Information Security & Data Breach Report 2011 / 2012 Annual Review


Data breaches and large scale cyber attacks continue to make headlines for entities of all types, including corporations, government agencies and hospitals or health systems. Newspaper headlines such as "Epsilon Data Breach to Cost Billions in Worst-Case Scenario" or "Sony Data Breach Cleanup to Cost $171 Million" have become common.[1] Because sensitive and/or personal information is often involved, the post-breach responsibilities of companies and other entities are becoming more strictly regulated. In response, companies are putting together tactical plans to handle potential data breaches or cyber attacks along with other risk management plans. In this new environment, companies must protect themselves both externally and internally from these types of issues.

Navigant is pleased to release its inaugural annual update of its Information Security and Data Breach Report. This report is designed to review data breach activity during 2011 and 2012, spotlight notable breaches, and identify longitudinal trends and other major changes taking place in the information security arena. The goal of this publication is to answer the following principal questions:

1. What is the total number of breaches per year?
2. What types of entities are experiencing breaches?
3. What is the average number of days between discovery and disclosure of a data breach?
4. What types of data are being compromised?
5. What is the average number of records per breach?
6. What are the leading causes of data breaches?
7. What is the average total cost of a data breach?

METHODOLOGY USED FOR IDENTIFYING DATA BREACHES

Navigant has captured all major data breaches disclosed publicly during the last two years (January 1, 2011 to December 31, 2012). As part of the methodology, we evaluated multiple sources to compile a list of breaches that took place in the United States involving a minimum of 1,000 exposed or potentially exposed records.[2] The incidents identified in this report involve breaches in which physical and electronic records were hacked, lost, stolen, or improperly exposed or discarded.

Data Breach Dashboard

- Healthcare entities accounted for the largest percentage of data breaches identified across either year (2011: 39% vs. 2012: 40%).
- Hospitals were the type of Healthcare entity most likely to experience a data breach: 41% in 2011 and 35% in 2012.
- The time between discovery and disclosure for Corporate entities increased 27% year over year (2011: 47 days vs. 2012: 61 days).
- The average number of records per breach was 39% higher in 2012 than in 2011 (2011: 35,546 vs. 2012: 49,429).
- The average total cost of a data breach in 2011 was $6,895,975. The average total cost in 2012 was $9,292,637.

1. WHAT IS THE TOTAL NUMBER OF BREACHES PER YEAR?

Navigant identified 221 major data breaches in 2012 compared to 233 in the previous year, representing a 5% decrease between reporting periods. However, the total number of records breached increased by 32%, from 8,282,279 records breached in 2011 to 10,923,791 in 2012.

The top ten breaches in 2012 were split between Government (3), Corporate (3), Education (2), Healthcare (1) and Other (1) entities. Government entities accounted for the three largest breaches, representing over 2.4 million records. In 2011, the top ten breaches were divided between Corporate and Healthcare entities, with Corporate entities accounting for seven breaches totalling 2.7 million records.

One of the largest data breaches identified across both years involved a well-known foreign policy think tank. The Texas-based firm had more than 860,000 email addresses and 75,000 credit card accounts breached by hackers and dumped online to Pastebin and other sites. The information included names, addresses, credit card numbers, MD5 hashed passwords, user names and email addresses. The breach of the company's servers was allegedly carried out by Anonymous on December 24. The hackers also defaced the firm's website and destroyed four servers in the process. The following day, hackers released a list of clients and warned they had obtained additional sensitive data during the data breach. The hacked credit card account numbers were not encrypted. The company immediately notified users of the breach and offered one year of identity theft protection services to anyone affected by the incident. Working with the FBI, the company initiated an investigation into the incident and shut down its website for several weeks. The redesigned website was launched early the following year. After the breach, a federal class-action lawsuit was filed alleging the company failed to employ basic security measures to protect user information. The case was recently settled for $1.5 million.

2. WHAT TYPES OF ENTITIES ARE EXPERIENCING BREACHES?

Our report classifies the organizations that experienced a data breach into five main categories: Healthcare, Corporate, Education, Government and Other.[3] These designations provide an overview of the entities that experienced a physical or electronic records breach. Across both years, Healthcare entities had the largest percentage of breaches identified. In 2012, Healthcare entities accounted for 40% of all breaches, followed by Corporate (20%), Education (19%), Government (15%), and Other (6%) (See Figure 1). In 2011, Healthcare entities experienced 39% of the data breaches, followed by Corporate (27%), Education (16%), Government (13%), and Other (5%) (See Figure 2).

FIGURE 1: 2012 Breaches by Type of Entity: Healthcare 40%, Corporate 20%, Education 19%, Government 15%, Other 6%.

FIGURE 2: 2011 Breaches by Type of Entity: Healthcare 39%, Corporate 27%, Education 16%, Government 13%, Other 5%.

As part of Navigant's analysis, we further segmented both Healthcare and Corporate entities to get a better sense of the type of organizations affected by data breaches. The types of Healthcare entities which experienced a data breach in 2012 and 2011 are shown below.

Type of Healthcare entity            2012    2011
Hospital                             35%     41%
Physicians' Offices                  30%     18%
Health System                        11%     16%
Clinics                              10%      9%
Dental Practice                       5%     10%
Mental Health Treatment Facility      5%      3%
Other                                 4%      3%

While the percentage of data breaches occurring at Physicians' Offices increased from 18% in 2011 to 30% in 2012, the percentage at Health Systems decreased from 16% to 11%. Dental Practices made up 10% of the entities that had a data breach in 2011 but only 5% in 2012. The average size of a data breach for Healthcare entities was 23,711 records in 2011 but only 14,717 records in 2012, a 38% decline. The Healthcare entities with the largest year over year percentage increase in the average number of records per breach were Health Systems (373%) and Mental Health Treatment Facilities (57%). The Healthcare entities with the largest percentage decrease in the average number of records per breach were Clinics (507%) and Physicians' Offices (75%).

The Corporate industries which experienced a data breach in 2012 and 2011 are shown below.

Corporate industry                              2012    2011
Services                                        36%     27%
Insurance & Finance                             25%     38%
Retail & Wholesale Trade                        25%     16%
Manufacturing                                    7%     16%
Transportation, Utilities & Public Services      7%      3%

Services and Insurance & Finance made up over 60% of the Corporate entities experiencing a breach across both reporting periods. Insurance & Finance entities made up 38% of the incidents in 2011 but only 25% in 2012. The average size of a data breach for Corporate entities was 67,277 records in 2011 but declined to 60,017 records in 2012, an 11% decrease. The Corporate entities with the largest percentage increase, year over year, in the average number of records per breach were Transportation, Utilities & Public Services (191%), Services (14%) and Insurance & Finance (7%). The Corporate entities with the largest percentage decrease in the average number of records per breach were Retail & Wholesale Trade (64%) and Manufacturing (7%). The 2012 data shows that 73% of Corporate entities experiencing a data breach were private firms while 27% were publicly traded. The prior year shows 67% of Corporate entities were private while 33% were publicly traded.

One of the largest healthcare entity breaches to occur in either year involved a medical center on the West Coast that potentially exposed the information of over 500,000 patients. A computer was stolen from the hospital containing patient information including names, dates of birth (DOB), the last four digits of the patient's Social Security Number (SSN) and the medical record number. The computer was password protected but not encrypted. The information came from the hospital's master patient index file that was on the stolen desktop computer. The incident took place on March 11, 2011 but was not discovered for several days. Once the theft was discovered, the hospital launched an internal investigation and contacted the county sheriff's department. After a few weeks, the hospital began to send notification letters and set up a toll-free number to answer questions from those affected. According to news articles, the hospital took additional steps to increase its computer security after the incident.

3. WHAT IS THE AVERAGE NUMBER OF DAYS BETWEEN DISCOVERY AND DISCLOSURE OF A DATA BREACH?

Data security regulations and the increasing danger of identity theft have elevated the importance of a timely response and disclosure after the discovery of a data breach. Discovery takes place when either electronic or physical records are confirmed to be lost or stolen, or data is otherwise identified as compromised. Disclosure can be made through notification to those affected by the data breach or to a regulatory agency, or when news of the breach is disclosed through publications, websites or blogs.

Forty-six states and several U.S. territories including Guam, the Virgin Islands and Puerto Rico have enacted data breach reporting requirements for different types of data. Some states allow a company to conduct a reasonable investigation regarding the incident while other states have established specific timelines for notification. States such as Texas and Connecticut have recently passed legislation strengthening data breach notification rules. The Securities and Exchange Commission's (SEC) guidance on Cyber Security has also shown the increasing importance regulators place on the risk associated with information security and data breaches.

The increasing regulatory oversight regarding the disclosure of a data breach has prompted Navigant to track this metric using public sources, news and government websites. The average number of days between discovery and disclosure for all breaches was 54 days in 2012 and 50 days in 2011.

We also tracked the average number of days between discovery and disclosure by type of entity (See Figure 3). The time between discovery and disclosure for Corporate entities experiencing a breach increased 27% year over year (2011: 47 days vs. 2012: 61 days). Healthcare entities registered a 9% increase between discovery and disclosure, from 66 days in 2011 to 72 days in 2012. Government entities, on the other hand, had a decrease in the time between discovery and disclosure from 38 days in 2011 to 32 days in 2012. The number of days between discovery and disclosure for Education entities increased from 28 days in 2011 to 29 days in 2012. Other entities registered no change between discovery and disclosure, with 32 days across both reporting periods.

FIGURE 3: Average Number of Days Between Discovery and Disclosure by Type of Entity (2011 vs. 2012): Corporate 47 vs. 61; Education 28 vs. 29; Government 38 vs. 32; Healthcare 66 vs. 72; Other 32 vs. 32.

The significant increase in the time between discovery and disclosure for Corporate entities can be attributed to several breaches that were not reported for over 150 days. One specific example involved a large international financial institution with customers in both the United States and Canada. In October 2012, the company began notifying 267,000 customers of a data breach which took place in March 2012, when two unencrypted backup tapes shipped to one of its locations went missing. Upon discovering the breach, the company initiated an investigation to locate the missing tapes. According to news reports, the company stated the lag of over 180 days in reporting this event was necessary to complete a thorough investigation of the matter. The tapes contained names, addresses, DOBs, driver's license numbers, SSNs, debit card numbers and bank account numbers. The company's notification to affected customers included one free year of credit monitoring as well as the option to transfer funds to a new bank account number.

Currently both federal and state authorities require that entities holding personal health information must disclose that a data breach has occurred. The Department of Health & Human Services (DHHS) issued data breach regulations in August. At the same time, similar breach notification regulations were issued by the Federal Trade Commission (FTC). As part of directives under the Health Information Technology for Economic and Clinical Health (HITECH) Act, finalized in January 2013, both the HHS and the FTC require HIPAA-covered entities to provide notification following a breach of protected health information no later than 60 days after the incident.[4] From public sources, our analysis shows the average number of days between discovery and disclosure for medical records was 73 days in 2011 compared to 75 days in 2012, representing a 3% increase from the previous year.

4. WHAT TYPES OF DATA ARE BEING COMPROMISED?

The types of data being compromised include personally identifiable information (PII), such as DOBs, names or SSNs; protected health information (PHI), such as information related to medical conditions, the provision of healthcare, or the payment for the provision of healthcare; and financial information, such as bank accounts or credit card numbers. We identified several categories of data commonly at risk in data breaches including: Name, Contact Information, SSNs, DOBs, Medical, Credit Card, Email, Financial and Miscellaneous (See Figure 4). Many of the incidents identified in this report have multiple types of data associated with each breach. The number of breaches involving some of the most sensitive data increased year over year: SSNs (2011: 48% vs. 2012: 52%), DOBs (2011: 33% vs. 2012: 37%) or medical information (2011: 35% vs. 2012: 42%).

One of the largest breaches identified involving the release of personally identifiable information (PII) and other patient data took place at a state technology services department. The agency, where most of the state's data is stored, disclosed that the personal data of around 800,000 residents was stolen by hackers. The data breach occurred in early 2012 when a newly installed test server was improperly configured, allowing hackers to enter the system. According to state authorities, the data was being accessed from a server in Eastern Europe when the intrusion was detected. The server was immediately shut down. The personal data of roughly 280,000 individuals was hacked, including medical claims information and SSNs. This data was kept by the state in order to determine Medicaid eligibility. The hacked data of another 500,000 individuals included names, addresses, DOBs, medical diagnostic codes, billing codes and national provider identification numbers. The state offered one year of free credit monitoring to those whose SSNs were stolen. Following the incident, the state implemented new data security procedures including additional network monitoring and intrusion detection capabilities. Additionally, the state CTO resigned, and an independent audit of IT security systems was ordered.

FIGURE 4: Breaches by Type of Information (categories: Names, Contact Info, SSNs, DOBs, Medical Info, Credit Cards, Financial Info, Emails, Misc. Info).

5. WHAT IS THE AVERAGE NUMBER OF RECORDS PER BREACH?

Navigant has calculated the average number of records per breach by type of entity (See Figure 5). This analysis revealed that the average number of records per breach was 39% higher in 2012 than in 2011 (2011: 35,546 vs. 2012: 49,429). Other entities saw the largest change, from 18,475 records in 2011 to 72,948 records in 2012, a 295% increase year over year. The average number of records per breach increased 272% from 2011 to 2012 for Government entities (2011: 29,326 vs. 2012: 109,212). Healthcare entities experienced a 38% decrease in the average number of records per breach, from 23,711 records in 2011 to 14,717 records in 2012. The average number of records per breach for Education entities was 21,422 in 2011 versus 57,640 in 2012, an increase of 169%. Corporate entities averaged 67,277 records in 2011 and 60,017 records in 2012, an 11% decrease between reporting periods.

FIGURE 5: Average Records Per Breach by Type of Entity (2011 vs. 2012): Corporate 67,277 vs. 60,017; Education 21,422 vs. 57,640; Government 29,326 vs. 109,212; Healthcare 23,711 vs. 14,717; Other 18,475 vs. 72,948.

As part of Navigant's analysis, we found that the large increase in the average size of data breaches involving Education and Government entities in 2012 was largely influenced by several incidents. The top five incidents affecting Education entities involved 1.8 million records and were primarily concentrated in Q2 and Q. The methods of breach were Hacking or Public Access/Distribution. The top five incidents affecting Government entities involved 2.8 million records and were largely concentrated in Q. The methods of breach, for the most part, were either Hacking or Loss.

6. WHAT ARE THE LEADING CAUSES OF DATA BREACHES?

The different causes of a data breach are summarized into seven major categories: Virus, Hacking, Loss, Theft, Public Access/Distribution, Unauthorized Access/Use, and Improper Disposal.[5] The most common methods used to breach data in 2012 are shown in Figure 6.

FIGURE 6: 2012 Breaches by Type of Method: Theft 32%, Hacking 21%, Public Access/Distribution 19%, Unauthorized Access/Use 10%, Loss 9%, Virus 4%, Improper Disposal 4%, Unknown 1%.

The 2011 data had a similar break-out (See Figure 7). Theft was again the most common type of breach (34%), followed by Public Access/Distribution (21%), Hacking (19%), Loss (12%), Unauthorized Access/Use (6%), Virus (3%), Improper Disposal (2%) and Unknown (3%).

FIGURE 7: 2011 Breaches by Type of Method: Theft 34%, Public Access/Distribution 21%, Hacking 19%, Loss 12%, Unauthorized Access/Use 6%, Virus 3%, Unknown 3%, Improper Disposal 2%.

Looking at the data by method of breach and type of entity, we identified some interesting statistics:

- 50% of Hacking incidents that took place in 2011 involved Corporate entities.
- Across both reporting periods, 67% of breaches involving Theft or Loss took place at Healthcare entities.
- 54% in 2011 and 63% in 2012 of Public Access/Distribution breaches involved Education or Government entities.
- 40% of Unauthorized Access/Use incidents across both reporting periods involved Healthcare entities.

A college in the Southeastern United States discovered that a data breach occurred between May 21, 2012 and September 24, 2012, which compromised records of 276,000 people. Affected individuals included 76,000 current or former students, 3,200 current or retired employees, and over 200,000 students eligible for the Bright Futures scholarship between 2005 and. The coordinated hack breached the school's servers over several months. This led to the identity theft of over 50 people, including the college president. The hackers took out loans through Payday services in Canada and repaid them from bank accounts of those affected. The hackers also applied for and used Home Depot credit cards. The compromised information for current and former students included names, addresses, SSNs and DOBs. The compromised data for employees included DOBs and SSNs as well as direct deposit routing and account numbers. An internal review by the college in October 2012 identified the breach. The college initiated an investigation with outside consultants and the local law enforcement cybercrimes division. Following the breach, the college set up a website to help affected individuals file a complaint or understand resources available from the Federal Trade Commission.

Navigant also tracked the format of breached records. We divided the types of records into three categories: physical, electronic and a combination of both. Electronic records may be accessed via CD-ROM, laptop, thumb drive, other media devices, email, website or server. In 2012, 82% of the records compromised were electronic, 14% were physical records, 1% were classified as a combination of both types, and 3% were unknown. In 2011, 77% of the records compromised were electronic, 19% were physical records, and 4% were unknown.

7. WHAT IS THE AVERAGE TOTAL COST OF A DATA BREACH?

One of the most critical questions being asked relates to the total cost of a data breach for the entities involved. One of the foremost studies on this issue is published by the Ponemon Institute.[6] The most recent information released provides some statistics on the total costs of a data breach. These costs can include detection, discovery, notification, legal costs, ex-post costs, loss of customers, and/or brand damage, but will vary with each specific breach. For purposes of this annual report, Navigant calculated the average total cost of a data breach by type of entity and type of breach.

One of the largest hacking incidents involved a restaurant wholesaler with outlets across the country. The company had malware inserted into its credit and debit card processing system, resulting in over 300,000 customers having their credit card information exposed. Using the Ponemon Institute study estimates, the total cost of this data breach might be as high as $58.2 million. The hackers' use of malware allowed them to temporarily collect credit card information as it was processed and then send it to a computer server in Russia. The stolen credit card data included the names on the credit cards, credit or debit card numbers, expiration dates and the three digit verification code. Once the breach was identified, the wholesaler enhanced the company's security measures. The company is also reimbursing card holders for any reasonable costs incurred due to this breach as well as providing 12 months of credit monitoring.

The average total cost of a data breach in 2011 was $6,895,975. The average total cost in 2012 was $9,292,637, a 37% increase. Some notable results from the analysis of average total cost of a data breach by entity were (See Figure 8):

- In 2012, Corporate ($11,283,217), Education ($10,836,284), Government ($20,531,839) and Other ($13,714,238) entities were above the average total cost of $9,292,637. The average total cost of a Healthcare entity breach was 70% below the average.
- In 2011, Corporate ($13,051,658) entities were above the average total cost of $6,895,975 while Education, Government, Healthcare and Other entities were below the average total cost.
- Other entities had the largest increase from 2011 to 2012. The average total cost of a data breach increased from $3,584,102 to $13,714,238, a 283% increase.
- Corporate and Healthcare entities showed decreases in the average total cost of a data breach from year to year. Healthcare entities declined by 40% over reporting periods (2011: $4,599,898 vs. 2012: $2,766,870).
- Education and Government entities' average total cost of a data breach increased 161% and 261% respectively from 2011 to 2012.

Navigant also calculated the average total cost of a data breach by method of breach (See Figure 9). Loss (2011: $6,115,102 vs. 2012: $21,421,472) showed the most significant increase from year to year, a 250% increase. Virus saw the largest decrease over reporting periods, a 59% reduction (2011: $13,624,925 vs. 2012: $5,645,993). The other top categories included Hacking and Unauthorized Access/Use, which both showed increases from year to year. The methods of breach that cost the most across both years were Hacking, Loss and Virus. In 2012, Hacking ($21,526,895) was the most expensive type of breach, followed by Loss ($21,421,472) and Public Access/Distribution ($5,845,309). In 2011, Hacking ($14,785,401) was the most expensive type of breach, followed by Virus ($13,624,925) and Loss ($6,115,102).

FIGURE 8: Average Total Cost by Type of Entity (2011 vs. 2012): Corporate $13,051,658 vs. $11,283,217; Education $4,155,822 vs. $10,836,284; Government $5,689,190 vs. $20,531,839; Healthcare $4,599,898 vs. $2,766,870; Other $3,584,102 vs. $13,714,238.

FIGURE 9: Average Total Cost by Type of Breach, 2011 vs. 2012 (Hacking $14,785,401 vs. $21,526,895; Loss $6,115,102 vs. $21,421,472; Virus $13,624,925 vs. $5,645,993; Public Access/Distribution 2012 $5,845,309; remaining categories: Improper Disposal, Theft, Unauthorized Access/Use, Unknown).

Spotlight on Notable Breaches

Company/Organization: Trion Worlds
Industry: Internet
Record Type: Electronic
Breach Method: Hacking
Size of Breach: 3.3 Million Accounts
Type of Data Breached: Names, Addresses, DOBs

Trion Worlds, a massive online role playing game platform, suffered a hack that breached over 3 million player accounts. The company, headquartered in California, publishes several game platforms including Rift, Defiance and Warface. In December 2011, hackers gained access to the games' account database. Breached customer information included user names, encrypted passwords, DOBs, email addresses, billing addresses and the first four and last four digits of the customers' credit cards. Once the breach was detected, Trion suggested that all users change their passwords and instructed mobile authenticator users to unplug and reconnect to the online gaming system. To compensate, the company provided all players with three extra days of gaming time. According to news reports, the company did not provide credit monitoring or other remediation efforts following the breach.

Company/Organization: Global Payments
Industry: Banking
Record Type: Electronic
Breach Method: Hacking
Size of Breach: 1.5 Million Credit Cards
Type of Data Breached: Credit Card

Global Payments, an electronic transaction processing company, experienced a data breach in March 2012. According to news reports, the breach was limited to the company's North American payment processing servers. The breach was estimated to have exposed 1.5 million cards and was allegedly confined to Track 2 card data, which includes the account number, expiration date and sometimes discretionary data. The company immediately notified federal law enforcement as well as Visa and Mastercard of the breach. In June 2012, the company acknowledged the breach was larger than initially suggested, and some news reports said it could be as high as 7 million accounts. Following this, the company hired a qualified security assessor to conduct an independent review of its Payment Card Industry Data Security Standard (PCI-DSS) compliance. The company spent over $90 million in associated costs and expenses related to the incident.

ABOUT NAVIGANT

Navigant (NYSE: NCI) is a specialized independent consulting firm providing dispute, financial, investigative, regulatory and operations advisory services to government agencies, legal counsel and large companies facing the challenges of uncertainty, risk, distress and significant change. The Company focuses on industries undergoing substantial regulatory or structural change and on the issues driving these transformations.

[1] Fahmida Y. Rashid, "Epsilon Data Breach to Cost Billions in Worst-Case Scenario", eWeek, 3 May 2011; Mathew J. Schwartz, "Sony Data Breach Cleanup To Cost $171 Million", InformationWeek, 23 May 2011.
[2] For the purposes of this study the Trion Worlds and Global Payments breaches are considered to be outliers and are reviewed in the Spotlight on Notable Breaches section of this report. Data reported in prior studies may change when information regarding breaches is identified or amended.
[3] Insurance companies are classified as Corporate entities for the purposes of this study, although protected health information may be breached in incidents involving insurance companies.
[5] A Virus is an intrusive malware that infects computers, servers and networks. A virus often carries out unwanted operations on a host computer. A virus could be used for hacking or it could be unintentionally loaded into a system and cause damage. A Hack occurs when a group or individual attempts to gain unauthorized access to computers or computer networks and tamper with operating systems, application programs, and databases. Unauthorized Access/Use is designated when an employee, contractor or volunteer of an organization wrongfully accesses or uses records. Improper Disposal occurs when either physical records or electronic media are not properly disposed of and could be accessed by other parties. A Theft involves physical records or electronic media that have been stolen or taken from an organization without permission by an employee or other party. Loss is designated when either physical records or electronic media have been lost and cannot be located by the organization. Public Access/Distribution occurs when records or data are made available publicly or to inappropriate parties. This includes data made accessible via a server, website or network and sent to inappropriate recipients via paper or electronic methods.
[6] Cost of Data Breach Study: United States, Ponemon Institute LLC, May. The total average cost per compromised record was $194 in 2011 and $188 in 2012. For purposes of this study, we estimated the total cost of each data breach using these figures calculated by the Ponemon Institute.

CONTACT

For questions related to the data presented herein:

Lead Data Breach Forensic Investigators: Steven Visser, Daren Hutchison, Brad Pinne, Bill Hardin, Andrew Obuchowski, Cuyler Robinson
Strategic Initiative Contacts: Scott Paczosa, Jonathan Drage, Darin Bielby
Research Lead: Bill Schoeffler

navigant.com

The authors would like to thank Vanessa Nelson Meihaus for her invaluable assistance. Vanessa is a Research Coordinator specializing in practice specific and general business development research in the firm's Chicago office. Greg Osinoff, Esq.

© Navigant Consulting, Inc. All rights reserved. Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See navigant.com/licensing for a complete listing of private investigator licenses.


More information

Proofpoint HIPAA Breach Report:

Proofpoint HIPAA Breach Report: Proofpoint HIPAA Breach Report: An Analysis of HITECH Breach Notifications and Settlements, Q1 2013 Healthcare Industry Update threat protection compliance archiving & governance secure communication Contents

More information

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

Data Breach Cost. Risks, costs and mitigation strategies for data breaches Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,

More information

PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS

PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS The following claim scenarios are hypothetical and are offered solely to illustrate the types of situations that may result in claims. Although sorted by industry,

More information

Network Security & Privacy Landscape

Network Security & Privacy Landscape Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

Cybercrime: Protecting Your Digital Assets in Today's Threat Landscape

Cybercrime: Protecting Your Digital Assets in Today's Threat Landscape Cybercrime: Protecting Your Digital Assets in Today's Threat Landscape Presented by Rachel Ratcliff OM03 Saturday, 10/5/2013 9:30 AM - 10:45 AM Cybercrime: Protecting Your Digital Assets in Today s Threat

More information

Student Data Breaches: Is Your District Prepared?

Student Data Breaches: Is Your District Prepared? Student Data Breaches: Is Your District Prepared? Colleen A. Sloan, Esq., Manager, Labor Relations and Associate School Attorney JoAnn Balazs, Director, Management Services Janell Hallgren, Manager, Policy

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

Health Care Data Breach Discovery Strategies for Immediate Response

Health Care Data Breach Discovery Strategies for Immediate Response Health Care Data Breach Discovery Strategies for Immediate Response March 27, 2014 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Sarah Flanagan Partner

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

Cyber Liability & Data Breach Insurance Claims

Cyber Liability & Data Breach Insurance Claims Cyber Liability & Data Breach Insurance Claims A Study of Actual Payouts for Covered Data Breaches Mark Greisiger President NetDiligence June 2011 Last year, privacy breaches ran about 1-2 per week. This

More information

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule Reporting of HIPAA Privacy/Security Breaches The Breach Notification Rule Objectives What is the HITECH Act? An overview-what is Protected Health Information (PHI) and can I protect patient s PHI? What

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident.

THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident. THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident. September 22, 2015 Erica Ouellette Beazley Technology, Media & Business Services Alyson Newton, Executive

More information

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer?

Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Minnesota Society for Healthcare Risk Management September 22, 2011 Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Melissa Krasnow, Partner, Dorsey & Whitney, and Certified Information

More information

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Thank you for joining us. We have a great many participants in today s call. Your phone is currently

More information

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the

More information

CSR Breach Reporting Service Frequently Asked Questions

CSR Breach Reporting Service Frequently Asked Questions CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could

More information

Network Security & Privacy Landscape

Network Security & Privacy Landscape Network Security & Privacy Landscape Presented By: Pam Townley, AVP / Eastern Zonal Manager AIG Professional Liability Division Jennifer Bolling, Account Executive Gallagher Management Liability Division

More information

Cyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029

Cyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029 Cyber Liability Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029 Today s Agenda What is Cyber Liability? What are the exposures? Reality of a

More information

The Data Breach: How to stay defensible before, during and after the incident. Alex Ricardo, CIPP/US Breach Response Services

The Data Breach: How to stay defensible before, during and after the incident. Alex Ricardo, CIPP/US Breach Response Services The Data Breach: How to stay defensible before, during and after the incident. Alex Ricardo, CIPP/US Breach Response Services What we are NOT doing today Providing Legal Advice o Informational Purposes

More information

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry DATA BREACH A FICTIONAL CASE STUDY THE FIRST SIGNS OF TROUBLE Friday, 5.20 pm :

More information

Discussion on Network Security & Privacy Liability Exposures and Insurance

Discussion on Network Security & Privacy Liability Exposures and Insurance Discussion on Network Security & Privacy Liability Exposures and Insurance Presented By: Kevin Violette Errors & Omissions Senior Broker, R.T. Specialty, LLC February, 25 2014 HFMA Washington-Alaska Chapter

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,

More information

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013 Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He

More information

9/13/2011. Miscellaneous Current Topics in Healthcare Professional Liability. Antitrust Notice. Table of Contents. Cyber Liability.

9/13/2011. Miscellaneous Current Topics in Healthcare Professional Liability. Antitrust Notice. Table of Contents. Cyber Liability. Miscellaneous Current Topics in Healthcare Professional Liability Josh Zirin, FCAS, MAAA Antitrust Notice The Casualty Actuarial Society is committed to adhering strictly to the letter and spirit of the

More information

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared; Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014

More information

HIPAA and Privacy Policy Training

HIPAA and Privacy Policy Training HIPAA and Privacy Policy Training July 2015 1 This training addresses the requirements for maintaining the privacy of confidential information received from HFS and DHS (the Agencies). During this training

More information

Cyber Security: Emerging Risks and Trends (and what you can do about it)

Cyber Security: Emerging Risks and Trends (and what you can do about it) Cyber Security: Emerging Risks and Trends (and what you can do about it) UVU Business and Economic Forum May 19, 2016 Presented by: Daniel D. Hill, Esq. Christopher Droubay, Esq. Risks and Trends Widely

More information

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

The Age of Data Breaches:

The Age of Data Breaches: The Age of Data Breaches: HOW TO AVOID BEING THE NEXT HEADLINE MARCH 24, 2015 2015 Epstein Becker & Green, P.C. All Rights Reserved. ebglaw.com This presentation has been provided for informational purposes

More information

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013 ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches

More information

Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation

Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation Business Process: Documented By: PCI Data Security Breach Stephanie Breen Creation Date: 1/19/06 Updated 11/5/13

More information

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes

More information

Best Practices for a Healthcare Data Breach: What You Don t Know Will Cost You

Best Practices for a Healthcare Data Breach: What You Don t Know Will Cost You Best Practices for a Healthcare Data Breach: What You Don t Know Will Cost You By: Emilio Cividanes, Venable LLP Partner and Co-Chair Regulatory Practice Group Paul Luehr, Stroz Friedberg Managing Director

More information

HCCA Compliance Institute 2013 Privacy & Security

HCCA Compliance Institute 2013 Privacy & Security HCCA Compliance Institute 2013 Privacy & Security 704 Conducting a Privacy Risk Assessment A Practical Guide to the Performance, Evaluation and Response April 23, 2013 Presented By Eric Dieterich Session

More information

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PURPOSE The purpose of this policy is to describe the procedures by which Workforce members of UCLA Health System and David Geffen School of Medicine

More information

Industry leading Education Todays Webinar

Industry leading Education Todays Webinar Compliance Simplified Achieve, Illustrate, Maintain Industry leading Education Todays Webinar Please ask questions Todays slides are available http://compliancy- group.com/slides023/ Certified Partner

More information

HIPAA Privacy & Security Rules

HIPAA Privacy & Security Rules HIPAA Privacy & Security Rules HITECH Act Applicability If you are part of any of the HIPAA Affected Areas, this training is required under the IU HIPAA Privacy and Security Compliance Plan pursuant to

More information

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed

More information

The Future of Data Breach Risk Management Response and Recovery. The Cybersecurity Forum April 14, 2016

The Future of Data Breach Risk Management Response and Recovery. The Cybersecurity Forum April 14, 2016 The Future of Data Breach Risk Management Response and Recovery Increasing electronic product life and reliability The Cybersecurity Forum April 14, 2016 Today s Topics About Merchants Information Solutions,

More information

HIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com

HIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations

More information

Medical Information Breaches: Are Your Records Safe?

Medical Information Breaches: Are Your Records Safe? Medical Information Breaches: Are Your Records Safe? Learning Objectives At the conclusion of this presentation the learner will be able to: Recognize the growing risk of data breaches Assess the potential

More information

Cybersecurity Workshop

Cybersecurity Workshop Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153

More information

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI

More information

Beazley presentation master

Beazley presentation master The Art of Breach Management Beazley presentation master February 2008 A Brief Review of Data Breaches What is a Data Breach? Actual release or disclosure of information to an unauthorized individual/entity

More information

HIPAA Compliance. 2013 Annual Mandatory Education

HIPAA Compliance. 2013 Annual Mandatory Education HIPAA Compliance 2013 Annual Mandatory Education What is HIPAA? Health Insurance Portability and Accountability Act Federal Law enacted in 1996 that mandates adoption of Privacy protections for health

More information

HIPAA Compliance: Efficient Tools to Follow the Rules

HIPAA Compliance: Efficient Tools to Follow the Rules Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability

More information

Cybersecurity: Protecting Your Business. March 11, 2015

Cybersecurity: Protecting Your Business. March 11, 2015 Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks

More information

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012 HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually

More information

Information Security Addressing Your Advanced Threats

Information Security Addressing Your Advanced Threats Information Security Addressing Your Advanced Threats Where We are Going Information Security Landscape The Threats You Face How To Protect Yourself This Will Not Be Boring What Is Information Security?

More information

Cyber Liability. AlaHA Annual Meeting 2013

Cyber Liability. AlaHA Annual Meeting 2013 Cyber Liability AlaHA Annual Meeting 2013 Disclaimer We are not providing legal advise. This Presentation is a broad overview of health care cyber loss exposures, the process in the event of loss and coverages

More information

Protecting personally identifiable information: What data is at risk and what you can do about it

Protecting personally identifiable information: What data is at risk and what you can do about it Protecting personally identifiable information: What data is at risk and what you can do about it Virtually every organization acquires, uses and stores personally identifiable information (PII). Most

More information

2011 Data Breach Notifications Report

2011 Data Breach Notifications Report 2011 Data Breach Notifications Report December 2011 2011 Report on Data Breach Notifications History, Laws and Regulations On October 31, 2007, the Commonwealth s Data Security Breach Law, Mass. Gen. Law

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,

More information

Cybersecurity: Emerging Legal Risks

Cybersecurity: Emerging Legal Risks Cybersecurity: Emerging Legal Risks Data Breach Cyber Liability Seminar April 17, 2015 By: Tsutomu L. Johnson tj@scmlaw.com Overview of 2014 Data Breaches: JP Morgan, Home Depot, P.F. Chang s, Healthcare.gov,

More information

Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement

Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement Office of the Secretary Office for Civil Rights () Current Developments in Privacy and Security Rule Enforcement Michigan Medical Billers Association Andrew C. Kruley, J.D. Equal Opportunity Specialist

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

Information Privacy and Security Program. Title: EC.PS.01.02

Information Privacy and Security Program. Title: EC.PS.01.02 Page: 1 of 9 I. PURPOSE: The purpose of this standard is to ensure that affected individuals, the media, and the Secretary of Health and Human Services (HHS) are appropriately notified of any Breach of

More information

LIGC-ACC Presentation November 9, 2015

LIGC-ACC Presentation November 9, 2015 Bryan Frank, DDIS Info Sec Corp, panelist Jennifer M. Mone, Deputy General Counsel, Hofstra University, panelist Keith J. Frank, Partner, Forchelli, Curto, Deegan, Schwartz, Mineo & Terrana,. LLP, moderator

More information

The HITECH Act: Protect Patients and Your Reputation

The HITECH Act: Protect Patients and Your Reputation The HITECH Act: Protect Patients and Your Reputation By: Donna Maassen Director of Compliance, and Privacy & Security Officer Extendicare Health Services, Inc. Table of Contents Executive Summary...3 The

More information

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed

More information

Cyber Liability. What School Districts Need to Know

Cyber Liability. What School Districts Need to Know Cyber Liability What School Districts Need to Know Data Breaches Growing In Number Between January 1, 2008 and April 4, 2012 314,216,842 reported records containing sensitive personal information have

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand

More information

Covered Areas: Those EVMS departments that have activities with Covered Accounts.

Covered Areas: Those EVMS departments that have activities with Covered Accounts. I. POLICY Eastern Virginia Medical School (EVMS) establishes the following identity theft program ( Program ) to detect, identify, and mitigate identity theft in its Covered Accounts in accordance with

More information

The Home Depot Provides Update on Breach Investigation

The Home Depot Provides Update on Breach Investigation The Home Depot Provides Update on Breach Investigation Breach confirmed Investigation focused on April forward No evidence of debit PIN numbers compromised No customers liable for fraudulent charges Customers

More information

HIPPA Goes HITECH. Data Protection for Agents

HIPPA Goes HITECH. Data Protection for Agents HIPPA Goes HITECH Data Protection for Agents For agent information only. this material should not be distributed to the public or used in any solicitation. 13-0127 Course objectives Agents will be able

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice
