Subpoenas Regulations and Law Internal Policy.


Presentation on theme: "Subpoenas Regulations and Law Internal Policy."— Presentation transcript:

6 Subpoenas Regulations and Law Internal Policy

7 Who It Applies To / In a Nutshell / More Detail / What, and Where, Software Can Help

Sarbanes-Oxley
- Who it applies to: publicly traded companies
- In a nutshell: "Don't play games with your financial reporting"
- More detail: CXOs are responsible. Your favorite consultant and best friend can't be your auditor. Analysts shouldn't talk to investment bankers. Sections 302 and 404: disclose and assess internal controls. Section 401: disclose off-balance-sheet items.
- Cost note: across 168 companies with average revenues of $4.7 billion, the average compliance cost was $1.7 million (0.036% of revenue).

PII (personally identifiable information)
- Who it applies to: many countries, including the USA, Australia, Canada and the EU
- In a nutshell: "Don't disclose enough info to be able to identify a person"
- More detail: if you can figure out who it is from the information disclosed, even if it's vague, it was TMI. NIST (Dept. of Commerce) definition: "(1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." Privacy Act of 1974; California Online Privacy Protection Act of 2003.
- Note: states have ruled that even zip codes fall into this category: California in 2011, Massachusetts in 2013.

COPPA (Children's Online Privacy Protection Act)
- Who it applies to: websites and online services
- In a nutshell: "Be careful what you do, website, with stuff typed in by children under 13"
- More detail: post a privacy policy for children. Protect the information and get rid of it when it no longer applies. Do your best to give parents notice and a chance to review. Not to be confused with CIPA, under which K-12 schools and libraries need to protect against harmful online content.
- Note: the Supreme Court ruled that non-profits operated for the benefit of their members' commercial activities are subject to FTC regulation, and consequently also to COPPA.

HIPAA
- Who it applies to: organizations that handle personal health information
- In a nutshell: "Don't share someone's health info"
- More detail: patients own their health data. It can be released without the patient's consent only in a limited and well-defined set of circumstances.
- Penalty tiers (from the per-violation amount up to the annual cap for identical violations): didn't know: $100 to $25K; reasonable cause: $1K to $100K; willful neglect, corrected within 30 days: $10K to $250K; willful neglect, not corrected: $50K to $1.5 million.

Employer confidentiality agreements
- Who it applies to: the company I work for
- In a nutshell: "Don't give away valuable intellectual property"
- More detail: don't share this new product code word with anyone. All docs for the new awesome device we're building can only be stored here.

What, and where, software can help
- Data Loss Prevention rules: before the fact
- eDiscovery and auditing: after the fact

9 Put Controls in Place
- Archive and Hold: keep what you need
- Deletion Policies: get rid of what you need to get rid of
- DLP and Encryption: control, and help the user control, sensitive content
Show Compliance, Investigate a User
- eDiscovery: search for important content
- Auditing: show that people did the right thing, or didn't

10 I need to... / I do this via... for each of the three drivers (Subpoenas, Regulations and Law, Internal Policies)
Demonstrate compliance, via Reporting and Sampling:
- Subpoenas: "I followed the Legal Discovery process"
- Regulations and Law: "Only doctors viewed this HIPAA doc"
- Internal Policies: "All PPTs marked 'Microsoft Confidential' were viewed only by FTEs"
Investigate a user, via Search:
- Financial policy violation
- Confidentiality breach
- Insider trading
- Sensitive data loss to the public
- Wrongful termination

11 Supporting Customer Compliance
O365 accreditations:
- ISO 27001: first major business productivity public cloud service to have implemented ISO 27001 management controls
- SAS 70 Type I and Type II attestation
- HIPAA Business Associate Agreement (HIPAA BAA)
- FISMA authority to operate (ATO) from a federal agency
- FERPA use and disclosure restrictions related to student data
- EU model clauses addressing international transfers of data
- CJIS Security Policy 5.2 requirements met for CA and TX law enforcement
- DPA (Data Processing Agreement) to address the privacy, security and handling of customer data
- Security and privacy verified by a third party: http://office.microsoft.com/en-us/business/office-365-security-and-privacy-verified-by-a-third-party-FX103089231.aspx
Transparency and Government Snooping:
- Protecting against government snooping: http://blogs.technet.com/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-from-government-snooping.aspx
- Transparency advocacy: https://www.reformgovernmentsurveillance.com/
- DC ops auditing
- Numbers of government requests for data: http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/02/03/providing-additional-transparency-on-us-government-requests-for-customer-data.aspx
- Law enforcement requests report: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
- "We are committed to notifying business and government customers if we receive legal orders related to their data. Where a gag order attempts to prohibit us from doing this, we challenge it in court."

12 Predefined sensitive data types, by country

Country   | PII                                                                                  | Financial
US        | US State Security Breach Laws, US State Social Security Laws, COPPA                  | GLBA & PCI-DSS (credit and debit card, checking and savings, ABA routing, SWIFT code)
Germany   | EU data protection: driver's license, passport, national ID                          | EU: credit and debit card, IBAN, VAT, BIC, SWIFT code
UK        | Data Protection Act: UK National Insurance, tax ID, UK driver's license, passport    | EU: credit and debit card, IBAN, BIC, VAT, SWIFT code
Canada    | PIPEDA: Social Insurance number, driver's license                                    | Credit card, SWIFT code
France    | EU data protection, Data Protection Act: national ID (INSEE), driver's license, passport | EU: credit and debit card, IBAN, BIC, VAT, SWIFT code
Japan     | PIPA: resident registration, social insurance, passport, driving license             | Credit card, bank account, SWIFT code
Australia | Driver's license, passport, social insurance                                         | Credit card, bank account, SWIFT code

Health (all countries): limited investment, covering US HIPAA, UK Health Service and the Canada Health Insurance card; otherwise rely on partners and ISVs.

How detection works:
- Predefined rules targeted at sensitive data types
- Advanced content detection: a combination of regular expressions, dictionaries and internal functions (e.g. validating the checksum on credit card numbers)
- Extensibility for customer- and ISV-defined data types
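An added example of the three-part detection the slide describes (regular expression to find candidates, an internal checksum function to validate them, a dictionary of supporting keywords to raise confidence). This is illustration code written for this page, not the deck's own material and not the Office 365 DLP engine; the regexes, the keyword lists, the 40-character context window and the sample message are all assumptions of the example. It goes slightly beyond the slide's credit-card case by also validating IBANs with the ISO 13616 mod-97 check.

```python
import re
from dataclasses import dataclass

# A regular expression finds candidates, an internal function validates the
# checksum, and a small keyword dictionary (an assumption of this example)
# raises confidence when a valid candidate sits in a plausible context.
CARD_RE = re.compile(r"(?<![\dA-Z])(?:\d[ -]?){12,18}\d(?![\dA-Z])")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")
SUPPORTING_KEYWORDS = {
    "credit card": ("card", "visa", "mastercard", "amex", "exp", "expiry", "cvv", "cvc"),
    "iban": ("iban", "account", "bank", "payment", "refund"),
}
CONTEXT_CHARS = 40   # assumed window, either side of a match, searched for keywords


@dataclass
class Finding:
    kind: str         # "credit card" or "iban"
    value: str        # matched value with separators removed
    confidence: str   # "high" = checksum and keyword; "medium" = checksum only
    offset: int       # where the match starts in the scanned text


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must be congruent to 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    numeric = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(numeric) % 97 == 1


def _near_keyword(text: str, start: int, end: int, keywords) -> bool:
    window = text[max(0, start - CONTEXT_CHARS):end + CONTEXT_CHARS].lower()
    return any(k in window for k in keywords)


def classify(text: str) -> list[Finding]:
    """Return the sensitive items found in text, lowest offset first."""
    findings = []
    masked = text
    # IBANs first; their digit runs are then blanked so the card regex does not re-read them.
    for m in IBAN_RE.finditer(text):
        value = m.group().replace(" ", "")
        if not iban_valid(value):
            continue
        conf = "high" if _near_keyword(text, m.start(), m.end(), SUPPORTING_KEYWORDS["iban"]) else "medium"
        findings.append(Finding("iban", value, conf, m.start()))
        masked = masked[:m.start()] + "#" * (m.end() - m.start()) + masked[m.end():]
    for m in CARD_RE.finditer(masked):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue                   # a 16-digit order number is not a card
        conf = "high" if _near_keyword(text, m.start(), m.end(), SUPPORTING_KEYWORDS["credit card"]) else "medium"
        findings.append(Finding("credit card", digits, conf, m.start()))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample message (not real data): one valid card with context, one
# valid IBAN with context, and two digit runs that look like cards but fail Luhn.
SAMPLE_TEXT = """Hi Julia, the contractor invoice is attached. For the hotel booking use my
Visa card 4111 1111 1111 1111, exp 04/26. Our payment IBAN for refunds is
GB82 WEST 1234 5698 7654 32. Ticket number 4111 1111 1111 1112 was closed and
order ref 1234 5678 9012 3456 has shipped."""


def scan_sample() -> list[Finding]:
    return classify(SAMPLE_TEXT)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.kind:11} {f.confidence:6} {f.value} @{f.offset}")
```

Running it reports two findings, the Visa number and the IBAN, both at high confidence; the ticket number and the order reference have the right shape but fail the checksum and are dropped, which is exactly the false-positive reduction the slide's "internal functions" provide.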

13 Content Lifecycle Compliance
Why compliance: subpoenas; laws and regulations; internal policy
Today's challenges: duplicate storage; add-ons for users; complex experience
The asks: lower the cost; one experience; easier to manage

15 Default retention today: Exchange (EX) 3 months; SharePoint (SP) 1 month

20 Roadmap
- Calendar and delegate changes
- SP tenant admin and O365 AD activity
- OneDrive for Business auditing
- SharePoint sharing
- User- and item-pivoted reporting
- Report when content became sensitive
- Simple, unified configuration
- Unified reporting
- Years and years of storage

23 Auditing architecture (diagram)
- Workload (Exchange) backend, Backend 1 ... Backend N: Exchange auditing hooks; local queue and uploader (per BE server); arbitration mailbox as the per-tenant policy store; policy DAL; policy sync service
- Workload (SharePoint) backend: SP content front-end node (Content FE); Content BE SQL; per-tenant policy store; local queue and uploader (per BE server); policy sync service
- FFO/EOP: UCC auditing console; policy store, policy web service and policy cmdlet; reporting cmdlets, reporting web service and reporting UX
- Audit storage: audit upload web service; audit storage (EXO); audit long-term storage
Notes:
- Reports, while you wait: 1 hour freshness, 15 second wait
- Anything manual, including bulk events, is shown as individual events
- System events are captured by the cmdlet that enabled them

24 Contoso Site Activity (sample audit report; the slide's rows cannot be reconstructed from the transcript)
Columns: ACTION (Viewed, Modified, Shared, Deleted); TARGET (e.g. Visa Application (Turkey), OFFER FORM.docx, PricingInfo-November2014.xlsx, PaulsDocumentAppendix.docx, DocumentAppendix.docx); TIME; PERSON; DETAILS (the client IP address, the client used, e.g. "Saved from Word Web Viewer", "Saved from Word desktop", "Saved from PowerPoint Web", and for shares the recipient, e.g. "Shared with user@contoso.com", "Shared with jim@otherco.com").
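An added example of the investigation work that slides 10, 20 and 24 describe: user-pivoted and item-pivoted views over audit events, a check that only an allowed group touched a document (the "only doctors viewed this HIPAA doc" question), and detection of sharing to an external domain followed by deletion. The code is written for this page and is not the deck's or Office 365's own; the pipe-separated event format, the tenant domain list, the user names and every event are constructed for the example, loosely modelled on the report's columns.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

TENANT_DOMAINS = {"contoso.com"}          # assumed: the tenant's own e-mail domains
SHARE_RE = re.compile(r"Shared with ([\w.+-]+@[\w.-]+)")


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    person: str      # who acted (user principal name)
    action: str      # Viewed / Modified / Shared / Deleted
    target: str      # the document acted on
    client_ip: str
    details: str     # free text such as "Saved from Word Web Viewer"


# Constructed sample events (not real data): time|person|action|target|client IP|details
SAMPLE_EVENTS = """\
2014-02-24T04:28|alice@contoso.com|Viewed|Visa Application (Turkey).docx|54.33.191.12|Opened in Word Web Viewer
2014-02-24T06:21|bob@contoso.com|Modified|Visa Application (Turkey).docx|101.12.19.233|Saved from Word Web Viewer
2014-02-25T07:17|carol@contoso.com|Viewed|PricingInfo-November2014.xlsx|54.33.191.11|
2014-02-25T14:14|bob@contoso.com|Shared|PricingInfo-November2014.xlsx|101.12.19.200|Shared with dave@contoso.com
2014-02-26T13:40|alice@contoso.com|Shared|PricingInfo-November2014.xlsx|54.33.191.12|Shared with jim@otherco.com
2014-02-26T23:27|dave@contoso.com|Modified|OFFER FORM.docx|101.12.19.1|Saved from Word desktop
2014-02-27T03:15|carol@contoso.com|Viewed|OFFER FORM.docx|55.66.123.101|
2014-02-28T09:57|alice@contoso.com|Deleted|PricingInfo-November2014.xlsx|54.33.191.12|
"""


def parse_events(text: str) -> list[AuditEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, person, action, target, ip, details = line.split("|", 5)
        events.append(AuditEvent(datetime.fromisoformat(time), person, action, target, ip, details))
    return sorted(events, key=lambda e: e.time)


def external_shares(events):
    """Share events whose recipient is outside the tenant's own domains."""
    hits = []
    for e in events:
        m = SHARE_RE.search(e.details) if e.action == "Shared" else None
        if m and m.group(1).split("@")[1].lower() not in TENANT_DOMAINS:
            hits.append((e, m.group(1)))
    return hits


def item_pivot(events, target):
    """Who did what to one document (the item-pivoted view)."""
    by_person = defaultdict(set)
    for e in events:
        if e.target == target:
            by_person[e.person].add(e.action)
    return {p: sorted(a) for p, a in by_person.items()}


def user_pivot(events, person):
    """Everything one person did, in time order (the user-pivoted view)."""
    return [(e.time, e.action, e.target) for e in events if e.person == person]


def unauthorised_access(events, target, allowed):
    """People who viewed or modified a document without being in its allowed set:
    the evidence behind a claim such as 'only doctors viewed this document'."""
    return sorted({e.person for e in events
                   if e.target == target and e.action in ("Viewed", "Modified")
                   and e.person not in allowed})


def leak_timeline(events, target):
    """For one document: the first external share and whether a deletion followed it,
    the sequence an investigator wants when data may have left the organisation."""
    ext = [e for e, _ in external_shares(events) if e.target == target]
    if not ext:
        return None
    first = ext[0]
    deleted_after = any(e.target == target and e.action == "Deleted" and e.time > first.time
                        for e in events)
    return {"shared_at": first.time, "by": first.person, "deleted_after": deleted_after}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e, recipient in external_shares(evs):
        print(f"external share: {e.person} -> {recipient} ({e.target}) at {e.time}")
    print(item_pivot(evs, "PricingInfo-November2014.xlsx"))
    print(unauthorised_access(evs, "OFFER FORM.docx", {"dave@contoso.com"}))
    print(leak_timeline(evs, "PricingInfo-November2014.xlsx"))
```

On the sample, the pricing sheet shows the pattern worth escalating: shared to jim@otherco.com and then deleted by the same user two days later, which is why slide 23's point that bulk actions are recorded as individual events matters; a mass delete after an external share must not collapse into one line.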
