Legal Grand Rounds Update on Privacy and Security Laws with Best Practices Carol Romej, J.D., LL.M. August 26, 2015

Transcription

1 Legal Grand Rounds Update on Privacy and Security Laws with Best Practices Carol Romej, J.D., LL.M. August 26, 2015

2 Passwords Alphanumeric Cap Sensitive

3 Data Sources: Where is the data stored? Office Computers/Home Computers Laptops PDAs CDs, DVDs Flash/thumb drives, memory cards Personal folders Deleted s or documents Network and FTP Servers Mainframes Backup tapes Legacy systems Cell /Smart Phones Answering Machines Voic Other archive media or third-party storage media

4 Understanding Data Volume 2 kilobytes = 1 typewritten page 1 megabyte = 1 small novel 1 gigabyte = 1 pickup truck full of novels 100 gigabytes = 1 average library floor of academic journals 2 terabytes = An academic research library 10 terabytes = U.S. Library of Congress 2 exabytes = All information generated in 1999 [Roy Williams, Data Powers of Ten]

5 Critical Data Social Security Number Drivers License Birth Date Protected Health Information under HIPAA/HITECH (Insurance/Medical) Employment/Income address

6 ANTHEM Breach The second largest health insurance company operating plans across the country Breach: Estimated 80 Million current and past customers affected Method: Infiltrated Anthem s network with a malware program that provided the login credentials of an Anthem employee; Login used to make database queries

7 Compromised Anthem Customer Data Social Security Numbers Date of Birth Name and Address Address Employment and Income

8 Potential Illegal Uses of Data Phishing attacks Opening new accounts Takeover current accounts Sell Insurance Account on black market

9 Action Items for Victims Change all passwords to your accounts, and elect to have a secondary password assigned Ensure two factor authentication is enabled (PW and Device) Obtain copies of credit reports minimally once a year (Equifax, Experian, TransUnion) Activate a security freeze

10 General Recommendations Never carry your Social Security Card with you Be conservative in your disclosures on social media Shred outdated sensitive documents Lock up and secure important documents Monitor financial and account information

11 Compliance Security Survey says: 61%: implemented a security product to satisfy a compliance requirement which actually put the organization s data at greater risk 71%: fear for their organization s data security Lieberman Software's Annual Information Security Survey 2015

12 BEST PRACTICES Create & implement written document retention/destruction policy for data. Data Map where does PHI and other data requiring security live? (i.e., who, what, where, how, when.) Organize data storage efforts to reduce time, cost, and human capital related to locating critical data Identify the vendors who store, transmit and/or receive PHI Audit Business Associate Agreements and their core agreements

13 Introduction to Legal Issues Data Security

14 Identity Theft Protection Act A crime to obtain personally identifying information of another with intent to commit a crime, or sell such information to someone else who will

15 Communications under False Pretenses Electronic mail, web page, or other communications Purporting to be on behalf of a business without authority Induce or solicit disclosure of personally identifying information Intent to use information to commit identity theft or another crime

16 Data Breach Notification A requirement to notify residents of Michigan upon the discovery of a security breach of last name and driver license, social security number or account number(s).

17 Data Breach Notification Laws are directed to a person or agency that: Owns or licenses personal information data Maintains personal information data

18 Primary Obligation Determining if a breach is likely to cause a substantial loss or injury to, or result in Identity Theft with respect to, 1 or more residents of this state

19 Breach Evaluation Criteria Encrypted/Unencrypted Redacted/Unredacted Authorized/Unauthorized Access Identification of Device: Server(s), Laptop, USB (thumb) Drive

20 Exceptions for Unauthorized Access Data was accessed in good faith Access was related to activities of the company The employee or other individual accessing the data did not misuse or improperly disclose any personal information

21 Notice Requirement If unencrypted and unredacted personal information was accessed and acquired by an unauthorized person If personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key

22 Notice Communications Clearly state the general information related to the security breach Describe the personal information that was the subject of the unauthorized access/use Describe what has been done to protect data from further security breaches Provide contact information where a recipient of notice may obtain assistance Communicate need to remain vigilant for instances of fraud and Identity Theft

23 SOCIAL SECURITY NUMBER PRIVACY ACT For all or more than 4 sequential digits of SSN: Do not display Do not use as a primary account no. Do not use on identification badge Do not use on a membership card Do not require a transmission over Internet (unless secure/encrypted) Do not mail a document where SSN is visible from the outside of envelope

24 Consumer Protection Act With only limited exceptions, cannot require a consumer to disclose SSN as a condition of selling or leasing goods or providing a service A receipt from an electronic device where a credit or debit card was used for payment may not display any part of the expiration date or more than last 4 digits of the consumer s account number

25 HIPAA PHI is individually identifiable information that is transmitted or maintained in any form or medium (electronic, paper, or oral), that relates to: past, present, future physical or mental health conditions the provision of health care to an individual past, present, future payments for the provision of health care

26 HITECH Required Breach Notification Breach notification is required when there is: acquisition, access, use, or disclosure not permitted by the HIPAA Privacy Rule unsecured PHI, And, when exception does not apply, that incident compromises security or privacy of data. 26

27 PCI DSS Payment Card Industry Data Security Standard

28 EMV Cards Standard set: Europay, MC & Visa Embedded microchip which generates a unique one time code required for transaction approval Protects in store payments Liability shift falls on retailers who have not upgraded their systems Deadline for face to face transactions : October 1, 2015

29 Data Breach Investigations Report Over 50 Global Organizations are Contributors Aggregate and analyze common incident patterns Publish findings and make recommendations to industry

30 Classifications of Security Incidents Web App Attacks Cyber espionage POS Intrusions Insider Misuse Card Skimmers Error Physical Theft/Loss 2015 DBIR Verizon

31 2010 DBIR Verizon Data Most breaches are discovered by external parties Most breaches could have been avoided without difficult or expensive controls

32 2014 DBIR Data Cyber Espionage a consistent growth of reported incidents Payment Card Skimmers the ATM skimmers are getting more realistic and sophisticated Stolen Devices from Corporate Offices on the rise

33 How Risk is Created Poor access controls Improper or weak authentication Insufficiently protected credentials Untimely security patch management No network monitoring Improper device configuration Lack of audit logging

34 Risk Scenarios for Mobile Devices Employee fails to use remote wipe on a lost mobile device with hospital information Employee uses unapproved cloud based note takin and clipping service and stores unencrypted patient information Employee copies patient information to USB drive Employee transfers patient information to a commercial file sharing application

35 The Detection Deficit Discovery Resolution Root Cause

36 Insurance Coverage Policy exclusions pre/post 2001 Policies New Insurance Products: Network Security, Privacy, Data Loss, Business Interruption Loss from Viruses

37 Selection of Data Breach Insurance Assess Hospital's Risk Situation Have 3 rd Party Perform a Risk Assessment Discuss Insurance Options with Variety of Internal Departments

38 Recent Case Law Jane Doe v Henry Ford Health System Columbia Casualty Co. v Cottage Health System 2010 DBIR Verizon

39 Internal Procedures Govern the development, acquisition, implementation, and maintenance of information systems and related technology used to collect, use, retain, and disclose personal information. Ensure that the entity's backup and disaster recovery planning processes are consistent with its privacy policies and procedures. Classify the sensitivity of classes of data and determine the classes of users who should have access to each class of data. Users are assigned user access profiles based on their need for access and their functional responsibilities as they relate to personal information. Assess planned changes to systems and procedures for their potential effect on privacy. Test changes to system components to minimize the risk of an adverse effect on systems that process personal information. All test data is analyzed. Sign off by the privacy/security officer and/or business unit manager before implementing changes to systems and procedures that handle personal information, including those that may affect security.

40 Top 10 Data Breach Questions 1. Was any data compromised? 2. What data was compromised? 3. Is the data breach still occurring? 4. Have you set a defensible path? 5. Was the data breach accidental or malicious? 6. Was the data encrypted? 7. Have you implemented a crisis communications plan? 8. Have you alerted counsel/ law enforcement? 9. Have you researched your legal obligation for breach notification? 10. Have you tested your data breach response plan? See

41 BREACH RESPONSE ACTIVITES Convene the Security Incident team Identify affected individuals Retain IT experts, Forensic imaging services Create call center Identify Identity Theft Protection Service Provider Retain mail notice vendor Retain public relations firm Preserve attorney client privilege (contract with third party IT/Forensics and notice production vendors) Stage internal communications

42 Practice Tips Perform system risk assessment Implement Company wide security training Enable network security monitoring Review access and security log files Require physical access controls for facilities and computers Review hardware and software contracts for security obligations and liabilities

43 Phishing Employee Security Training Avoid e mail that asks for user name, password Awareness that connecting your infected personal device to the organization network can infect other devices on the network No legitimate business/service/website would ever ask employees to transmit sensitive data Employees should be directed to utilize devices that have been vetted by the organization Entrust, Inc.

44 References cy/privacy and security guide.pdf Jane Doe and All Others Similarly Situated, v Henry Ford Health System, 2014 WL Columbia Casualty Co. v Cottage Health System, Complaint for Declaratory Judgment and Reimbursement of Defense and Settlement Payments, May 7, 2015

45 References

46 References The 2015 Data Breach Investigations Report (DBIR). Edited by Verizon Enterprise Solutions. The Poneman Institute LLC. 2014: A Year of Mega Breaches, The Security Impact of Mobile Device Use by Employees, Pub. Date: Dec cert.gov

47 Questions? Carol Romej J.D., LL.M. (248) Hall, Render, Killian, Health & Lyman