Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.


Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security & Privacy Team November 5, 2015

2 The Reality
Data and systems security and the related privacy issues are critical operational considerations for every organization that:
- Handles sensitive personal and financial information, including customer and employee information
- Uses computer networks to process sensitive information
Threats to this data come from every angle:
- Negligent employees
- Disgruntled employees or former employees
- Hackers
- Organized crime
- Unethical competitors
- Terrorist or other rogue organizations
Most experts say it is a matter of "when," not "if," you will face a data breach event.

3 Key Laws & Regulations
Laws and regulations exist or are pending in all 50 states: generally data breach notification laws.
Federal laws such as Gramm-Leach-Bliley, HIPAA and the HITECH Act, and state rules such as the Massachusetts data security regulations (201 CMR 17.00), require protective steps.
These laws generally cover electronic and paper records containing a name plus one of the following:
- Social Security number
- Driver's license or state ID number
- Account numbers and passwords
- Health information
- Financial information
- Credit card information
- Other sensitive personally identifiable information
Overarching goal: protect individuals (primarily) and organizations against identity theft, financial fraud and other related harms.
There is no uniform federal data breach statute, so each state has its own requirements covering its citizens.

4 Key Laws & Regulations (cont.)
Presidential Executive Order of Feb. 12, 2013 (EO 13636, "Improving Critical Infrastructure Cybersecurity"): covers recommendations for cyber security measures for critical infrastructure systems.
In the data protection space, Massachusetts law imposes the most stringent state-level requirements for proactive data protection.
PCI standards: payment card security standards, developed by the card industry rather than by legislation.
European Union Data Privacy Directive: the U.S.-EU "Safe Harbor" framework was invalidated by the Court of Justice of the European Union in October 2015 (the Schrems decision).
Laws and regulations provide a wide range of fines, penalties and civil liability.
Officers and directors of public companies, and of companies in certain regulated industries (healthcare, financial, etc.), could face personal liability for failure to employ mitigation tactics.

5 Fundamental Data Protection Requirements
HIPAA/HITECH and the Massachusetts data security regulations require active efforts to protect subject information by:
- Technical means (encryption, passwords, firewalls, etc.)
- Physical security (locked doors, swipe cards, storage cabinets, etc.)
- Administrative procedures (written policies for data handling and storage, incident response procedures)
- Training and education, on an ongoing basis
Case law is also developing around negligence and what counts as "reasonable actions."
Ongoing process review is needed to maintain the protections, including an annual review of policies and actions.

6 Risk Mitigation Tactics
Operational/administrative actions:
- Up-to-date technology (encryption, passwords, biometrics, etc.)
- Technical intrusion testing, external and internal
- Written information security policy: an assessment of risks and protocols for addressing them (required by the Massachusetts regulations and by HIPAA)
- Regular training of employees
Contractual protections:
- Contracts with third parties and with your own personnel
- Insurance, your own and your vendors'
- Representations and warranties from payment and data processors
- Beware the unknowns of "cloud computing": understand the risks and responsibilities and be very precise in contracts for such services

7 Risk Mitigation Tactics (cont.)
Insurance coverage:
- Insurance coverage is more widely available and cost-effective than before
- The key is to work with a broker who understands the space, then review coverage, exclusions and limits closely
- Policy coverage varies significantly among carriers
Key coverage:
- Data loss
- Business interruption
- Breach notification, PR, credit monitoring
- Employee privacy
- Defense costs

Questions & Answers