Colorado “Protections For Consumer Data Privacy” Law

Presentation transcript:

Colorado “Protections For Consumer Data Privacy” Law Kelly Schroeder - Bastion Technology Consulting

Introduction
Who is Kelly Schroeder and Bastion Technology Consulting?
- Over 15 years of IT security and compliance experience
- Managed Department of Defense compliance for a contractor
- Implemented NIST SP 800-171
What is House Bill 18-1128: “Protections For Consumer Data Privacy”?
- Expands the responsibilities of companies retaining information on Colorado residents
- Signed into law May 29th, 2018
- Effective September 1st, 2018

What is a Covered Entity?
"...a person...that maintains, owns, or licenses personal identifying information (PII) in the course of the person's business, vocation, or occupation…"
"Person" means an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or two or more thereof having a joint or common interest, or any other legal or commercial entity.
Every business has the potential to be a covered entity.

Personal Identifying Information (PII)
- social security number
- PIN
- password
- pass code
- driver's license or ID card number
- passport number
- biometric data
- employer, student, or military ID number
- financial transaction device
At a minimum, every company that has ever taken an I-9 or W-2 has this information on its employees.

Third Parties
"Third-party service provider" means an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity.
What tools do you use to store information that might fall under the law?

Third Party Management
- Who is handling your customers’ PII?
- What are their written policies?
- How do you evaluate a vendor’s protection of your customers’ information?
- Do your agreements or contracts specify compliance?

Third Party Management (Continued)
Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices that are:
- appropriate to the nature of the PII
- reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction

Notifications
- Within 30 days after a determination that information was subject to “unauthorized access, use, modification, disclosure, or destruction”
How
- Postal mail
- Phone calls
- Email
- Notify the Attorney General’s office if more than 500 Colorado residents are affected

Notification - Personal Information
"Personal information" means a Colorado resident's first name or first initial and last name in combination with any one or more of the following:
- social security number
- student, military, or passport identification number
- driver's license number or identification card number
- medical information
- health insurance identification number
- biometric data
- username or email address, in combination with a password or security questions and answers that would permit access to an online account
- account number or credit or debit card number in combination with any required security code, access code or password that would permit access to that account

Written Policy
- Document retention (electronic and physical)
- Document destruction
- “Reasonable security procedures and practices”
- Employee training
- Breach detection
- Access rights and responsibilities
- Notification process

Reasonable Security Procedures and Practices
“...appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”
- Encryption
- Firewall/Antivirus
- Passwords
- Mobile devices

Now What?
"Personal identifying information"
- social security number
- PIN
- password
- pass code
- driver's license or ID card number
- passport number
- biometric data
- employer, student, or military ID number
- financial transaction device
Steps
- Discover what customer information you are storing and whether it is PII
- Determine what, if any, PII is stored with third parties
- Examine your processes for how PII is stored and exchanged
- Create a written policy
- Obtain written third-party PII policies
- Involve your IT team
- Contact Bastion Technology Consulting for further information or assistance
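The slides quote two different definitions: "personal identifying information" (PII, which triggers the written-policy and third-party obligations) and the narrower "personal information" (which triggers breach notification and the 500-resident Attorney General threshold). A record can be one without being the other, which matters both for the "discover what you are storing" step above and for scoping a notification. The following added example, not code from the presentation or from Bastion Technology Consulting, classifies stored records against both definitions exactly as the slides state them; the field names ("first_name", "ssn", "security_answers" and so on), the mapping of "card_number" to "financial transaction device", and the sample records are assumptions constructed for the example.

```python
# Added example, not code from the presentation. Classifies records against the
# two definitions on the slides: PII (security obligations) and "personal
# information" (breach notification). Field names are assumed for the example.

# PII data elements from the "Personal Identifying Information" slide.
PII_ELEMENTS = {
    "ssn", "pin", "password", "pass_code",
    "drivers_license", "state_id_card",   # driver's license or ID card number
    "passport_number", "biometric_data",
    "employer_id", "student_id", "military_id",
    "card_number",                        # assumed: a "financial transaction device"
}

# Elements that make a named record "personal information" on their own.
SINGLE_ELEMENTS = {
    "ssn", "student_id", "military_id", "passport_number",
    "drivers_license", "state_id_card",
    "medical_info", "health_insurance_id", "biometric_data",
}


def is_pii(record: dict) -> bool:
    """PII needs no name: any listed element alone qualifies."""
    return any(record.get(key) for key in PII_ELEMENTS)


def has_name(record: dict) -> bool:
    """First name or first initial, in combination with last name."""
    first = record.get("first_name") or record.get("first_initial")
    return bool(first) and bool(record.get("last_name"))


def matching_elements(record: dict) -> list:
    """Return the "personal information" data elements present in the record."""
    hits = [key for key in SINGLE_ELEMENTS if record.get(key)]
    # Credentials count only as a pair: a username or e-mail alone is not
    # enough, but one combined with a password or security Q&A is.
    if (record.get("username") or record.get("email")) and (
        record.get("password") or record.get("security_answers")
    ):
        hits.append("online_account_credentials")
    # An account or card number counts only with the code or password that
    # would permit access to that account.
    if (record.get("account_number") or record.get("card_number")) and (
        record.get("security_code")
        or record.get("access_code")
        or record.get("account_password")
    ):
        hits.append("financial_account_access")
    return sorted(hits)


def is_personal_information(record: dict) -> bool:
    return has_name(record) and bool(matching_elements(record))


def classify(record: dict) -> dict:
    """Which of the two definitions a single stored record falls under."""
    return {"pii": is_pii(record),
            "personal_information": is_personal_information(record)}


def breach_scope(records: list, ag_threshold: int = 500) -> dict:
    """Count affected Colorado residents and flag the Attorney General
    threshold from the Notifications slide (more than 500 residents)."""
    affected = [r for r in records
                if r.get("state") == "CO" and is_personal_information(r)]
    return {
        "affected_colorado_residents": len(affected),
        "notify_attorney_general": len(affected) > ag_threshold,
        "elements_seen": sorted({e for r in affected for e in matching_elements(r)}),
    }


# Constructed sample records (all values are placeholders).
SAMPLE_RECORDS = [
    # name + SSN: PII and personal information
    {"first_name": "Ada", "last_name": "Lovelace", "state": "CO", "ssn": "000-00-0000"},
    # e-mail + password, no name: PII, but not personal information
    {"email": "user@example.com", "password": "placeholder", "state": "CO"},
    # initial + last name + e-mail + password: personal information
    {"first_initial": "B", "last_name": "Babbage", "state": "CO",
     "email": "b@example.com", "password": "placeholder"},
    # name + card number without a security code: PII only
    {"first_name": "Carl", "last_name": "Gauss", "state": "CO",
     "card_number": "0000-0000-0000-0000"},
    # name + SSN, but not a Colorado resident
    {"first_name": "Dan", "last_name": "Kahneman", "state": "NY", "ssn": "000-00-0001"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(classify(r))
    print(breach_scope(SAMPLE_RECORDS))
```

Run against an export of a real data store, the `pii` flag tells you which records the written policy and third-party requirements must cover, while `breach_scope` gives the headcount a notification decision turns on; the two sets are deliberately not the same.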

Thank you for your time! Any questions?
Kelly Schroeder
Bastion Technology Consulting
kelly@bastiontechconsulting.com
(970) 795-2770