Privacy Breach Panel 11/16/2009

Presentation transcript:

Privacy Breach Panel 11/16/2009
- Brian T. Zickel, HQDA Privacy Office: Background & Process
- Chris Kaloudis, HQDA Privacy Office: Metrics and Template Walkthrough
- Jennifer Nikolaisen, National Guard: Major Breach Best Practices
- Anastasia Kakel, TRADOC: Remedial Action
- Richard Frank, Corps of Engineers: Notification
- Linda Genovese, Corps of Engineers: Reporting

Personally Identifiable Information (PII) Defined
Personally Identifiable Information (PII) is data that links, or can be combined with other PII elements to link, to an individual. PII can be used to distinguish or trace an individual's identity (OMB M-07-16).
PII can be stored in hard copy or in electronic form. The type of storage does not affect its status as PII or alter the reporting requirements.
Types of PII:
- Social Security Number, regardless of truncation
- Physical characteristics (race/ethnicity, biometrics, etc.)
- ID numbers (badge numbers, driver's license, etc.)
- Civilian information (dependent data, emergency contact information)
- Social/non-business data (religious affiliation, marital status)
Diagram: Truncated SSN + Name + Home Address + Ethnicity = FOUO; Name + SSN.
Brian T. Zickel 703-428-6791 brian.t.zickel@us.army.mil 11/16/2009

Reporting Loss or Suspected Breach of PII: Flow Chart
A breach occurs when an actual or possible loss of control, unauthorized disclosure, or unauthorized access occurs, regardless of whether the data was exposed internally or externally (OMB M-07-16).
Reporting chain for the discoverer of the PII breach:
- Your chain of command, immediately (cc: piireporting@us.army.mil)
- U.S. Computer Emergency Readiness Team (US-CERT), http://www.us-cert.gov, within 1 hour
- HQDA Privacy Office, https://www.rmda.army.mil/privacy/foia-incidentreport1.asp, within 24 hours
Follow-on actions:
- Remedial training
- Work with the local Privacy Office to determine notification procedures
- Internal/external investigation
- Notify affected individuals within 10 days
- Inform DAASA, the DoD Privacy Office, Public Affairs, and CIO/G-6

Tracking PII Incidents
Purposes:
- Keep leadership informed
- Track success of PII safeguarding training
- Identify breach trends
Chris Kaloudis 703-428-7499 chris.kaloudis@us.army.mil 11/16/2009

Laptop Incidents

Thumbdrive Incidents

Individuals Potentially Affected

DoD PII Reporting Template
DoD Component and organization involved:
- Component Name
- Organization
- POC: Title/Organization, Telephone, Email
6. Total number of individuals affected by the breach: # / Unknown
6a. Breakout by category: Government Civilians; Government Contractors; Military (Active); Military (Reserve); Military (Retired); Military (Dependent); Other/Unknown (please specify)

PII Breach Lessons Learned
- Establishment of call center procedures/script
- News release template and public website
- Leadership brief and daily SITREP templates
- Media inquiries/interview requests
- Privacy complaint handling procedures
- Internal announcements about the incident
- Contract review/accountability
- Process for non-deliverable notice letters
- Answering Congressional committee inquiries
Jennifer Nikolaisen 11/16/2009

What to Expect After a Major Breach
- Increased privacy focus from leadership
- Requests for privacy training for personnel
- DoD attention on PIA completion for systems
- Scrutiny and more review of the program
- Revision/development of procedures
- Possible increase in complaints/FOIA requests
- Credit monitoring requests from those impacted
- Planning/preparation to avoid another one!

Remediation
Remedial actions, if negligence or failure to follow established policy and procedures is found:
- Counseling, additional training, removal of authority to access information or systems, administrative and/or disciplinary actions
- Financial Liability Investigation of Property Loss (FLIPL) or statement of charges
- Criminal penalties (Privacy Act: guilty of a misdemeanor and fined up to $5,000)
Anastasia Kakel / DSN 680-2035 11/16/2009

TRADOC Case Study
- Soldier left a laptop unsecured in a car at a mall
- Failure to follow policy
- Investigation
- FLIPL: Soldier required to pay for replacement of the computer ($1,200.00)
- Counseling

Good to know
- Conduct spot checks of security and data-at-rest encryption
- Information Assurance Manager (NETCOM/TNOSC/DOIM): force protection and OPSEC review of information loss
- Scrutinize the collection of PII, in particular SSNs; ensure the DTM 07-015-USD(P&R) (DoD SSN Reduction Plan) "acceptable uses" apply

Good to know
- Sources of breach identification
- Data mining to verify PII is contained
- Update PII loss policy for common issues
- New system of records in APMS
- Follow records disposition schedules
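The two "Good to know" slides above recommend scrutinizing SSN collection and data mining to verify PII is contained, and the PII definition slide treats a truncated SSN as PII. The following scanner is an added example written for this page, not material from the panel or an Army tool. It finds full SSNs (3-2-4 structure, rejecting area 000, 666 and 900-999, group 00 and serial 0000, which the SSA never issues) and truncated last-four forms such as xxx-xx-1234, and reports hits with all but the last four digits masked so the scan log itself does not become a new PII store. The sample text is constructed, not real records.

```python
"""Scan text for full and truncated Social Security Number patterns.

Added example for the panel transcript; not the panel's or the Army's code.
Assumes plain-text input (an exported roster, e-mail body, share listing).
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str    # "ssn" or "truncated_ssn"
    value: str   # matched text exactly as it appears in the input
    line: int    # 1-based line number in the scanned text
    masked: str  # value with all but the last four digits replaced by X


# Full SSN: area-group-serial. Structural rules from SSA numbering: area is
# never 000, 666 or 900-999; group is never 00; serial is never 0000.
# The captured separator is reused via \1, so "123-45 6789" is rejected,
# and the lookarounds keep the match from starting or ending inside a
# longer digit run (a 10-digit phone number therefore does not match).
_FULL = re.compile(
    r"(?<![\w-])"                # not glued to a preceding token
    r"(?!000|666|9\d{2})\d{3}"   # area
    r"([- ]?)"                   # separator, captured for reuse
    r"(?!00)\d{2}"               # group
    r"\1"                        # same separator again
    r"(?!0000)\d{4}"             # serial
    r"(?![\w-])"                 # not followed by more token characters
)

# Truncated SSN: first five positions masked with x, X, * or #, last four
# digits visible. Still PII per OMB M-07-16, so it is reported as a hit.
_TRUNCATED = re.compile(
    r"(?<![\w-])[xX*#]{3}([- ]?)[xX*#]{2}\1(\d{4})(?![\w-])"
)


def mask(value: str) -> str:
    """Replace every digit except the final four with X, keeping separators."""
    total = sum(ch.isdigit() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "X")
        else:
            out.append(ch)
    return "".join(out)


def scan(text: str) -> list[Finding]:
    """Return every SSN-shaped token in text, line by line, in document order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _FULL.finditer(line):
            findings.append(Finding("ssn", m.group(0), lineno, mask(m.group(0))))
        for m in _TRUNCATED.finditer(line):
            findings.append(Finding("truncated_ssn", m.group(0), lineno, m.group(0)))
    return findings


# Constructed sample input; none of these are real records.
SAMPLE = """\
Roster export (constructed sample data, not real records)
Name: A. Example   SSN: 123-45-6789   Phone: 703-428-6791
Last four on file: xxx-xx-6789
Badge 0042, ZIP 22314-1000, order 987654321 is nine digits but starts with 9
Invalid area: 000-12-3456 and 666-12-3456 and 900-12-3456
Mixed separators 123-45 6789 should not match
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        # Log the masked form only; the scan output must not leak the SSN.
        print(f"line {f.line}: {f.kind} {f.masked}")
```

A hit is a candidate, not a confirmation: any nine contiguous digits that satisfy the structural rules (a ZIP+4 written without its hyphen, some account numbers) will be flagged, and an SSN split across a line break will be missed, so review the hits against the system of records before treating a file as PII-bearing or PII-free.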

External Notification
- Is breach notification required? Response Team assesses risk of harm (5 factors) and level of risk/impact
- Timeliness of notification: within 10 days of discovering the breach and identifying the individuals
- Source of notification: Component Head or Senior Official
- Contents of notification: what happened, type of data, whether it was protected, steps the individual should take, agency actions, agency contact (see DoD list)
- Means of providing notification: first-class mail, telephone, e-mail, generalized (substitute) notice
- Who receives notification: individuals, media, businesses
POC: Richard Frank, (202) 761-8557 11/16/2009

External Notification: Is Breach Notification Required?
Response Team assesses the risk of harm (5 factors):
- Nature of the data elements (type of data, in context)
- Number affected
- Whether the data is accessible and usable
- Likelihood the breach may lead to harm
- Ability to mitigate the risk of harm
Level of risk/impact; mitigating factors: protections in place, chilling effects, ongoing investigation, false alarm

US Army Corps of Engineers PII Incident Reporting Business Process Linda Genovese 11/16/2009