Privacy & Data Security
|
|
- Kerrie Butler
- 8 years ago
- Views:
Transcription
1 Privacy & Data Security May 9, 2014 Presented at: SWBA 39 TH ANNUAL CONFERENCE by: James E. Prendergast, Esq.
2 Overview Data Privacy Concerns: Unauthorized access, use, acquisition or disclosure of information
3 What information is at stake? Personally identifiable information (PII) Social Security numbers, driver s license numbers, financial account information, medical information Broader view: addresses, phone numbers, dates of birth CA: Effective 2014: adds , user names, passwords, security questions Protected Health Information (PHI) Payment Card Industry (PCI) Zip Codes? (CA and MA)
4 WHOSE INFO? Employees Clients and customers Vendors Insureds, claimants and beneficiaries Business partners WHAT THREATS? Malicious Employees Business partners
5 Regulations & Statutes State notice and compliance regulations Federal statutes Proposed federal legislation PCI DSS (Data Security Standard) Cyber security Executive Order International laws
6 State Regulations: Notice 46 states & 4 U.S. jurisdictions require notice to customers after unauthorized access to PII Follow timing requirements for notifying resident consumers - without unreasonable delay but not later than 45 days Notify State Attorneys General, law enforcement, consumer protection agencies and credit reporting agencies Follow timing requirements for notifying regulators and credit reporting agencies - 48 hours; fourteen days; before notice to residents Some states require specific notice content
7 State Regulations: Examples Massachusetts 201 CMR 17: Standards for the Protection of Personal Information Mandates procedures to reduce likelihood and impact of breaches Requires a written information security program Specific requirements for user IDs, passwords, encryption, firewalls, data storage on laptops Applies to all businesses, wherever situated, that store residents PII
8 State Regulations: Examples California Confidentiality of Medical Information Act (CMIA): Cal. Civ. Code 56 Requires notice to California Department of Health and affected individuals within 5 days State fines of up to $250,000 per violation Allows for private right of action ie., UCLA breach litigation
9 Federal Laws Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health Act (HITECH) Fair and Accurate Credit Transactions Act (FACTA) Gramm-Leach-Bliley Act Sarbanes-Oxley
10 HIPAA HIPAA Privacy Rule - set of national standards for protection of certain health information HIPAA Security Rule - set of national standards to protect ephi that is created, received, used, or maintained applies to covered entities and business associates when a data event occurs, a breach is presumed risk of harm now low probability
11 HITECH Act 2009 expansion of Health Insurance Portability and Accountability Act (HIPAA) Allows State AGs to bring civil actions in federal court Provides for mandatory audits by DHHS Civil monetary penalties range from $100 - $50K per violation and $25K - $1.5M within a calendar year Mandates physical and technical safeguards Final Rule went into effect September 2013.
12 Gramm-Leach-Bliley Act Applies to financial services industry Enacted in 1999 to reform industry and address concerns relating to consumer financial privacy Includes insurance companies! GLBA Privacy Rule notification GLBA Safeguards Rule written security plan
13 Sarbanes-Oxley Applies to publicly held companies and accounting firms Rigorous data protection requirements Affects storage, access and retrieval of customer records Guidance disclosure factors: Probability of cyber incident Magnitude of the risk Potential costs and consequences of an incident
14 Identity Theft Enforcement and Restitution Act (ITERA) Identity theft offenders must pay an amount equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense. 18 U.S.C.A. 3663(b)(6). Potential impact on class actions
15 PCI DSS Payment Card Industry Security Standards Council AmEx, Discover, JCB International, Mastercard, Visa Created in 2006 to establish and control industry standards, including Data Security Standards (DSS) Requires merchants and service providers to abide by certain protocols to protect customers credit card information
16 PCI DSS (cont.) Imposes fines and penalties on offending merchants and service providers Violations of PCI DSS have multiple consequences Significant financial penalties Impact on standard of care industry investigations, outside lawsuits Small minority of states have incorporated PCI-DSS requirements into data protection laws
17 Cyber-security Executive Order Goal- safeguarding the nation s critical infrastructure against cyber-attacks by developing and implementing baseline cyber-security standards NIST required to develop a cyber-security framework to include a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks by February 2014 DHS to encourage designated owners and operators of critical infrastructure to adopt voluntary cybersecurity program
18 International Laws EU and more than 45 other countries have data protection or privacy laws, with more coming U.S. companies with control of PII for international customers must consider notification requirements of foreign jurisdictions
19 International Laws (cont.) Canada National Law PIPEDA Act (Personal Information Protection and Electronic Documents Act) applies to all businesses and organizations Some provinces (e.g., Alberta, Ontario) have passed notification and compliance laws
20 Response Discovery of data event/ clock starts Incident Response Plan Facts Law Vendors Regulatory Investigation
21 Case Studies Online retailer sees customers blogging about credit card fraud finds it was victim of SQL attack through its website storefront exposing 50,000 individuals credit cards - Forensics and PFI (PCI Forensic Investigation) - Public relations - Substitute notice, notice to regulators - PCI Fines - Remediation and PCI compliance
22 Case Studies State College shares database with State University system University student accesses 120,000 College alumni/student Social Security numbers - Forensics coordinated with University and with law enforcement - Notification timing and messaging coordinated with University (who had over 450,000 affected) - Call center and credit monitoring
23 Case Studies Hospital employee steals info. from medical records to obtain credit fraudulently. - Complicated forensics to distinguish authorized employee activity from criminal activity (otherwise notice to the 11 individuals affected would have been notice to over 70,000 potentially accessed!) - Law enforcement subpoena of employee computer further complicated forensics - HIPAA/HITECH notice imposed deadlines.
24 Case Studies Business Associate document conversion company loses volume of non-electronic hospital records. - Notice under HIPAA due to the hospital, but hospital will seek recovery of all costs from the Business Associate - Exposed documents recovered had to be analyzed manually to identify affected population and details of exposure - $500K investigation costs alone.
25 Case Studies Municipality posts employee benefits info online exposing individuals Social Security numbers and dates of birth. - Unique public relations issues: During election cycle, challenger uses incident for political gain - Entire response, including web site notice, individual notice, credit monitoring, assistance with responses to inquiries and notice to state regulators
26 Case Studies Bank website collecting loan application information is hacked exposing hundreds (maybe thousands) of applicants sensitive information. - Public relations messaging must ensure account holders who were not affected are distinguished from applicants. - Although small numbers affected at client, attack was part of larger operation under investigation by FBI and Secret Service involved Syrian Electronic Army and Anonymous - Banks can be subject to higher regulatory scrutiny
27 Response Counsel Data Breach Coach Expert outside counsel Manage investigation Legal compliance Litigation position client to avoid or defend class, regulatory, and/or individual action. Document preservation Best Practices - Analysis of system security/company procedures
28 Response Counsel (cont.) Vendors Forensic IT investigators/ PFI Public relations Document review (e-discovery) Printing, mailing, call-center and substitute notice services Identity/credit monitoring, identity theft restoration
29 Evaluation of Breach What systems/networks/records were accessed? computerized vs. paper What is nature of breach? Is it over? What kind of data was accessed/copied/stolen/ viewed? access vs. acquisition Individuals affected? individual vs. business Are duties triggered?
30 Notification Must comply even where no theft or damage Effects of poor breach response: Reputational harm Higher out-of-pocket expenses Target on back
31 Notification Checklist Electronic data or paper documents? What type of data elements are at stake? Has the personal information been misused? Is it likely to be misused? What type of entity suffered the breach? How many individuals affected?
32 Notification Checklist (cont.) What laws apply? Does a federal statute apply? If so, is the state statute preempted? Is there a preexisting security protocol in place? Should fraud protection and credit monitoring services be offered preemptively? Notify state authorities? Notify consumer reporting agencies?
33 Overreact or underreact? Quick responders spend 54% more than slow responders. Source: Ponemon Institute BUT Response can factor into lawsuits and reputational harm!
34 Lawsuits/Actions Single Plaintiff Class Action Government Action Banks PCI Subrogation/ Indemnity
35 Defending the Lawsuit/Action Specialized considerations when defending a data breach class action Multi-District Litigation Class certification discovery Joinder of all necessary and appropriate parties E-Discovery Experts Spoliation
36 Defending the Lawsuit Stollenwerk v. Tri West 9 th Cir. must assert actual identity theft. Krottner v. Starbucks Corp. 9 th Cir. increased risk of identity theft constitutes an injury-in-fact. Anderson v. Hannaford 1 st Cir. alleged actual fraud and money spent in mitigation efforts defeat dismissal Resnick v. AvMed 11 th Cir. Similar to Anderson; also held unjust enrichment claims viable for failure to keep promise to protect information. Heartland 5 th Cir. banks and credit unions not barred by economic loss doctrine from recouping card reissuance costs.
37 Preparation 96% of breaches were avoidable through simple or intermediate controls Source: Verizon 2011 Data Breach Investigations Report The cost of data breach has lowered, suggesting that companies are investing more resources in prevention and detection, such as improving their data protection practices and implementing incidence response plans Source: Ponemon Institute
38 Evaluate the Risks Has insured ever experienced a data event? Does insured collect, store, or transact any personal, financial or health data? Does insured outsource any computer network operations, data storage or network management? Does insured share data with business partners or vendors?
39 Evaluate the Risks (cont.) Does a posted Privacy Policy actually align with internal data management practices? Has insured had a recent cyber risk assessment? How long does insured maintain records? Are insureds electronic devices encrypted? Is insureds intrusion detection software/protocol current?
40 Safeguard Controls People: proper security budget, supervision, training and vigilance during and after employment Processes/policies: ISO27002, HITECH ready employee education and training, change management processes, incident response plan Technology: proven IDS/IPS capabilities, hardened and patched servers (tested), full encryption of PII
41 Managing the Risks Education: Learn about the various types of privacy violations that can occur Handheld devices Manage BYOD Limit data maintained or made available Encrypting laptops, smartphones, etc.
42 Managing the Risks (cont.) Mock breaches aka tabletop exercises Limit online access to data storage servers Policies not enough Destruction of hard drives to remove all PII
43 Managing the Risks (cont.) Incident Response Plans (IRPs) Various laws and regulations require IRPs Financial institutions, Oregon entities Many laws imply IRPs must be developed Gramm Leach Bliley, Sarbanes Oxley, HIPAA, Massachusetts, FACTA Existence of an IRP is best practice mitigate chances of breach, mitigate damages when a breach that occurs
44 Emerging Issues Cloud Computing Pre-breach Security Standards Subrogation Social Media Geo-location Tracking Collection and Use
45 Cloud Computing A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Source: U.S. Department of Commerce National Institute of Standards and Technology
46 Cloud Computing Assessment of Cloud Server Selecting the right company Physical capabilities: storage, backup Ability to respond to breaches, coverage Adequate services agreement Private, community, or public? Jurisdictional/geographic issues
47 Subrogation Data breach response laws impose costly duties on data owners regardless of intent or negligence Possibility to transfer cost to responsible parties Vendors Sub-contractors Negligence grounds lost laptops Breach of contract failure to provide adequate security
48 Conclusion What to do? Assess Address Plan and Insure Repeat
49 Questions?
50 Contact Information Jim Prendergast: (215)
TRENDS IN CYBER LIABILITY Presented by Chris DiIenno Data Privacy and Network Security Group Lewis Brisbois Bisgaard & Smith
TRENDS IN CYBER LIABILITY Presented by Chris DiIenno Data Privacy and Network Security Group Lewis Brisbois Bisgaard & Smith Types of Data at Stake Residents, constituents, employees PII Personally Identifiable
More informationCloudy With a Chance Of Risk Management
Proudly presents Cloudy With a Chance Of Risk Management Toby Merrill, ACE USA John Mullen, Nelson Levine de Luca & Hamilton Shawn Melito, Immersion Ltd. Michael Trendler, ACE INA Canada What is Cloud
More informationPrivacy Legislation and Industry Security Standards
Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,
More informationData breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd
Data breach, cyber and privacy risks Brian Wright Lloyd Wright Consultants Ltd Contents Data definitions and facts Understanding how a breach occurs How insurance can help to manage potential exposures
More informationAre Data Breaches a Real Concern? Protecting Your Sensitive Information. Phillips Auction House NY- 03/24/2015
Are Data Breaches a Real Concern? Protecting Your Sensitive Information Phillips Auction House NY- 03/24/2015 1 Agenda Current Data Breach Issues & Legal Implications Data Breach Case Study Risk Management
More informationNetwork Security & Privacy Landscape
Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies
More informationCSR Breach Reporting Service Frequently Asked Questions
CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could
More informationData Breach and Senior Living Communities May 29, 2015
Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs
More informationData breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC
Data breach! cyber and privacy risks Brian Wright Michael Guidry Lloyd Guidry LLC Collaborative approach Objective: To develop your understanding of a data breach, and risk transfer options to help you
More informationLEGAL AND REGULATORY RAMIFICATIONS OF A DATA BREACH
LEGAL AND REGULATORY RAMIFICATIONS OF A DATA BREACH NLC- RISC STAFF CONFERNCE Octobegffgfdadadddffffdfddfadr NLC- RISC STAFF CONFERENCE October 22nd, 2013 Portland, Oregon Jim Prendergast Partner, Data Privacy
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationplantemoran.com What School Personnel Administrators Need to know
plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of
More informationData Breach Cost. Risks, costs and mitigation strategies for data breaches
Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,
More informationSINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry
SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry DATA BREACH A FICTIONAL CASE STUDY THE FIRST SIGNS OF TROUBLE Friday, 5.20 pm :
More informationDATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT
Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security
More informationSolutions Brief. PC Encryption Regulatory Compliance. Meeting Statutes for Personal Information Privacy. Gerald Hopkins Cam Roberson
Solutions Brief PC Encryption Regulatory Compliance Meeting Statutes for Personal Information Privacy Gerald Hopkins Cam Roberson March, 2013 Personal Information at Risk Legislating the threat Since the
More information12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013
Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He
More informationKeeping watch over your best business interests.
Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation
More informationPage 1 of 15. VISC Third Party Guideline
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
More informationData Privacy: What your nonprofit needs to know. Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015
Data Privacy: What your nonprofit needs to know Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015 Overview 2 Data privacy versus data security Privacy polices and best practices Data security
More informationIntroduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide
Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com
More informationJefferson Glassie, FASAE Whiteford, Taylor & Preston
Jefferson Glassie, FASAE Whiteford, Taylor & Preston 2 * 3 PII = An individuals first name and last name or first initial and last name in combination with any one or more of the following data elements
More informationThe Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano
The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments Robin B. Campbell Ethan P. Schulman Jennifer S. Romano HIPAAPrivacy and Security Breach Overview of the Laws Developments Incident
More informationPrivacy Law Basics and Best Practices
Privacy Law Basics and Best Practices Information Privacy in a Digital World Stephanie Skaff sskaff@fbm.com What Is Information Privacy? Your name? Your phone number or home address? Your email address?
More informationData Security Breaches: Learn more about two new regulations and how to help reduce your risks
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationManaging Cyber & Privacy Risks
Managing Cyber & Privacy Risks NAATP Conference 2013 NSM Insurance Group Sean Conaboy Rich Willetts SEAN CONABOY INSURANCE BROKER NSM INSURANCE GROUP o Sean has been with NSM Insurance Group for the past
More informationCYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
More informationBridging the HIPAA/HITECH Compliance Gap
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)
More informationDiscussion on Network Security & Privacy Liability Exposures and Insurance
Discussion on Network Security & Privacy Liability Exposures and Insurance Presented By: Kevin Violette Errors & Omissions Senior Broker, R.T. Specialty, LLC February, 25 2014 HFMA Washington-Alaska Chapter
More informationCybersecurity Workshop
Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationData Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked
Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed
More informationCybersecurity: Protecting Your Business. March 11, 2015
Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks
More informationRISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION
RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION October 23, 2015 THREAT ENVIRONMENT Growing incentive for insiders to abuse access to sensitive data for financial gain Disgruntled current and former
More informationThe Importance of Privacy & Data Security in a Changing World
Cyber, PrivaCy & Data SeCurity 360 www.mpplaw.com about our PraCtiCe Data is the lifeblood of our global economy. Collected, stored and transmitted, digital data not only imparts great opportunities, but
More informationChecklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @
Checklist for Breach Readiness Enabling a Resilient Organization Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Facts about breach violation impact
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
More informationChecklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security
Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Review the
More informationGALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability
GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the
More informationNavigating the New MA Data Security Regulations
Navigating the New MA Data Security Regulations Robert A. Fisher, Esq. 2009 Foley Hoag LLP. All Rights Reserved. Presentation Title Data Security Law Chapter 93H Enacted after the TJX data breach became
More informationCYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS
CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS 1 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become
More informationThe Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor
The Matrix Reloaded: Cybersecurity and Data Protection for Employers Jodi D. Taylor Why Talk About This Now? Landscape is changing Enforcement by federal and state governments on the rise Legislation on
More informationPrivacy and Data Breach Protection Modular application form
Instructions The Hiscox Technology, Privacy and Cyber Portfolio Policy may be purchased on an a-la-carte basis. Some organizations may require coverage for their technology errors and omissions, while
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More informationBest practices and insight to protect your firm today against tomorrow s cybersecurity breach
Best practices and insight to protect your firm today against tomorrow s cybersecurity breach July 8, 2015 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently
More informationPrepare for the Worst: Best Practices for Responding to Cybersecurity Breaches Trivalent Solutions Expo June 19, 2014
Prepare for the Worst: Best Practices for Responding to Cybersecurity Breaches Trivalent Solutions Expo June 19, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A.
More informationImplementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind
Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and
More informationNerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.
Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches Gerard M. Stegmaier gstegmaier@wsgr.com @1sand0slawyer Data Breach Trends 2011 Average Loss to Organization = $5.5 million
More informationBrief. The BakerHostetler Data Security Incident Response Report 2015
Brief The BakerHostetler Data Security Incident Response Report 2015 The rate of disclosures of security incidents in 2015 continues at a pace that caused many to call 2013 and then 2014 the year of the
More informationCyber Exposure for Credit Unions
Cyber Exposure for Credit Unions What it is and how to protect yourself L O C K T O N 2 0 1 2 www.lockton.com Add Cyber Title Exposure Here Overview #1 financial risk for Credit Unions Average cost of
More informationProtecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)
Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00) May 15, 2009 LLP US Information Security Framework Historically industry-specific HIPAA Fair Credit Reporting
More informationIDENTITY THEFT: DATA SECURITY FOR EMPLOYERS. Boston, MA 02110 Richmond, Virginia 23219 Tel. (617) 502.8238 Tel. (804) 783.7579
IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS Daniel J. Blake, Esq. Vijay K. Mago, Esq. LeClairRyan, A Professional Corporation LeClairRyan, A Professional Corporation One International Place, Eleventh Floor
More informationHackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common
Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable Steven J. Fox (sjfox@postschell.com) Peter D. Hardy (phardy@postschell.com) Robert Brandfass (BrandfassR@wvuh.com) (Mr. Brandfass
More informationCLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013
CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street
More informationCyber/Information Security Insurance. Pros / Cons and Facts to Consider
1 Cyber/Information Security Insurance Pros / Cons and Facts to Consider 2 Presenters Calvin Rhodes, Georgia Chief Information Officer Ron Baldwin, Montana Chief Information Officer Ted Kobus, Partner
More informationData Breach Notification Burden Grows With First State Insurance Commissioner Mandate
Privacy, Data Security & Information Use September 16, 2010 Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate by John L. Nicholson and Meighan E. O'Reardon Effective
More informationNetwork Security & Privacy Landscape
Network Security & Privacy Landscape Presented By: Pam Townley, AVP / Eastern Zonal Manager AIG Professional Liability Division Jennifer Bolling, Account Executive Gallagher Management Liability Division
More information3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?
HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? 1 DEFINITIONS HIPAA Health Insurance Portability and Accountability Act of 1996 Primarily designed
More informationACE Advantage PRIVACY & NETWORK SECURITY
ACE Advantage PRIVACY & NETWORK SECURITY SUPPLEMENTAL APPLICATION COMPLETE THIS APPLICATION ONLY IF REQUESTING COVERAGE FOR PRIVACY LIABILITY AND/OR NETWORK SECURITY LIABILITY COVERAGE. Please submit with
More informationThe Evolving Legal Framework Regulating Commercial Data Security Standards
The Evolving Legal Framework Regulating Commercial Data Security Standards By Bret Cohen Late one evening in December 2010, an employee of a commercial blood bank left his office with four backup tapes
More informationData Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com
Data Security 101 A Lawyer s Guide to Ethical Issues in the Digital Age Christopher M. Brubaker cbrubaker@clarkhill.com November 4-5, 2015 Pennsylvania Bar Institute 21 st Annual Business Lawyers Institute
More informationData Privacy & Security: Essential Questions Every Business Must Ask
Data Privacy & Security: Essential Questions Every Business Must Ask Presented by: Riddell Williams P.S. Riddell Williams P.S. May 6, 2015 #4841-4703-9779 Innocent? 2 Overview 3 basic questions every business
More informationInsulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact. February 10, 2015
Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact February 10, 2015 Overview 1 The Legal Risks And Issues/The Role Of Legal Counsel: The Breach Coach The Slippery
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationCybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015
Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission June 25, 2015 1 Your Panelists Kenneth L. Chernof Partner, Litigation, Arnold & Porter LLP Nicholas
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationCyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029
Cyber Liability Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029 Today s Agenda What is Cyber Liability? What are the exposures? Reality of a
More informationCyber Risk, Legal And Regulatory Issues, And Insurance Mitigation ISACA Pittsburgh Information Security Awareness Day
Lloyd s of London (Reuters) May 8, 2000 Cyber Risk, Legal And Regulatory Issues, And Insurance Mitigation ISACA Pittsburgh Information Security Awareness Day Rivers Casino, Pittsburgh November 17, 2014
More informationDisclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)
HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute
More informationMitigating and managing cyber risk: ten issues to consider
Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed
More informationHow To Protect Yourself From Cyber Threats
Cyber Security for Non- Profit Organizations Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3 May 2015 Agenda IT Security Basics e- Discovery Compliance Legal Risk Disaster Plans Non- Profit
More informationManaging Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec
Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec Jeremy Ong Divisional Vice-President Great American Insurance Company November 13, 2010 1 Agenda Overview of data breach statistics
More informationEmail Archiving for the Financial Industry
jatheon technologies whitepaper hot ISSUE Email Archiving for the Financial Industry 2... I ntroduction 2... Challenges Faced b y the Financial Sector 2... Why Financial Firms Need to Comply 3... Compliance
More informationIntelligent Vendor Risk Management
Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach
More informationThe Legal Pitfalls of Failing to Develop Secure Cloud Services
SESSION ID: CSV-R03 The Legal Pitfalls of Failing to Develop Secure Cloud Services Cristin Goodwin Senior Attorney, Trustworthy Computing & Regulatory Affairs Microsoft Corporation Edward McNicholas Global
More informationThe Cyber Attack and Hacking Epidemic A Legal and Business Survival Guide
The Cyber Attack and Hacking Epidemic A Legal and Business Survival Guide Practising Law Institute January 9, 2012 Melissa J. Krasnow, Partner, Dorsey & Whitney LLP, and Certified Information Privacy Professional
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationCompliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations
Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased
More informationData Privacy and Security: A Primer for Law Firms
Data Privacy and Security: A Primer for Law Firms All We Do Is Work. Workplace Law. In four time zones and 46 major locations coast to coast. www.jacksonlewis.com JACKSON LEWIS SERVING THE DIVERSE NEEDS
More informationThe Impact of HIPAA and HITECH
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationInternet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler
Internet Gaming: The New Face of Cyber Liability Presented by John M. Link, CPCU Cottingham & Butler 1 Presenter John M. Link, Vice President jlink@cottinghambutler.com 2 What s at Risk? $300 billion in
More informationDelaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP
Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats
More informationHCCA Compliance Institute 2013 Privacy & Security
HCCA Compliance Institute 2013 Privacy & Security 704 Conducting a Privacy Risk Assessment A Practical Guide to the Performance, Evaluation and Response April 23, 2013 Presented By Eric Dieterich Session
More informationCyber, Security and Privacy Questionnaire
Cyber, Security and Privacy Questionnaire www.fbinsure.com Please note: This is an electronic application. When completed please save and email to: Ed McGuire emcguire@fbinsure.com Cyber, Security & Privacy
More informationAuditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP
Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements
More informationData Breach Response Basic Principles Under U.S. State and Federal Law. ABA Litigation Section Core Knowledge January 2015 1
Data Breach Response Basic Principles Under U.S. State and Federal Law ABA Litigation Section Core Knowledge January 2015 1 I. Introduction Data breaches have become an unfortunate reality for many of
More information3/4/2015. Scope of Problem. Data Breaches A Daily Phenomenon. Cybersecurity: Minimizing Risk & Responding to Breaches. Anthem.
Cybersecurity: Minimizing Risk & Responding to Breaches March 5, 2015 Andy Chambers Michael Kelly Jimmie Pursell Scope of Problem Data Breaches A Daily Phenomenon Anthem JP Morgan / Chase Sony Home Depot
More informationWhat Data? I m A Trucking Company!
What Data? I m A Trucking Company! Presented by: Marc C. Tucker 434 Fayetteville Street, Suite 2800 Raleigh, NC, 27601 919.755.8713 marc.tucker@smithmoorelaw.com Presented by: Rob D. Moseley, Jr. 2 West
More informationNine Network Considerations in the New HIPAA Landscape
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
More informationDATA BREACH COVERAGE
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ THIS CAREFULLY. DATA BREACH COVERAGE SCHEDULE OF COVERAGE LIMITS Coverage Limits of Insurance Data Breach Coverage $50,000 Legal Expense Coverage $5,000
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY
More informationPROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS
PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS The following claim scenarios are hypothetical and are offered solely to illustrate the types of situations that may result in claims. Although sorted by industry,
More informationIntroduction to Data Privacy & ediscovery Intersection of Data Privacy & ediscovery
Today s Topics Introduction to Data Privacy & ediscovery General Overview Data Privacy in the United States Data Privacy in Foreign Countries Intersection of Data Privacy & ediscovery Preservation of Data
More informationWhat Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act
What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act
More information