Cloudy With a Chance Of Risk Management


Cloudy With a Chance Of Risk Management. Presenters: Toby Merrill, ACE USA; John Mullen, Nelson Levine de Luca & Hamilton; Shawn Melito, Immersion Ltd.; Michael Trendler, ACE INA Canada

What is Cloud Computing?

The Evolution: Traditional Computing. Traditionally, all the applications we used and the storage we had access to were located on site. Data and information resided on the computer we used or on the server we connected to directly. Products were purchased by us directly, and typically we had to install and maintain them ourselves.

The Evolution: Cloud Computing. With the evolution of cloud computing there is no longer a need for the software and hardware we use to exist locally. Products are sold as a service, which means an individual or organization no longer needs to purchase them outright. The cloud provider is now responsible for service upgrades, maintenance, etc.

Cloud Computing Defined

The Three Service Models of Cloud Computing

Risk Management Considerations of Cloud Computing

Benefits of the Cloud

Canadian Legislation

Relevant Canadian Legislation
Privacy Act (Federal Government Agencies)
Personal Information Protection and Electronic Documents Act (PIPEDA) or substantially similar Provincial legislation:
1. Alberta Personal Information Protection Act (PIPA)
2. British Columbia Personal Information Protection Act (PIPA & PIPA Regulations)
3. Ontario Personal Health Information Protection Act (PHIPA, healthcare information only)
4. Quebec Protection of Personal Information in the Private Sector (PPIPS)
NB: under BC's Freedom of Information and Protection of Privacy Act (FIPPA, public bodies only), PI cannot be stored or accessed outside of Canada without consent.

Relevant Canadian Legislation - Definitions
- Personal Information (PI): information related to an identifiable individual
- Data Controller = company; Data Processor = cloud service provider
- Storing of data is considered processing under PIPEDA
- The data controller is always responsible for PI, not the processor. It shall use contractual or other means to provide a comparable level of protection.
Principle-based laws:
- Notice: explain data storage procedures to customers
- Consent: customers must provide explicit (opt-in) consent
- Security: an organization shall take physical, organizational and technological measures to ensure PI is protected.

Relevant Canadian Legislation - Data Breach
- Alberta: notify the Commissioner if a reasonable person would consider there exists a real risk of significant harm. The Commissioner orders notification.
- Ontario, New Brunswick & Nova Scotia: healthcare data breaches only
- Guidance: Key Steps for Organizations in Responding to Privacy Breaches

U.S. STATE REGULATORY EXPOSURES
- State level breach notice: 46 states (plus Puerto Rico, Wash. D.C., Virgin Islands) require notice to customers after unauthorized access to PII/PHI.
- Require firms that conduct business in the state to notify resident consumers of security breaches of unencrypted computerized personal information.
- Many require notification of the state attorney general, state consumer protection agencies, and credit monitoring agencies.

EVOLVING EXPOSURES
- California: expanded definition of PII includes user name/email address in combination with password or security question and answer
- Vermont: notice to affected individuals within 45 days of breach discovery; notice to VT AG within 14 days of breach discovery or affected individual notice (whichever is sooner)
- Texas: notice to affected individuals pursuant to the law of the individual's state of residence or, if none, then pursuant to TX
- Massachusetts: written information security plan for businesses storing MA resident personal information
- Connecticut: notice to CT AG not later than the time when notice is provided to Connecticut residents
- New Jersey, Maryland: notice to regulators prior to notice being provided to residents
- Nevada: data collectors doing business in NV must comply with PCI-DSS

Regulatory Exposures
Shifting (increasing) exposure and risk to the cloud does not relieve duties.
- FACTA Red Flags Program: mandates that creditors create an Identity Theft Prevention Program. It must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. Ability of the creditor to monitor a red flag on a cloud?
- HITECH Act: first national breach notification requirement (> 500: HHS; < 500: year end). Permits state Attorneys General to enforce HIPAA. Extends HIPAA to business associates of HIPAA covered entities. Is the cloud provider permitted access to PHI?
- SEC/SOX: mandate certain disclosures in Financial Statements and to shareholders related to data security/exposure and data breach.
- Mass. CMR 17.00: mandates a written info security plan (specific requirements like encrypted portable devices). If using the cloud, it should address the cloud provider's info security plan.
- GLBA: for financial institutions ---> security, notice duties, written security plan. Again, a shift in IT location is not a shift in responsibility to comply with the law.

DEFENSE ERODING
- Stollenwerk v. Tri West: assert actual identity theft
- Krottner v. Starbucks Corp.: increased risk of identity theft resulting from actual theft of personal information constitutes an injury-in-fact
- Claridge v. RockYou: breach of PII is a sufficient basis for harm in common law contract/negligence claims because PII contains an inherent property right
- Anderson v. Hannaford: alleged fraud in the population and money spent in mitigation efforts sufficient (instead of time/effort)
- Resnick v. AvMed: when ID theft is fairly traceable to the defendant's actions, monetary loss and financial injury related to restoration are cognizable injuries under FL law
- In re Heartland: economic loss doctrine under NJ law does not preclude a negligence claim
- Yunker v. Pandora: no standing where no allegation of actual identity theft or harm exists

- ITERA (Identity Theft Enforcement and Restitution Act): pay an amount equal to the value of the time reasonably spent
- In re Hannaford Bros. Data Security Breach Litigation: does time equal money? No. But if there is fraud, credit monitoring damages may be due.
- ChoicePoint Data Breach Settlement (FTC): paid for time they may have spent monitoring their credit or taking other steps in response

Legal Considerations in the Cloud - Contract Issues
- Be aware of aggregate risk scenarios.
- Ensure that language makes clear data cannot/will not be used by the cloud provider other than for insured... even if de-identified.
- Don't waive the right to subrogate.
- Are indemnity clauses fair? (Defense and indemnity.) If indemnity is fair, the trigger should be a possible event, not just a lawsuit.
- Notice duty regarding a possible security event.
- Require appropriate responsive insurance and proof from the carrier (not just a cert from the broker).
- Choice of law.
- Definitions: event.
- Access: right to pre-event audit and review of security and ongoing policies and procedures relating to data security.
- Cooperation in the event of a security incident (forensic access?)

Legal Considerations in the Cloud - Event Response
Efficiency and timing are critical when responding to a possible compromise event. How does the introduction of a cloud service into a data compromise scenario impact these factors?
- Timing of notice of a breach event from the cloud service to the data owner
- Level of cooperation between the cloud service and the data owner following a possible compromise:
  - Access granted to a third party forensics team; or
  - Responsiveness to requests for information from forensics.

Proactive Measures - Considerations
- Governance: corporate policies, procedures and standards.
- Identity and Access Management: controls surrounding access by cloud provider employees as well as employees and users of the public body's systems.
- Infrastructure Security: the management and ongoing maintenance of network, system and application security, including layered security controls and patch management.
- Encryption: encryption during transmission as well as in storage at the cloud provider's facilities.
- Contractual provisions: include a requirement to notify as soon as possible in the event of an actual or suspected breach. Conduct site visits. Ability to ask employees about the ways in which the third party is managing PI. Contracts should also limit the right of the third party to use or disclose the personal information.
Paraphrased from the Office of the Privacy Commissioner of British Columbia's document: CLOUD COMPUTING GUIDELINES FOR PUBLIC BODIES - UPDATED JUNE 2012

Proactive Measures - Questions to Ask
- Does the cloud provider guarantee the security and privacy of your data?
- Who owns the data once it is in the cloud?
- What are the procedures should there be a data breach?
- Will you have the ability to investigate the breach?
- Who will handle (and pay for) the breach response?
- And how much of all of the above can you actually get in a contract?
- Has anyone done a Privacy Impact Assessment (PIA)?

Enjoy the rest of the 2013 RIMS Canada Conference!