Enterprise data (decentralized control, data security and privacy) Incident Response: State and Federal Law Rodney Petersen Security Task Force Coordinator.

Presentation transcript:

Enterprise data (decentralized control, data security and privacy) Incident Response: State and Federal Law Rodney Petersen Security Task Force Coordinator EDUCAUSE

Notification of Security Breach Risk
- The following is based upon proposed S. 1408: Identity Theft Protection Act (109th Congress)
- Reporting the Breach to the Federal Trade Commission!!!
- Notification of Consumers

Consumer Notification...
Use due diligence to investigate any suspected breach of security affecting sensitive personal information [that you] maintain. If, after the exercise of such due diligence, [you] discover a breach of security and determine that the breach of security creates a reasonable risk of identity theft, [you] shall notify each such individual.

Reasonable Risk of ID Theft
In determining whether a reasonable risk of identity theft exists, [you] shall consider such factors as whether the data containing sensitive personal information is usable by an unauthorized third party and whether the data is in the possession and control of an unauthorized third party who is likely to commit identity theft.

Methods of Notification
- Written notice
- Electronic notice
- Substitute notice
  - Cost of notice exceeds $250,000
  - The individuals to be notified exceed 500,000
  - You do not have sufficient contact information

Substitute Notice
- Notice by electronic mail when you have an address for affected individuals
- Conspicuous posting of such notice on your Internet website
- Notification to major State-wide media

Content of the Notice
- Name of the individual whose information was the subject of the breach of security
- The name of the “covered entity” that was the subject of the breach of security
- A description of the categories of sensitive personal information of the individual that were the subject of the breach of security
- The specific dates between the breach of security of the sensitive personal information of the individual and discovery
- The toll-free numbers necessary to contact:
  - Each entity that was the subject of the breach of security
  - Each nationwide credit reporting agency
  - The Federal Trade Commission

Timing of Notification
- Most expedient manner practicable, but not later than 45 days after the date on which the breach of security was discovered by the covered entity
- In a manner that is consistent with any measures necessary to determine the scope of the breach and restore the security and integrity of the data system
- There is a provision for law enforcement and homeland security related delays

Implications
- Application of state laws
  - Conflicting requirements
  - Potential for Federal preemption
- Congressional record may prove important
- Absence of case law
- Unfunded mandate