Traffic Crash Records and Emerging Security Issues Traffic Records Coordinating Committee (TRCC) Meeting September 7, 2006.

Presentation transcript:

Traffic Crash Records and Emerging Security Issues Traffic Records Coordinating Committee (TRCC) Meeting September 7, 2006

Summary of the Issue
- Recent improvements in the State's traffic records infrastructure and data accessibility raise numerous questions related to the privacy and security of personal information contained in crash reports/data
- The release of traffic crash data (with personal identifiers) raises issues of particular concern

Types of Access
- Crash data and image extracts
- Traffic Crash Reporting System (TCRS) web application
- Crash reports received directly from the source (i.e. law enforcement)

How Could the Data Be Used? (Courtesy of Sgt. Jeff Yonker, MSP-CID)
- Sold to third parties for commercial use/profit
- Identity theft
  - Providing false identity to law enforcement at time of an arrest
  - Producing counterfeit driver license or ID
  - Producing counterfeit checks
  - Affecting credit ratings or criminal history
- Other violations of personal privacy

- In May 2006: Theft of a laptop computer containing personal information on millions of veterans from an employee's apartment makes national news.
  - "VA hit with two class-action suits over data theft" (June 6, 2006)
  - "Report: VA not doing enough to protect data: GAO finds veterans' information still vulnerable" (June 14, 2006)

- July 2006: Laptop computer owned by the USDOT containing personal information on 133,000 pilots was stolen from a vehicle in Florida

- August 22, 2006: "Laptop theft puts 28,000 IDs at risk - Beaumont home patients caught in tech epidemic"

Impact on Traffic Safety
- Potential data security issues for crash reports on over 350,000 crashes each year
- Criminal and civil liability for state and local users who possess crash data that includes personal information
- Potential for adverse political/media fallout for your agency in the event of a security breach

Act 26 Overview
- HB 4377 introduced March 28, 1979 by Rep. Perry Bullard
- Public Act 26 of 1980 (Section )
- Purpose was to allow for crash research while ensuring that personal information is protected, and to establish penalties for unauthorized disclosure
- Amended the Michigan Vehicle Code to permit OHSP to authorize release of crash data/reports only for scientific/medical research/studies
  - Release of data/reports is not required
  - Information not admissible in court
  - Release of personal information to a third party prohibited, with criminal penalties attached

History of Security Breach Laws
- In 2003 CA passed what is considered the first "security breach" law
- Requires the reporting of any breach or suspected breach in security that results in the disclosure of personal information to unauthorized parties
- Personal information defined as name plus any one of a number of identifiers (DLN, SSN, or credit card/account/PIN number)

Security Breach State Laws
- To date, thirty-one states have enacted security breach laws (Michigan not included)
- Michigan had two bills introduced in 2005 (HB 4658 and SB 309)
- Both bills would require breach notification of any affected individuals within 5 days through written, electronic, or substitute notice ( , website posting, and news release)

Key Questions
- Does your agency receive or possess crash data with personal information/identifiers?
- How is the data stored in your agency? Is the data secure?
- How many people have access to the data? Who are they (i.e. employees, students, etc.)? Do you keep records of those who have access?
- How do you ensure that once they leave your agency, they no longer have access?
- Could others gain or be provided access without the knowledge of your agency?
- Could the data be provided to unauthorized users without the knowledge of your agency?
- Can you guarantee the security of the data and that it will not be lost, stolen, or shared with unauthorized parties or individuals?
- Does the data ever leave your facility on a laptop or in some other form?
- Are there agency policies in place that restrict the transportation of the data to another location?
- If it is transported, how is it transported?
- Do you have a data security policy in place?
- Do you have an Incident Response Plan in place in the event of a security breach?
- Have you had discussions internally with data security or legal counsel regarding data security, liability, and associated issues?
- Do you have adequate liability coverage for damages resulting from a breach of security involving personal information?
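Several of the questions above (do you keep records of who has access, how do you ensure departed people lose access, could others gain access without your knowledge) reduce to a periodic access review. The following is an added example, not part of the presentation, of such a review: it compares the agency's access roster against the accounts that actually exist on the system holding the data and against the current staff list, and flags grants that should be revoked or investigated. The roster layout, the account names, the 90-day idle threshold and the review date are all constructed for the example.

```python
from datetime import date

# Constructed sample data (not from the presentation): the roster an agency keeps
# of who was granted access to crash data, the accounts that actually exist on the
# system holding it, and the people currently employed.
ACCESS_ROSTER = [
    {"user": "alice", "role": "employee", "granted": "2005-01-10", "last_access": "2006-08-30"},
    {"user": "bob",   "role": "employee", "granted": "2004-06-01", "last_access": "2006-07-12"},
    {"user": "carol", "role": "student",  "granted": "2006-05-15", "last_access": None},
    {"user": "dave",  "role": "employee", "granted": "2003-02-20", "last_access": "2006-04-01"},
]
SYSTEM_ACCOUNTS = {"alice", "bob", "carol", "dave", "svc_export"}
CURRENT_STAFF = {"alice", "carol", "dave"}   # bob has left the agency
IDLE_DAYS = 90                                # constructed threshold
REVIEW_DATE = date(2006, 9, 7)                # date of the review run


def review_access(roster, system_accounts, current_staff, today, idle_days=IDLE_DAYS):
    """Return (user, finding) pairs for every access grant that needs action.

    departed_but_active: person left the agency but the grant was never revoked
    never_used:          granted access that has never been exercised
    idle:                no access in more than idle_days
    unrecorded_access:   account exists on the system but is missing from the roster
    """
    findings = []
    recorded = set()
    for entry in roster:
        user = entry["user"]
        recorded.add(user)
        if user not in current_staff:
            findings.append((user, "departed_but_active"))
            continue
        last = entry.get("last_access")
        if last is None:
            findings.append((user, "never_used"))
        elif (today - date.fromisoformat(last)).days > idle_days:
            findings.append((user, "idle"))
    # Accounts the agency does not know about are the "access without your
    # knowledge" case from the slide; sorted so the report is deterministic.
    for account in sorted(system_accounts - recorded):
        findings.append((account, "unrecorded_access"))
    return findings


def sample_review():
    """Run the review over the constructed sample data."""
    return review_access(ACCESS_ROSTER, SYSTEM_ACCOUNTS, CURRENT_STAFF, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user:12} {finding}")
```

The roster is the agency's own record of who is authorized; the system account list is the ground truth of who can actually read the data. Disagreement between the two is the finding that matters most, because it means access exists that the agency never approved or never revoked.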

Agencies Need to Consider
- That sharing personal information obtained through Act 26 with unauthorized third parties is illegal and subject to criminal prosecution
- That the risks associated with possessing unencrypted personal information, even for legitimate uses, are significant
- How a data breach would impact your agency
  - Public confidence
  - Credibility
  - Criminal or civil liability
  - Economic impact

Process for Release of Crash Data
- Data and image extracts
  - Continue to be processed under Act 26 by OHSP
  - Data fields of concern have been identified
  - New Agency Agreement form is in development
  - Release of personal information (i.e. name, address, DLN, DOB) will be more restrictive in the future
- TCRS access
  - System security issues
  - Creation of a TCRS that is "sanitized" of personal information
  - Use of TCRS limited to research under Act 26 approvals
  - Authorizing agency transition from OHSP to CJIC

Data Fields of Concern
- Form ID Fields: ORI, Case Number, Serial Number
- CMV Fields: Carrier Name; Carrier Street, City, Zip; ICCMC Number; USDOT Number; MPSC Number
- Involved Party Fields: Party City, State, Zip
- EMS Fields: Ambulance, Hospital
- Vehicle Info Fields: VIN Number, Plate Number
- Personal Info Fields: DLN, Name, Street Address, DOB
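The "sanitized" TCRS mentioned on the previous slide and the field list above together describe a release filter. The following is an added example, not code from the presentation or from the TCRS, of how such a filter can be built so that it fails safe: instead of deleting the fields of concern from whatever the source system produces, it copies only an allow-list of research fields, replaces the case number with a keyed pseudonym so researchers can still join the rows of one crash, generalizes date of birth to an age band, and re-checks the output for any field of concern before release. The column names, the research allow-list, the HMAC pseudonym and the age-band generalization are this example's own design choices, and the sample rows are constructed.

```python
import hmac
import hashlib
from datetime import date

# "Data Fields of Concern" from the slide, grouped as the slide groups them.
# Column names are constructed for this example; the real TCRS layout is not on the page.
FIELDS_OF_CONCERN = {
    "form_id": {"ori", "case_number", "serial_number"},
    "cmv": {"carrier_name", "carrier_street", "carrier_city", "carrier_zip",
            "iccmc_number", "usdot_number", "mpsc_number"},
    "involved_party": {"party_city", "party_state", "party_zip"},
    "ems": {"ambulance", "hospital"},
    "vehicle_info": {"vin", "plate_number"},
    "personal_info": {"dln", "name", "street_address", "dob"},
}
ALL_CONCERN = set().union(*FIELDS_OF_CONCERN.values())

# Allow-list of fields an Act 26 research release may carry unchanged (constructed).
# Anything not listed here or derived below is dropped, so a column added to the
# source system later is withheld until someone classifies it.
RESEARCH_FIELDS = {"crash_date", "county", "weather", "road_condition", "injury_severity"}

# Per-release secret held by the authorizing agency (constructed placeholder value).
RELEASE_KEY = b"example-release-key-rotate-per-release"


def case_token(case_number: str, key: bytes) -> str:
    """Keyed pseudonym for the case number: lets researchers join the vehicle and
    party rows of one crash without learning the real number. Stable for one key,
    so the agency rotates the key per release to prevent linking across releases."""
    return hmac.new(key, case_number.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: str, crash_date: str) -> str:
    """Replace a date of birth with a ten-year age band at the time of the crash."""
    b, c = date.fromisoformat(dob), date.fromisoformat(crash_date)
    age = c.year - b.year - ((c.month, c.day) < (b.month, b.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def sanitize_record(record: dict, key: bytes) -> dict:
    """Copy only approved fields, then add the derived (non-identifying) ones."""
    clean = {k: v for k, v in record.items() if k in RESEARCH_FIELDS}
    if "case_number" in record:
        clean["case_token"] = case_token(str(record["case_number"]), key)
    if "dob" in record and "crash_date" in record:
        clean["age_band"] = age_band(record["dob"], record["crash_date"])
    return clean


def leaked_fields(record: dict) -> list:
    """Post-sanitization check: any field of concern still present blocks the release."""
    return sorted(k for k in record if k in ALL_CONCERN)


def unexpected_fields(record: dict) -> list:
    """Source columns neither approved for research nor on the concern list; they
    need classifying before a release rather than silently passing through."""
    return sorted(k for k in record if k not in RESEARCH_FIELDS and k not in ALL_CONCERN)


def sanitize_release(records: list, key: bytes) -> list:
    out = []
    for r in records:
        clean = sanitize_record(r, key)
        if leaked_fields(clean):
            raise ValueError(f"field of concern survived sanitization: {leaked_fields(clean)}")
        out.append(clean)
    return out


# Constructed sample rows: two parties in one crash, plus a second crash whose
# row carries a column ("officer_badge") that nobody has classified yet.
SAMPLE_RECORDS = [
    {"case_number": "06-123456", "ori": "MI0000000", "serial_number": "S001",
     "crash_date": "2006-08-15", "county": "Ingham", "weather": "clear", "injury_severity": "B",
     "name": "Jane Example", "dln": "X000000000000", "dob": "1970-03-20",
     "street_address": "1 Example St", "vin": "1EXAMPLE000000000", "plate_number": "ABC1234",
     "party_city": "Lansing", "party_state": "MI", "party_zip": "48933", "hospital": "Example General"},
    {"case_number": "06-123456", "ori": "MI0000000", "serial_number": "S002",
     "crash_date": "2006-08-15", "county": "Ingham", "road_condition": "dry",
     "name": "John Example", "dln": "X000000000001", "dob": "1988-12-01"},
    {"case_number": "06-654321", "crash_date": "2006-09-01", "county": "Kent",
     "weather": "rain", "officer_badge": "B-100"},
]


def sample_release() -> list:
    return sanitize_release(SAMPLE_RECORDS, RELEASE_KEY)


if __name__ == "__main__":
    for row in sample_release():
        print(row)
    print("unclassified columns:", [unexpected_fields(r) for r in SAMPLE_RECORDS])
```

The allow-list is the important choice: a deny-list built from the slide's field list protects only the columns someone thought of, whereas an allow-list means a new source column is withheld by default. The `leaked_fields` check is redundant with the allow-list by construction, which is the point; it catches a future edit to `RESEARCH_FIELDS` that accidentally approves a field of concern.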

Recommended Action
- Have respect for other people's personal information
- Be sensitive to emerging security issues
- Determine whether your agency possesses personal information from crash data reports and take steps to mitigate risk
- Adhere to all provisions under Act 26
- Consult with your security/legal advisors
- Take prudent and responsible action to protect the security of the data, and to protect yourself and your agency from criminal and civil liability

Recommended Action
- Be aware of ongoing changes at the state and national level in response to increased privacy concerns and threats to security
- Anticipate how these changes may impact your agency

- Access to crash data is critical to making advances in improving highway traffic safety
- State and local agencies with planning/research responsibilities need access to crash data
- The challenge, and our collective responsibility, is meeting the needs of traffic safety researchers and planners while still preserving the security of personal information and maintaining individual privacy

Questions/Discussion