Data Protection, Privacy and the Law
Presented for Data Privacy Month 2013
Presented by Tim Gurganus, OIT, and Clifton Williams, OGC
Payment Card Industry Data Security Standard (PCI-DSS)
- Protection of cardholder data processed, stored or transmitted for University merchants, and system integrity of payment applications and connected systems used by the University
- Mandates over 280 security controls, processes and policies
- There are two kinds of PCI requirements: technology and process
  - Security technology consists of software, hardware and third-party services used to implement purpose-built applications that protect cardholder data from various threats.
  - Security process is a specific set of operational procedures used to implement and maintain protection, which may or may not require a particular type of security technology.

Payment Card Industry Data Security Standard (PCI-DSS)
- University merchants must report compliance annually to our merchant bank
- NCSU has around 120 merchant organizations accepting credit and debit cards for payment, including:
  - Athletics
  - University Dining
  - Transportation
  - Ticket Central
  - Online Giving

Payment Card Industry Data Security Standard (PCI-DSS)
- The standard is composed of 6 major areas of security:
  - Build and maintain a secure network
  - Protect cardholder data stored and transmitted
  - Maintain a vulnerability management program
  - Implement strong access control measures
  - Regularly monitor and test networks
  - Maintain an information security policy
- The standard is written and maintained by the PCI security standards committee, which is composed of security and audit professionals from: Visa, MasterCard, American Express, Discover Card, Japanese Credit Bank, and others

Payment Card Industry Data Security Standard (PCI-DSS)
- There are some non-NCSU merchant ID holders, including: food trucks, Gopack.com
- Compliance is required by a chain of contracts: from the card brands to the merchant bank, to the acquirer, to the State of NC OSC, to the NCSU Controller's Office, to the merchant
- One of the principles in the PCI-DSS is segmentation: building separate networks, servers, workstations, firewalls, etc. for credit card payment applications only. The University has plans to build out such separate systems.
- As such, not all campus IT services are suitable for payment transactions; examples are Nomad wireless, building VLAN networks, and the VoIP telephone system.

Payment Card Industry Data Security Standard (PCI-DSS)
- If there is a breach of credit card data, the University is required to disclose this to our merchant bank and the card brands as part of the required PCI-DSS incident response plan.
- Members or merchants are subject to fines up to $500,000 per incident if there is a compromise on their network resulting in the loss or theft of cardholder information, and the network was subsequently found to be non-compliant at the time of the compromise.
- Also, if a member or merchant fails to immediately notify credit card companies of suspected or confirmed loss or theft of transaction information, the member or merchant will be subject to a penalty of $100,000 per incident.
- Related University regulation: REG Payment Card Merchant Services
Defense Federal Acquisition Regulations (DFAR) Security Clauses
- Research projects using unclassified data obtained from the Department of Defense (DoD) will need to protect the data and meet specific security standards that are still being developed.
- Campus researchers required to meet this standard will likely require special protection of the computer network used by the project, as well as specific security controls on the computer systems storing and processing the data.
- Desktop computers and personal electronic devices that individual researchers use under a covered contract would have to be inventoried and assessed to ensure that they are utilizing the appropriate FISMA-compliant technologies.
- The proposed standard will also likely mandate the use of encryption software and additional system/network monitoring on the computers used in DoD, NSF or DoE research.
Health Insurance Portability and Accountability Act (HIPAA)
- U.S. federal law enacted in 1996
- HIPAA protects patients' rights regarding personal health information (PHI).
- HIPAA applies to covered entities providing health care treatment and storing Protected Health Information
- NCSU covered entities include: Athletics sports medicine, Student Health Center, Counseling Center

Health Insurance Portability and Accountability Act (HIPAA)
- Related University Regulation: REG Privacy/Confidentiality, Release and Security of Protected Health Information
- HIPAA fines for non-compliance: failure to comply with HIPAA can result in civil penalties of $25,000 per individual per violation per year, and criminal penalties of a quarter million dollars and 10 years imprisonment.

Health Insurance Portability and Accountability Act (HIPAA)
HIPAA mandates:
- Privacy protection
- Plans for handling PHI and incidents of unintentional disclosure
- Use of encryption for transmitting and storing PHI
- Audit

Health Insurance Portability and Accountability Act (HIPAA)
Three components:
- Protection for the privacy of Protected Health Information (PHI)
- Protection for the security of Protected Health Information
- Standardization of electronic data interchange in healthcare transactions
HIPAA Privacy Rule, key elements: individually identifiable health information
- Name
- Birth date
- All geographic subdivisions smaller than state
- Telephone/fax numbers, addresses
- Medical record number
- Account number
- Vehicle identifier/serial number
- Uniform Resource Locators (URLs)
- Biometric identifiers
- Social Security number
- Health plan number
- Certificate/license number
- Device identifier/serial number
- IP addresses
- Photos
- Other unique characteristics
- Full face photograph

Health Insurance Portability and Accountability Act (HIPAA)
- The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
- PHI stands for protected health information, or any confidential information that identifies you.
- PHI may be oral or recorded in any form or medium that a health care provider, health plan, public health authority, employer, life insurer, school, university, or health care clearinghouse creates, and that relates to past, present or future payment for the provision of health care to an individual.
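The identifier list above is what makes a record "individually identifiable". The following Python scanner is an added example, not part of the presentation or any NC State tool: it looks for the categories on that list that have a recognisable syntax (SSN, phone, dates, ZIP codes, record/account numbers, vehicle identifiers, URLs, IP and email addresses), reports them, and redacts them so a note can be shared with the minimum necessary information. The regexes, category names and the sample note are constructed for this page; names, photographs and biometric identifiers have no fixed syntax and are deliberately out of scope.

```python
"""Scan a free-text health record for the pattern-detectable identifier
categories from the HIPAA list, and redact them. Added example: the regexes,
category names and the sample note are constructed, not NC State's tooling."""
import re

# Categories from the slide that have a recognisable syntax. Names, photographs,
# biometric identifiers and "other unique characteristics" have none, so they
# need structured fields or human review rather than a regex.
IDENTIFIER_PATTERNS = {
    "url": re.compile(r"https?://[^\s<>\"]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "vehicle_id": re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"),   # VIN: 17 chars, never I, O or Q
    "record_number": re.compile(                            # medical record / account numbers
        r"\b(?:MRN|medical record(?: number| no\.?)?|account(?: number| no\.?)?)"
        r"\s*[:#]?\s*\d{4,}\b", re.IGNORECASE),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),        # geographic unit below state level
}

# Constructed sample; every value is fictitious (RFC 5737 address, example.org, sample VIN).
SAMPLE_NOTE = (
    "Patient: Jane Q. Example, DOB 01/05/1962, MRN 00123456.\n"
    "Contact: (919) 555-0123, jane.example@example.org, lives in 27606.\n"
    "Portal login from 192.0.2.44 via https://portal.example.org/visit/88.\n"
    "SSN on file 123-45-6789. Vehicle 1HGBH41JXMN109186.\n"
)

TRAILING_PUNCT = ".,;:)"


def _clean(value: str) -> str:
    """Drop sentence punctuation that greedy patterns (URLs especially) drag along."""
    return value.rstrip(TRAILING_PUNCT)


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Every identifier found in the text, keyed by category (empty list if none)."""
    return {name: [_clean(m.group(0)) for m in pattern.finditer(text)]
            for name, pattern in IDENTIFIER_PATTERNS.items()}


def is_deidentified(text: str) -> bool:
    """True when none of the pattern-detectable categories is present."""
    return not any(find_identifiers(text).values())


def redact(text: str) -> str:
    """Replace each identifier with its category tag, e.g. '[SSN]', keeping any
    trailing punctuation so the sentence still reads."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        def tag(match, name=name):
            raw = match.group(0)
            core = _clean(raw)
            return "[" + name.upper() + "]" + raw[len(core):]
        text = pattern.sub(tag, text)
    return text


if __name__ == "__main__":
    for category, values in find_identifiers(SAMPLE_NOTE).items():
        print(f"{category:14s} {values}")
    print(redact(SAMPLE_NOTE))
```

A scanner like this is a safety net for notes and exports, not a de-identification method on its own: a record that passes `is_deidentified` can still name the patient, so it belongs alongside structured fields and review rather than in place of them.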
Health Insurance Portability and Accountability Act (HIPAA)
Technical requirements of HIPAA:
- Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Health Insurance Portability and Accountability Act (HIPAA)
- Minimum Necessary. A central aspect of the Privacy Rule is the principle of minimum necessary use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
- Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule, and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.

Health Insurance Portability and Accountability Act (HIPAA)
- Civil Money Penalties. HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year.
- Criminal Penalties. A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.

Health Insurance Portability and Accountability Act (HIPAA)
Related University Regulation (some excerpts):
4. SECURITY REQUIREMENTS AND PROCEDURES FOR ELECTRONICALLY-MAINTAINED PHI
  a. Protect against malicious software
  b. Monitor log-in attempts
  c. Creation and management of passwords
- Develop guidelines on the encryption of Electronic Health Records (EHR)
- Audit Controls: record and examine activity on information systems that contain or use EHR
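The regulation excerpt pairs "monitor log-in attempts" with the audit-control duty to record and examine activity on systems that hold EHR. The Python below is an added example, not NC State's tooling or the regulation's own procedure: it reads a constructed, syslog-like access log (the line format and field names are assumptions), flags a burst of failed log-ins for one user and source, and builds a per-record trail of who viewed or exported which record, which is the "examine" half of an audit control.

```python
"""Examine an access log for an e-PHI system: flag bursts of failed log-ins
and list who did what to which record. Added example over constructed log lines
in an assumed 'timestamp app EVENT key=value ...' format; not NC State's tooling."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Addresses are RFC 5737 documentation ranges.
LOG_LINES = """\
2013-01-14T08:01:10 ehr-app LOGIN user=nurse1 src=10.1.2.3 result=success
2013-01-14T08:02:31 ehr-app ACCESS user=nurse1 record=MRN-00123456 action=view
2013-01-14T08:05:00 ehr-app LOGIN user=admin src=203.0.113.9 result=failure
2013-01-14T08:05:04 ehr-app LOGIN user=admin src=203.0.113.9 result=failure
2013-01-14T08:05:09 ehr-app LOGIN user=admin src=203.0.113.9 result=failure
2013-01-14T08:05:12 ehr-app LOGIN user=admin src=203.0.113.9 result=failure
2013-01-14T08:05:15 ehr-app LOGIN user=admin src=203.0.113.9 result=failure
2013-01-14T09:10:00 ehr-app LOGIN user=billing2 src=10.1.2.7 result=failure
2013-01-14T09:10:40 ehr-app LOGIN user=billing2 src=10.1.2.7 result=success
2013-01-14T09:11:05 ehr-app ACCESS user=billing2 record=MRN-00123456 action=export
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<app>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse(line: str):
    """One log line -> dict of fields, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["event"] = m.group("event")
    return fields


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """(user, src) pairs with at least `threshold` failed log-ins inside `window`.
    Thresholds are assumptions; tune them to the system's normal error rate."""
    failures = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["event"] == "LOGIN" and rec.get("result") == "failure":
            failures[(rec["user"], rec["src"])].append(rec["ts"])
    flagged = []
    for key, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the sorted times.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(key)
                break
    return flagged


def record_access_trail(lines):
    """Which user performed which action on which record, in log order."""
    trail = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["event"] == "ACCESS":
            trail[rec["record"]].append((rec["user"], rec["action"]))
    return dict(trail)


if __name__ == "__main__":
    print("failed log-in bursts:", failed_login_bursts(LOG_LINES))
    for record, actions in record_access_trail(LOG_LINES).items():
        print(record, actions)
```

The two outputs answer different audit questions: the burst check is a detection that should page someone, while the access trail is the evidence you need later when a patient asks who looked at their record or when an incident response has to scope a disclosure.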
Red Flag Rule
- The Federal Trade Commission (FTC) regulates financial transactions at NC State University. The FTC has defined NC State as a creditor.
- The FTC has determined that all creditors must comply with the Red Flags regulation, and by law must train the respective employees who could come in contact with a Red Flag.
- A Red Flag is an indication or warning that a fraudulent transaction or event could be occurring as a result of identity theft.
- Some NCSU employees have to get Red Flag Rule training.

Red Flag Rule
By law, we must be able to do the following:
- Identify areas of exposure to ID theft and what types of events within those areas could be interpreted as Red Flags (what to look for)
- Detect when these Red Flag indicators might be present
- Reduce the exposure of financial or personal loss to the University and to the customer who might have been a victim of ID theft, by investigating the detected Red Flags for actual fraud and responding quickly and appropriately if fraud does indeed exist
- Train our employees on how to accomplish all of this

Red Flag Rule
- The following University units have been identified by the University Red Flag Rules Committee as having "covered accounts": Student Accounts, the AllCampus Card, Short Term Student Loans
- For individuals, covered accounts include any account that allows individuals to make multiple payments to pay off an obligation.

Red Flag Rule
Red Flags come in 5 categories:
1. Notifications and warnings from consumer reporting agencies
2. Suspicious documents
3. Suspicious personal identifying information
4. Suspicious covered account activity
5. Alerts from others
Example Red Flags:
- Documents provided for identification that appear to be altered or forged
- Photograph on ID does not match the appearance of the individual, or does not look like the individual
- Information on ID does not match the information provided by the person opening the account
- A suspicious address is supplied, such as a mail drop or a prison
- A phone number associated with pagers or an answering service is given
- You notice a drastic change in payment patterns, use of available credit, or spending patterns on an account
- A request for withdrawal (drop all classes) when a refund is required, shortly after a change of relevant information
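Of the example Red Flags above, four can be checked by a program against account data: the mail-drop or prison address, the pager or answering-service phone number, the drastic change in payment pattern, and a refund request shortly after a change of account information. The Python below is an added example, not NC State's Red Flag program: the marker lists, the 3x payment swing, the 14-day refund window, the category assignments and the two sample accounts are all assumptions chosen for illustration. The document-inspection flags (forged ID, photo mismatch) are left to the person at the counter.

```python
"""Rule checks for the computable example Red Flags, run over constructed
account records. Added example, not NC State's program: marker lists,
thresholds and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import median

# Constructed marker lists; a real program would use an address-validation
# service and a telephone-number type lookup instead of string matching.
MAIL_DROP_MARKERS = ("PMB", "MAIL DROP", "CORRECTIONAL", "PENITENTIARY", "DETENTION")
ANSWERING_SERVICE_NUMBERS = {"919-555-0100"}   # hypothetical pager/answering-service line
PAYMENT_SWING_RATIO = 3.0    # assumed: latest payment 3x (or 1/3) the usual amount is "drastic"
REFUND_WINDOW_DAYS = 14      # assumed: refund requested within 14 days of a profile change


@dataclass
class Account:
    account_id: str
    address: str
    phone: str
    payments: list[float]                                      # oldest first
    info_changes: list[date] = field(default_factory=list)     # address/phone/bank updates
    refund_requests: list[date] = field(default_factory=list)  # "drop all classes" refunds


def check_address(acct: Account) -> list[str]:
    upper = acct.address.upper()
    return [f"Suspicious address (mail drop/prison): {acct.address}"
            for marker in MAIL_DROP_MARKERS if marker in upper][:1]


def check_phone(acct: Account) -> list[str]:
    if acct.phone in ANSWERING_SERVICE_NUMBERS:
        return [f"Phone tied to pager/answering service: {acct.phone}"]
    return []


def check_payment_pattern(acct: Account) -> list[str]:
    """Compare the latest payment with the median of the earlier ones."""
    if len(acct.payments) < 4:
        return []            # too little history to call any change "drastic"
    *history, latest = acct.payments
    usual = median(history)
    if usual == 0:
        return []
    ratio = latest / usual
    if ratio >= PAYMENT_SWING_RATIO or ratio <= 1 / PAYMENT_SWING_RATIO:
        return [f"Drastic payment change: {latest:.2f} vs usual {usual:.2f}"]
    return []


def check_refund_after_change(acct: Account) -> list[str]:
    window = timedelta(days=REFUND_WINDOW_DAYS)
    return [f"Refund requested {(r - c).days} days after profile change on {c}"
            for r in acct.refund_requests for c in acct.info_changes
            if timedelta(0) <= r - c <= window]


# Category names from the slide; the grouping of checks under them is assumed.
RULES = {
    "Suspicious Personal Identifying Information": (check_address, check_phone),
    "Suspicious Covered Account Activity": (check_payment_pattern, check_refund_after_change),
}


def evaluate(acct: Account) -> dict[str, list[str]]:
    """Map each Red Flag category to the indicators found; an empty dict means no flags."""
    found = {}
    for category, checks in RULES.items():
        hits = [hit for check in checks for hit in check(acct)]
        if hits:
            found[category] = hits
    return found


# Constructed sample accounts.
CLEAN = Account("S100", "12 Elm St, Raleigh, NC", "919-555-0199",
                [250.0, 250.0, 260.0, 250.0],
                info_changes=[date(2013, 1, 5)], refund_requests=[date(2013, 4, 20)])
FLAGGED = Account("S200", "PMB 44, 900 Commerce Pkwy, Raleigh, NC", "919-555-0100",
                  [250.0, 250.0, 260.0, 2500.0],
                  info_changes=[date(2013, 1, 5)], refund_requests=[date(2013, 1, 12)])

if __name__ == "__main__":
    for acct in (CLEAN, FLAGGED):
        print(acct.account_id, evaluate(acct) or "no red flags")
```

A hit here is only the "detect" step of the slide before: it queues the account for a person to investigate and respond, and the thresholds should be reviewed against real payment history before anyone relies on them.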
Gramm Leach Bliley Act (GLBA): Section V, Privacy
The actual GLB Act has a total of 7 sections:
- Title I. Facilitating affiliation among banks, securities firms, and insurance companies
- Title II. Functional regulation
- Title III. Insurance
- Title IV. Unitary savings and loan holding companies
- Title V. PRIVACY
- Title VI. Federal Home Loan Bank System modernization
- Title VII. Other provisions

Gramm Leach Bliley Act (GLBA)
The GLBA states that an entity must develop, implement, and maintain a comprehensive information security program. The objectives of the program are:
1. Insure the security and confidentiality of customer information
2. Protect against any anticipated threats or hazards to the security and integrity of the information
3. Protect against unauthorized access to or use of the information

Gramm Leach Bliley Act (GLBA)
The following items are deemed non-public identifying data and are therefore protected under the GLB Act and must be safeguarded from unauthorized access and transfer:
- Phone number (unless it can be proved that the number is available in a phonebook and is not unlisted)
- Date of birth
- Social Security number
- Passport number
- Bank information
- Bank routing information (even though bank routing information is actually public information for each bank, what we need to safeguard is the routing information as it pertains to and is associated with each individual account, so as to not let it be compromised)
- Credit card / debit card information
- Credit card number / debit card number
- Loan balances and payment schedules
- Credit history information, including previous addresses
- Tax returns
- Asset statements

Gramm Leach Bliley Act (GLBA): Basic Safeguarding Rules
Many of the processes surrounding the safeguarding of data are general common-sense business best practices, such as:
- Limit access where not needed
- Do not leave non-public identifying data unattended on a desk or overnight
- Ensure that any documents containing non-public information are locked when stored, with limited access
- Ensure your computer system has a screen lock function and that it is activated when you are not at or with your computer, especially your laptop
- Never share your password with anyone
- Never allow someone else to utilize your account
- Change passwords periodically
- Change your password immediately if you think anyone else knows your password
- Turn your computer monitor away from public view, or use a privacy screen

Gramm Leach Bliley Act (GLBA): Basic Safeguarding Rules (cont.)
- Whenever possible, and within University, State, and Federal regulations, shred any paper data that has non-public information
- Do not release non-public information in response to requests via phone or electronic inquiry
- All inquiries for personal information must be forwarded to the Department of Human Resources
- Do not store confidential physical documents in areas that cannot be reasonably secured from disasters such as flood or fire
- Any modification of non-public customer information should trigger an automatic notification to the customer
- Do not repeat credit card numbers over the phone where other unauthorized people can overhear the number

Gramm Leach Bliley Act (GLBA): Basic Safeguarding Rules (cont.)
- Dispose of outdated customer information within record retention policies
- Electronic messaging services ( , instant messaging services, etc.) should NOT be used to send any confidential/sensitive information such as bank or credit card numbers, etc.
- Ensure that your computer, and especially your laptop, is running all current University anti-virus software as indicated by the Office of Information Technology (OIT). This includes access via a home computer or mobile device when accessing information that includes non-public information.
Records Requests, Subpoenas and Search Warrants
What are these?
- Records request
- Court order
- Subpoenas vs. search warrants (both are types of court orders)
- Notify OGC for all of these!
- REG Public Records Request
- REG Providing Expert Witness Testimony
  - Suggest private party consultants to provide expert opinion
  - Provide fact knowledge and data as an expert witness; not opinions and unsubstantiated ideas

NC Identity Theft Protection Act
What is this?
- Designed to protect SSNs in various ways
- Allows for credit report freezing to deter financial crimes
- Requires stricter safeguards and security breach notifications for personal information
- Personal information = a person's first name (or initial) and last name, and SSN, DL#, checking, savings or credit account numbers, etc.; digital signatures, biometric data, fingerprints, etc.

FERPA: Family Educational Rights and Privacy Act (FERPA)
What is this?
- Protects education records (more than just educational records)
- Requires student consent prior to release
- Requires a strict notification requirement if an education record is requested by a third party
- Requires a procedure to change incorrect records
Education record examples:
- Any submitted student coursework identifiable to the student
- Office of Student Conduct (OSC) investigative report
- Student's medical records shared for non-medical purposes
NCSU Computer Use Policy and Regulation
- Computer Use Policy (POL )
- Computer Use Regulation (REG )
Items related to data protection and privacy / network data:
The University may examine personal electronic information stored on or passing over University equipment or networks to:
- Insure the security and operating performance of its systems and networks.
- Conduct an audit.
- Investigate an issue before bringing it to the University Institutional Review Board.
- Comply with e-discovery rules connected to a subpoena or other court document.

NCSU Computer Use Policy and Regulation
The University may examine personal electronic information stored on or passing over University equipment or networks to:
- Enforce University policies or compliance with state or federal law where examination is approved in advance by a dean, vice chancellor, or vice provost, and:
  - There is suspicion a law or University policy was violated, or
  - Examination is necessary to comply with a state or federal law.

NCSU Computer Use Policy and Regulation
Regulatory limits:
- Computer users should have no expectation of privacy in personal material stored by them on the University computing systems when:
  - There is a reasonable suspicion that a law or University policy has been violated, or
  - Examination is necessary to comply with a state or federal law.
- If there is information you wish to keep private and personal, you should not store it on University equipment. At the very least, personal information should be stored in a separate folder and labeled as personal.

NCSU Computer Use Policy and Regulation
Protecting data: security precautions
Users of IT resources must take appropriate security precautions in order to prevent computer virus infections, misuse or data leakage. These precautions include:
- Ensuring critical vendor-supplied security patches are applied to software products in a timely manner
- Following the university Antivirus Software Requirements regulation
- Following the university Administrative Password Standard
NCSU media disposal procedures
- Covers: University data on storage devices going to surplus
- Mandates overwriting University data with random information, or a factory reset of the device, to wipe data
- NC State is obligated to remove confidential data and certain software applications from surplused electronic and computer equipment in order to maintain data security, be compliant with various federal and state regulations, and fulfill licensing agreements.
- To ensure due diligence, the university has implemented procedures for surplusing computer equipment running Windows, OS X and Unix.

NCSU media disposal procedures
Procedures need to be developed for other storage devices, such as:
- Flash drives
- Memory cards
- Fax machines with memory
- Copiers with hard drives
- Scanners with hard drives
- Cell phones
- Smartphones/PDAs
- iPads, iPods
- Video conferencing systems
- Printers with hard drives
- DVRs with hard drives
- Audio recorders with solid-state data storage
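The disposal procedure's first option is overwriting University data with random information. The Python below is an added example, not the university's surplus procedure or script: it overwrites one file in place with random bytes, forces the write to the device, verifies that the original content can no longer be read back, and then deletes the file. The file path is a temporary file created by the example and the "confidential" content is constructed. The verification step is the part worth copying into any real procedure, because it turns "we ran the wipe" into evidence.

```python
"""Overwrite a file with random data before deletion, then verify the original
bytes are gone. Added example of the 'overwrite with random information' step;
not NC State's procedure. Runs against a temporary file it creates itself."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024   # write in 64 KiB pieces so large files do not need to fit in memory


def overwrite_with_random(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file in place with random data, one or more
    passes, syncing to disk after each pass. Returns the bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # push the overwrite to the device, not just the page cache
    return size


def contains(path: str, needle: bytes) -> bool:
    """True if the byte sequence can still be read back from the file."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def wipe_file(path: str, passes: int = 1) -> bool:
    """Overwrite, then unlink. Returns True when the file no longer exists.
    Caveat: on flash media (SSDs, memory cards, phones) wear levelling can leave
    old copies of the data in blocks this overwrite never touches, which is why
    the slide's factory-reset/device-level option matters for those devices."""
    overwrite_with_random(path, passes)
    os.remove(path)
    return not os.path.exists(path)


def demo() -> dict:
    """Create a temp file holding constructed 'university data', wipe it, and
    report each check so the result can be asserted rather than eyeballed."""
    marker = b"CONFIDENTIAL student record 000-00-0000\n" * 2000   # constructed, 80 000 bytes
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker)
    before = contains(path, b"CONFIDENTIAL")
    written = overwrite_with_random(path)
    after = contains(path, b"CONFIDENTIAL")
    removed = wipe_file(path)
    return {"marker_present_before": before, "bytes_overwritten": written,
            "marker_present_after": after, "file_removed": removed}


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:22s} {result}")
```

File-level overwriting is a per-file tool; for a drive going to surplus the whole device should be wiped, and the same idea applies: record the verification (a read-back check, or the device's own sanitize status) with the surplus paperwork.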
How to Set up a Credit Fraud Alert
- A fraud alert advises creditors to contact you before they open any new accounts or change your existing accounts.
- There should be no charge after the revision to the NC ID Theft Protection Act.
- You may place this fraud alert on your credit file by contacting any one of the three major credit bureaus listed on the next slide. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your credit file. All three bureaus will then send a credit report to you, free of charge.
- Additional information and resources are available from the FTC by visiting their website, Identity Theft helpline at

How to Set up a Credit Fraud Alert
You may place this fraud alert on your credit file by contacting any one of the three major credit bureaus listed below:
- Equifax, PO Box, Atlanta, GA
- Experian, PO Box 9532, Allen, TX
- TransUnion, PO Box 6790, Fullerton, CA
38 Questions? (4H Meeting 1920)
More informationUniversity of Tennessee's Identity Theft Prevention Program
IDENTITY THEFT PREVENTION PROGRAM 1. BACKGROUND The University of Tennessee (UT) developed this Identity Theft Prevention Program pursuant to the Federal Trade Commission s Red Flags Rule, Section 114
More informationValdosta Technical College. Information Security Plan
Valdosta Technical College Information Security 4.4.2 VTC Information Security Description: The Gramm-Leach-Bliley Act requires financial institutions as defined by the Federal Trade Commision to protect
More informationHIPAA Compliance for Students
HIPAA Compliance for Students The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by the United States Congress. It s intent was to help people obtain health insurance benefits
More information2014 Core Training 1
2014 Core Training 1 Course Agenda Review of Key Privacy Laws/Regulations: Federal HIPAA/HITECH regulations State privacy laws Privacy & Security Policies & Procedures Huntsville Hospital Health System
More informationWe are writing to you because of a recent security incident which may have resulted in unauthorized access of your personal information.
EQUIFAX AUTHORIZATION CODE July, 2012 Dear [insert name]: We are writing to you because of a recent security incident which may have resulted in unauthorized access of your personal information. On or
More informationUniversity of Nebraska - Lincoln Identity Theft Prevention Program
I. Purpose & Scope This program was developed pursuant to the Federal Trade Commission s (FTC) Red Flag Rules promulgated pursuant to the Fair and Accurate Credit Transactions Act (the FACT Act). The University
More informationUnderstanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule
Understanding Health Insurance Portability Accountability Act AND HITECH HIPAA s Privacy Rule 1 What Is HIPAA s Privacy Rule The privacy rule is a component of the Health Insurance Portability and Accountability
More informationHIPAA Security Training Manual
HIPAA Security Training Manual The final HIPAA Security Rule for Montrose Memorial Hospital went into effect in February 2005. The Security Rule includes 3 categories of compliance; Administrative Safeguards,
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationOregon University System Identity Theft Prevention Program Effective May 1, 2009
Oregon University System Identity Theft Prevention Program Effective May 1, 2009 Page 2 I. PROGRAM ADOPTION The Oregon University System ( System ) developed this Identity Theft Prevention Program ("Program")
More informationCONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008
CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft when he intentionally
More informationPersonal Information Protection Policy
I Personal Information Protection Policy Purpose: This policy outlines specific employee responsibilities in regards to safeguarding personal information. To this end, each employee has a responsibility
More informationPacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009
Pacific University Policy Governing Identity Theft Prevention Program Red Flag Guidelines Approved June 10, 2009 Program adoption Pacific University developed this identity Theft Prevention Program ( Program
More informationImportant Customer Notice. Information Concerning Data Security Incident at Some Staples Stores
Important Customer Notice Information Concerning Data Security Incident at Some Staples Stores Staples wants to make customers aware that we have confirmed a data security incident involving customer payment
More informationCHAPTER 12 IDENTITY PROTECTION AND IDENTITY THEFT PREVENTION POLICIES
CHAPTER 12 IDENTITY PROTECTION AND IDENTITY THEFT PREVENTION POLICIES Section 1-12-1: Purpose 1-12-2: Definitions 1-12-3: Scope 1-12-4: Identity Protection Policy 1-12-5: Identity Theft Prevention Policy
More informationHEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA
TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE
More informationb. USNH requires that all campus organizations and departments collecting credit card receipts:
USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System
More informationCREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy
CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE
More informationAccepting Payment Cards and ecommerce Payments
Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont
More informationIdentity Theft Prevention Program Derived from the FTC Red Flags Rule requirements
Identity Theft Prevention Program Derived from the FTC Red Flags Rule requirements 1.0 Introduction In 2003, Congress enacted the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. Section 1681,
More informationPCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data
PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on
More informationHFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY
HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY Illinois Department of Healthcare and Family Services Training Outline: Training Goals What is the HIPAA Security Rule? What is the HFS Identity
More informationIDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240
IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance
More informationPage 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;
Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014
More informationIDENTITY THEFT PREVENTION (Red Flag) POLICY
IDENTITY THEFT PREVENTION (Red Flag) POLICY The risk to the College, its employees and students from data loss and identity theft is of significant concern to the College and can be reduced only through
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationAccounting and Administrative Manual Section 100: Accounting and Finance
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
More informationINFORMATION SECURITY & PRIVACY INSURANCE WITH BREACH RESPONSE SERVICES
INFORMATION SECURITY & PRIVACY INSURANCE WITH BREACH RESPONSE SERVICES NOTICE: INSURING AGREEMENTS I.A., I.C. AND I.D. OF THIS POLICY PROVIDE COVERAGE ON A CLAIMS MADE AND REPORTED BASIS AND APPLY ONLY
More informationEAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
More informationCentral Oregon Community College. Identity Theft Prevention Program
Central Oregon Community College Identity Theft Prevention Program Effective beginning May 1, 2009 I. PROGRAM ADOPTION This program has been created to put COCC in compliance with Section 41.90 under the
More informationINFORMATION SECURITY AND PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY COVERAGE. I. GENERAL INFORMATION Full Name:
INFORMATION SECURITY AND PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY COVERAGE NOTICE: COVERAGE UNDER THIS POLICY IS PROVIDED ON A CLAIMS MADE AND REPORTED BASIS AND APPLIES ONLY TO CLAIMS FIRST MADE
More informationGRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY
GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationPrivacy Legislation and Industry Security Standards
Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,
More informationHamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)
Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative
More informationRed Flag Identity Theft Financial Policy 1.10
Issued: 05/16/2014 Revised: Policy and College ( Seminary ) developed this Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission's ( FTC ) Red Flags Rule, which implements
More informationHOME DEPOT DATA BREACH
HOME DEPOT DATA BREACH This notice contains important information about the data breach announced by Home Depot, affecting some debit and credit cards used at Home Depot stores beginning April 2014. Data
More informationState Of Florida's Real Estate Law
Office of the President University Policy SUBJECT: IDENTITY THEFT PREVENTION PROGRAM Effective Date: 6-17-09 Policy Number: 5.6 Supersedes: Page Of New 1 7 Responsible Authority: Senior Vice President,
More informationAlphabet Soup - GLBA, FERPA and HIPAA: Security Best Practices
Alphabet Soup - GLBA, FERPA and HIPAA: Security Best Practices (Session ID: 152) Maureen Carver, Assistant Dean and Registrar, Law School, Villanova University Rita Garner, Registrar, Medical College of
More informationSOUTH TEXAS COLLEGE. Identity Theft Prevention Program and Guidelines. FTC Red Flags Rule
SOUTH TEXAS COLLEGE Identity Theft Prevention Program and Guidelines FTC Red Flags Rule Issued June 24, 2009 Table of Contents Section Section Description Page # 1 Section 1: Program Background and Purpose
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationDetecting, Preventing, and Mitigating Identity Theft
THE RED FLAGS RULE Detecting, Preventing, and Mitigating Identity Theft Training for Ball State University s Identity Theft Protection Program What is the Red Flag Rule? Congress passed the Fair and Accurate
More informationOklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention
Oklahoma State University Policy and Procedures Rules and Identity Theft Prevention 3-0540 ADMINISTRATION & FINANCE July 2009 Introduction 1.01 Oklahoma State University developed this Identity Theft Prevention
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationThese rules became effective August 1, 2009, and require certain agencies to implement an identity theft program and policy.
Red Flag Policy Protecting your privacy is of paramount importance at Missouri Southern State University, and we are dedicated to the responsible handling of your personal information. We are very committed
More informationFerris State University
Ferris State University BUSINESS POLICY TO: All Members of the University Community 2009:08 DATE: May 2009 I. BACKGROUND IDENTITY THEFT PREVENTION PROGRAM The risk to the University, and its students,
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationIdentity Theft Victim Checklist
CONSUMER INFORMATION SHEET 3 4/30//08 Identity Theft Victim Checklist This checklist can help identity theft victims clear up their records. It lists the actions most identity theft victims should take
More informationIDENTITY THEFT PREVENTION PROGRAM
LEGAL REQUIREMENTS Section 114 of the Federal Trade Commission s Fair and Accurate Credit Transactions Act of 2003 created the Red Flags Rule. This regulation requires the College to have an Identity Theft
More informationClient Advisory October 2009. Data Security Law MGL Chapter 93H and 201 CMR 17.00
Client Advisory October 2009 Data Security Law MGL Chapter 93H and 201 CMR 17.00 For a discussion of these and other issues, please visit the update on our website at /law. To receive mailings via email,
More informationProtecting. Personal Information A Business Guide. Division of Finance and Corporate Securities
Protecting Personal Information A Business Guide Division of Finance and Corporate Securities Oregon Identity Theft Protection Act Collecting, keeping, and sharing personal data is essential to all types
More informationHIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator
HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title
More informationINFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE Preventing, Preparing for, and Responding to Breaches of Information Security
INFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE Preventing, Preparing for, and Responding to Breaches of Information Security The Office of Illinois Attorney General Lisa Madigan has created
More information