Managing the Privacy Function at a Large Company Kimberly S. Gray, Esq., CIPP Chief Privacy Officer Highmark Inc.

Slides:

Advertisements

Similar presentations

Freshfields Bruckhaus Deringer LLP Global investigations What to advise your board Marius Berenbrok Edward Braham Matthew Herman Melissa Thomas 29 February.

Advertisements

Copyright © 2009, IMRE, LLC SETTING SOCIAL MEDIA POLICY Novemeber 5, 2009.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Fraud Auditing Chapter 11.

©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder Fraud Auditing Chapter 11.

Developing a Records & Information Retention & Disposition Program:

Information Systems Security Officer

© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.

Corporate Ethics Compliance *

The Role of Risk Management and Assurance in Effective Organizational Governance Urton Anderson The University of Texas at Austin.

Building a Compliance Risk Monitoring Program HCCA Compliance Institute New OrleansApril 19, 2005 Lois Dehls Cornell, Esq. Assistant Vice President, Deputy.

National Association of College and University Attorneys 1 November 11, 2009 NACUA Fall 2009 Workshop November 2009.

Internal Auditing and Outsourcing

Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM or

Session No. 3 ICAO Safety Management Standards ICAO SMS Framework

1.  The views expressed are those of the speaker and do not necessarily reflect the views of the Federal Reserve Board of Governors, or the Federal Reserve.

INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.

© 2010 Dorsey & Whitney LLP Social Media Friday, September 17, 2010 The Committee on Finance & Information Technology (CFIT)

The Institutionalization of Business Ethics

Company Confidential How to implement privacy and security requirements in practice? Tobias Bräutigam, OTT Senior Legal Counsel, Nokia 8 October

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

ADB Project TA 3696-PAK, Regulation for Corporate Governance 1 REGULATION FOR CORPORATE GOVERNANCE IN PAKISTAN CAPITAL MARKETS.

Developing and Implementing an Effective Compliance Program Mary Sacilotto,BA,CHC Chief Compliance Officer Alliance, Inc.

Compliance and Ethics Training Overview

Developing an Effective Ethics Program

Establishing A Compliance Program: It Makes Sense

© 2013 Cengage Learning. All Rights Reserved. 1 Part Four: Implementing Business Ethics in a Global Economy Chapter 9: Managing and Controlling Ethics.

Implementing and Auditing Ethics Programs

ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:

The Third Annual Medical Device Regulatory, Reimbursement and Compliance Congress How to establish a Compliance Program that will Minimize the Impact of.

INCIDENT RESPONSE IMPLEMENTATION David Basham University of Advancing Technology Professor: Robert Chubbuck NTS435.

Department of Human Services

1.Summary of Needs Analysis 2.Summary of Action Plan 3.Systems Analysis between Microsoft SharePoint® and OpenText Content Server 4.System Recommendation.

Balance Between Audit/Compliance and Risk Management- Best Practices FIRMA 21 st National Training Conference Julia Fredricks, U.S. Chief Compliance Officer.

Conducting Clinical Risk Assessments And Implementing Compliance Practices Jane L. Stratton Chiron Corporation VP/Associate General Counsel Chief Compliance.

Journey Towards Implementing Enterprise Risk Management at Federal Student Aid Cynthia Vitters | Director Department of Education – Federal Student Aid.

Jeff Miller Tamra Pawloski IT Procurement Summit headline news…

Victor Kourenkov ICAO EUR/NAT Regional Officer Almaty, 5 to 9 September 2005 LEGISLATION AND ORGANISATION CONSIDERATIONS.

International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.

Information Security IBK3IBV01 College 3 Paul J. Cornelisse.

Chief Compliance Officer

Sandler & Travis Trade Advisory Services, Inc. Reducing Risk Through Internal Training: Measurement tools to assess training success WESCCON October 16,

Vector INTERNAL CONTROL Mike Trigg. vector WHAT IS INTERNAL CONTROL? A key part of effective corporate governance Policies and processes to: - make operations.

Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo.

1 Compliance vs. the Law Department: How to Work Together Michael Dusseau Senior Director, Compliance North America Schering-Plough David Ralston, Esq.

The Privacy Symposium August 22, 2007 ©2007. Goodwin Procter LLP The Ethics and Responsibilities of a Privacy Professional.

1 Building a Compliance Program in a Small Cap Company The Seventh Annual Pharmaceutical Compliance and Best Practices Forum November 9, 2006 Colleen CravenJanice.

Compliance at the Crossroads: How can the Compliance Profession Move to the Second Generation? A Practical Approach to Integrating Compliance, Risk and.

Valiants Verify Compliance Program Judith W. Spain, J.D., CCEP ® Chief Ethics and Compliance Officer General Counsel (Effective March 2016) 1.

Copyright © Houghton Mifflin Company. All rights reserved.8-1 Chapter 8 Developing an Effective Ethics Program.

Security – 2015’s Biggest Threat to Client Confidentiality A Panel Discussion Joseph Abrenio, VP of Cyber Advisory Services & General Counsel Delta Risk.

HOW TO AVOID COMMON DATA BREACH PITFALLS IAPP Privacy Academy 2014.

©2005 Prentice Hall Business Publishing, Auditing and Assurance Services 10/e, Arens/Elder/Beasley Fraud Auditing Chapter 11.

Data Breach ALICAP, the District Insurance Provider, is Now Offering Data Breach Coverage as Part of Our Blanket Coverage Package 1.

MGMT 452 Corporate Social Responsibility

The Institutionalization of Business Ethics

Microsoft 365 Get help with regulatory compliance

Auditing Cloud Services

LSGL ANTI-CORRUPTION COMPLIANCE CONTROL IN COMPANY

General Counsel and Chief Privacy Officer

Privacy Project Framework & Structure

Chapter 8 Developing an Effective Ethics Program

Tips on Privacy Audits and Assessments Insurance Consumer Affairs Exchange October 2, 2005 Kirk Herath, CPO & Associate General Counsel, Nationwide Insurance.

Michael J. Bridwell John F. Kuckelman

Managing Privacy Risk in Your Commercial Practices

Kenya Mann Faulkner Chief Ethics & Compliance Officer April 2019

Internal Audit’s Role in Preventing Fraud and Corruption

Anatomy of a Common Cyber Attack

Management commitment and responsibility Safety accountability of managers Appointment of key safety personnel SMS Implementation Plan Coordination.

Presentation transcript:

Managing the Privacy Function at a Large Company Kimberly S. Gray, Esq., CIPP Chief Privacy Officer Highmark Inc.

Privacy Program Organizational structure Staffing Policy and procedure development and implementation Interdepartmental collaboration External collaboration Subsidiaries/affiliates Privacy breach investigations and incident response Culture

Organizational Structure Centralized Model –Accountability and oversight known to all –Management hierarchy allows issues to be resolved quickly –Better able to match strategic direction with corporate mission and value statement Decentralized Model –Everyone accountable for his/her own actions –Compliance more embedded in minds of individuals and more part of overall corporate culture

Staffing Chief Privacy Officer –Management level (executive, senior management recommended) –Visible –Attorney? –Information security accountability? Subject matter experts –Legal compliance –Information security –Customer service –Sales, marketing? –Other? Operational staffing –Ability to communicate well with others –Ability to lead projects –Some subject matter expertise

Policy & Procedure Development and Implementation Legislative review and comment Identification of regulatory obligations and risk management posture Consumer attitude survey review Provide analysis and requirements to affected business units Oversight of business unit compliance or direct project oversight Executive steering committee? Training and communication of new policy/procedure/process (multi-channel) to all or to management (train the trainer) Compliance monitoring, assessment, enforcement

Interdepartmental Collaboration Legal Other compliance departments Internal audit Customer-focused business units Physical security and safety Information security Sales and marketing Public relations, media relations Informatics and reporting Information systems Government/regulatory affairs eCommerce Human resources/employee relations Risk management

External collaboration Federal and state government and regulatory bodies Customers Media Vendors Outside counsel Business partners Data protection authorities (global) Law enforcement Professional organizations

Subsidiaries and Affiliates Reporting relationships Oversight and accountability Ownership and status designation Committees Differing business needs Differing regulatory requirements Global versus domestic

Privacy Breach Investigations and Incident Response Fact gathering, interviews, forensics Corrective action plan Mitigation of damages Employee discipline Security incident per state or federal law? Notifications Post-incident reporting to management (Compliance Committee) Privacy incident response team –Privacy Officer –Information Security Officer –Safety and Security Officer –Legal –Corporate communications, media relations –Affected party –Affected business unit

Culture Legal compliance requirements Risk management posture Consumer attitude considerations Ethics (“doing the right thing”) Treating the confidential information as if it were your own