Data Security Laws and the Rising Cybersecurity Debate


Data Security Laws and the Rising Cybersecurity Debate
Corey M. Dennis, Governo Law Firm LLC
Ellen M. Giblin, Ashcroft Law Firm
February 7, 2013

Overview
State Data Security Laws
Payment Card Industry Data Security Standard
Federal Data Security Laws
The Cybersecurity Debate

State Data Security Laws
Data Breach Notification Laws
Enacted in 46 states, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Guam
Require notification of a data security breach to consumers “in the most expedient time possible” or “without unreasonable delay”

State Data Security Laws (compliance heat map)
Source: Imation Corp. (http://www.imation.com/en-US/Mobile-Security/Mobile-Security-Products/Secure-Data/-Resources-/Compliance-Heat-Map)

State Data Security Laws
Data Security Standards
Enacted in a minority of states (e.g., MA, CT, RI, CA, OR, MD, NV)
Mandate data security standards to safeguard state residents’ personal information
Typically require “reasonable security measures”
MA data privacy regulations (201 CMR 17.00 et seq.) are among the most burdensome and far-reaching

Payment Card Industry Data Security Standard
Established by credit card companies (VISA, Mastercard, American Express, Discover)
Contractually requires merchants to safeguard cardholder data
Sets forth extensive information security requirements, including:
build and maintain a secure network
protect cardholder data (e.g., through encryption)
regularly monitor and test networks
maintain a written information security policy
train employees on compliance with data security policies
maintain an incident response plan
monitor service providers

Federal Data Security Laws
Fair Credit Reporting Act (“FCRA”)—imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies
Gramm-Leach-Bliley Act (“GLBA”)—mandates data security requirements for “financial institutions” (broadly defined to include banks, mortgage companies, insurance companies, financial advisors, investment firms, etc.)
Children’s Online Privacy Protection Act (“COPPA”)—requires covered website operators to maintain reasonable procedures to protect the personal information of children

Federal Data Security Laws
Health Insurance Portability and Accountability Act (“HIPAA”)—requires health care providers to maintain security standards for protected health information
Health Information Technology for Economic and Clinical Health (HITECH) Act—strengthens penalties for HIPAA violations and extends HIPAA violation liability to “business associates” to whom protected health information is disclosed
FTC’s Red Flags Rule—requires financial institutions and creditors holding consumer accounts to maintain a written identity theft prevention program

FTC’s Authority Over Data Security
Section 5 of the FTC Act (15 U.S.C. § 45) bars “unfair or deceptive acts or practices in or affecting commerce”
Scope of FTC’s authority over data security unresolved
FTC v. Wyndham Worldwide Corporation—FTC’s authority to enforce data security standards

Recent Proposed Legislation
Data Security and Breach Notification Act of 2012—would require companies to maintain “reasonable” security measures to protect personal information and would establish a uniform breach notification law
Cybersecurity Act of 2012—would create “cybersecurity performance requirements” and voluntary cyber threat information sharing standards among private sector companies operating critical infrastructure (e.g., energy, water, transportation)

Recent Proposed Legislation
Cyber Intelligence Sharing and Protection Act and the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT)—would promote voluntary sharing of cyber threat information between private companies and the government
Personal Data Privacy and Security Act of 2011—would establish a uniform breach notification law and require businesses handling sensitive personal information of more than 10,000 individuals in the course of interstate commerce to maintain a comprehensive data privacy and security program
Data Security Act of 2011—would require businesses to maintain “reasonable policies and procedures” to protect the confidentiality and security of sensitive personal information that they maintain or communicate

Cybersecurity Executive Order
White House prepared draft Executive Order in Sept. 2012 (revised Nov. 2012)
Creates information sharing mechanisms between private industry and government
Federal agencies must develop voluntary cybersecurity guidelines for critical infrastructure (e.g., energy, water, transportation)

Cybersecurity Executive Order

Senator Rockefeller Letter
Source: U.S. Senate Committee on Commerce, Science, and Transportation (http://commerce.senate.gov/public/index.cfm?p=PressReleases&ContentRecord_id=18db690c-c237-4358-9097-3d53f4762cc0&ContentType_id=77eb43da-aa94-497d-a73f-5c951ff72372&Group_id=4b968841-f3e8-49da-a529-7b18e32fd69d&MonthDisplay=9&YearDisplay=2012).

Senator Rockefeller Letter
Has your company adopted a set of best practices to address its own cybersecurity needs?
If so, how were these cybersecurity practices developed? Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.
When were these cybersecurity practices developed? How frequently have they been updated?
Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
What are your concerns, if any, with the federal government conducting risk assessments in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

The Cybersecurity Debate
Cybersecurity debate has intensified in recent months
Cybersecurity is a “top legislative priority” in 2013
Should further federal data security legislation regulating the nation’s critical infrastructure be enacted?
Should federal legislation be enacted establishing general data security requirements across all industries? What should those requirements be?

The Cybersecurity Debate
Proponents
The “threat is real and must be stopped” (Senator Joseph Lieberman)
The “cyber threat to our nation is one of the most serious economic and national security challenges we face” (President Obama)
We are facing a potential “cyber Pearl Harbor” (Secretary of Defense Leon Panetta)
Opponents
More regulation is not the answer
Complying with new legislation and Executive Order would be costly and burdensome
Executive Order wrongly circumvents Congress

Questions
Corey M. Dennis (cdennis@governo.com)
Ellen M. Giblin (egiblin@ashcroftlawfirm.com)