Dino Tsibouris & Mehmet Munur Privacy and Information Security Laws and Updates.

Presentation transcript:

Dino Tsibouris (614) Privacy and Information Security Laws and Updates Mehmet Munur (614)

Outline
1. Themes and Trends
2. Federal and State Enforcement Actions
3. Federal and State Data Breach Developments
4. Planning Ahead and Contract Negotiations
5. International Data Privacy

Themes and Trends

The Legal Response
– Proposed federal legislation
– Expanding state legislation
– Federal and state level enforcement
– Civil liability

Closer Look at Wyndham
– 3 data breaches at hotels in less than 2 years.
– Privacy and security representations made.
– FTC alleges that Wyndham failed to:
  – Use complex IDs and passwords,
  – Use firewalls and network segmentation,
  – Patch systems, and
  – Follow incident response procedures.
– Compromised 500K credit cards.

Typical FTC §5 Enforcement Action
– Designate an employee responsible for the privacy or security program.
– Conduct risk assessment and employee training.
– Test and monitor the risks identified.
– Implement and maintain protections.
– Evaluate and adjust the program.
– Biennial third-party assessments.
– In effect for 20 years.

Zappos MA AG Enforcement
– Zappos agreed to pay $106K
– Unauthorized access to:
  – Names, addresses, phone numbers,
  – Last 4 digits of credit card numbers, and
  – Login credentials of customers.

Zappos MA AG Enforcement
Settlement requires:
– Maintenance of and compliance with information security policies,
– Providing the AG with information,
– Demonstrating compliance with PCI-DSS for two years,
– Third-party audit, providing a copy to the MA AG, and addressing deficiencies, and
– Annual training.

SHA1 MD5

A Push for Federal Data Breach Legislation
Personal Data Notification & Protection Act
– Proposed by President Obama at the State of the Union Address on January 20, 2015
– Pre-empts state laws
– Must notify in 30 days
– No private right of action
– FTC enforcement

Personal Data Notification & Protection Act Triggers
– First and last name, or first initial and last name, along with any two of:
  – Home address or phone number
  – Mother’s maiden name
  – Full birth date
– SSN, DL, passport, alien registration number
– Biometric data
– Unique account ID (user name, routing code)

Personal Data Notification & Protection Act Triggers
– Any combination of the following three elements:
  – First and last name / first initial and last name
  – Unique account ID
  – Any security code, or source code that could generate a security code or password

Personal Data Notification & Protection Act
– Risk of harm analysis
– Must send notice 30 days after discovery
– Individual notice ( acceptable with consent)
– Notice to media
– Notice to Federal law enforcement
– Notice to credit reporting agencies

A Push for State Law and Regulation
– Timing and content of breach notice
– Definition of personal data
  – /password information
  – Non-HIPAA health data
– Requirements to inform media/regulators

Contracting
Security and Privacy
– Incident or Breach Notification Obligations and Costs
– Industry Certifications and Vulnerability Scans
– Audits by Customer or Regulator
– International Data Flows

Contracting
1.2 Your Account. … we and our affiliates are not responsible for unauthorized access to your account.

Contracting
3.2. Protection of Your Data. We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data, as described in the Documentation.

Security Breaches
– Plan ahead
– Identify response team
– Identify vendors and contacts
– PR aspects
– Test
– Insure

Security Breaches
Federal and state laws govern unauthorized access to personal information:
– Gramm-Leach-Bliley (CFPB, SEC, NCUA, OCC, FDIC, FTC)
– HIPAA/HITECH Breach Notification Rule (HHS)
– Health Breach Notification Rule (FTC)
– State laws vary, apply to companies outside the state, require the vendor to notify the data owner, and may give consumers a private right of action to sue

Security Breaches
– Must get access to cloud provider information
– Access to vendor staff
– Must understand vendor data structure and security
– Identify data involved
– Identify degree of protection
– Identify if there was a reportable incident

Security Breaches
– Remediation
– Notification: individuals, regulators, media
– Litigation

International Data Privacy

General Data Protection Regulation
– EU member states in final stages of negotiations
– Expected in the next year or so
– Includes data breach notification obligation
– Fines as high as 2% of annual turnover

Dino Tsibouris (614) Questions & Answers Mehmet Munur (614)