GSBlaw.com DATA SECURITY: LEGAL LANDSCAPE AND BEST PRACTICES November 16, 2011 Scott G. Warner Garvey Schubert Barer Seattle, Portland, Washington D.C., New York, Beijing

Slide 2: Overview
– Why you should care
– Context of US data security
– State and Federal patchwork
– Data breach laws
– Best practices

Slide 3: Why should you care?
– As a company doing business in the US, you will need to comply
– Your business partners will require that you comply
– If you don't comply, you are exposed to risk: claims and fines
  – $10 million in penalties in ChoicePoint
– The average cost of dealing with data breaches
  – $7.2 million per breach
– Damage to brand and loss of customers

Slide 4: Context for US Rules
– 1973 Department of Health, Education and Welfare report, "Records, Computers and the Rights of Citizens":
  – No secret personal data record-keeping
  – Right to know what information is collected and how it is used
  – Right to prevent multi-purpose use
  – Right to correct or amend records
  – Assurance of reliability
  – Prevent misuse
– Adopted by the OECD
– Endorsed by the Dept. of Commerce in 1981

Slide 5: No Unified Rule – A Patchwork
– Silos:
  – Financial information
  – Healthcare
  – Children
– Focus is on access, not collection

Slide 6: Applicable Law
Federal:
– Privacy Act
– Federal Information Security Management Act (FISMA)
– Veterans Affairs Information Security Act
– Health Insurance Portability and Accountability Act (HIPAA); Health Information Technology for Economic and Clinical Health Act (HITECH)
– Gramm-Leach-Bliley Act (GLB)
– Children's Online Privacy Protection Act (COPPA)
– FTC Act

Slide 7: Patchwork (Con't.)
– Fair Credit Reporting Act (FCRA); Fair and Accurate Credit Transactions Act (FACTA)
– Sarbanes-Oxley (SOX)
State:
– Privacy Policy
– State Privacy Acts
– Common Law
– Contract

Slide 8: Unifying Theme: Manage and Protect Data
Problem:
– 22.4 million sensitive records breached as of June 2011
– $7.2 million per data breach event
Data Breach Laws:
– Federal
– 46 States
– Requirements
– Private right of action; penalties

Slide 9: Data Breach Obligations
– Breach: unauthorized access to, or acquisition of, personal information
– Notice to each individual whose personal information was disclosed
  – Personal information: first name or initial and last name, plus another personal identifier (e.g. Social Security number, driver's license number, account number). Some states also cover medical and health insurance information, employer taxpayer ID, or biometric data.
  – Electronic or hard copy

Slide 10: Data Breach Obligations (Con't.)
– Exceptions:
  – Encrypted data
  – Investigation indicates identity theft is not likely to result
– Timing of notice:
  – Most expedient time possible and without undue delay
  – Some states establish deadlines for notice: 45 days after discovery of the breach; California 10 days
– Form of notice:
  – Written notice, electronic notice, telephonic notice
  – Substitute notice: + statewide media + posting

Slide 11: Data Breach Obligations (Con't.)
– Content of notice:
  – The incident, described in general terms
  – Type of information obtained
  – Telephone number for additional information
  – Contact numbers for the credit reporting agencies
  – Advice to monitor accounts and credit reports
– Notice to third parties:
  – Notice to state agencies and/or credit reporting agencies

Slide 12: Best Practices
Before a data breach:
– Develop policies and procedures for handling data
– Conduct training
– Collect the minimum necessary and retain it for the minimum amount of time
– Inventory records and devices that contain data

Slide 13: Best Practices (Con't.)
– Classify data by sensitivity
– Employ physical and technological safeguards, e.g. access controls, incident logging, etc.
– Limit the number of mobile devices that contain data and the number of people with access to them
– Do not use personal data in testing
– Use encryption
– De-identify data
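The slide's "do not use personal data in testing" and "de-identify data" points are where engineering teams most often get it wrong: a copy of production with the names hashed by plain SHA-256 is still personal information, because the Social Security number space is only about a billion values and every one of them can be hashed and matched in minutes. The example below is added here and is not part of the presentation; it shows one way to build a test extract that keeps referential integrity (the same customer maps to the same token across rows) but cannot be reversed without a key that never enters the test environment. The column names, the keyed-pseudonym scheme and the sample rows are all constructed for illustration.

```python
"""De-identifying a customer extract before it is handed to a test environment.

Added example, not from the original presentation. The extract format
(CSV with the columns below), the choice of direct identifiers and the
sample rows are assumptions made for illustration; every value is fake.
"""
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample extract: two rows belong to the same (fake) customer.
SAMPLE_EXTRACT = """first_name,last_name,ssn,email,account_number,balance
Alice,Smith,123-45-6789,alice@example.com,4000123456789,1250.00
Bob,Jones,987-65-4321,bob@example.com,4000987654321,80.25
Alice,Smith,123-45-6789,alice@example.com,4000555500001,3.10
"""

# Direct identifiers are replaced by a keyed pseudonym. Plain hashing would
# not do: an SSN has ~10^9 possible values, so an unkeyed SHA-256 of it is
# reversible by exhaustive search. HMAC with a secret key held by the data
# owner (never deployed to the test environment) removes that attack.
DIRECT_IDENTIFIERS = ("first_name", "last_name", "ssn", "email", "account_number")


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic token for one field value.

    The field name is mixed into the message (domain separation) so that the
    same string appearing in two different columns yields two different
    tokens. The 16-hex-char truncation (64 bits) keeps the output
    column-sized while making accidental collisions negligible.
    """
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def deidentify(extract: str, key: bytes) -> list[dict]:
    """Return the extract with every direct identifier replaced by a token.

    Non-identifying columns (here only `balance`) are passed through; a
    real pipeline would also review such quasi-identifiers, since rare
    values can still single out an individual.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(extract)):
        out = {}
        for field, value in row.items():
            if field in DIRECT_IDENTIFIERS:
                out[field] = pseudonymize(value, key, field)
            else:
                out[field] = value
        rows.append(out)
    return rows


def leaks_raw_identifier(rows: list[dict], extract: str) -> bool:
    """Release gate: True if any original identifier value survives verbatim."""
    originals = {
        row[f]
        for row in csv.DictReader(io.StringIO(extract))
        for f in DIRECT_IDENTIFIERS
    }
    return any(v in originals for row in rows for v in row.values())


if __name__ == "__main__":
    # The key is generated and kept by the production data owner; only the
    # de-identified rows leave for the test environment.
    key = secrets.token_bytes(32)
    test_rows = deidentify(SAMPLE_EXTRACT, key)
    assert not leaks_raw_identifier(test_rows, SAMPLE_EXTRACT)
    for r in test_rows:
        print(r)
```

Two properties matter for the "minimum necessary" and "de-identify" points above. First, determinism under a fixed key means joins and duplicate detection still work in test (rows 1 and 3 above carry the same tokens), so testers do not quietly reach for the real data because the fake data "doesn't behave". Second, the key, not the hash function, is what makes the mapping non-reversible; rotating or destroying the key later turns the tokens into random noise, which is the disposal step the next slide calls for.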

Slide 14: Best Practices (Con't.)
– Dispose of records and devices that contain data securely
– Audit systems to understand vulnerabilities; monitor
– Require service providers to comply:
  – Require a remediation plan
  – Indemnity
  – Audit rights

Slide 15: Best Practices (Con't.)
After the breach:
– Contain the breach
– Engage the response team
– Analyze the breach
– Determine legal requirements and manage to the highest requirement
– Contact insurance
– Develop a communications plan
– Prepare for litigation, e.g. litigation hold
– Perform an assessment against your plan

Slide 16: Resources
– "Protecting Personal Information: A Guide for Business", FTC
– "Security Breach Notification Laws", NCSL
– "Chronology of Data Breaches", Privacy Rights Clearinghouse
– "U.S. Cost of a Data Breach", Ponemon: etail.jsp?pkid=ponemon

Slide 17: Resources (Con't.)
– "Guide to Protecting the Confidentiality of Personally Identifiable Information", NIST: csrc.nist.gov/publications/nistbul/april-2010_guide-protecting-pii.pdf
– "Best Practices in Data Protection", Ponemon: data-protection-study-released
– "Recommended Practices on Notice of Security Breach Involving Personal Information", California Office of Privacy Protection

TAX AND LEGAL CONSIDERATIONS ASSOCIATED WITH OPERATING A DATA STORAGE AND SECURED SYSTEMS BUSINESS
November 16, 2011
Gary P. Tober
Garvey Schubert Barer
Portland, Oregon, and Seattle, Washington

Slide 19: Tax and Legal Considerations Associated With Operating a Data Storage and Secured Systems Business
I. Tax Considerations
II. Sources of Legal Liability
III. Contract Strategies

Slide 20: I. Tax Considerations
A. Nexus
  1. Permanent Establishment (PE)
    a. "Fixed place of business through which the business of an enterprise is wholly or partly carried on"
  2. PE Applied to Electronic Commerce
    a. Website: not fixed to a physical place
    b. Server: located at a physical place and can be viewed as a fixed place of business

Slide 21: I. Tax Considerations (Con't.)
B. Characterization of Revenue
  1. How is revenue from electronic commerce characterized?
C. Deduction of Expenses

Slide 22: II. Sources of Legal Liability
A. International Privacy Laws and National Breach Laws
  1. Supra-national organizations
  2. National laws
B. Third-Party Sources of Risk
  1. Data hosts, processors, advertisers, marketing partners, etc.

Slide 23: III. Contract Strategies
A. Notice
  1. Immediate notification of any actual, probable or reasonably suspected breach of security
B. Cooperation
  1. Assistance in investigating, remedying, etc.
C. Standard of Care
D. Indemnity
  1. Any failure to comply with a contractual obligation

Slide 24: III. Contract Strategies (Con't.)
E. Limitation of Liability
  1. Exclusion of indirect and consequential damages
F. Arbitration