
1 Information Security – Changes in the Law, Cost, and Complexity of Responding to Breaches
Dino Tsibouris, (614) 360-1160, dino@tsibouris.com

2 Trends for 2010
- Increased federal and state regulation of information security
- Increased enforcement
- Increased costs to resolve a breach
- Increased “compliance complexity” as technology changes

3 Examples
- HITECH Act: amendments to HIPAA by the Stimulus Act
- Enforcement actions under HITECH
- Medical data in the cloud
- Revisions to state law regarding PCI-DSS
- Anonymization becoming difficult
- Dave & Buster’s, Heartland, and Countrywide breaches

4 HITECH Act – Amends HIPAA
- New breach notification rules
- New penalties
- Increased levels of minimum security
- State AG enforcement
- Business associates must comply

5 HITECH Act – Amends HIPAA
- Covered entity must notify affected individuals if a breach of unsecured PHI occurs
- Must notify HHS, which publishes the breach, if 500 or more individuals are affected
- Vendors of personal health records (PHRs) must notify individuals if breached (under the FTC’s companion breach rule)

6 HITECH Act – Business Associate Requirements
- Must comply with the Security Rule’s administrative, physical, and technical safeguards
- Develop policies
- Designate a security official
- Enforcement

7 HITECH Act – Business Associate Requirements
- If you know your covered entity is materially violating the BAA and do nothing, you are violating HIPAA
- Must take reasonable steps to cure the breach; if that fails, terminate the contract if feasible, or otherwise report to DHHS

8 HITECH Act – Business Associate Requirements
- Does your contract allow for amendment to comply with changes in the law?
- The sample DHHS OCR contractual clause requires the parties to amend the agreement to address changes in the law

9 HITECH Act – Business Associate Requirements
- If you have a breach, you must notify the HIPAA-covered entity
- The covered entity must then notify the affected individuals

10 HITECH Act – Penalties (annual caps are for identical violations in a calendar year)
- Tier A – did not know, and could not reasonably have known: $100 per violation, up to $25,000/yr
- Tier B – reasonable cause, not “willful neglect”: $1,000 per violation, up to $100,000/yr

11 HITECH Act – Penalties
- Tier C – “willful neglect,” corrected within the 30-day cure period: $10,000 per violation, up to $250,000/yr
- Tier D – “willful neglect,” not corrected: $50,000 per violation, up to $1.5 M/yr

12 Connecticut – Health Net Enforcement
- Brought by the Connecticut Attorney General under HIPAA (state AG authority granted by HITECH)
- Lost portable computer disk drive
- Involved the private information of 446,000 Connecticut enrollees
- Health information, social security numbers, and bank account numbers
- Failed to notify on time

13 Connecticut – Health Net Enforcement
Health Net failed to:
- Ensure the confidentiality and integrity of electronic protected health information
- Implement technical policies and procedures for electronic information systems
- Implement policies and procedures that govern the receipt and removal of hardware and electronic media

14 Connecticut – Health Net Enforcement
Health Net failed to:
- Implement policies and procedures to prevent, detect, contain, and correct security violations
- Identify and respond to suspected or known security incidents, and mitigate their harmful effects to the extent practicable
- Effectively train all members of its workforce

15 Connecticut – Griffin Hospital Investigation
- Hospital terminates a radiologist and his access to the computer systems
- Patients call the hospital with complaints
- An audit reveals the access came from one terminal
- The ex-radiologist had used the usernames and passwords of other radiology employees for a month
- Accessed ~1,000 records
- Solicited patients for service at another hospital

16 HIPAA – Employee Snooping
- UCLA employee accesses the system 323 times in 3 weeks
- Snoops on celebrity medical records
- Similar incident in 2008
- UCLA reveals that 165 employees improperly viewed files over 13 years
- 15 fired for viewing the octuplet mom’s records
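Both the Griffin Hospital and the UCLA cases were found after the fact by reading access logs. The block below is an added example (not from the presentation or from either hospital) of the three audit rules those two incidents suggest: use of an account after its owner was terminated, several accounts cycling through one terminal in a short window, and an account opening far more records than its peers. The log format, account names, terminal names, the termination table and the thresholds are all constructed assumptions; the thresholds are deliberately tiny so the ten-line sample triggers them.

```python
"""Audit-log review for the HIPAA access-abuse patterns described above.
Added example; log format, names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, account, terminal, patient record id.
SAMPLE_LOG = """\
2010-01-04T08:02:00 rad_smith RAD-07 P1001
2010-01-04T08:05:00 rad_jones RAD-07 P1002
2010-01-04T08:09:00 rad_lee   RAD-07 P1003
2010-01-04T08:11:00 rad_smith RAD-07 P1004
2010-01-04T09:30:00 rad_jones RAD-02 P1005
2010-01-05T10:00:00 rad_smith RAD-07 P1006
2010-01-05T10:01:00 rad_smith RAD-07 P1007
2010-01-05T10:02:00 rad_smith RAD-07 P1008
2010-01-05T10:03:00 rad_smith RAD-07 P1009
2010-01-06T14:00:00 clerk_ann FRONT-1 P2001
"""

# Assumed HR feed: account -> date the owner's access should have ended.
TERMINATED = {"rad_lee": datetime(2010, 1, 1)}


def parse_log(text):
    """Return a list of (timestamp, account, terminal, patient) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, terminal, patient))
    return events


def terminated_account_use(events, terminated=TERMINATED):
    """Rule 1: any access by an account after its owner's termination date."""
    return [(ts, user, patient) for ts, user, _, patient in events
            if user in terminated and ts > terminated[user]]


def shared_terminal_accounts(events, window=timedelta(minutes=15), min_accounts=3):
    """Rule 2: `min_accounts` or more distinct accounts used on one terminal
    within `window` (what an audit sees when one person rotates through
    colleagues' logins). Reports the first such window per terminal."""
    by_terminal = defaultdict(list)
    for ts, user, terminal, _ in events:
        by_terminal[terminal].append((ts, user))
    findings = []
    for terminal, evs in by_terminal.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_accounts:
                findings.append((terminal, start, sorted(users)))
                break
    return findings


def high_volume_accounts(events, window=timedelta(days=21), threshold=5):
    """Rule 3: accounts opening more than `threshold` records inside any
    sliding window of length `window`. Returns {account: peak count}."""
    by_user = defaultdict(list)
    for ts, user, _, _ in events:
        by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        j = 0
        for i, t in enumerate(stamps):
            while t - stamps[j] > window:   # slide the window's left edge
                j += 1
            count = i - j + 1
            if count > threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def audit(text=SAMPLE_LOG):
    """Run all three rules over a log and return the findings by rule."""
    events = parse_log(text)
    return {
        "terminated_account_use": terminated_account_use(events),
        "shared_terminal": shared_terminal_accounts(events),
        "high_volume": high_volume_accounts(events),
    }


if __name__ == "__main__":
    for rule, hits in audit().items():
        print(rule, hits)
```

In production the volume threshold would be set from each role's baseline rather than a fixed number, and the terminal rule should be fed from the application's own login events, not just record opens; the point is that all three signals were already in the logs in the cases above and were only read once patients complained.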

17 Medical Data in the Cloud
- Data stored in the cloud more and more frequently
- Third-party contractors more and more common
  – Security and background checks for companies are a necessity
  – Conduct audits or obtain the results
  – Ownership of data
  – Prohibiting sales to others
  – Return of data in an appropriate format

18 Anonymization
- Privacy laws provide exceptions for anonymized data
- It is now more difficult to anonymize data
- Examples:
  – AOL search results release
  – Netflix million-dollar prize release
  – MA health records release
- 87% of the US population is uniquely identified by 5-digit ZIP code, date of birth, and sex alone

19 Fallout from Failed Anonymization
- AOL CTO resigns
- MA governor is embarrassed (his hospital records were re-identified by linking the release to the voter rolls)
- Netflix is sued for outing a lesbian mother, settles the case, and ends the prize program
- The databases are permanently associated

20 HHS Research
- Current HHS regulations spell out de-identification in detail
- HHS recognizes the difficulty of anonymizing personal data
- Funds research on technology to achieve anonymity while maintaining value to research
- Future laws will likely keep these difficulties in mind
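Slides 18 through 20 describe why stripping names is not anonymization: ZIP, date of birth and sex survive in the release and also sit in public lists, so the two can be joined. The block below is an added example, not the presenter’s material, that carries that linking attack through on a constructed five-record “de-identified” medical release and a constructed three-name public list, then applies the two standard countermeasures (generalizing the quasi-identifiers and suppressing records that remain unique) to reach k-anonymity of 2. All names, ZIPs, dates and diagnoses are made up; the functions and the k=2 target are my choices, not anything prescribed by HHS.

```python
"""Quasi-identifier linking attack and k-anonymity countermeasure.
Added example; all records below are constructed, no real people."""
from collections import Counter

# Constructed "de-identified" release: names removed, quasi-identifiers kept.
MEDICAL = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "dx": "hypertension"},
    {"zip": "02138", "dob": "1945-03-10", "sex": "M", "dx": "asthma"},
    {"zip": "02139", "dob": "1960-02-14", "sex": "F", "dx": "diabetes"},
    {"zip": "02139", "dob": "1960-02-14", "sex": "F", "dx": "migraine"},
    {"zip": "02140", "dob": "1972-11-02", "sex": "M", "dx": "fracture"},
]

# Constructed public list (think voter roll): identity plus the same QIs.
PUBLIC = [
    {"name": "A. Example", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "B. Sample",  "zip": "02139", "dob": "1960-02-14", "sex": "F"},
    {"name": "C. Test",    "zip": "02140", "dob": "1972-11-02", "sex": "M"},
]

QI = ("zip", "dob", "sex")   # the quasi-identifiers from the slide


def key(rec, fields=QI):
    return tuple(rec[f] for f in fields)


def k_anonymity(records, fields=QI):
    """Size of the smallest equivalence class over the QIs.
    k == 1 means at least one record is unique and therefore linkable."""
    if not records:
        return 0
    return min(Counter(key(r, fields) for r in records).values())


def unique_fraction(records, fields=QI):
    """Share of records that are the only one with their QI combination."""
    counts = Counter(key(r, fields) for r in records)
    return sum(1 for r in records if counts[key(r, fields)] == 1) / len(records)


def link(public, medical, fields=QI):
    """The attack: join a named list to the release on the QIs and keep only
    one-to-one matches. Returns {name: diagnosis} for everyone re-identified."""
    groups = {}
    for r in medical:
        groups.setdefault(key(r, fields), []).append(r)
    hits = {}
    for p in public:
        matches = groups.get(key(p, fields), [])
        if len(matches) == 1:
            hits[p["name"]] = matches[0]["dx"]
    return hits


def generalize(rec):
    """Coarsen the QIs: 3-digit ZIP prefix, birth year only, sex unchanged."""
    g = dict(rec)
    g["zip"] = rec["zip"][:3]
    g["dob"] = rec["dob"][:4]
    return g


def suppress(records, k, fields=QI):
    """Drop every record whose equivalence class is still smaller than k."""
    counts = Counter(key(r, fields) for r in records)
    return [r for r in records if counts[key(r, fields)] >= k]


def anonymize(records, k=2):
    """Generalize, then suppress whatever generalization did not fix."""
    return suppress([generalize(r) for r in records], k)


if __name__ == "__main__":
    print("k =", k_anonymity(MEDICAL), "unique fraction =", unique_fraction(MEDICAL))
    print("re-identified:", link(PUBLIC, MEDICAL))
    released = anonymize(MEDICAL, k=2)
    print("after k-anonymization: k =", k_anonymity(released),
          "records kept =", len(released),
          "re-identified:", link([generalize(p) for p in PUBLIC], released))
```

Two things the run shows that the slide only asserts: the attacker never needs the names in the release, only a second dataset with the same three columns; and generalization alone is not enough (the 02140 record stays unique even at ZIP3/year), so reaching k=2 costs a fifth of the data. That trade-off between re-identification risk and research value is exactly what the HHS-funded research on slide 20 is about.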

21 Massachusetts Data Security Regulations
- Create a duty to protect personal data
- Apply to the personal information of MA residents, wherever the business is located
- Sophistication of safeguards increases with the size and scope of the business
- Require encryption of personal data transmitted over public networks (and of personal data stored on laptops and other portable devices)
- Effective date March 1, 2010

22 Nevada – PCI-DSS
- Effective Jan. 1, 2010
- Requires encryption when electronically transmitting personal data
- Requires compliance with PCI-DSS
- Similar to Minnesota’s Plastic Card Security Act

23 Washington – PCI-DSS
- Applies to entities processing more than 6 million payment card transactions per year
- Liability may include reimbursing card-issuing banks for the cost of reissuing cards
- Includes safe harbors for encryption and for PCI-DSS compliance at the time of the breach
- Effective July 1, 2010

24 Heartland Payment Systems Breach
- 6th largest payment processor
- Involved 330 financial institutions
- Heartland had been assessed PCI-DSS compliant at the time
- Intrusion began with a SQL injection attack
- Card numbers, expiration dates, and magnetic stripe data were captured
- Lost ~130 million card numbers

25 Heartland Payment Systems Breach
- Removed from Visa’s CISP list of compliant service providers
- Reported $105 million in expenses
  – $90 million to Visa, MasterCard, and banks
  – $3.5 million to AmEx
- Settled the cardholder class action for $2.4 million
- Stockholder class action in NJ dismissed

26 Countrywide Breach
- Countrywide Financial Services
- Former employees downloaded and sold customer data
- Every week for 2 years
- 19,000 individuals notified of the breach
- Class action settles for over $10 million

27 Dave & Buster’s – FTC Enforcement
- Dave & Buster’s loses 130,000 credit and debit card numbers
- Failed to take sufficient measures to protect credit card information
- Failed to limit access by third parties
- Settles with the FTC

28 Dave & Buster’s – FTC Enforcement
Consent agreement requires D&B to:
- Appoint a responsible employee
- Conduct a risk assessment
- Develop a security program and safeguards
- Develop criteria for selecting third parties that are given access to information
- Obtain biennial third-party audits for 10 years

29 Trends for 2010
- Increased federal and state regulation of information security
- Increased enforcement
- Increased costs to resolve a breach
- Increased “compliance complexity” as technology changes

30 Questions & Answers
Dino Tsibouris, (614) 360-1160, dino@tsibouris.com

