Identity Theft Security and Compliance: Issues for Business




The Facts

Six Common Uses for Stolen Information
- Financial
- Criminal
- Medical
- DMV
- Social Security
- Terrorist

The Facts

A Chronology of Data Breaches

Over 245 million records of U.S. residents have been exposed due to security breaches since January 2005.

June 10, 2008 - Wheeler's Moving Company (Boca Raton, FL) - Unknown
Personal files with tax information, Social Security numbers and license numbers were found in a Boca Raton dumpster.

June 10, 2008 - University of Utah Hospitals and Clinics (Salt Lake City, UT) - 2.2 Million
Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center. The records, described only as backup information tapes, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years.

May 30, 2008 - Circuit Court of Louisville (Louisville, KY) - 312
Louisville Metro Police made an arrest, and during that arrest they found 312 stolen court traffic files in that person's possession. All of the files contain personal information of people in Louisville such as name, address, date of birth and, in some cases, Social Security numbers and copies of driver's licenses.

May 29, 2008 - State Street Corp/Investors Financial Services (Boston, MA) - 45,500
Computer equipment containing personal information on customers and employees of a State Street unit was stolen. The computer equipment was stolen from a vendor hired by Investors Financial Services to provide legal support services. The personal information included names, addresses and Social Security numbers.

Source: The Privacy Rights Clearing House, http://www.privacyrights.org

The Facts

Common Causes of Information Loss or Breach

Internal Threats
- Poorly trained personnel
- Inadequate security measures
- Insufficient support from management
- Unsupervised third party providers
- Dishonest insiders
- Inadequate IT systems
- Human Error - the Human Element

External Threats
- Hackers
- Organized Crime
- Social Engineers
- Customers
- Competitors

Think Fast

The Facts

Rooting Out Identity Fraud and Theft. Identity thieves use the Confidential and Sensitive Information of individuals, groups, and entities to open new accounts or transact on others' existing accounts. As a result, their actions create liability for the victims. These liabilities can amount to serious damages financially, medically, and criminally, and can ruin a good reputation.

Risk Management. The object of an Identity Theft Prevention Program is to safeguard any identifying information that a thief may use to open new accounts, or access existing accounts, with your organization or with a different organization.

Legislation, Loss, and Social Responsibility

Three Reasons Why Businesses Need to Safeguard Confidential and Sensitive Information
1. Current State and Federal Legislation Requirements
2. To Limit Financial Loss and Loss of Trust
3. Social Responsibility

Which is most damaging?

Important Federal Legislation
- Identity Theft Assumption and Deterrence Act of 1998
- Family Education Rights and Privacy Act
- Health Insurance Portability and Accountability Act (HIPAA): Security Rule
- Gramm-Leach-Bliley Act: Safeguard Rule
- Fair and Accurate Credit Transactions Act (FACTA) Identity Theft Red Flags Rule (Sections 114 and 315)
- Social Security Number Privacy Act

The Fair and Accurate Credit Transactions Act (FACTA) Sections 114 & 315: Red Flags Regulations and Guidelines

Purpose - The Red Flag Regulations and Guidelines require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.

Compliance Deadline - Effective January 1, 2008. Final deadline for compliance is November 1, 2008.

Defining Covered Accounts. Both new and existing accounts where a continuing relationship exists between the company and the customer must be addressed in the Identity Theft Prevention Program. They are defined by the regulation as covered accounts.

Elements of Red Flags
1. Identify Red Flags
2. Detect Red Flags
3. Respond to Red Flags
4. Update the Program

Program Administration
- The Identity Theft Prevention Program must have written approval from the Board of Directors.
- The Program must be designed, implemented, and maintained by the Board, an appointed committee, or a designated member of senior management.
- Train Staff
- Service Provider Oversight

State Legislation

Common Law

As a fundamental principle, even before reaching theories applicable to information security, parties are generally responsible under the common law of torts to use due care in handling the information regarding others. Businesses that do not take reasonable steps to protect information could be held civilly liable for criminal acts committed by others with the stolen information. This was the outcome of Bell v. Michigan Council 25 of the AFSCME, 2005 Mich. App. LEXIS 353 (Mich. Ct. App. Feb. 15, 2005).

Source: June 2005 Electronic Banking Law and Commerce Report

State Identity Theft Notification & Encryption Laws

To date, 43 states have victim notification laws in place. In general, a business must notify potential victims within a reasonable period of time in the event of a breach.

Financial Loss and Loss of Trust

If confidential and sensitive information is lost or stolen, damages go beyond government fines, penalties, and potential imprisonment. Perhaps the greatest impact to business is negative publicity and loss of trust among consumers.

According to the Ponemon Institute, in the event of a breach...
- 31% of your affected customers will terminate their relationship,
- 57% will lose trust and confidence in the company,
- 8% will file formal complaints (lawyers),
- 72% said there is a great chance they will become victims of Identity Theft.

Obviously, the best way to maintain consumers' trust is to avoid a data breach in the first place with safeguards that will secure customer and employee data from loss or theft.

Source: Ponemon Institute Research Report, 2008

Social Responsibility

Any organization that collects and/or retains personal, financial, medical, and business information has an ethical and a social responsibility to safeguard that information.

It's everyone's responsibility to protect each other's information.

Workplace Requirements

Compliance Standards for the Protection of Confidential and Sensitive Information

There can be safe harbor for businesses that make a reasonable effort to safeguard confidential and sensitive information. This includes:
1. The designation of an Information Security Officer.
2. A risk assessment of material internal and external risks to the security of confidential and sensitive information.
3. The design and implementation of a written Information Security Policy.
4. The implementation of a vendor management program.
5. Employees must be trained on security policies.
6. The evaluation and adjustment of the program in light of the results of testing and ongoing monitoring of the program.
7. A plan for security incidents.

Thank You!

Safeguarding personal, business, financial, medical information is everyone's responsibility! We are here to help.

Identity Theft LOSS Prevention, LLC
7330 Turk Road
Ottawa Lake, Michigan 49267
888 LOST MY ID
www.idtlp.com