Copyright 2009. Jordan Lawrence. All rights reserved. Annual In-House Symposium Practical Steps to Minimize Privacy Risks: Understanding The Intersection.

Presentation transcript:

Slide 1: Annual In-House Symposium
Practical Steps to Minimize Privacy Risks: Understanding The Intersection Between Information Management and Privacy Law
May 21, 2009
Marty Provin, Executive Vice President, Jordan Lawrence

Slide 2: Privacy Breaches Happen Every Day
- May 7th, 2009: 3,400 individuals' information from a benefits report may have been pulled out of a dumpster.
- May 5th, 2009: Documents that included SS numbers, addresses, phone numbers and names were found in an unlocked public container sitting off a side street in their apartment complex.
- May 5th, 2009: Boxes found in a trash bin contained 75,000 voter registration application cards and 24,000 precinct cards. Many of the documents contained personal information on active voters, such as full names and Social Security numbers.
- April 29th, 2009: A spreadsheet with worker names and Social Security numbers was found on the Internet. The data was released to a so-called peer-to-peer network during a music transfer to an agency laptop.
- April 29th, 2009: A laptop computer containing the personal information of about 225,000 individuals was stolen from a home. The data included names, Social Security numbers, tax identification numbers, birth dates and addresses.
- March 24, 2009: A hospital employee left patient records on a train she was taking with her to do billing work over the weekend.
- March 11th, 2009: A university kept information (including Social Security numbers and salary information for employees of students), dating back at least ten years, in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open.
Source: Privacy Rights Clearinghouse

Slide 3: Current Standard Definition of Personally Identifiable Information
- Resident's first and last name, or first initial and last name
  - Social Security number
  - Driver's license or state-issued ID card number
  - Financial account number
  - Credit or debit card number
- Possibly medical or biometric information

Slide 4: Who & What
Who privacy laws apply to
- A resident of the particular state
- Not the location of the business or breach
Always apply to electronic information
- May apply to hardcopy as well
Trigger of notification period
- Disclosure should be expedient, and without unreasonable delay following the discovery of the breach
- "Timeliness" of response will be scrutinized

Slide 5: After a Privacy Breach
Safe Harbor
- Possible if data was encrypted
- Best practice is to notify regardless
- Credit monitoring and assistance
Penalties
- Fines
- Civil right of action

Slide 6: Cost of a Privacy Breach
Hard Dollar Costs
- $6.6 million average expense to an organization
  - Cost of notifying victims
  - Maintaining information hotlines
  - Legal, investigative, and administrative expenses
  - Credit monitoring
Reputational Harm
- 31% of breach notice recipients terminate their business
- 57% reported losing trust and confidence
Source: Ponemon Institute

Slide 7: Privacy Laws & Cross Border Litigation
- EU privacy laws vs. FRCP
- Blocking statutes restrict discovery of information meant for disclosure in a foreign jurisdiction
  - Switzerland, France and the United Kingdom
- EU Data Protection Authorities intend to limit U.S. discovery within the EU
- Doubtful U.S. judges will be sympathetic

Slide 8: Why Companies Struggle
Misguided "prevention" efforts
- Less than 20% of breaches involve unauthorized network access
- More than $5 billion spent on network security
Fail to understand the most common risks
- 73 of 125 data breaches reported in 2009 [1] have involved:
  - Lost or stolen laptops, computers or storage devices
  - Backup tapes lost by employees or a third-party vendor
  - Employees' handling of information
  - Dumpster diving
[1] Source: Privacy Rights Clearinghouse as of May 20th, 2009

Slide 9: People and Policy
It's about policy awareness and policy compliance
- 54% of business representatives don't think their company's privacy policy applies to [1]
- 39% of business representatives report saving sensitive company data to personal computers and storage devices [1]
- One out of ten employees report having had a company computer or storage device lost or stolen in the last 12 months [2]
[1] Source: 2008 Jordan Lawrence Assessment Data
[2] Source: 2008 Data Leakage Worldwide: The Insider Threat and the Cost of Data Loss, by InsightExpress

Slide 10: Taking The First Step
Identify the necessary information
- What personally identifiable data does the company have?
- Where do they have it?
- How is it managed?

Slide 11: How Do You Get This Information
Business Representatives understand
- The types of sensitive information they work with
- What media it's in
- Who they share it with
- How they manage it
- What they do with it at end of life
Subject Matter Experts understand
- Encryption services deployed
- Back-up processes
- Disposal processes
- Third parties that have access to sensitive information

Slide 12: What You Will Find
1,272 record type profiles with sensitive information

Type of Sensitive Data:
- Social Security Numbers
- Credit History Information
- Credit/Debit Account Information
- Employment Information
- Medical Information
- Name, Phone, Address

Location of Data, by business area:
Human Resources
- 29 :: on laptop (no encryption)
- 11 :: on flash drive
- 14 :: …ed outside organization
Accounting
- 18 :: on laptop (no encryption)
- 22 :: on flash drive
- 15 :: …ed outside organization
Security
- 10 :: on laptop (no encryption)
- 9 :: paper (no shred bin)

Source: Client data from a Jordan Lawrence Assessment

Slide 13: Putting Policy Into Practice
Develop a policy including
- Definition of what is considered sensitive information
- How to manage sensitive information
- How to dispose of sensitive information
- Annual acknowledgment
- Consequences for not complying
Train all employees
- Conduct annual training
- Make it part of the hiring process

Slide 14: Enforcing Policy
Implement a process for safeguarding sensitive information
- Information technology for technical safeguards
- The business for managing and destroying hardcopy
Audit
- Formal audit process
- Annual spot auditing of business areas
Annually re-assess
- Identify new risks as business processes change
- Ensure compliance with "new" and changing laws
- Cross border litigation

Slide 15: Thank You
Marty Provin