Presentation is loading. Please wait.

Presentation is loading. Please wait.

1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty.

Published byAnnice Lawrence Modified over 8 years ago

Similar presentations

Presentation on theme: "1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty."— Presentation transcript:

1 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty Provin Executive Vice President Jordan Lawrence mprovin@jlgroup.com

2 2Copyright 2009. Jordan Lawrence. All rights reserved. Privacy Breaches Happen Everyday March 24, 2009  Hospital employee left patients records on an train she was taking with her to do billing work over the weekend. March 18 th, 2009  Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed without being encrypted by q pharmacy benefit provider. March 18 th, 2009  1,300 university students and faculty members personal information was on a laptop stolen from a professor traveling in Italy. March 11 th, 2009  University kept information (including Social Security numbers and salary information for employees of students), dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. February 2, 2009  Medical records were disposed of in a dumpster behind the office. February 2, 2009  Hundreds of folders containing names, addresses, Social Security numbers and credit card information were found in a dumpster. Source : Privacy Rights Clearinghouse

3 3Copyright 2009. Jordan Lawrence. All rights reserved. After a Privacy Breach Safe Harbor  Possible if data was encrypted  Best Practice is to notify regardless  Credit monitoring and assistance Penalties  Fines  Civil right of action

4 4Copyright 2009. Jordan Lawrence. All rights reserved. Cost of a Privacy Breach Hard Dollar Costs  $6.6 m average expense to an organization Cost of notifying victims Maintaining information hotlines Legal, investigative, and administrative expenses Credit monitoring Reputational Harm  31% of breach notice recipients terminate their business  57% reported losing trust and confidence Source: Ponemon Institute

5 5Copyright 2009. Jordan Lawrence. All rights reserved. Why Companies Struggle Misguided “prevention” efforts  Less then 20% of breaches involve unauthorized network access  More then $5 billion spent on network security Fail to understand the most common risks  53 of 81 data breaches reported 1 in 2009 have involved Lost or stolen laptops, computers or storage devices Backup tapes lost by employees or third-party vendor Employees’ handling of information Dumpster diving 1 Source : Privacy Rights Clearinghouse as of March 24 th, 2009

6 6Copyright 2009. Jordan Lawrence. All rights reserved. People and Policy Its about policy awareness and policy compliance 54% of business representatives don’t think their companies privacy policy applies to email 1 39% of business representatives report saving sensitive 1 company data to personal computer and storage devices One out of ten employees report having had a company computer or storage device lost or stolen in last 12 months 2 1 Source: 2008 Jordan Lawrence Assessment Data 2 Source :2008 Data Leakage Worldwide : The Insider Threat and the Cost of Data Loss by insightexpress

7 7Copyright 2009. Jordan Lawrence. All rights reserved. Taking The First Step Identify the necessary information What personally identifiable data does the company have Where do they have it How is it managed

8 8Copyright 2009. Jordan Lawrence. All rights reserved. How Do You Get This Information Business Representatives understand  The types of sensitive information they work with  What media its in  Who they share it with  How they manage it  What they do with it at end of life Subject Matter Experts understand  Encryption services deployed  Back-up processes  Disposal processes  Third party’s that have access to sensitive information

9 9Copyright 2009. Jordan Lawrence. All rights reserved. What You Will Find 1,272 record type profiles with sensitive information Type of Sensitive Data Human Resources 29 :: on laptop (no encryption) 11 :: on flash drive 14 :: emailed outside organization Accounting 18 :: on laptop (no encryption) 22 :: on flash drive 15 :: emailed outside organization Security 10 :: on laptop (no encryption) 9 :: paper (no shred bin) Location of Data Social Security Numbers Credit History Information Credit/Debit Account Information Employment Information Medical Information Name, Phone, Address Source : Client data from a Jordan Lawrence Assessment

10 10Copyright 2009. Jordan Lawrence. All rights reserved. Putting Policy Into Practice Develop a policy including  Definition of what is considered sensitive information  How to manage sensitive information  How to dispose of sensitive information  Annual acknowledgment  Consequences for not complying Train all employees  Conduct annual training  Make it part of the hiring process

11 11Copyright 2009. Jordan Lawrence. All rights reserved. Enforcing Policy Implement process for safeguarding sensitive information  Information technology for technical safeguards  The business for managing and destroying hardcopy Audit  Formal audit process  Annual spot auditing of business areas Annually re-assess  Identify new risks as business processes change  Ensure compliance with “New” and changing laws  Cross border litigation

12 12Copyright 2009. Jordan Lawrence. All rights reserved. Thank You Marty Provin 636-821-2250 mprovin@jlgroup.com

Download ppt "1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty."

Similar presentations

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.

1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
Privacy, Security, Confidentiality, and Legal Issues

Privacy, Security, Confidentiality, and Legal Issues
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.

Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.
CALEA Compliance in 2006 H. Michael Warren Vice President, Fiduciary Services NeuStar, Inc February 2006.

CALEA Compliance in 2006 H. Michael Warren Vice President, Fiduciary Services NeuStar, Inc February 2006.
SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.

SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.

PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Steps to Compliance: Risk Assessment PRESENTED BY.

Steps to Compliance: Risk Assessment PRESENTED BY.

Similar presentations

Ads by Google