Data Privacy & Security: Essential Questions Every Business Must Ask




Data Privacy & Security: Essential Questions Every Business Must Ask
Presented by: Riddell Williams P.S.
May 6, 2015
#4841-4703-9779

Innocent?

Overview
- 3 basic questions every business should ask
- Are you ready to respond to a hack or data loss?
- Do you have appropriate insurance?
- Emerging risks and issues

Why Make Privacy and Data Security a Priority?

Data Security Risk Is Real and Imminent
- 19% chance of data breach involving at least 10,000 records in next 24 months (2014 Ponemon Institute Research Report)
- 60% of small businesses that are hacked go out of business within six months (Ted Devine, CEO of Insureon, a small business insurer)

Consequences Are Serious and Long-Lasting
- Reputational damage
- Business interruption
- Response costs
- Liability to partners and vendors
- Regulatory action
- Lawsuits

3 Questions Everyone Should Ask
1. What are you collecting?
2. How are you using it?
3. How are you protecting it?

Question 1: What Data Are You Collecting (and Why)?

What Do Customers Consider Private?

Personal Information, Generally
- Information that separately or in combination reveals a person's identity
- Washington = name plus:
  - SSN
  - Driver's license
  - Number and access code
- 4/23/15 amendment: Is personal information secured?
  - Did intruder have access to encryption key or ability to decipher?
  - Standard for encryption

Other Personal Information
- Health information
- Employee information
- E-mail address
- Utility and service use
- Zip code

Why Are You Collecting That Information?
- Don't have it = can't get in trouble for it
- How does the consumer benefit from data collection?
- Collecting the least you need?
- Authorized to collect it?

Do You Disclose Data Collection?
- Does your website need a privacy statement?
- YES, unless you are sure you do not collect personal information.

Privacy Statement Tips
- Talk to an expert
- Keep it current
- Key elements:
  - What you collect
  - How you collect it
  - What you do with it
  - What you share with third parties
- Additional issues:
  - Opt-out
  - Changes to the statement

Question 2: How Are You Using Information You Collect?

What Are You Doing With It?
- Existing legitimate business purpose versus possible future use
- Using only for the purposes you disclosed to consumers
- Disclosing it to third parties?

Laws May Limit Collection and Use
- HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH)
- Gramm-Leach-Bliley Act (GLBA)
- FTC Act and other consumer protection laws
- CAN-SPAM Act
- Telephone Consumer Protection Act (TCPA)
- Children's Online Privacy Protection Act (COPPA)
- State laws, e.g., California's Eraser Button law

Data Retention
- Are you retaining personal information for longer than necessary?
- Does your company's data retention policy:
  - Require destruction of records when they no longer serve a business purpose?
  - Have procedures for secure destruction?

Question 3: How Are You Protecting Information You Collect?

When and How Much Protection Do You Need?
- Protection should be proportionate to the sensitivity of the information
- Protect at all stages: collection, storage, handling, transit, disposal

Five Simple Steps (WSJ April 19, 2015)
1. Accelerate software patch timelines
2. Limit online doors (many devices don't need to be online)
3. Encrypt your data
4. Eliminate or supplement passwords
5. Improve due diligence on vendors

Four Administrative Measures
1. Implement a cybersecurity framework or information security program (NIST, etc.)
2. Institute an employee training program
3. Develop and practice an incident response plan
4. Evaluate available insurance (every year)

Risks Posed By Vendors
- Any party who shares customer or employee information with a vendor is at risk
- Claims based on vendor selection (FTC, private lawsuits)

Vendor Due Diligence
- Web sites and sales materials
- Gartner and other third parties
- Create a checklist/application:
  - Financial condition and insurance
  - Information security controls
  - Employee training and awareness
  - Incident response

Provisions to Consider in Vendor Contracts
- Confidentiality
- Ownership and use of data
- Use of subcontractors
- Requirement to notify and to disclose breach
- Information security provisions
- Indemnity

Are You Ready to Respond to a Hack or Data Loss?

Response Readiness Checklist
- Do you have a disaster recovery plan?
- Internal incident response team identified and trained
  - Finders, fixers, communicators, regulators
- Responding well
  - Assess
  - Mitigate and preserve
  - Privilege
  - Notification
  - Contractual requirements?

Do You Have Appropriate Insurance?

Which Coverages Align With Your Risks?
- Regulatory response
- Notification costs
- Crisis management
- Credit monitoring
- Media liability
- Theft and fraud
- Forensic investigation
- Business interruption
- Computer data loss and restoration
- Extortion

Do You Have Appropriate Coverage?
1. Understand the coverage you have
2. Investigate additional coverage options and costs
3. Select the right coverage for your business

Legal Challenges from the Internet of Things

Internet of Things: What is it?
- Not computers, phones, tablets
- Any product or sensor that connects to the Internet
- Car or home or wearables

The Mission and The Team
- The Mission: To provide reasonable security
- The Team:
  - Who is in charge of privacy and security issues?
  - Single individual or a team?
  - Employee training?
- Involve outside counsel early
  - Privilege
  - Expertise

Emerging Risks and Issues with Big Data

General Principles
- What characterizes it?
  - Large amounts of data (duh)
  - Often originally collected for other purposes
  - Use of advanced analytics
  - Machine learning
- What laws apply?
  - No special laws (yet)
  - Should we have a right to have certain things forgotten?

Emerging Issues With Big Data
- Adequate disclosure: does disclosure clearly cover all uses?
- Unexpected correlations
  - Analytics and machine learning anticipate consumer decisions and behavior
  - Sensitive/personal situations can be revealed, especially through combined data sets
- Public relations risk: just because you can, doesn't mean you should

Questions?
Please contact us any time with additional questions.
- Bruce Goto, Riddell Williams P.S., 206.389.1567, bgoto@riddellwilliams.com
- Gavin Skok, Riddell Williams P.S., 206.389.1731, gskok@riddellwilliams.com
- Shata Stucky, Riddell Williams P.S., 206.389.1786, sstucky@riddellwilliams.com