Data Privacy and Breaches


Data Privacy and Breaches
Creating a culture of privacy awareness and how to respond to a breach
Carrie O’Brien

Agenda
- Data Privacy
- Data Breaches in Arizona
- Data Breach exercise

Security and Privacy
- Data Security: systems of protections around your data to adequately protect it.
- Data Privacy: laws, regulations, public expectations on the data you maintain.

Data Privacy should NOT be the Wild West

How to tackle it?

Sensitivity and Privacy
- Needs: What data and what level of access is needed?
- Regulations and Laws: State, federal and local laws dictate the sensitivity of data.
- Stakeholder Concerns: What level of confidentiality do the owners of the data demand?

Do you know your data’s impact?
- LOW: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- MODERATE: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- HIGH: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
(National Institute of Standards and Technology, FIPS-199)

Examine what data you maintain internally
- Student Records
- Teacher Records
- Financial Records
- Federal and State Programs
- HR Records

Not All Data Are Created Equal - Group Exercise
- Restricted
- Sensitive
- Public

Procedures for reporting or releasing data

Internal Controls
- Use ID numbers to de-identify student data
- Role-based access to PII in databases
- Data Management (record retention)

IT Security
- Physical security; authentication; firewalls/intrusion protection

Procedures for reporting or releasing data
- Limit access to data to public schools through end user authentication (ADE Connect)
- Aggregation and redaction in data reports
- Application and review of all research requests
- Data Sharing Agreements with all outside parties

How ADE Processed Requests

Public Records Request
- Public Records Request Tracking
- Legal

Aggregated Data Request
- On-line data request form
- Data Governance tracking
- Peer reviewed prior to release

PII Data Request
- Application Packet
- Reviewed by Chief Privacy Officer/Chief Data Officer
- Data Sharing Agreement

Public Records Requests
- Email!
- Attachments
- Looking for a needle in a haystack that might not be there
- Custom Data Requests
- ACLU v. DCS (2016)
- Inadvertent Disclosures

Requests for aggregate data Subgroup Asian Native Amer. African Amer. Hispanic White Total All Students   216 * 217 ELL Free Lunch 171 172 Migrant SPED 30

Creating Workplace Awareness of Data Privacy
- Frequent and Relevant Employee Trainings on Privacy (and Security)
- Educate employees on their responsibility to maintain privacy of data and report concerns
- Mandatory reporting of potential privacy and security breaches by employees to remediate (no privacy JAIL).

Auditors were able to hack Arizona DES during routine cybersecurity review
State auditors were able to access confidential information when testing cybersecurity at the Arizona Department of Economic Security, revealing vulnerabilities that could have put residents’ personal information at risk.
Jerod MacDonald-Evoy, The Republic | azcentral.com, 12:27 p.m. MT April 20, 2017

Maricopa County Colleges Computer Hack Cost tops $26M
Mary Beth Faller, The Republic | azcentral.com, Published 11:15 a.m. MT Dec. 17, 2014 | Updated 12:58 p.m. MT Dec. 17, 2014

Spear Phishing Attacks are Often the Root Cause of Security Breaches
More than one third (34%) of respondents who reported experiencing a spear phishing attack in the past year believe that such an attack resulted in the compromise of user login credentials (e.g., usernames, passwords) or unauthorized access to corporate IT systems.

Headlines You Never Want for Your City
- Target breach exposes personal data of 110 million customers
- County government settles potential HIPAA violations for $215k
- Global cyberattack targets 300,000 machines in 150 countries, taking data hostage with ransomware

What are Network Security and Privacy Risks and Costs?
- Legal liability to others for breach of credit/debit cards
- Legal liability to others for breach of personally identifiable info (PII)
- Legal liability to others for breach of personal health info (PHI)

What are Network Security and Privacy Risks and Costs?
- Cyber extortion
- Loss or damage of data (internal)
- Loss of Community Confidence

Data Breach Costs

Causes of Data Loss
- Other: 11.4%
- 3rd Party vendor: 4.3%
- Hacker: 18.6%
- Theft: 5.7%
- System Glitch: 3.6%
- Staff Error: 5%
- Lost / Stolen Device: 20.7%
- Rogue Employee: 12.1%
- Paper Records: 8.6%
- Malware/Virus: 10%
(2013 NetDiligence® Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payouts for Covered Data Breaches.)

Factors Affecting Public Sector
- Enormous amount of personal data on employees (birthdates, SSNs, direct deposit/banking info)
- Data is kept for decades
- IT equipment not always state-of-the-art
- Budgetary constraints

Takeaways
- Expectations for data protection have increased
- Where is your city or town vulnerable?
- How will you increase awareness of data privacy expectations?
- How will you respond to a breach?

Questions?
Please contact the presenters:
Carrie O’Brien, Gust Rosenfeld
(602) 257-7952
CO’Brien@gustlaw.com

Thank You.