Information Governance Roadmap




Information Governance Roadmap: Mitigating Privacy Risks, Reducing Costs and Meeting Obligations

Speakers: Heather Buchta, Partner, Quarles & Brady; Rebecca Perry, CIPP/US/G, Director of Professional Services, Jordan Lawrence

Over-Retention Is Costly and Dangerous

Defensible Deletion Solves the Problems

What Is Information Governance?

Gartner's definition: "The specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals."

Information governance is multi-faceted, touching: information security, data science, electronic discovery, business management, compliance, business intelligence, analytics, records management, finance, audit, privacy, risk management, and IT and infrastructure management (Information Governance Initiative).

ABC Company's Retention Schedule DOOM

Start With a Solid Foundation: media, data subjects, sensitivity, privacy, record type DNA, storage, regulatory, usage and retention.

What Do You Have? Accident/incident records, advertising records, benefit records, budget records, contracts and agreements, coupon records, credit approvals, customer information, customer orders, employee medical files, gift card functions, payment records, sales receipts.

Where Is It? (slide graphic: binary digits)

What Are the Requirements? Business needs. Sensitivity: cardholder data, corporate sensitive, government IDs, intellectual property, PII, biometric, patient health information. Requirements: DOL, FSMA, GLB, HIPAA, OSHA, SEC, state privacy laws.


Actionable Retention Schedule

Retention for All Information: valid business records and litigation holds are legitimate retention requirements; reference value means retention varies; most information has little retention value.

Deletion Strategy for Email
Non-essential communication: Inbox = 180 days; Sent Items = 180 days; Deleted Items = 2 days.
Business-need communications: 18-month retention (all departments).
Departmental exceptions: 6-year retention (HR); 7-year retention (Legal); 7-year retention (Tax); disability records 6 years.
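The email deletion strategy above, encoded as a retention evaluator (an added example, not part of the original presentation). The retention periods are the slide's; the Message fields, folder names and the rule that a litigation hold (listed among the legitimate retention requirements) overrides every period are assumptions about how a mail platform would tag items.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Retention periods transcribed from the slide. The classification fields
# on Message are assumptions about how a mail system would tag items.
FOLDER_LIMIT_DAYS = {"inbox": 180, "sent": 180, "deleted": 2}  # non-essential mail
BUSINESS_RECORD_MONTHS = 18                                     # all departments
DEPARTMENT_EXCEPTION_YEARS = {"hr": 6, "legal": 7, "tax": 7}    # departmental exceptions


@dataclass
class Message:
    folder: str               # "inbox", "sent" or "deleted"
    department: str           # owning department, case-insensitive
    received: date
    business_record: bool     # tagged as a business-need communication
    legal_hold: bool = False  # subject to a litigation hold


def add_months(d: date, months: int) -> date:
    """Calendar-accurate month arithmetic, clamping to the last valid day."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


def retention_expiry(msg: Message) -> date:
    """Date on which the applicable retention period has fully elapsed."""
    if msg.business_record:
        years = DEPARTMENT_EXCEPTION_YEARS.get(msg.department.lower())
        months = years * 12 if years else BUSINESS_RECORD_MONTHS
        return add_months(msg.received, months)
    try:
        days = FOLDER_LIMIT_DAYS[msg.folder.lower()]
    except KeyError:
        raise ValueError(f"no retention rule for folder {msg.folder!r}")
    return date.fromordinal(msg.received.toordinal() + days)


def should_delete(msg: Message, today: date) -> tuple[bool, str]:
    """Defensible-deletion decision: (eligible, reason). Holds always win."""
    if msg.legal_hold:
        return False, "litigation hold overrides every retention period"
    expiry = retention_expiry(msg)
    if today > expiry:
        return True, f"retention expired {expiry.isoformat()}"
    return False, f"retain until {expiry.isoformat()}"
```

The reason string is what a deletion job should write to the audit trail so each purge is traceable to the policy line that authorised it.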

Leverage Technology: records versus non-records, with retention tiers of 6 years, 3 years and 18 months.

Eliminate Obsolete Paper Records: 44% of boxes were eligible for immediate destruction (destroyed boxes 44%, remaining boxes 56%).

Training: ABC Company's Records Management Training

Build Your Audit Trail: require regular policy attestation (Records Retention Policy).

Mitigating Privacy Risks: assessing privacy risks and steps to risk reduction.

Privacy Assessment: privacy audit and due diligence (interviews, investigation). Identify who, what, when, where and why. Data: consumer or business? Source: online or offline? Geography: US or foreign? Context: purchases or sweepstakes? Storage: onsite or offsite? Usage: shared or used internally?

Categorize Your Data: create a data map. Is your data sensitive? Personally identifiable? Financial? Health related? Employee related? The result is a risk profile and potential exposure.

Regulatory Review (United States)
Personal information: federal: FTC Act, COPPA, CAN-SPAM, TCPA, FERPA; state: breach notification, point-of-sale collection, state consumer protection, security obligations.
Health information: federal: HIPAA, HITECH, Health Breach Notification Rule, GINA; state: HIPAA-like laws.
Financial information: federal: GLB, FCRA, FACTA; state: GLB-like laws.
Employee information: federal: ERISA, FMLA, Whistleblower Protection Act; state: contract law.

Industry Review: credit card data: PCI DSS v3, Nevada 603A.215, Minnesota 325E.64; online tracking: Digital Advertising Alliance (OBA and retargeting); National Institute of Standards and Technology (NIST): media sanitization, Cybersecurity Framework; North American Electric Reliability Corporation (NERC).

Self-Imposed Obligations: contractual (vendors, customers); privacy policies and privacy notices.

Security: "appropriate and reasonable". A security audit is a "systematic, measurable technical assessment of how the organization's security policy is employed at a specific site" (Symantec 2003). What is involved? Personal interviews, vulnerability scans (pen-testing), examinations of operating system settings, analyses of network shares and other data.

When, Not If: WISP; consider insurance options; identify key team members (key executives, compliance, CISO?, legal, marketing/HR, PR, IT/forensics, incident response vendor?); incident response plan; tabletop exercises.

Next Steps: 1. Internal privacy program. 2. Data retention schedule. 3. Regularly review. 4. Continuing process.

Heather Buchta, Partner, Quarles & Brady, 602.229.5228, heather.buchta@quarles.com
Rebecca Perry, CIPP/US, Director of Professional Services, Jordan Lawrence, 636.821.2251, rperry@jordanlawrence.com