Protect Your Privates

Protect Your Privates
Session 502, June 10, 2014, 1:45 PM
IASA 86th Annual Educational Conference & Business Show

Agenda
- Introductions
- Objectives
- Overview of Privacy Laws and Regulations
- Recent Breaches
- Current and Future Trends
- Risk Mitigation Strategies

Chris Tait, CISA, CCSK, Principal, Baker Tilly Virchow Krause, LLP, chris.tait@bakertilly.com

Mike Cullen, CISA, CISSP, CIPP/US, Senior Manager, Baker Tilly Virchow Krause, LLP, mike.cullen@bakertilly.com

POLL (Poll Everywhere): Online = pollev.com/mc99; Text = 22333

Objectives
- Review the definition of privacy and certain privacy standards
- Review insurance-specific privacy laws and regulations
- Learn about recent data breaches
- Discuss current and future trends in privacy
- Debate risk mitigation strategies with session participants

Overview of Privacy: What is privacy?
"The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information."
Source: American Institute of Certified Public Accountants (AICPA), Generally Accepted Privacy Principles

Overview of Privacy: What is the difference between privacy and security?
- Privacy is concerned with enabling individuals to have a say over how their personal information is collected, used, retained, and disclosed.
- Security is concerned with protecting information from inappropriate access, modification, or destruction.
- To achieve privacy, you must have security.
- Both security and privacy are business issues.

Overview of Privacy: What is personally identifiable information (PII)?
Information that can be attributed to and used to identify a specific individual. It may include:
- Name
- Social Security Number
- Residential and office addresses
- Phone numbers
- Account numbers (e.g., driver's license, financial)
- Demographics (e.g., age, gender, race, ethnicity)
- Identification numbers (e.g., student ID, driver's license, IP address)
- Claims records
- Physical characteristics (e.g., face, eyes, fingerprints, handwriting)
- Profile (e.g., buying history, browsing history,

Overview of Privacy: Why does privacy matter to insurance companies?
- Exceptional volume and variety of personal information (e.g., policies, health records, incident history)
- Increased complexity and oversight challenges
- Subject to many privacy laws and regulations due to the breadth and nature of business operations
- Intrinsic reputational importance of services

Overview of Privacy
Benefits:
- Brand protection
- Market confidence
- Customer loyalty
- Trust
- Competitive differentiation
Risks:
- Negative publicity
- Lost business
- Damaged relationships
- Legal liability and financial loss
- Regulatory or industry sanctions

Laws and Regulations
- CAN-SPAM
- Gramm-Leach-Bliley Act (GLBA)
- Driver's Privacy Protection Act (DPPA)
- Fair Credit Reporting Act (FCRA)
- Genetic Information Nondiscrimination Act (GINA)
- HIPAA and HITECH Act
- Identity Theft Red Flags
- International laws
- PCI DSS
- State data protection and breach notification laws

PCI DSS Version 3.0
- PCI DSS Version 3.0 became effective on January 1, 2014
- Organizations have until January 1, 2015 to be in compliance
- Some changes are future-dated requirements and are best practices until July 1, 2015
- Three change types: clarification (the vast majority), additional guidance, and evolving requirements

State Data Protection and Breach Notification Laws
- Data protection and breach notification laws: 47 states, DC, Guam, Puerto Rico, US Virgin Islands
- Exceptions: Alabama, New Mexico, South Dakota
- Kentucky joined the club on April 11, 2014
- Minnesota, Nevada, and Washington have all passed laws that codify some or all aspects of PCI DSS
- Generally these laws apply to all entities that hold data about the respective state's residents, regardless of whether the entity does business in that state
- The laws dictate specific information types (PII, financial, genetic)

Laws and Regulations: Future laws and regulations
- Federal breach notification
- White House Big Data Initiative: http://www.whitehouse.gov/issues/technology/big-data-review

Federal Breach Notification
- Personal Data Privacy and Security Act of 2014 (Sen. Patrick Leahy), in committee
- Application Privacy, Protection, and Security Act of 2013 (Rep. Hank Johnson), in committee

Federal Breach Notification
- Federal Agency Data Breach Notification Act of 2014 (Rep. Gerry Connolly), in committee
- Personal Data Protection and Breach Accountability Act of 2014 (Sen. Richard Blumenthal), in committee

White House Big Data Initiative
The President's Council of Advisors on Science and Technology (PCAST) issued a report on May 1, 2014. Recommendations:
- Advance the Consumer Privacy Bill of Rights
- Pass national data breach legislation
- Extend privacy protections to non-U.S. persons
- Ensure data collected on students in school is used for educational purposes
- Expand technical expertise to stop discrimination
- Amend the Electronic Communications Privacy Act

Recent Breaches
- Nationwide Insurance
- AppleCare Insurance Services
- Continental American Insurance
- BCBS NJ

Recent Warnings (sans.org): FBI Warns Healthcare Industry of Cyber Security Risks (April 2014)
The FBI has issued two private industry notices (PINs) to the healthcare sector, warning that cyber attacks against devices and systems in that industry are likely to increase. The transition to electronic health records (EHRs), weak security, and the value of medical data on the black market are all indicators that the number of attacks will rise.

Recent Warnings (sans.org): Medical Devices Lack Adequate Security (April 2014)
A study of medical equipment at a chain of health care facilities in the Midwest found drug infusion pumps that could be remotely controlled to alter dosages; Bluetooth-enabled defibrillators that could be manipulated to deliver or prevent shocks; and electronic medical records with inadequate protections, leaving them vulnerable to alteration and theft. Many devices lacked access authentication requirements, and many had weak or hardcoded passwords. Of particular concern were embedded web services that let devices communicate with each other and deliver data to electronic medical records.

Recent Warnings (sans.org): Study Shows More than 40 Percent of Identity Theft is Medical-Related (April 2014)
A survey recently released by the Identity Theft Resource Center found that 43 percent of all identity thefts reported in the US in 2013 were medical-related. Stolen medical identity information has been used to obtain treatment and prescription medicines; medical identity fraud also places incorrect information in the patients' health records.

Data Costs
- Ponemon Institute (2013 study): mean = $136; financial industry = $215
- Krebs on Security, black market worth: iTunes accounts for $8; Groupon.com accounts for $5; Facebook and Twitter accounts retail for $2.50

Breach Stats: Verizon Data Breach Report
- 50 contributing global organizations
- 1,367 confirmed data breaches
- 63,437 security incidents
- 95 countries represented

Incident Types

Who Got Hit
- 20%: companies that were sought out
- 80%: victims of opportunity
- 90+% could have been stopped using fundamental precautions

Current and Future Trends
- Big Data
- Alternative Scoring Products
- Mobile Devices
- Lawsuits and Cyber Insurance
- Internet of Things

Current and Future Trends: Big Data
- Definition
- Meta data
- Third-party data

Big Data
- Gartner = Data encompassing the three Vs: Volume, Velocity and Variety
- Oracle = Derivation of value from traditional relational database-driven business decision making, augmented with new sources of unstructured data
- Intel = Data analyzed in this way are business transactions stored in relational databases, followed by documents, e-mail, sensor data, blogs, and social media

Big Data
- Microsoft = The process of applying serious computing power to seriously massive and often highly complex sets of information
- Method for an Integrated Knowledge Environment (MIKE) open-source project = A function of the complexity of a data set with a high degree of permutations and interactions within the set
- National Institute of Standards and Technology (NIST) = Data that exceed(s) the capacity or capability of current or conventional methods and systems

What is Big Data?
"High volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery, and process optimization."
Doug Laney, "The Importance of Big Data: A Definition," Gartner

Big Data: Meta Data and Third-party Data

Source: GAO

Data Broker Characteristics (FTC Report, May 2014)
- Data brokers collect consumer data from numerous sources, largely without consumers' knowledge
- The data broker industry is complex, with multiple layers of data brokers providing data to each other
- Data brokers collect and store billions of data elements covering nearly every U.S. consumer
- Data brokers combine and analyze data about consumers to make inferences about them, including potentially sensitive inferences
- Data brokers combine online and offline data to market to consumers online

Current and Future Trends: Alternative Scoring Products
Built using predictive modeling. Predictive modeling feeds copious amounts of information through analytical methods to predict the future based on past information.

Example Scores
- Energy consumption scores
- Scores that identify the approximate credit capacity of neighborhoods instead of individuals
- Health risk scores
- Target's Pregnancy Predictor Score

Example Scores
Acxiom offers a "Consumer Prominence Indicator Score" that quantifies the size of a specific consumer's economic footprint, indicating the historical consumer purchasing and relative amount of marketing activity surrounding that individual. (World Privacy Forum, The Scoring of America report)

One company states it uses 300 billion data attributes in compiling its predictive scores, compiled from 8,000 data files. (World Privacy Forum, The Scoring of America report)

Risks/Challenges: Why and How?
HOW?
- Volume = capture, store, process data: notice and consent; storage costs; processing power limits
- Velocity = different rates, systems: correlation; analysis
- Variety = integrity of data: completeness; structured vs. unstructured

Source: FTC

Current and Future Trends: Mobile Devices
- Data
- Apps
- Devices: organization-owned vs. Bring Your Own Device (BYOD)
- People

Mobile Device Framework (four dimensions)
- DATA: Confidential Data, Restricted Data, Internal Use Data, Public Data
- WEB/APPS: App, Web
- DEVICES: Phone, Tablet, Laptop
- PEOPLE: Policy, Agreement, Practices, Procedures, Risk Assessment

Current and Future Trends: Lawsuits
Curry v. AvMed, Inc.

Current and Future Trends: Cyber Insurance

Current and Future Trends: Internet of Things
- Cameras
- Alarm systems
- Thermostats
- Smoke detectors
- Automobiles/OBD
- RFID (state use restrictions)

Internet of Things: Autos
AAA recently estimated that one in five new cars sold this year will collect and transmit data outside the vehicle. According to one survey, cars may make up over five percent of connected devices by 2025.

Internet of Things: Autos
The recent Government Accounting Office (GAO) report on in-car, location-based services assessed industry practices regarding connected car location data against the Fair Information Practice Principles. This report focused specifically on disclosures, consumer consent and control, data safeguards and retention policies, and company accountability. The GAO's report was generally positive, reflecting the obvious attention companies in the connected car ecosystem are paying to privacy issues. The companies understand that consumer adoption of the new technologies requires consumer trust, and consumer trust requires a demonstration of robust privacy and security controls.

Internet of Things (IoT) privacy issues:
- Notice
- Purpose limitation
- Proportionality
- Data accuracy
- People's rights
- Security

Risk Mitigation Strategies
- Accept
- Manage
- Transfer
- Avoid

Risk Mitigation Strategies: Accept
Is it a formal process or just acceptance by implicit consent?

Risk Mitigation Strategies: Manage
- Policies
- Practices
- Audits

Risk Mitigation Strategies: Transfer
- Vendor management
- SOC reports

Risk Mitigation Strategies: Avoid

Disclosure
Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan, or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. The information provided here is of a general nature and is not intended to address specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. 2014 Baker Tilly Virchow Krause, LLP

Contact information
- Chris Tait, CISA, CFSA, CCSK, Principal, Baker Tilly Virchow Krause, LLP, chris.tait@bakertilly.com
- Mike Cullen, CISA, CISSP, CIPP/US, Senior Manager, Baker Tilly Virchow Krause, LLP, mike.cullen@bakertilly.com

Please complete the Session Evaluation Form on the conference app and include your conference Registration ID# to be included in a drawing for a free conference registration for the 2014 Annual Conference! NOTE: Your conference Registration ID# is located at the bottom left-hand corner of your badge.
IASA 86th Annual Educational Conference & Business Show