Dino Tsibouris and Mehmet Munur, (614) 360-1160: Information Security: Changes in the Law, Cost, and Complexity of Responding to Breaches & Electronic Discovery: Litigation Holds and More


Information Security: Changes in the Law, Cost, and Complexity of Responding to Breaches & Electronic Discovery: Litigation Holds and More
Dino Tsibouris and Mehmet Munur, (614) 360-1160

Information Security Trends for 2010
- Increased federal and state regulation of information security
- Increased enforcement
- Increased costs to resolve a breach
- Increased compliance complexity

Information Security Overview
- HITECH Act
- Enforcement actions under HITECH
- Revisions to state law on data security
- Enforcement actions regarding financial data security

HITECH Act Amends HIPAA
- New breach notification rules
- New penalties
- Increased minimum security requirements
- State Attorney General enforcement
- Business Associates must comply directly

HITECH Act Amends HIPAA
- A Covered Entity must notify affected individuals of a breach of unsecured protected health information without unreasonable delay, and no later than 60 days after discovery
- Breaches affecting fewer than 500 individuals: report to HHS in an annual log
- Breaches affecting 500 or more individuals: notify HHS at the same time as the individuals (and prominent media outlets in the affected state or jurisdiction)
- Vendors of personal health records and related entities that are not HIPAA Covered Entities notify the FTC instead, under the FTC's parallel Health Breach Notification Rule

HITECH Act Business Associate Requirements
- Must comply directly with the Security Rule's administrative, physical, and technical safeguards
- Must develop written policies and procedures
- Must designate a security official
- Subject to direct enforcement and penalties

HITECH Act Business Associate Requirements
- If your Covered Entity materially violates the Business Associate Agreement and you know it, you, the Business Associate, are also violating HIPAA
- You must take reasonable steps to cure the violation; if that fails, terminate the agreement or, where termination is not feasible, report to HHS
- Existing Business Associate Agreements must be amended to reflect the new obligations

HITECH Act Business Associate Requirements
- If the Business Associate discovers a breach, it must notify the Covered Entity
- The Covered Entity then notifies the affected individuals and HHS

HITECH Act Penalties (per violation, with annual caps for identical violations)
- Tier A: did not know (inadvertent): $100 per violation, up to $25,000 per year
- Tier B: reasonable cause, not willful neglect: $1,000 per violation, up to $100,000 per year
- Tier C: willful neglect, corrected within 30 days: $10,000 per violation, up to $250,000 per year
- Tier D: willful neglect, not corrected: $50,000 per violation, up to $1.5 million per year

Connecticut Health Net Enforcement
- Connecticut Attorney General brings the first state Attorney General action under the HIPAA enforcement authority HITECH granted to the states
- An unencrypted portable disk drive is lost
- Involves the privacy of about 446,000 Connecticut enrollees
- Health information, Social Security numbers, and bank account numbers
- Health Net failed to notify affected individuals on time

Connecticut Health Net Enforcement
Health Net failed to:
- Ensure the confidentiality and integrity of electronic protected health information
- Implement technical policies and procedures for its electronic information systems
- Implement policies and procedures governing the receipt and removal of hardware and electronic media
- Implement policies and procedures to prevent, detect, contain, and correct security violations
- Identify and respond to suspected or known security incidents, and mitigate, to the extent practicable, their harmful effects
- Effectively train all members of its workforce

Connecticut Griffin Hospital Investigation
- Hospital terminates a radiologist and revokes his access to its computer systems
- Patients then call the hospital with complaints
- An audit reveals that the suspect access came from a single terminal
- The ex-radiologist had used the usernames and passwords of other radiology employees for about a month
- He accessed roughly 1,000 patient records
- He solicited those patients for services at another hospital
- Takeaway: disabling the departing employee's own account is not enough when colleagues' shared credentials remain valid and record access is not monitored

Employee Snooping
- A UCLA cardiothoracic surgeon accesses the system 323 times in 3 weeks
- Snoops on celebrity medical records
- Sentenced to 4 months in prison
- Similar incident in 2008: UCLA reveals that 165 employees improperly viewed patient files over 13 years
- 15 employees fired for viewing the octuplet mother's records

Massachusetts Data Security Regulations (201 CMR 17.00)
- Create an affirmative duty to protect personal information
- Apply to the personal information of Massachusetts residents, regardless of where the business is located
- Required sophistication of safeguards scales with the size, scope, and resources of the business and the sensitivity of the data
- Require encryption of personal information transmitted over public networks or wirelessly, and of personal information stored on laptops and other portable devices
- Effective date March 1, 2010

State Laws and PCI-DSS
- Minnesota, Washington, Nevada
- Require encryption when electronically transmitting personal data
- Require or incorporate compliance with PCI-DSS (Minnesota's Plastic Card Security Act instead bars retaining magnetic stripe, security code, and PIN data after authorization)
- Non-compliance may result in liability to card-issuing banks for their breach costs
- Some include safe harbors for businesses that were PCI-DSS compliant or encrypted the data

Heartland Payment Systems Breach
- Sixth-largest payment processor
- Involved 330 financial institutions
- Heartland had been validated as PCI-DSS compliant at the time of the breach
- Entry through a SQL injection attack
- Exposed card numbers, expiration dates, and stored magnetic stripe data
- Roughly 130 million card numbers lost

Heartland Payment Systems Breach
- Removed from Visa's CISP list of validated service providers
- Reported $105 million in breach-related expenses:
  - $90 million to Visa, MasterCard, and issuing banks
  - $3.5 million to American Express
- Settled the cardholder class action for $2.4 million
- Stockholder class action in New Jersey dismissed

Countrywide Breach
- Countrywide Financial Corporation
- Former employee downloaded customer data and sold it
- Downloads ran every week for two years
- 19,000 individuals notified of the breach
- Class action settles for over $10 million

Dave & Buster's FTC Enforcement
- Dave & Buster's loses about 130,000 credit and debit card numbers
- Failed to take sufficient measures to protect credit card information on its network
- Failed to limit access by third parties
- Settles with the FTC

Dave & Buster's FTC Enforcement
Consent agreement requires D&B to:
- Designate an employee responsible for the security program
- Conduct a risk assessment
- Develop a comprehensive security program and safeguards
- Develop criteria for selecting third parties that will have access to the information
- Obtain biennial third-party audits for 10 years

Preparing for the Inevitable
- Update Business Associate Agreements
- Update privacy and security policies
- Update IT systems for proper access control and security
- Update security incident policies and procedures
- Update or create breach notification procedures

Electronic Discovery
- Overview of electronic discovery
- Sanctions
- Requirements for compliance
- Zubulake revisited
- Case examples

Electronic Discovery: Basics
- Electronically stored information (ESI) is potentially discoverable
- Proportionality test: the burden and cost of producing ESI are weighed against its likely benefit
- The obligation to preserve attaches when litigation is pending or reasonably anticipated
- The primary source for production should be active data, not backup media
- Costs are usually borne by the producing party

Electronic Discovery: Sanctions usually require
- A clear duty to preserve
- A culpable failure to preserve and produce relevant ESI
- A reasonable probability of material prejudice due to the loss of the ESI

E-Discovery Sanctions
- Monetary sanctions: shifting or awarding discovery costs, fines
- Adverse inference instruction, or inability to use an affirmative defense
- Terminating sanctions or default judgment

Electronic Discovery: Compliance requires
- Record retention policies and procedures
- Litigation hold procedures
- IT policies, procedures, and systems for:
  - Preservation and collection
  - Search
  - Production
  - Destruction

Zubulake Revisited (Judge Scheindlin's 2010 Pension Committee decision)
Once the duty to preserve has attached, the following failures constitute gross negligence:
- Failure to issue a written litigation hold
- Failure to identify all of the key players and to ensure that their electronic and paper records are preserved
- Failure to cease the deletion of, or to preserve, the records of former employees that are in a party's possession, custody, or control
- Failure to preserve backup tapes when they are the sole source of relevant information or when they relate to key players, if the relevant information maintained by those players is not obtainable from readily accessible sources

Pinstripe Inc. v. Manpower Inc.
- Defendant failed to distribute its litigation hold notice
- Possibly relevant e-mails were destroyed
- 700 e-mails were recovered from their recipients
- Significant cost to the defendant, plus $30,000 to an outside vendor
- Court finds no intentional conduct
- Court awards sanctions of $2,500

Southeastern Mechanical Services v. Brody
- Plaintiff SMS alleges spoliation of deleted laptop and BlackBerry data
- Defendants argue that the laptop e-mails were also stored on the server
- The BlackBerry devices were wiped
- The BlackBerry devices contained data other than e-mail
- They also contained data that existed before the devices were synchronized with the server

Southeastern Mechanical Services v. Brody
- Court finds bad faith in the deletion of the BlackBerry data
- The absence of e-mail, text messages, and telephone records was suspicious
- Court finds the individual employees, not the corporations, culpable
- Court issues an adverse inference instruction

Starbucks v. ADT
- Starbucks seeks archived e-mails
- ADT argues that the e-mails are not reasonably accessible
- The archived e-mails are stored on a Plasmon optical disc system
- ADT puts production costs at $834,000, an estimate the court finds exaggerated
- Starbucks obtains two estimates, at $17,000 and $26,000

Starbucks v. ADT
- Court orders an immediate plan to copy the archived discs to an appropriate searchable storage medium
- Court orders the production of the relevant e-mails
- Court orders the parties to confer and agree on fees

Conclusion
- Proper record retention policies
- Identify all key people and documents
- Preserve all relevant ESI
- IT policies, procedures, and systems
- Proper and searchable archive technology
- Written litigation holds

Questions & Answers
Dino Tsibouris and Mehmet Munur, (614) 360-1160