 10A was inserted in the IT Act which deals with the validity of contracts formed through
electronic means which lays down that contracts formed through electronic means "shall not be
deemed to be unenforceable solely on the ground that such electronic form or means was used for
that purpose".
The following important sections have been substituted and inserted by the IT Amendment Act,
2008:
1. Section 43A – Compensation for failure to protect data.
2. Section 66 – Computer Related Offences
3. Section 66A – Punishment for sending offensive messages through communication service, etc.
(This provision had been struck down by the Hon'ble Supreme Court as unconstitutional on 24th
March 2015 in Shreya Singhal vs. Union of India)
4. Section 66B – Punishment for dishonestly receiving stolen computer resource or communication
device.
5. Section 66C – Punishment for identity theft.
6. Section 66D – Punishment for cheating by personation by using computer resource.
7. Section 66E – Punishment for violation for privacy.
8. Section 66F – Punishment for cyber terrorism.
9. Section 67 – Punishment for publishing or transmitting obscene material in electronic
form.
10. Section 67A – Punishment for publishing or transmitting of material containing
sexually explicit act, etc, in electronic form.
11. Section 67B – Punishment for publishing or transmitting of material depicting
children in sexually explicit act, etc, in electronic form.
12. Section 67C – Preservation and Retention of information by intermediaries.
13. Section 69 – Powers to issue directions for interception or monitoring or decryption
of any information through any computer resource.
14. Section 69A – Power to issue directions for blocking for public access of any
information through any computer resource.
15. Section 69B – Power to authorize to monitor and collect traffic data or information
through any computer resource for cyber security.
16. Section 72A – Punishment for disclosure of information in breach of lawful contract.
17. Section 79 – Exemption from liability of intermediary in certain cases.
18. Section 84A –Modes or methods for encryption.
19. Section 84B –Punishment for abetment of offences.
20. Section 84C –Punishment for attempt to commit offences
