Dino Tsibouris (614) Information Security – What’s New In the Law?
Trends for 2010 Increased federal and state regulation of information security Increased enforcement Increased costs to resolve a breach Increased “compliance complexity” as technology changes
Examples HITECH Act - Amendments to HIPAA by the Stimulus Act Enforcement Actions under HITECH Medical Data in the Cloud Revisions to State Law Regarding PCI-DSS Anonymization Becoming Difficult Heartland and Countrywide Breaches
HITECH ACT Amends HIPAA New breach notification rules New penalties Increased levels of minimum security State AG enforcement
Connecticut Health Net Enforcement Connecticut Attorney General - HIPAA Lost portable computer disk drive Involves privacy of 446,000 Connecticut enrollees Health information, social security numbers, and bank account numbers Failed to notify on time
Connecticut Health Net Enforcement Health Net failed to Ensure the confidentiality and integrity of electronic protected health information Implement technical policies and procedures for electronic information systems Implement policies and procedures that govern the receipt and removal of hardware and electronic media
Connecticut Health Net Enforcement Health Net failed to Implement policies and procedures to prevent, detect, contain, and correct security violations Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents Effectively train all members of its workforce
Medical Data in the Cloud Data stored in the cloud more and more frequently Third-party contractors more and more common – Security and background checks for companies a necessity – Conduct audits or obtain results – Ownership of data – Prohibiting sales to others – Return in appropriate format
Anonymization Privacy laws provide exceptions for anonymized data It is now more difficult to anonymize data Examples: AOL search results release Netflix million dollar prize release MA health records release Unique ID 87% of the US with ZIP, DoB, Sex
Fallout from failed Anonymization AOL CTO resigns MA governor is embarrassed Netflix is sued in court for outing a lesbian mother DBs are permanently associated
HHS Research Current HHS regulations have detail on de- identification HHS realizes the difficulty in anonymizing personal data Funds research on technology to achieve anonymity while maintaining value to research Future laws will likely keep these difficulties in mind
HIPAA - Employee Snooping UCLA employee Accesses system 323 times in 3 weeks Snoops on celebrity medical records Similar incident in 2008 UCLA reveals that 165 employees improperly viewed files in 13 years 15 fired for viewing octuplet mom’s records
Massachusetts Data Security Regulations Creates duty to protect personal data Applies to the personal information of MA residents Sophistication of safeguards increases with size and scope of business Effective date delayed – March 1, 2010
Nevada PCI-DSS Effective Jan. 1, 2010 Requires encryption when electronically transmitting personal data Requires compliance with PCI-DSS Similar to Minnesota law
Heartland Payment Systems Breach 6 th Largest Payment Processor Involved 330 Financial Institutions Heartland was PCI-DSS certified SQL injection attack CC#s, expiration dates, stored magnetic stripe data Lost ~130 million card numbers
Heartland Payment Systems Breach Removed from VISA CISP list Reported $105 million in expenses – $90 million to Visa, MasterCard, Banks $60 million to card issuers – $3.5 million to AmEx Settles Cardholder Class Action for $2.4 million Stockholder Class Action in NJ Dismissed
Countrywide Breach Countrywide Financial Services Former employees Downloaded and sold customer data Every week for 2 years 19,000 individuals notified of breach Class action settles for over $10 million
Trends for 2010 Increased federal and state regulation of information security Increased enforcement Increased costs to resolve a breach Increased “compliance complexity” as technology changes
Dino Tsibouris (614) Questions & Answers