Regulatory Updates
Eric M. Wright, CPA, CITP
Schneider Downs & Co., Inc.
December 5, 2013

Eric M. Wright, CPA, CITP
Eric has been involved with Information Technology at Schneider Downs since 1983. He specializes in and oversees the design, setup, installation and implementation of automated accounting, distribution and manufacturing systems. Eric is also responsible for the firm's IT compliance services. Eric has performed IT audits on a number of systems and at different organizations. In addition to helping our clients with their IT audit initiatives, he has also assisted clients with becoming PCI DSS, HIPAA and SOX compliant and ISO 27001 certified, and has performed NIST security audits.

Eric M. Wright, CPA, CITP
- Member, Pennsylvania Institute of Certified Public Accountants
- Member, The American Institute of Certified Public Accountants, Information Management and Technology Assurance Section
- Certified Information Technology Professional (CITP)
- Chair, PICPA IT Assurance Committee
- B.S. Mathematics and Computer Science, Waynesburg College, Magna Cum Laude
Topics to be Covered
- Payment Card Industry
- HIPAA
- State Data Breach Law
- Federal Cyber Legislation

Why all the Fuss?
[Chart: Number of Hacks per year, 2006 through 2012]
[Chart: Number of Records Breached per year, 2006 through 2012]
Payment Card Industry Data Security Standards

What is PCI DSS?
- The PCI Data Security Standard (DSS) represents a set of fundamental security requirements, industry tools and measurements that address the handling of cardholder information.
- The first thing to note: PCI compliance is not required by any federal law. 48 states have enacted or are in the process of enacting data breach legislation addressing the loss of credit card data, but for most organizations this compliance requirement is strictly voluntary.
- PCI compliance requirements originally started as multiple programs administered by the individual credit card companies.
- Applicable to everyone who stores, processes, or transmits payment card data.
- Enforced by contract with the banks that provide payment card processing.

Merchant Compliance Validation Requirements

Visa - Cardholder Information Security Program (CISP)
  Level 1: 6M+ transactions regardless of acceptance channel. Onsite security audit required annually; network scan required.
  Level 2: 1M to 6M transactions. Self-assessment questionnaire required annually; network scan required.
  Level 3: 20K to 1M e-commerce transactions. Self-assessment questionnaire required annually; network scan required annually.
  Level 4*: Less than 20K e-commerce or 1M overall transactions. Self-assessment questionnaire recommended annually; network scan recommended.

MasterCard - Site Data Protection (SDP) Program
  Level 1: 6M+ transactions regardless of acceptance channel. Onsite security audit required annually; network scan required.
  Level 2: 1M to 6M transactions. Self-assessment questionnaire required annually; network scan required.
  Level 3: Over 20K e-commerce transactions and less than 1M total. Self-assessment questionnaire required annually; network scan required.
  Level 4*: All other merchants. Self-assessment questionnaire required annually; network scan required.

American Express - Data Security Operating Policy (DSOP)
  Level 1: 2.5M+ transactions. Onsite security audit required annually; network scan required.
  Level 2: 50K to 2.5M transactions. Network scan required.
  Level 3: Less than 50K transactions. Network scan recommended.
  Level 4*: N/A

Current requirements as of 5/09. Being considered a Level 1 merchant for any brand causes the remainder of the card brands to consider the entity a Level 1 as well.
History
- In 2004, PCI DSS version 1.0 was developed by MasterCard and agreed to by the other four major credit card companies.
- In September 2006, the Brands formed the PCI SSC to standardize the compliance requirements and promote education and awareness of protecting cardholder data.
- PCI DSS 2.0 is the current version.

What is New?

New Standards for Mobile Payment Acceptance
- New mobile security standards were released in February 2013.
- Why is mobile different? Tablets and smart phones do not provide the same level of security as you would expect at a traditional retail store. Almost any mobile application could access account data stored in or passing through a mobile device.
- Trust is important due to the fragmentation of this environment, which includes device manufacturers, developers of operating systems, application designers, network carriers and the various protocols that link them all together. Ensuring security requires all of these parties to work together.
- What if a device is owned by an individual and not the employer? How is the patching process managed without invading the privacy of the owner? This is not considered best practice and is not recommended.
- The ease with which a device can be stolen, modified and returned without being noticed.

The Three Objectives of the MPA Guidance
- Prevent account data from being intercepted when entered into a mobile device.
- Prevent account data from being compromised while processed or stored within the mobile device.
- Prevent account data from being intercepted upon transmission out of the mobile device.
The guidance consists of 31 control activities that address these 3 objectives.

Additional Changes to the Standards
- Updated the testing standards associated with the use of point-to-point encryption (P2PE) to transmit card data.
- Introduced new requirements, effective June 30, 2012, associated with vulnerability scans of internal networks. These scans must be performed on a recurring basis and after any significant change in the processing environment. To obtain a passing grade, the merchant must resolve all high vulnerabilities as defined in Requirement 6.2, which requires the merchant to establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
Future Requirements being Considered: PCI DSS version 3.0
- Version 3.0 will include more changes to the framework than version 2.0 did.
- Items being considered in the new standard include:
  - EMV chip adoption in the US
  - Strengthening Mobile Payment Acceptance guidelines
  - Greater awareness and education
  - Challenges and lessons learned: business as usual
  - Additional guidance regarding Third Party Security Assurance
  - Additional requirements for penetration testing and segmentation
  - Security Policy and Procedures built into each requirement

Future Requirements being Considered
- By October 2015, all merchants will be subject to the new Europay, MasterCard and Visa (EMV) standards. The new standards mark a shift from magnetic stripe credit cards to chip-and-PIN cards.
- The EMV standards will be required for card acquirers, merchants and processors. If a merchant does not meet the EMV standards, it will be held liable for any fraudulent transactions.
- The intent is to use the EMV and PCI standards together to protect cardholder data.
HIPAA

History
- Passed in 1998 with little or no enforcement activity for 10 years.
- Congress passed the HITECH Act in 2009 as part of ARRA to add teeth to the original act.
- In 2009, enforcement activities moved from the Centers for Medicare and Medicaid Services to the Office of Civil Rights.

A Year of Audits
- Policies and procedures are outdated or do not exist.
- Compliance programs were not a priority.
- Small providers have broad failures.
- Larger entities continue to struggle with data security.
- Third parties are not being managed.

HIPAA
- On January 17, 2013, the Department of Health and Human Services Office of Civil Rights released the 563-page final rule detailing the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
- The final rule made sweeping changes to HIPAA's data security and breach requirements and has a significant impact on covered entities, business associates and subcontractors of business associates.
- The rule became effective March 26th, and compliance was required by September 23rd.
HIPAA Changes
- Covered Entities can be held liable for the actions of their business associates.
- Holds Business Associates directly liable for compliance with certain HIPAA privacy and security requirements.
- Changes the definition of business associate to include subcontractors that create, receive, maintain or transmit Protected Health Information (PHI) on behalf of covered entities.
- Business Associates are required to have full-blown written Business Associate agreements with subcontractors.
- Changes the definition of breach to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or Business Associate can demonstrate there is a low probability that the PHI was compromised.
- Requires covered entities to protect a decedent's PHI in accordance with the privacy rule for 50 years following the date of death.

HIPAA Changes (Continued)
- Under the current requirements, a breach must be reported only if it poses a significant risk of financial, reputational or other harm to the individual. The new rule eliminates the risk-of-harm threshold and requires covered entities and business associates to consider four factors when determining whether a breach must be reported:
  1) The nature and extent of the PHI involved, including the identifiers and the likelihood of re-identification;
  2) The unauthorized person who used the PHI or to whom the disclosure was made;
  3) Whether the PHI was acquired or viewed; and
  4) The extent to which the risk to the PHI has been mitigated.
- With few exceptions, prohibits the sale of PHI without an individual's consent.

HIPAA Changes (Continued)
- HIPAA enforcement is moving toward a penalty-based system and away from voluntary compliance by introducing a tiered system of civil penalties based on culpability. Penalties range from $100 to $50,000 per incident, with an annual cap of $1.5 million.
- The Office of Civil Rights released a 169-step audit program to address the new compliance standards.
- Enhances patients' rights to electronic copies of their records. Covered entities must provide an electronic copy of records in a mutually agreed upon machine-readable format. Also requires covered entities to provide the records within 30 days instead of 60. Requests for records must be in writing and signed by the requesting individual.
HIPAA Changes (Continued)
- Requires that covered entities obtain a valid authorization from individuals before using or disclosing PHI to "market" a product or service. The term "marketing" means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service."
- The changes imposed by the final rule will require most organizations to revise their Business Associate agreements. The deadline for having revised agreements in place is September 23, 2014, unless the parties amend or renew an existing contract during the period March 26, 2013 through September 23, 2013. Amendments or contracts signed during that time period require the Business Associate agreement to comply with the new regulations by September 23, 2013.

State Data Breach Laws

PA Data Breach Law: What Information are You Generally Required by Law to Secure?
- Personally Identifiable Information (PII): an individual's name, consisting of the individual's first name or first initial and last name, in combination with:
  - Social Security Number
  - Driver's License Number or State Identification Number
  - Credit Card, Debit Card or Financial Account Numbers
- Protected Health Information (PHI): any information that relates to the past, present, or future physical or mental health or condition of an individual; electronic, paper or oral.
Jurisdictions that have broader definitions
Alaska, California, Georgia, Iowa, Kansas, Maine, Maryland, Massachusetts, Missouri, Nebraska, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, South Carolina, Texas, Vermont, Virginia, Wisconsin, Wyoming, Washington DC, Puerto Rico

Data Breach Law
- If a breach occurs, the organization must contact the affected individuals and inform them of the circumstances of the data breach.
- Must provide credit monitoring services if more than 1,000 individuals' information is breached.
- If more than 175,000 individuals are affected, or the cost to notify is greater than $100,000, then the organization is permitted to use an alternative method of notification.
- With the exception of Alabama, Kentucky, New Mexico and South Dakota, data encryption is a "get out of jail free" card.

Federal Cyber Legislation
Federal Cyber Legislation
- During the State of the Union address, President Obama announced that he had issued and signed executive orders on cyber security.
- This executive order is directed at federal agencies, but any industry regulated by a federal agency will be impacted by these new compliance requirements.
- The executive order gives the Director of Homeland Security 150 days to identify critical infrastructure where a cyber incident could result in a debilitating impact on national security, national economic security, or public health and safety.
- So, if you are a bank, hospital, energy provider or another industry that falls within the critical infrastructure designation, be prepared to comply with these new regulations.

Federal Cyber Legislation (Continued)
- The executive orders call for cooperation and information sharing between the private sector and government so that these entities may better protect and defend themselves against cyber threats.
- Within 240 days, the National Institute of Standards and Technology (NIST) must publish an updated framework to reduce cyber risk to critical infrastructure. The new framework must:
  - Create standards that align policy, business and technology to address cyber risks.
  - Identify areas that need improvement and can benefit from private and government collaboration.
  - Provide guidance for measuring improvement.
  - Align with international standards.
  - Include best practices.

Questions