Responding to a Data Security Breach

Responding to a Data Security Breach Presented By: Gerald J. Ferguson gferguson@bakerlaw.com Twitter: @JerryFergusonNY

A Simplified View of a Data Breach
Theft, loss, or unauthorized disclosure of personally identifiable non-public information or third-party corporate information that is in the care, custody or control of the insured organization, or of a third party for whom the insured organization is legally liable.
Stages:
- Discovery of a data breach
- Evaluation of the data breach
- Managing the short-term crisis
- Handling the long-term consequences
Consequences:
- Forensic investigation and legal review
- Notification and credit monitoring
- Class-action lawsuits
- Regulatory fines, penalties, and consumer redress
- Public relations
- Reputational damage
- Income loss

What is a Data Breach?
Actual release or disclosure of information to an unauthorized individual/entity that relates to a person and that:
- May cause the person inconvenience or harm (financial/reputational): names, home addresses, email addresses, usernames, passwords, family-member information, etc.
- May cause inconvenience or harm to your patients, employees or business partners (financial/reputational):
  - Information that relates to patients (see above)
  - Information that relates to current/former employees and applicants
  - Information relating to internal matters (business plans, employment disputes, union negotiations)
Paper or electronic.

Commonalities of Breaches
- Lost laptop or device
- Administrative error
- External attack involving hacking and malware
- Vulnerability created by a third-party vendor
- Not detected for months
- Breached entity learns of the breach from a third party
- Initial exploit relatively simple and avoidable

Compliance Complexity
- PCI-DSS
- HIPAA / HITECH
- State privacy laws
- International data protection (e.g. EU, Canada)
- FTC
- GLBA
- State breach notification laws
- FERPA
- Industry self-regulation

State Laws
- 46 states, D.C., and U.S. territories
- Laws vary between jurisdictions
- Varying levels of enforcement by state attorneys general
- Limited precedent

What is a Data Breach? (That may trigger state notification laws)
Unauthorized access to and acquisition of specific types of information associated with a named individual:
- SSN
- Driver's license number
- Credit card number
- Bank account information

State Law Differences: PII
- Employee ID numbers (North Dakota)
- User name and password (California)
- Other numbers or information that would permit access to financial resources (multiple states)
- Health information (multiple states)

State Law Differences (Triggers)
- Acquisition or access
- Electronic only or paper
- Risk of harm analysis
- Encryption safe harbor

Other State Law Differences
- Notification of AG or agency
- Timing of notice: 45-day rule; de facto 30-day rule
- Early notice to AG or regulator
- Law enforcement delay
- Private right of action
- Text of notice

Massachusetts Law
- Written information security program
- Encryption requirements
- Chief Privacy Officer
- Employee training
- Business associate obligations

FERPA
- The intent of the Act is to protect the rights of students and to ensure the privacy and accuracy of education records.
- The Act applies to all institutions that are recipients of federal aid administered by the Secretary of Education.
- No requirement to notify if education records are stolen or subject to unauthorized release; however, a record should be maintained for each disclosure (34 CFR 99.32(a)(1)).
- Students who are or have been "in attendance" at the institution, in person or by paper correspondence, video conference, satellite, internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom, regardless of their age or status in regard to parental dependency, are protected by FERPA.
- Students who have applied to but have not "attended" an institution, and deceased students, are not protected by FERPA.

FERPA
- An "education record" is any record that is: directly related to a student; and maintained by an educational agency or institution, or by a party acting for the agency or institution.
- Notification may be necessary for postsecondary institutions under the FTC's Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information ("Safeguards Rule") in 16 CFR part 314, as related to financial aid records.
- Direct student notification may be advisable if the compromised data includes student SSNs and other identifying information that could lead to identity theft.

HIPAA / HITECH ("Acquisition", "Access", "Use" trigger with risk of harm)
HIPAA Privacy Regulations (45 CFR Part 164): Breach by a Covered Entity
- Applies to: a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a covered transaction.
- Information covered: unsecured protected health information, i.e. individually identifiable health information that is transmitted or maintained in electronic media or any other form or media.
- Definition of breach: the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, which compromises the security or privacy of the PHI.
- Who must be notified: the patient or their personal representative; HHS; and the media if more than 500 residents of a state or jurisdiction are affected.
- Notification timeframe: without unreasonable delay and in no case later than sixty (60) calendar days after the breach is discovered.
- Preemption: preempts contrary state law, except where the state law is more stringent.

Definition of Breach in Final Rule
- An acquisition, access, use, or disclosure of protected health information in a manner not permitted . . . is presumed to be a breach.
- Unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment.
- "Compromise" is not defined.

Definition of Breach in Final Rule: Risk Assessment
Documented, and based on at least four factors:
- The nature and extent of the PHI.
- The unauthorized person involved.
- Whether the PHI was actually acquired or viewed.
- The extent to which any risk has been mitigated.

HIPAA/HITECH Notification Contents
- Covered entities must provide this individual notice in written form by first-class mail, or alternatively by e-mail if the affected individual has agreed to receive such notices electronically.
- If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, it must provide substitute individual notice either by posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside.
- If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, it may provide substitute notice by an alternative form of written, telephone, or other means.
- These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.
- Individual notifications must include, to the extent possible: a description of the breach; a description of the types of information that were involved; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity.
- Additionally, substitute notice provided via web posting or major print or broadcast media must include a toll-free number for individuals to contact the covered entity to determine whether their protected health information was involved in the breach.

PCI DSS
- A contractual framework
- Industry self-regulators: card brands, acquirers, merchants, processors
- A data security standard

Mandiant M-Trends 2013 Security Threat Report

PCI DSS Breaches: Obligations after a PCI Breach
- Rapid notification to card companies
- PCI forensic examination
- Fines and penalties

Costs of Breach Response
- Forensic investigators
- Legal expenses
- Mailing notifications to individuals
- Call centers
- Credit monitoring and other compensation
- Crisis management

Costs After the Breach Notice
- Regulatory inquiries and enforcement actions
- Customer questions and demands
- Lost profits
- Lawsuits

Decisions, Decisions, Decisions
- Is it a breach?
- Do you involve law enforcement?
- Do you hire a forensics company?
- Do you retain counsel?
- Do you involve regulatory agencies?
- Is crisis management necessary?
- Do you offer credit monitoring?
- Do you get relief from a "law enforcement" delay?

Questions? gferguson@bakerlaw.com 212-589-4230 Twitter: @JerryFergusonNY