1 Copyright 2009. Jordan Lawrence. All rights reserved.
Annual In-House Symposium
Practical Steps to Minimize Privacy Risks: Understanding The Intersection Between Information Management and Privacy Law
May 21, 2009
Marty Provin, Executive Vice President, Jordan Lawrence, mprovin@jlgroup.com

2 Privacy Breaches Happen Every Day
- May 7th, 2009: Information on 3,400 individuals, from a benefits report, may have been pulled out of a dumpster.
- May 5th, 2009: Documents that included Social Security numbers, addresses, phone numbers and names were found in an unlocked public container sitting off a side street in an apartment complex.
- May 5th, 2009: Boxes found in a trash bin contained 75,000 voter registration application cards and 24,000 precinct cards. Many of the documents contained personal information on active voters, such as full names and Social Security numbers.
- April 29th, 2009: A spreadsheet with worker names and Social Security numbers was found on the Internet. The data was released to a so-called peer-to-peer network during a music transfer to an agency laptop.
- April 29th, 2009: A laptop computer containing the personal information of about 225,000 individuals was stolen from a home. The data included names, Social Security numbers, tax identification numbers, birth dates and addresses.
- March 24th, 2009: A hospital employee left patient records on a train; she was taking them with her to do billing work over the weekend.
- March 11th, 2009: A university kept information (including Social Security numbers and salary information for employees and students) dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open.
Source: Privacy Rights Clearinghouse

3 Current Standard Definition of Personally Identifiable Information
- A resident's first and last name, or first initial and last name, in combination with one or more of:
  - Social Security number
  - Driver's license or state-issued ID card number
  - Financial account number
  - Credit or debit card number
- Possibly medical or biometric information

4 Who & What
- Who privacy laws apply to
  - Determined by the residence of the individual in the particular state
  - Not by the location of the business or of the breach
- Always apply to electronic information
  - May apply to hardcopy as well
- Trigger of the notification period
  - Disclosure should be expedient and without unreasonable delay following discovery of the breach
  - "Timeliness" of the response will be scrutinized

5 After a Privacy Breach
- Safe harbor
  - Possible if the data was encrypted (and, generally, only if the encryption key was not also exposed)
  - Best practice is to notify regardless
  - Credit monitoring and assistance
- Penalties
  - Fines
  - Civil right of action

6 Cost of a Privacy Breach
- Hard dollar costs
  - $6.6 million average expense to an organization per breach
  - Cost of notifying victims
  - Maintaining information hotlines
  - Legal, investigative and administrative expenses
  - Credit monitoring
- Reputational harm
  - 31% of breach notice recipients terminated their relationship with the organization
  - 57% reported losing trust and confidence
Source: Ponemon Institute

7 Privacy Laws & Cross-Border Litigation
- EU privacy laws vs. the FRCP (Federal Rules of Civil Procedure)
- Blocking statutes restrict discovery of information meant for disclosure in a foreign jurisdiction
  - Switzerland, France and the United Kingdom
- EU Data Protection Authorities intend to limit U.S. discovery within the EU
- Doubtful that U.S. judges will be sympathetic

8 Why Companies Struggle
- Misguided "prevention" efforts
  - Less than 20% of breaches involve unauthorized network access
  - More than $5 billion spent on network security
- Failure to understand the most common risks
  - 73 of 125 data breaches reported in 2009 (1) have involved:
    - Lost or stolen laptops, computers or storage devices
    - Backup tapes lost by employees or a third-party vendor
    - Employees' handling of information
    - Dumpster diving
(1) Source: Privacy Rights Clearinghouse, as of May 20th, 2009

9 People and Policy
It's about policy awareness and policy compliance.
- 54% of business representatives don't think their company's privacy policy applies to email (1)
- 39% of business representatives report saving sensitive company data to personal computers and storage devices (1)
- One out of ten employees report having had a company computer or storage device lost or stolen in the last 12 months (2)
(1) Source: 2008 Jordan Lawrence Assessment Data
(2) Source: 2008 Data Leakage Worldwide: The Insider Threat and the Cost of Data Loss, by InsightExpress

10 Taking The First Step
Identify the necessary information:
- What personally identifiable data does the company have?
- Where do they have it?
- How is it managed?

11 How Do You Get This Information
- Business representatives understand:
  - The types of sensitive information they work with
  - What media it's in
  - Who they share it with
  - How they manage it
  - What they do with it at end of life
- Subject matter experts understand:
  - Encryption services deployed
  - Back-up processes
  - Disposal processes
  - Third parties that have access to sensitive information

12 What You Will Find
1,272 record type profiles with sensitive information

Types of sensitive data:
- Social Security Numbers
- Credit History Information
- Credit/Debit Account Information
- Employment Information
- Medical Information
- Name, Phone, Address

Location of data (record type profiles per business area):

  Business area     Location                        Count
  Human Resources   on laptop (no encryption)          29
  Human Resources   on flash drive                     11
  Human Resources   emailed outside organization       14
  Accounting        on laptop (no encryption)          18
  Accounting        on flash drive                     22
  Accounting        emailed outside organization       15
  Security          on laptop (no encryption)          10
  Security          paper (no shred bin)                9

Source: Client data from a Jordan Lawrence Assessment
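The inventory that slides 10 through 12 describe (what sensitive data exists, where it sits, whether that location is encrypted) can be started with a simple scanner. The following is an added example written for this page, not code from the presentation or from Jordan Lawrence's assessment tooling. It validates Social Security numbers against the SSA issuance rules and payment-card numbers with the Luhn check rather than matching bare digit patterns, and then tallies unencrypted hits per business area and storage location. The record profiles in RECORDS are constructed sample data; the field names (area, location, encrypted, sample) are this example's own assumptions.

```python
"""Sensitive-data inventory over constructed record profiles (added example)."""
import re
from collections import defaultdict

# Sample record profiles, constructed for this example (not client data).
# Each profile: business area, storage location, whether the location is
# encrypted, and a short text sample from the record.
RECORDS = [
    {"area": "Human Resources", "location": "laptop", "encrypted": False,
     "sample": "Payroll export: Jane Doe 123-45-6789 salary 52000"},
    {"area": "Human Resources", "location": "flash drive", "encrypted": False,
     "sample": "Benefits enrollment 987-65-4321 (test id)"},
    {"area": "Accounting", "location": "email (external)", "encrypted": False,
     "sample": "Refund to card 4111 1111 1111 1111 for invoice 4471"},
    {"area": "Accounting", "location": "flash drive", "encrypted": False,
     "sample": "Contractor W-9 on file: 234-56-7890"},
    {"area": "Accounting", "location": "laptop", "encrypted": True,
     "sample": "Vendor card 4111-1111-1111-1111"},
    {"area": "Accounting", "location": "email (external)", "encrypted": False,
     "sample": "Order ref 4111 1111 1111 1112"},
    {"area": "Security", "location": "paper", "encrypted": False,
     "sample": "Visitor log, badge 555-12-0000"},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area is not 000, 666 or 900-999; group is not 00;
    serial is not 0000. Anything else that merely looks like an SSN is noise."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers: double every second digit
    from the right, subtract 9 when that exceeds 9, and require sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> set:
    """Return the set of PII kinds ('ssn', 'card') found in one text sample."""
    found = set()
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            found.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card")
    return found


def inventory(records):
    """Tally records containing PII by business area and storage location.

    Only unencrypted locations are counted as exposures; PII found on an
    encrypted location is counted separately, since encryption is what the
    breach-notification safe harbor turns on.
    Returns ({area: {location: count}}, encrypted_hit_count).
    """
    exposures = defaultdict(lambda: defaultdict(int))
    encrypted_hits = 0
    for r in records:
        kinds = find_pii(r["sample"])
        if not kinds:
            continue
        if r["encrypted"]:
            encrypted_hits += 1
            continue
        exposures[r["area"]][r["location"]] += 1
    return {area: dict(locs) for area, locs in exposures.items()}, encrypted_hits


if __name__ == "__main__":
    exposures, encrypted_hits = inventory(RECORDS)
    for area, locs in exposures.items():
        for location, count in locs.items():
            print(f"{area:16} {location:18} {count}")
    print(f"PII on encrypted media (not counted as exposure): {encrypted_hits}")
```

Note that two of the constructed samples look like PII but are rejected by validation (an SSN with a 900-series area number and a 16-digit number that fails Luhn); a scanner without those checks would inflate the inventory and bury the real exposures in false positives.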

13 Putting Policy Into Practice
- Develop a policy including:
  - Definition of what is considered sensitive information
  - How to manage sensitive information
  - How to dispose of sensitive information
  - Annual acknowledgment
  - Consequences for not complying
- Train all employees
  - Conduct annual training
  - Make it part of the hiring process

14 Enforcing Policy
- Implement a process for safeguarding sensitive information
  - Information technology for technical safeguards
  - The business for managing and destroying hardcopy
- Audit
  - Formal audit process
  - Annual spot auditing of business areas
- Annually re-assess
  - Identify new risks as business processes change
  - Ensure compliance with new and changing laws
  - Cross-border litigation

15 Thank You
Marty Provin
636-821-2250
mprovin@jlgroup.com
