UNIT VI
Confidentiality And Cyber Forensic
Savitribai Phule Pune University
Fourth Year of Computer Engineering
(2015 Course)
410251: Information and Cyber Security
Unit V
Confidentiality and Cyber Forensic
Question No: 9 and 10
Weightage: 16 %
Syllabus
CONTENTS:
Introduction to Personally Identifiable Information (PII), Cyber
Stalking, PII impact levels with examples. Cyber Stalking, Cybercrime,
PII Confidentiality Safeguards, Information Protection Law: Indian
Perspective.
Text Books:
T1. Bernard Menezes, “Network Security and Cryptography”, Cengage Learning India, 2014
T2. Nina Godbole, Sunit Belapure, “Cyber Security”, Wiley India, 2014
References:
R1. Eoghan Casey, “Digital Evidence and Computer Crime: Forensic Science, Computers and
the Internet”, Elsevier, 2011, ISBN 978-0-12-374268-1
Introduction to PII
Identifying PII
What is PII?
Personally Identifiable Information (PII) is
any information, maintained by a
company, which:
• can be used to distinguish or trace an
individual’s identity
• is linked or linkable to an individual
Examples of PII:
• Name, Address, SSN, Date of Birth,
Phone Number
• Device specific static identifier (e.g.,
IP Address, UDID, etc.)
• Logs of user actions
• Financial, Employment or Location data
PII Data Breaches (2004-2019)
PII and the Law
Indian Government Actions:
• The RSP(Reasonable Security Practices) Rules have wide
applicability, affecting any kind of entity dealing in
electronic information.
• There currently exist 3 different sources of data privacy law in
India –
• a legally binding 9-bench Supreme Court judgement,
• the existing Rules, and
• the proposed Bill of PII
• https://novojuris.com/2017/09/20/indias-data-privacy-laws-current-scenario/
Other Impacts of a PII Breach
Loss of customers
Revenue loss
Drop in customer confidence
Adverse publicity
Unauthorized access of PII
Unauthorized access, use, or disclosure of PII can seriously harm both individuals and the organization.
Individuals:
• Identity theft
• blackmail
• embarrassment
Organization:
• By reducing public trust in the organization
• By creating legal liability.
PII Definition
PII is “any information about an individual maintained by an agency, including any information that can be
used to distinguish or trace an individual’s identity or any other information that is linked or linkable to an
individual.”
Identifying PII
Privacy Impact Assessment (PIA)/System of Record Notice (SORN) Essential Elements Crosswalk
PIA | SORN
What privacy information is collected | Categories of Records in the System
Why the information is collected | Authority/Purpose(s)
What the intended uses are for the information | Purpose(s)
With whom the information is shared | Routine Uses
What opportunities individuals have to decline to provide PII | Privacy Act Statement/Notification procedure
How information is secured | Safeguards
What privacy risks need to be addressed | Narrative Statement/Probable or potential effects on the privacy of individuals
Whether a System of Records Notice (SORN) exists | (Not applicable)
Examples of PII Data
The following list contains examples of information that may be considered PII.
• Name, such as full name, maiden name, mother’s maiden name, or alias
• Personal identification number, such as social security number (SSN), passport number,
driver’s license number, taxpayer identification number, patient identification number, and
financial account or credit card number
• Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or
other host-specific persistent static identifier that consistently links to a particular person
or small, well-defined group of people
• Information about an individual that is linked or linkable to one of the above (e.g., date of
birth, place of birth, race, religion, weight, activities, geographical indicators, employment
information, medical information, education information, financial information).
PII and Fair Information Practices
The protection of PII and the overall privacy of information are concerns both for
individuals whose personal information is at stake and for organizations that may
be liable or have their reputations damaged should such PII be inappropriately
accessed, used, or disclosed.
Treatment of PII is distinct from other types of data because it needs to be not
only protected, but also collected, maintained, and disseminated in accordance
with Federal law.
The Privacy Act, as well as other U.S. privacy laws, is based on the
widely-recognized Fair Information Practices, also called Privacy Principles.
The OECD Fair Information Practices are also the foundation of privacy laws and
related policies in many countries.
https://www.oecd.org/india/
OECD Fair Information Practices.
• Collection Limitation: There should be limits to the collection of personal data.
• Data Quality: Personal data should be accurate, complete and kept up-to-date.
• Purpose Specification: The purposes for which personal data are collected should
be specified not later than at the time of data collection.
• Use Limitation: Personal data should not be disclosed, made available or
otherwise used for purposes other than those specified, except with the consent
of the data subject or by the authority of law.
• Security Safeguard: Personal data should be protected by reasonable security
safeguards against such risks as loss or unauthorized access, destruction, use,
modification or disclosure of data.
• Openness: There should be a general policy of openness about developments,
practices and policies with respect to personal data.
• Individual Participation: An individual should have the right to obtain from a
data controller, or otherwise, confirmation of whether or not the data controller
has data relating to him.
• Accountability: A data controller should be accountable for complying with
measures which give effect to the principles stated above.
PII Confidentiality Impact Levels
The confidentiality of PII should be protected
based on its impact level.
The PII confidentiality impact level—
low, moderate, or high—indicates the
potential harm that could result to the subject
individuals and/or the organization if PII were
inappropriately accessed, used, or disclosed.
Confidentiality Impact Levels
The confidentiality of PII should be protected based on its
impact level. Items of PII which do not need protection
include:
• Publicly available information (phone book)
• Information voluntarily shared/disclosed
• Information that organization has permission or
authority to release publicly
Assess the harm caused by a breach of confidentiality
• Individual Harm: Relates to adverse effects experienced
by an individual when a breach of confidentiality occurs
with their PII
• Organizational Harm: This may take the form of financial
Impact Level
Impact Type | LOW | MODERATE | HIGH
Mission capability | Limited Degradation | Significant Degradation | Severe Degradation
Factors for Determining PII Confidentiality Impact Levels:
Identifiability: Evaluate how easily PII can be used to identify
specific individuals
• SSNs/Aadhaar can uniquely and directly identify individuals (High)
• Zip Code or Date of Birth can significantly narrow a list (Moderate)
Quantity of PII: Consider how many individuals are identified in the
information
• 25 records (Low) versus 2 million records (High)
Data Field Sensitivity: Evaluate the sensitivity of each individual PII
data field as well as sensitivity of the fields together
• An individual’s SSN/Aadhaar is more sensitive than his phone number
• A combination of name and address is more sensitive than
either one by itself
• Some data fields have higher potential for harm when used in
contexts other than their intended use. E.g., mother’s maiden
name, place of birth are often used to recover account passwords
Context of Use: This is the purpose for which PII is collected and
used
• E.g., providing services, behavioral analysis, evaluation of
preferences, serving up ads, statistical analysis or law enforcement.
• Important for understanding how disclosure can harm individuals
and the organization.
• Relevant to evaluating impact to different categories of people – list
of newsletter subscribers compared to list of law enforcement
officers.
Obligation to Protect Confidentiality:
• There may be legal or contractual obligations to protect PII. The
collected PII may be assigned higher impact levels as a result
Access to and Location of PII: Factors to consider:
• Number of people who have access to PII
• Frequency of access
• Remote, offsite or offshore access or backups
• Accessed or carried around by mobile workers
Determine Confidentiality Impact Level
How to get started?
Form a team consisting of InfoSec, Privacy, IT,
“system owner” or info custodian and Legal
Develop a form to help guide you through
the review and document the impact levels.
Review the impact levels on a regular basis
Similar to HIPAA
Form should include:
Process Name:
Process Description:
Process Owner:
PII data elements used:
Distinguishability:
Aggregation/Sensitivity:
Context of Use:
Obligation:
Access to/Location of:
Impact Level Declaration:
Date of Declaration:
Example 1: Incident Response Roster
Data elements: Name, titles, office & work cell numbers, work email addresses
Distinguishability: small number (under 20)
Aggregation/Sensitivity: internally available
Context of Use: release would not likely cause harm to individual or organization
Obligation: none
Access to/Location of: accessed by IT and response team; is available to remote workers
Impact level = Low
Example 2: Intranet Activity Tracking
Data Elements: user’s IP address, URL of website user viewed,
date/time user accessed website, amount of time user spent viewing, web
pages or topics accessed
Distinguishability: by itself – no, but linked (admins can view this log and the
AD log to identify an individual)
Aggregation/Sensitivity: info accessed could cause embarrassment if related
to HR subjects, however amount of potential info is limited
Context of Use: release of info would be unlikely to cause harm, since logging is
known and assumed to happen.
Obligation: none
Access to/Location of: Log data is accessed by a small number of sys admins
and is only accessible from the Org’s own systems.
Impact level = Low
Example 3: Fraud, Waste, and Abuse Reporting Application
Under section 69 of the IT Act, any person, authorised by the Government or any of its officers
specially authorised by the Government, if satisfied that it is necessary or expedient so to do
in the interest of sovereignty or integrity of India, defence of India, security of the State,
friendly relations with foreign States or public order or for preventing incitement to the
commission of any cognizable offence relating to above or for investigation of any offence,
for reasons to be recorded in writing, by order, can direct any agency of the Government to
intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any
information generated, transmitted, received or stored in any computer resource.
The scope of section 69 of the IT Act includes both interception and monitoring along with
decryption for the purpose of investigation of cyber-crimes.
The Government has also notified the Information Technology (Procedures and Safeguards
for Interception, Monitoring and Decryption of Information) Rules, 2009, under the above
section.
The Government has also notified the Information Technology (Procedures and Safeguards
for Blocking for Access of Information) Rules, 2009, under section 69A of the IT Act, which
deals with the blocking of websites. The Government has blocked the access of various
websites.
Penalty for Damage to Computer, Computer Systems, etc. under the IT Act
Section 43 of the IT Act imposes a penalty, without prescribing any upper limit, for doing
any of the following acts:
1. Accesses or secures access to such computer, computer system or computer
network;
2. Downloads, copies or extracts any data, computer data base or information from
such computer, computer system or computer network including information or data
held or stored in any removable storage medium;
3. Introduces or causes to be introduced any computer contaminant or computer
virus into any computer, computer system or computer network;
4. Damages or causes to be damaged any computer, computer system or computer
network, data, computer data base or any other programmes residing in such
computer, computer system or computer network;
5. Disrupts or causes disruption of any computer, computer system or computer
network;
6. Denies or causes the denial of access to any person authorised to access any
computer, computer system or computer network by any means.
Tampering with Computer Source Documents as provided for under the IT Act, 2000
Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals, destroys, or
alters any computer source code used for a computer, computer programme, computer system
or computer network, when the computer source code is required to be kept or maintained by
law for the time being in force, shall be punishable with imprisonment up to three years, or with
fine which may extend up to Rs 2,00,000 (approx. US$3,000), or with both.
Computer related offences
Section 66 provides that if any person, dishonestly or fraudulently does any act referred to in
section 43, he shall be punishable with imprisonment for a term which may extend to three years
or with fine which may extend to Rs 5,00,000 (approx. US$ 8,000), or with both.
Penalty for Breach of Confidentiality and Privacy
Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy. The Section
provides that any person who, in pursuance of any of the powers conferred under the IT Act,
Rules or Regulations made thereunder, has secured access to any electronic record, book,
register, correspondence, information, document or other material without the consent of the
person concerned, and discloses such material to any other person, shall be punishable with
imprisonment for a term which may extend to two years, or with fine which may extend to Rs
1,00,000 (approx. US$ 3,000), or with both.
Amendments as introduced by the IT Amendment Act, 2008
Section 10A was inserted in the IT Act which deals with the validity of contracts formed through
electronic means which lays down that contracts formed through electronic means "shall not be
deemed to be unenforceable solely on the ground that such electronic form or means was used for
that purpose".
The following important sections have been substituted and inserted by the IT Amendment Act,
2008:
1. Section 43A – Compensation for failure to protect data.
2. Section 66 – Computer Related Offences
3. Section 66A – Punishment for sending offensive messages through communication service, etc.
(This provision had been struck down by the Hon'ble Supreme Court as unconstitutional on 24th
March 2015 in Shreya Singhal vs. Union of India)
4. Section 66B – Punishment for dishonestly receiving stolen computer resource or communication
device.
5. Section 66C – Punishment for identity theft.
6. Section 66D – Punishment for cheating by personation by using computer resource.
7. Section 66E – Punishment for violation of privacy.
8. Section 66F – Punishment for cyber terrorism.
9. Section 67 – Punishment for publishing or transmitting obscene material in electronic
form.
10. Section 67A – Punishment for publishing or transmitting of material containing
sexually explicit act, etc, in electronic form.
11. Section 67B – Punishment for publishing or transmitting of material depicting
children in sexually explicit act, etc, in electronic form.
12. Section 67C – Preservation and Retention of information by intermediaries.
13. Section 69 – Powers to issue directions for interception or monitoring or decryption
of any information through any computer resource.
14. Section 69A – Power to issue directions for blocking for public access of any
information through any computer resource.
15. Section 69B – Power to authorize to monitor and collect traffic data or information
through any computer resource for cyber security.
16. Section 72A – Punishment for disclosure of information in breach of lawful contract.
17. Section 79 – Exemption from liability of intermediary in certain cases.
18. Section 84A – Modes or methods for encryption.
19. Section 84B – Punishment for abetment of offences.
20. Section 84C – Punishment for attempt to commit offences.