HOW TO RESPOND TO A DATA BREACH: ITS NOT JUST ABOUT HIPAA ANYMORE The Fourteenth National HIPAA Summit March 29, 2007 Renee H. Martin, JD, RN, MSN Tsoules,

Slides:



Advertisements
Similar presentations
Secure IT 2005 Panel Discussion Felecia Vlahos, SDSU Sally Brainerd, UCSD Brooke Banks, CSU Chico.
Advertisements

Consumer Protection Laws Dino Tsibouris (614)
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA Regulations What do you need to know?.
HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.
© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.
Health Insurance Portability & Accountability Act (HIPAA)
PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.
Responding to a Data Security Breach
Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011.
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.
Data Classification & Privacy Inventory Workshop
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
IT Security Challenges In Higher Education Steve Schuster Cornell University.
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
Milada R. Goturi Tonya M. Oliver Thompson Coburn LLP 1.
Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.
2015 ANNUAL TRAINING By: Denise Goff
Confidentiality, Consents and Disclosure Recent Legal Changes and Current Issues Presented by Pam Beach, Attorney at Law.
Enterprise data (decentralized control, data security and privacy) Incident Response: State and Federal Law Rodney Petersen Security Task Force Coordinator.
LAW SEMINARS INTERNATIONAL CLOUD COMPUTING: LAW, RISKS AND OPPORTUNITIES Developing Effective Strategies for Compliance With the HITECH Act and HIPAA’s.
Privacy and Security Laws for Health Care Organizations Presented by Robert J. Scott Scott & Scott, LLP
Arkansas State Law Which Governs Sensitive Information…… Part 3B
Florida Information Protection Act of 2014 (FIPA).
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
© Copyright 2011, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers. ® CISO Executive Network Executive Breakfast.
A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH May 19, 2011 | State College, PA Matthew H. Meade Stephanie Winer-Schreiber.
HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.
Addressing Unauthorized Release of Personal Information at UC Davis August 12, 2003.
Configuring Electronic Health Records Privacy and Security in the US Lecture c This material (Comp11_Unit7c) was developed by Oregon Health & Science University.
HealthBridge is one of the nation’s largest and most successful health information exchange organizations. Tri-State REC: Privacy and Security Issues for.
Copyright ©2014 by Saunders, an imprint of Elsevier Inc. All rights reserved 1 Chapter 02 Compliance, Privacy, Fraud, and Abuse in Insurance Billing Insurance.
Davis Wright Tremaine LLP Responding to Your Worst Security Breach Nightmare: When Patient Information Is Stolen Rebecca L. Williams, R.N., J.D. Partner.
© Copyright 2010 Hemenway & Barnes LLP H&B
HITECH and HIPAA Presented by Rhonda Anderson, RHIA Anderson Health Information Systems, Inc
Managing your Institution-Specific HIPAA Compliance Policies and Procedures Cutting Edge Issues Thursday, December 13, 2007.
HOW TO RESPOND TO A DATA BREACH: IT’S NOT JUST ABOUT HIPAA ANYMORE The Thirteenth National HIPAA Summit  September 26, 2006 Renee H. Martin, JD, RN, MSN.
We’ve Had A Breach – Now What? Garfunkel Wild, P.C. 411 Hackensack Avenue 6 th Floor Hackensack, New Jersey Broadway Albany,
Top 10 Series Changes to HIPAA Devon Bernard AOPA Reimbursement Services Coordinator.
Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.
Dino Tsibouris & Mehmet Munur Privacy and Information Security Laws and Updates.
CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215)
AND CE-Prof, Inc. January 28, 2011 The Greater Chicago Dental Academy 1 Copyright CE-Prof, Inc
Status of identity and privacy related AZ Legislative bills April 20, 2006 Mike Keeling ATIC, Chair.
Data Breach ALICAP, the District Insurance Provider, is Now Offering Data Breach Coverage as Part of Our Blanket Coverage Package 1.
PHI Breach PHI Breach Dealing Breach With HIPAA Guidelines Guidelines.
Protection of CONSUMER information
Florida Information Protection Act of 2014 (FIPA)
PENNSYLVANIA BAR ASSOCIATION PROFESSIONAL LIABILITY COMMITTEE
What Business Owners Need to Know About Data Privacy
Florida Information Protection Act of 2014 (FIPA)
Red Flags Rule An Introduction County College of Morris
Alabama Data Breach Notification Act: What 911 Districts Need to Know
Alabama Data Breach Notification Act: What County Governments Need to Know Morgan Arrington, General Counsel Association of County Commissions of Alabama.
Clemson University Red Flags Rule Training
National HIPAA Audioconferences
Cyber Security: What the Head & Board Need to Know
Colorado “Protections For Consumer Data Privacy” Law
Presentation transcript:

HOW TO RESPOND TO A DATA BREACH: ITS NOT JUST ABOUT HIPAA ANYMORE The Fourteenth National HIPAA Summit March 29, 2007 Renee H. Martin, JD, RN, MSN Tsoules, Sweeney, Martin & Orr, LLC 29 Dowlin Forge Road Exton, PA

Copyright © Tsoules, Sweeney, Martin & Orr, LLC2 Data Breaches 2006 – Total Number of Reported Data Breach Incidents Involved unprecedented disclosures of information security 100,453,730 total number of personal information potentially compromised

Copyright © Tsoules, Sweeney, Martin & Orr, LLC3 Data Breaches AARP Study – Analyzed 16 months of data breaches maintained by the Identity Theft Resource Center Breaches result of illegal or fraudulent attacks by hackers and careless practices Half of the breaches occurred at institutions of higher education – healthcare second Hackers most frequent cause of a breach Stolen computers the second most frequent cause of breaches

Copyright © Tsoules, Sweeney, Martin & Orr, LLC4 Data Breaches Real Repercussions Loss of customer (patient) loyalty Federal regulatory penalties/obligations State regulatory penalties/obligations Class action suits Tort claims Contractual damages/business loss

Copyright © Tsoules, Sweeney, Martin & Orr, LLC5 Federal Information Security Law HIPAA Computer Fraud & Abuse Law Electronic Communications Privacy Act

Copyright © Tsoules, Sweeney, Martin & Orr, LLC6 Federal Information Security Law USA Patriot Act Gramm – Leach Bliley FTC Act Sarbanes - Oxley

Copyright © Tsoules, Sweeney, Martin & Orr, LLC7 Federal Information Security Law No Federal data breach legislation – several bills proposed

Copyright © Tsoules, Sweeney, Martin & Orr, LLC8 Federal Information Security Law HIPAA and Data Breach Notification Covered entity: has duty to mitigate impermissible uses and disclosures has duty to account for impermissible uses and disclosures. Covered entity may use and disclose PHI with business associate; business associate must report to covered entity any breach of which it becomes aware No express requirement for business associate to notify others or to mitigate effect of breach

Copyright © Tsoules, Sweeney, Martin & Orr, LLC9 Federal Information Security Law HIPAA preemption and state law State law more protective State law not contrary

Copyright © Tsoules, Sweeney, Martin & Orr, LLC10 State Data Breach Notification 35 states have enacted - California led the way and is model/benchmark Seven states have pending legislation (AL, AZ, IL, MA, MI, MN, NJ, SC, WY)

Copyright © Tsoules, Sweeney, Martin & Orr, LLC11 California Data Breach Notification Targets entities not covered by GLBA, HIPAA or other similar Federal privacy laws

Copyright © Tsoules, Sweeney, Martin & Orr, LLC12 California Data Breach Notification Requires person, business or state agency that owns or licenses computerized data that includes personal information about California residents to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure

Copyright © Tsoules, Sweeney, Martin & Orr, LLC13 California Data Breach Notification Application Any person, business or state agency that does business in CA and owns or licenses computerized data that contains personal information (PI). Implications for entities which possess but do not own PI

Copyright © Tsoules, Sweeney, Martin & Orr, LLC14 California Data Breach Notification Personal Information. An individuals first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: SSN; Drivers license number of CA ID card number; or Account number, credit or debit card number, in combination with any required security code, access code, or password (e.g., a PIN) that would permit access to an individuals financial account.

Copyright © Tsoules, Sweeney, Martin & Orr, LLC15 California Data Breach Notification Security Breach Definition. An unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by the person, business, or state agency. Notification Obligation. Disclose any breach of the security of the system following discovery or notification of breach in the security of the data to any resident of CA whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.

Copyright © Tsoules, Sweeney, Martin & Orr, LLC16 California Data Breach Notification Third Party Data Notification. If any entity maintains computerized data that includes PI that the entity does not own, the entity must notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person. Timing of Notification. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Copyright © Tsoules, Sweeney, Martin & Orr, LLC17 California Data Breach Notification Notice Provisions. Notice of breaches may be provided by one of the following methods: Written notice (form not specified). Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 et seq. (E-Sign). (Continued)

Copyright © Tsoules, Sweeney, Martin & Orr, LLC18 California Data Breach Notification Substitute notice, if the entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the entity does not have sufficient contact information. Substitute notice shall consist of all of the following: – notice when the entity has an address for the subject persons. – Conspicuous posting of the notice on the entitys Web site page, if the entity maintains one. – Notification to major statewide media. (Continued)

Copyright © Tsoules, Sweeney, Martin & Orr, LLC19 California Data Breach Notification Exception: Own Notification Policy. Any entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute shall be deemed in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies in the event of a security breach.

Copyright © Tsoules, Sweeney, Martin & Orr, LLC20 California Data Breach Notification The California Office of Privacy Protection Recommendations for Notice: A general description of what happened The type of personal information involved: SSN, drivers license or state ID card number, bank account number, credit card number, or other financial account number. What you have done to protect the individuals personal information from further unauthorized acquisition. (Continued)

Copyright © Tsoules, Sweeney, Martin & Orr, LLC21 California Data Breach Notification The California Office of Privacy Protection Recommendations for Notice: What your organization will do to assist individuals, including providing your toll-free contact telephone number for more information and assistance. Information on what individuals can do to protect themselves from identity theft, including contact information for the three credit reporting agencies. Contact information for the California Office of Privacy Protection and/or the Federal Trade Commission for additional information on protection against identity theft.

Copyright © Tsoules, Sweeney, Martin & Orr, LLC22 California Data Breach Notification Penalties Civil Action Civil Penalties Cumulative remedies

Copyright © Tsoules, Sweeney, Martin & Orr, LLC23 Data Breach Most businesses have not addressed adequately how to respond. What usually happens? Circle Wagons Finger Pointing Uncertainty After the breach, too late!

Copyright © Tsoules, Sweeney, Martin & Orr, LLC24 Data Breach What Should Happen? An Investigation The scope and nature of the breach The cause of the breach An Assessment of Potential Coverage of Specific State Statutes An Evaluation of Contractual Obligations Coordination of Possible Governmental and Media Concerns Liability Evaluation

Copyright © Tsoules, Sweeney, Martin & Orr, LLC25 The Investigative Phase What Happened? How did it happen? Who was involved? Precision and Specificity is Critical!!! Notification and remediation rely on your ability to say with certainty what happened Formal or informal statements from witnesses may be necessary How much time do you have to complete the investigation?

Copyright © Tsoules, Sweeney, Martin & Orr, LLC26 Assessment of Specific State Statutes Is statute electronic or broader in coverage? What data accessed? Was system accessed? Was data misappropriated or could it be misappropriated? Does it fit within reasonable expectation of harm as defined in state statute? Affirmative or negative tests on a state-by-state basis –critical issue

Copyright © Tsoules, Sweeney, Martin & Orr, LLC27 Assessment of Contractual Requirements What do your contracts say? Are you a business associate or covered entity? Are you a third party? Regardless of HIPAA, state law or contractual obligations, who should make notification?

Copyright © Tsoules, Sweeney, Martin & Orr, LLC28 Notice and Consumer Assistance What is the Scope of the Notice to be provided? Must Notice be delayed while law enforcement officials investigate? What is statutory time frame for transmitting Notice? Will credit monitoring be offered? Who pays? Will accounts be monitored? Who pays? Do you have telephone line or contact person established? Are scripts and customer relations staff adequate?

Copyright © Tsoules, Sweeney, Martin & Orr, LLC29 Possible Government and Media Involvement There may be an affirmative duty to notify civil or criminal agencies or officials Notice to state consumer privacy agency or consumer protection agency and state attorney generals office

Copyright © Tsoules, Sweeney, Martin & Orr, LLC30 Possible Government and Media Involvement The Media will go on a feeding frenzy The buzz word is Identity Theft Leaking or misstatement of breach situation common Significant reputation risk Inclination by companies to downplay status

Copyright © Tsoules, Sweeney, Martin & Orr, LLC31 Liability Evaluation – Legal Risk Probability of Lawsuits Good corporate citizen approach may not work – but necessary Specific statutory damages Administrative costs Alternative notice procedures may be available under state law Is this an insurable loss? Utilize attorney/client privilege to conduct investigation Manage your s!!!!

Copyright © Tsoules, Sweeney, Martin & Orr, LLC32 Contract Negotiations Implementation of security breach response plan Indemnification Damages and liability limitations – cap damages Termination Who pays for notification process?

Copyright © Tsoules, Sweeney, Martin & Orr, LLC33 Questions? Questions?? Are There Any Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.