12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013"

Transcription

1 Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since He specializes in and oversees the design, setup installation and implementation of automated accounting, distribution and manufacturing systems. Eric also is responsible for the firm s IT compliance services. Eric has performed IT audits on a number of systems and different organizations. In addition to helping our clients with their IT audit initiatives, he has also assisted clients with becoming PCI DSS, HIPAA and SOX compliant, ISO certified and performed NIST security audits. 2 Eric M. Wright, CPA, CITP Member Pennsylvania Institute of Certified Public Accountants Member The American Institute of Certified Public Accountants Information Management and Technology Assurance Section Certified Information Technology Professional (CITP) Chair PICPA IT Assurance Committee B.S. Mathematics and Computer Science, Waynesburg College, Magna Cum Laude 3 1

2 Payment Card Industry Topics to be Covered HIPAA State Data Breach Law Federal Cyber Legislation 4 Why all the Fuss? Number of Hacks Number of Records Breached 250,000, ,000, ,000, ,000,000 50,000,

3 Payment Card Industry Data Security Standards 7 What is PCI DSS? The PCI Data Security Standard (DSS) represents a set of fundamental security requirements, industry tools and measurements, that address the handling of cardholder information. The first thing to note, PCI compliance is not required by any federal law. 48 states have or are in the process of enacting data breach legislation addressing the loss of credit card data, but for most organizations, this compliance requirement is strictly voluntary. PCI compliance requirements originally start as multiple programs administered by individual credit card companies. Applicable to everyone who stores, processes, or transmits payment card data. Enforced by contract with banks that provide payment card processing. 8 Merchant Compliance Validation Requirements Payment Brand Level 1 Level 2 Level 3 Level 4* Visa 6M+ transactions 1 6M transactions 20K 1M e commerce Less than 20K e regardless of transactions commerce or 1M Cardholder Information acceptance channel Self assessment overall transactions Security Program (CISP) questionnaire Self assessment Onsite security audit required annually questionnaire Self assessment required annually required annually questionnaire Network scan required recommended Network scan required Network scan required annually Network scan recommended MasterCard 6M+ transactions 1 6M transactions Over 20K e commerce All other merchants regardless of transactions and less Site Data Protection acceptance channel Self assessment than 1M total Self assessment (SDP) Program questionnaire questionnaire Onsite security audit required annually Self assessment required annually required annually questionnaire Network scan required required annually Network scan required Network scan required Network scan required American Express 2.5M+ transactions 50K 2.5M transactions Less than 50K N/A Data Security Operating Onsite security audit Network scan required transactions Policy (DSOP) required annually Network scan Network scan required recommended Current requirements as of 5/09 Being considered a Level 1 merchant for any brand causes the remainder of the card brands to consider the entity a Level 1 as well. 9 3

4 History In 2004, the PCI DSS version 1.0 was developed by Master Card and agreed to by the other four major credit card companies. In September 2006, the Brands formed the PCI SSC to standardize the compliance requirements and promote the education and awareness of protecting cardholder data. PCI DSS 2.0 is the current version. 10 What is New? 11 New Standards for Mobile Payment Acceptance New mobile security standards were released February Why is mobile different? Tablets and smart phones do not provide the same level of security as you would expect at a traditional retail store. Almost any mobile application could access account data stored in or passing through a mobile device. Trust is important due to the fragmentation of this environment. This environment includes device manufacturers, developers of operating systems, application designers, network carriers and various protocols to link them all together. Ensuring security requires all of these parties to work together. 12 4

5 What if a device is owned by an individual and not the employer? How is the patching process managed without invading the privacy of the owner? Not considered best practice and is not recommended. The ease in which a device can be stolen, modified and returned without being noticed. 13 The Three Objectives of the MPA Guidance Prevent account data from being intercepted when entering into a mobile device. Prevent account data from being compromised while processed or stored with the mobile device. Prevent account data from interception upon transmission out of the mobile device. The guidance consists of 31 control activities that address these 3 objectives. 14 Additional Changes to the Standards Updated the testing standards associated with use of point to point encryption (P2PE) to transmit card data. Introduced new requirements effective June 30, 2012 associated with vulnerability scans of internal networks. These scans must be performed or after a significant change in the processing environment. To obtain a passing grade, the merchant must resolve all high vulnerabilities as defined in requirement 6.2, which requires the merchant to establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. 15 5

6 Future Requirements being Considered PCI_DSS version 3.0 Version 3.0 will include more changes to the framework than version 2.0 Items being considered in the new standard will include EMV chip adoption in the US Strengthening Mobile Payment Acceptance guidelines Greater awareness and education Challenges and lessons learned business as usual Additional guidance regarding Third Party Security Assurance Additional requirements for penetration testing and segmentation Security Policy and Procedures built into each requirement 16 Future Requirements being Considered By October 2015, all merchants will be subjected to the new Europay, MasterCard and Visa (EMV) standards. The new standards marks a shift from magnetic strip credit cards to chip and pin cards. The EMV standards will be required for card acquirers, merchants and processors. If a merchant does not meet the EMV standards, they will be held liable for any fraudulent transactions. The intent is to use both the EMV and PCI standards together to protect cardholder data

7 HIPAA History Passed in 1998 with little or no enforcement activity for 10 years. Congress passes the HiTech act in 2009 as part of ARRA to add teeth to the original act. In 2009, moved the enforcement activities from Centers of Medicare and Medicaid Services to Office of Civil Rights. 19 A Year of Audits Policies and Procedures are outdated or do not exist. Compliance programs were not a priority. Small providers have broad failures. Larger entities continue to struggle with data security. Third parties are not being managed. 20 HIPAA On January 17, 2013, the Department of Health and Human Services Office of Civil Rights released the 563 page final rule detailing the requirements of the Health Insurance Portability and Accountability Act (HIPAA). The final rule made sweeping changes to HIPAA s data security and breach requirements and has a significant impact on covered entities, business associates and subcontractors of business associates. Rule became effective March 26 th and compliance was required by September 23 rd. 21 7

8 HIPAA Changes Covered Entities can be held liable for the actions of their business associates. Holds Business Associates directly liable for compliance with certain HIPAA privacy and security requirements. Changes the definition of business associate to include subcontractors that create, receive, maintain or transmit Protected Health Information (PHI) on behalf of covered entities. Business Associates are required to have full blown written Business Associate agreements with sub contractors. Changes the definition of breach to clarify that an impermissible use or disclosure of PHI is presumed to be a breach, unless the covered entity or Business Associate can demonstrate there is a low probability that the PHI was compromised. Requires covered entities to protect decedent s PHI in accordance with the privacy rule for 50 years, following the date of death. 22 HIPAA Changes (Continued) Under the current requirements, a breach must be reported only if it poses a significant risk of financial, reputational or other harm to the individual. The new rule eliminates the risk of harm threshold and requires covered entities and business associates to consider four factors when determining whether a breach must be reported: 1) The nature and extent of the PHI involved, including the identifiers and the likelihood of re identification; 2) The unauthorized person who used the PHI or to whom the disclosure was made; 3) Whether the PHI was acquired or viewed; and 4) The extent to which the risk to the PHI has been mitigated. With few exceptions, prohibits the sale of PHI without an individual s consent. 23 HIPAA Changes (Continued) HIPAA enforcement is moving toward a penalty based system and away from voluntary compliance by introducing a tiered system of civil penalties based on culpability. Penalties range from $100 to $50,000 per incident with an annual cap of $1.5 million. The Office of Civil Rights released a 169 step audit program to address the new compliance standards. Enhances the patients rights to electronic copies of their records. Covered entities must provide an electronic copy of records in a mutually agreed upon machine readable format. Also requires covered entities to provide the records within 30 days instead of 60. The requests for records must be in writing and signed by the requesting individual. 24 8

9 HIPAA Changes (Continued) Requires that covered entities obtain a valid authorization from individuals before using or disclosing PHI to "market" a product or service. The term "marketing" means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. The changes imposed by the final rule will require most organizations to revise their Business Associate agreements. The deadline for having revised agreements in place is September 23, 2014, unless the parties amend or renew an existing contract during the period March 26, 2013 through September 23, Amendments or contracts signed during that time period require the Business Associate agreement to comply with the new regulations by September 23, State Data Breach Laws 26 PA Data Breach Law What Information are You Generally Required by Law to Secure Personally Identifiable Information (PII): Individual s name, consisting of the individual's first name or first initial and last name, in combination with Social Security Number Drivers License Number or State Identification Number Credit Card, Debit Card, Financial Account Numbers Protected Health Information (PHI) Any information that relates to the past, present, or future physical or mental health or condition of an individual; Electronic, Paper or Oral 27 9

10 Jurisdictions that have broader definitions Alaska California Georgia Iowa Kansas Maine Maryland Massachusetts Missouri Nebraska New Jersey New York North Carolina North Dakota Ohio Oregon South Carolina Texas Vermont Virginia Wisconsin Wyoming Washington DC Puerto Rico 28 Data Breach Law If a breach occurs, the organization must contact the individuals and inform them of the circumstances regarding the data breach. Must provide credit monitoring services if more than 1,000 individuals information is breached. If more than 175,000 individuals are effected or the cost to notify is greater than $100,000, then the organization is permitted to use alternative method of notification. With the exception of Alabama, Kentucky, New Mexico and South Dakota data encryption is a get out of jail free card. 29 Federal Cyber Legislation 30 10

11 Federal Cyber Legislation During the State of the Union address, President Obama announced that he had issued and signed executive orders on cyber security. This executive order is directed at federal agencies, but any industry regulated by a federal agency will be impacted by these new compliance requirements. The executive order gives the Director of Homeland Security 150 days to identify critical infrastructure where a cyber incident could result in debilitating impact on national security, national economic security or public health and safety. So, if you are bank, hospital, energy provider or another industry that falls within the critical infrastructure designation, be prepared to comply with these new regulations. 31 Federal Cyber Legislation (Continued) The executive orders call for cooperation and information sharing between the private sector and government so that these entities may better protect and defend themselves against cyber threats. Within 240 days, the National Institute of Security and Technology (NIST) must publish an updated framework to reduce cyber risk to critical infrastructure. The new framework must: Create standards that align policy, business and technology to address cyber risks. Identify areas that need improvement and can benefit from private and government collaboration. Guidance for measuring improvement. Align with international standards. Include best practices. 32 Questions 33 11

The Cyber Attack and Hacking Epidemic A Legal and Business Survival Guide

The Cyber Attack and Hacking Epidemic A Legal and Business Survival Guide The Cyber Attack and Hacking Epidemic A Legal and Business Survival Guide Practising Law Institute January 9, 2012 Melissa J. Krasnow, Partner, Dorsey & Whitney LLP, and Certified Information Privacy Professional

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

Network Security & Privacy Landscape

Network Security & Privacy Landscape Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

Privacy Legislation and Industry Security Standards

Privacy Legislation and Industry Security Standards Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,

More information

Accepting Payment Cards and ecommerce Payments

Accepting Payment Cards and ecommerce Payments Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont

More information

A Compliance Overview for the Payment Card Industry (PCI)

A Compliance Overview for the Payment Card Industry (PCI) A Compliance Overview for the Payment Card Industry (PCI) Many organizations are aware of the Payment Card Industry (PCI) and PCI compliance but are unsure if they are doing everything necessary. This

More information

PC Encryption Regulatory Compliance

PC Encryption Regulatory Compliance PC Encryption Regulatory Compliance Meeting Statutes for Personal Information Privacy SOLUTION BRIEF Table of Contents Personal Information at Risk... 1 Legislating the threat Three New Categories of Law...

More information

Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell

Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell Who s Afraid Of A Big Bad Breach?: Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell Overview Identifying the laws that protect personal information and protected

More information

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012 Payment Card Industry (PCI) Data Security Standard (DSS) Compliance SIFMA June 13, 2012 EisnerAmper Consulting Services Group Overview of EisnerAmper Fifth fhlargest accounting firm in the Metro New York

More information

PUBLIC HOUSING AUTHORITY COMPENSATION

PUBLIC HOUSING AUTHORITY COMPENSATION PUBLIC HOUSING AUTHORITY COMPENSATION Background After concerns were raised about the level of compensation being paid to some public housing authority (PHA) leaders, in August 2011 HUD reached out to

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

WHITE PAPER. PCI Basics: What it Takes to Be Compliant WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through

More information

Introduction to Compliance:

Introduction to Compliance: Introduction to Compliance: Protecting Customer Information Presented by Joshua Schafer & Rachel Fisher Introductions Joshua Schafer has over 10 years experience in information technology and is currently

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards January 19, 2011 Marc S. Reisler, Holland & Knight Copyright 2011 Holland & Knight LLP All Rights Reserved Data Breaches Remain a Serious Concern PCI Standards

More information

Payment Card Industry Compliance Overview

Payment Card Industry Compliance Overview January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260

More information

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

Licensure Resources by State

Licensure Resources by State Licensure Resources by State Alabama Alabama State Board of Social Work Examiners http://socialwork.alabama.gov/ Alaska Alaska Board of Social Work Examiners http://commerce.state.ak.us/dnn/cbpl/professionallicensing/socialworkexaminers.as

More information

HOW SECURE IS YOUR PAYMENT CARD DATA?

HOW SECURE IS YOUR PAYMENT CARD DATA? HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,

More information

What a Processor Needs from a University to Validate Compliance

What a Processor Needs from a University to Validate Compliance What a Processor Needs from a University to Validate Compliance Lisa T. Conroy Merchant Compliance Manager Vantiv May 24, 2016 Disclosures The information included in this presentation is for information

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

2.1.2 CARDHOLDER DATA SECURITY

2.1.2 CARDHOLDER DATA SECURITY University of Oxford Finance Division FINANCIAL POLICY 2.1.2 CARDHOLDER DATA SECURITY Date: 21 March 2013 Version: 2.1.2 Status: Approved Author: Simon Blee Bridget Midwinter TABLE OF CONTENTS Page EXECUTIVE

More information

A-79. Appendix A Overview and Detailed Tables

A-79. Appendix A Overview and Detailed Tables Table A-8a. Overview: Laws Expressly Granting Minors the Right to Consent Disclosure of Related Information to Parents* Sexually Transmitted Disease and HIV/AIDS** Treatment Given or Needed Alabama 14

More information

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

PCI Risks and Compliance Considerations

PCI Risks and Compliance Considerations PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction

More information

The benefits you need... from the name you know and trust

The benefits you need... from the name you know and trust The benefits you need... Privacy and Security Best at Practices the price you can afford... Guide from the name you know and trust The Independence Blue Cross (IBC) Privacy and Security Best Practices

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Real Progress in Food Code Adoption

Real Progress in Food Code Adoption Real Progress in Food Code Adoption August 27, 2013 The Association of Food and Drug Officials (AFDO), under contract to the Food and Drug Administration, is gathering data on the progress of FDA Food

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

Chex Systems, Inc. does not currently charge a fee to place, lift or remove a freeze; however, we reserve the right to apply the following fees:

Chex Systems, Inc. does not currently charge a fee to place, lift or remove a freeze; however, we reserve the right to apply the following fees: Chex Systems, Inc. does not currently charge a fee to place, lift or remove a freeze; however, we reserve the right to apply the following fees: Security Freeze Table AA, AP and AE Military addresses*

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

PCI Standards: A Banking Perspective

PCI Standards: A Banking Perspective Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control

More information

List of State DMV Websites

List of State DMV Websites List of State DMV Websites Alabama Alabama Department of Revenue Motor Vehicle Division http://www.ador.state.al.us/motorvehicle/index.html Alaska Alaska Department of Administration Division of Motor

More information

Network Security and Data Privacy Insurance for Physician Groups

Network Security and Data Privacy Insurance for Physician Groups Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit

More information

DATA BREACH CHARTS (Current as of December 31, 2015)

DATA BREACH CHARTS (Current as of December 31, 2015) DATA BREACH CHARTS (Current as of December 31, 2015) The charts below provide summary information about data breach notification statutes across the country. California adopted the first data breach notification

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

OCR Reports on the Enforcement. Learning Objectives

OCR Reports on the Enforcement. Learning Objectives OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Public School Teacher Experience Distribution. Public School Teacher Experience Distribution

Public School Teacher Experience Distribution. Public School Teacher Experience Distribution Public School Teacher Experience Distribution Lower Quartile Median Upper Quartile Mode Alabama Percent of Teachers FY Public School Teacher Experience Distribution Lower Quartile Median Upper Quartile

More information

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

PCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates

PCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates PCI-DSS Compliance Ron Dinwiddie Chief Technology Officer J. Spargo & Associates Agenda What is PCI Compliance Why is PCI Important How does this impact me? Becoming PCI Compliant JSA PCI Strategy Risk

More information

115 th Annual Convention

115 th Annual Convention 115 th Annual Convention Date: Saturday, October 12, 2013 Time: 11:00 am 12:00 pm Location: The Walt Disney World Swan and Dolphin Resort, Southern Hemisphere Salon 4-5 Title: Activity Type: Speaker: Data

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card

More information

Real Progress in Food Code Adoption

Real Progress in Food Code Adoption Real Progress in Food Code Adoption The Association of Food and Drug Officials (AFDO), under contract to the Food and Drug Administration, is gathering data on the progress of FDA Food Code adoptions by

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp

More information

Intelligent Vendor Risk Management

Intelligent Vendor Risk Management Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

State-Specific Annuity Suitability Requirements

State-Specific Annuity Suitability Requirements Alabama Alaska Arizona Arkansas California Colorado Connecticut Delaware District of Columbia Effective 10/16/11: Producers holding a life line of authority on or before 10/16/11 who sell or wish to sell

More information

Texas Medical Records Privacy Act

Texas Medical Records Privacy Act A COALFIRE PERSPECTIVE Texas Medical Records Privacy Act Texas House Bill 300 (HB 300) Rick Dakin, CEO & Co-Founder Rick Link, Director Andrew Hicks, Director Overview The State of Texas has pushed ahead

More information

Credit Card Processing, Point of Sale, ecommerce

Credit Card Processing, Point of Sale, ecommerce Credit Card Processing, Point of Sale, ecommerce Compliance, Self Auditing, and More John Benson Kurt Willey HACKS REGULATIONS Greater Risk for Merchants Topics Compliance Changes Scans Self Audits

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

Business Associate Liability Under HIPAA/HITECH

Business Associate Liability Under HIPAA/HITECH Business Associate Liability Under HIPAA/HITECH Joseph R. McClure, JD, CHP Siemens Healthcare WEDI Security & Privacy SNIP Co-Chair Reece Hirsch, CIPP, Partner Morgan Lewis & Bockius LLP ` Fifth National

More information

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?

More information

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security

More information

SECTION 109 HOST STATE LOAN-TO-DEPOSIT RATIOS. The Board of Governors of the Federal Reserve System (Board), the Federal Deposit

SECTION 109 HOST STATE LOAN-TO-DEPOSIT RATIOS. The Board of Governors of the Federal Reserve System (Board), the Federal Deposit SECTION 109 HOST STATE LOAN-TO-DEPOSIT RATIOS The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency

More information

Impacts of Sequestration on the States

Impacts of Sequestration on the States Impacts of Sequestration on the States Alabama Alabama will lose about $230,000 in Justice Assistance Grants that support law STOP Violence Against Women Program: Alabama could lose up to $102,000 in funds

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Presented by Jack Kolk President ACR 2 Solutions, Inc.

Presented by Jack Kolk President ACR 2 Solutions, Inc. HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

SECTION 109 HOST STATE LOAN-TO-DEPOSIT RATIOS. or branches outside of its home state primarily for the purpose of deposit production.

SECTION 109 HOST STATE LOAN-TO-DEPOSIT RATIOS. or branches outside of its home state primarily for the purpose of deposit production. SECTION 109 HOST STATE LOAN-TO-DEPOSIT RATIOS The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (the agencies)

More information

US Department of Health and Human Services Exclusion Program. Thomas Sowinski Special Agent in Charge/ Reviewing Official

US Department of Health and Human Services Exclusion Program. Thomas Sowinski Special Agent in Charge/ Reviewing Official US Department of Health and Human Services Exclusion Program Thomas Sowinski Special Agent in Charge/ Reviewing Official Overview Authority to exclude individuals and entities from Federal Health Care

More information

Legislative & Regulatory Information

Legislative & Regulatory Information Americas - U.S. Legislative, Privacy & Projects Jurisdiction Effective Date Author Release Date File No. UFS Topic Citation: Reference: Federal 3/26/13 Michael F. Tietz Louis Enahoro HIPAA, Privacy, Privacy

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

Sales Rep Frequently Asked Questions

Sales Rep Frequently Asked Questions V 02.21.13 Sales Rep Frequently Asked Questions OMEGA Processing Data Protection Program February 2013 - Updated In response to a national rise in data breaches and system compromises, OMEGA Processing

More information

2014 INCOME EARNED BY STATE INFORMATION

2014 INCOME EARNED BY STATE INFORMATION BY STATE INFORMATION This information is being provided to assist in your 2014 tax preparations. The information is also mailed to applicable Columbia fund non-corporate shareholders with their year-end

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

Data Breach Notification: State and Federal Law Requirements. Good News

Data Breach Notification: State and Federal Law Requirements. Good News Data Breach Notification: State and Federal Law Requirements Donna Maassen, CHC Director of Compliance Extendicare Health Services, Inc. & Andrew G. Conkovich, CHC Director of Regulatory Affairs & Compliance

More information

TJ Maxx Settlement Requires Creation of Information Security Program and Funding of State Data Protection and Prosecution Efforts

TJ Maxx Settlement Requires Creation of Information Security Program and Funding of State Data Protection and Prosecution Efforts Litigation Privacy & Data Protection Global Sourcing July 1, 2009 TJ Maxx Settlement Requires Creation of Information Security Program and Funding of State Data Protection and Prosecution Efforts by Tara

More information

The following are responsible for the accuracy of the information contained in this document:

The following are responsible for the accuracy of the information contained in this document: AskUGA 1 of 5 Credit/Debit Cards Responsible administrator: Senior Vice President for Finance and Administration Related Procedure: The Credit/Debit Card Processing Procedures Responsible department: Bursar's

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

Workers Compensation State Guidelines & Availability

Workers Compensation State Guidelines & Availability ALABAMA Alabama State Specific Release Form Control\Release Forms_pdf\Alabama 1-2 Weeks ALASKA ARIZONA Arizona State Specific Release Form Control\Release Forms_pdf\Arizona 7-8 Weeks by mail By Mail ARKANSAS

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

MAINE (Augusta) Maryland (Annapolis) MICHIGAN (Lansing) MINNESOTA (St. Paul) MISSISSIPPI (Jackson) MISSOURI (Jefferson City) MONTANA (Helena)

MAINE (Augusta) Maryland (Annapolis) MICHIGAN (Lansing) MINNESOTA (St. Paul) MISSISSIPPI (Jackson) MISSOURI (Jefferson City) MONTANA (Helena) HAWAII () IDAHO () Illinois () MAINE () Maryland () MASSACHUSETTS () NEBRASKA () NEVADA (Carson ) NEW HAMPSHIRE () OHIO () OKLAHOMA ( ) OREGON () TEXAS () UTAH ( ) VERMONT () ALABAMA () COLORADO () INDIANA

More information

University Policy Accepting Credit Cards to Conduct University Business

University Policy Accepting Credit Cards to Conduct University Business BROWN UNIVERSITY University Policy Accepting Credit Cards to Conduct University Business Purpose Brown University requires all departments that are involved with credit card handling to do so in compliance

More information

Three-Year Moving Averages by States % Home Internet Access

Three-Year Moving Averages by States % Home Internet Access Three-Year Moving Averages by States % Home Internet Access Alabama Alaska Arizona Arkansas California Colorado Connecticut Delaware Florida Georgia Hawaii Idaho Illinois Indiana Iowa Kansas Kentucky Louisiana

More information

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)

More information