Presentation on theme: "Information Security Law Update"— Presentation transcript:

1 Information Security Law Update
2018 Dave Ries

3 PA AG v. Uber
Filed: March 5, 2018
Over 13,500 PA residents
Penalties up to $13.5 million

4 HHS (HIPAA) Fresenius Medical Care North America
Feb. 1, 2018
5 data breaches over 6 months
$3.5 million penalty

5 FTC v. Lenovo
Jan. 2, 2018
Pre-installed advertising software that compromised security

6 U.S. v. Laoutaris
Jan. 29, 2018
Criminal case
Former employee accessed and destroyed data

7 Information Governance

8 Defining Security Requirements
Legal requirements
Legal needs
Business needs

9 Legal Requirements
Federal statutes and regulations
State statutes and regulations
Contracts
Common law – “reasonable security”

10 What Is “Reasonable Security”?
It depends!

11 “Reasonable Security?”
Judge
Jury
Agency
20/20 Hindsight

12 “Reasonable” / “Appropriate”
Contracts
Legal / regulatory requirements
Standards / benchmarks / best practices

13 Standards and Frameworks
NIST Framework
ISO series standards: Information Security Management Systems
NIST Special Publication , Rev 4
+ numerous additional standards

14 NIST Cybersecurity Framework
Draft Version 1.1 – Jan. and Dec. 2017

15 Standards and Frameworks
Small Firms: NIST’s Small Business Information Security: The Fundamentals, NISTIR 7621 Rev. 1 (Nov. 3, 2016) (32 pages + appendices)
U.S.-CERT: resources for SMBs

16 “Top 20 Controls”
Center for Internet Security
CIS Controls for Effective Cyber Defense Version 6.1 = “specific and actionable ways to stop today’s most pervasive and dangerous cyber attacks.”
- “…updated by cyber experts based on actual attack data pulled from a variety of public and private threat sources.”

17 Security is a Team Effort!
Board
Executive Team
Managers
All employees
Customers
Service Providers & Contractors
Supply chain

18 Comprehensive Security Program
Assignment of responsibility for security, An inventory of information assets and data, A risk assessment, Appropriate administrative, technical and physical safeguards, Training, An incident response plan, A backup and disaster recovery plan, Management of third-party security risks, and Periodic review and updating.

19 Addressing Risks
Apply security controls to manage the risk.
Transfer the risk (e.g., through an insurance policy or contract).
Eliminate the risk (by stopping the activity or doing it in a different way).
Accept the risk.

20 Identify & Protect + Detect, Respond & Recover

21 CIS Top 5
Part of the CIS Controls for Effective Cyber Defense Version 6.1
Inventory of Authorized and Unauthorized devices.
Inventory of Authorized and Unauthorized software.
Secure configurations…
Continuous Vulnerability Assessment and Remediation.
Controlled Use of Administrative privileges.

22 Reasonable Security

24 NIST Framework

25 Laws Requiring Safeguards
Statutes
Regulations
Guidance
Federal + State

26 Laws Requiring Safeguards
Federal Information Security Management Act
Financial Industries Modernization Act (GLB)
Health Insurance Portability and Accountability Act (HIPAA)
Children’s Online Privacy Protection Act

27 Laws Requiring Safeguards
Fair Credit Reporting Act (FACTA)
Sarbanes-Oxley Act
Family Educational Rights and Privacy Act
Federal Trade Commission Act
State Laws

28 Feb. 26, 2018

30 Federal Breach Notice
HIPAA
Gramm-Leach-Bliley Rules
Veterans’ Information
Proposed Laws

31 State Laws
Data Breach Notice - 48 (all but AL and SD)
Credit Freeze
Reasonable Security
Encryption
Secure Disposal
SSN Protection
PCI Liability

32 State Breach Notice
Cal. Database Security Breach Notification Act
48 states
PA law 73 P.S. §
List of laws:
“Doing Business”

33 State Breach Notice
Information covered
Entities covered
Definition of “breach”
Who must be notified
Risk of harm
Time of notice
Form or method of notice
Exceptions
Safe Harbor Encryption

35 Contracting for Security
“Reasonable security”
Detailed requirements
Incorporate standards
Third-parties / supply chain
Contract

36 Federal Enforcement
Federal Trade Commission
Dept. of Health and Human Services
Federal Communications Commission
Securities and Exchange Commission
Banking Agencies
Financial Industry Regulatory Authority (independent regulator)
Commodity Futures Trading Commission
Consumer Financial Protection Bureau

37 Encryption
Mass. Law - M.G.L. c. 93H
HIPAA
G-L-B
FTC

38 FTC Enforcement
Violation of laws & regulations
Misrepresentations or false promises - “Deceptive trade practices”
“Unfair trade practices”

39 FTC Security Guides
June 2015
October 2016

41 Litigation
Complaint
Motion to Dismiss
Discovery
Motion for Summary Judgment
Trial
Appeal

42 Issues for Plaintiffs
Lack of standing
No compensable injury
No contract or disclaimers
Economic loss doctrine

43 Consumers
Attias v. CareFirst, D.C. Cir. (Aug. 1, 2017) (U.S. Supreme Court declined review)
Threat of future identity theft from data breach

44 Employees
Dittman v. UPMC, Pa. Super 8 (Jan. 12, 2017)
Pending before Pa. Supreme Court
(Class action by employees whose personal information, including social security numbers, was stolen from their employers’ computer systems. Complaint dismissed: negligence claim precluded by the Pennsylvania economic loss doctrine and no implied contract to protect data in absence of evidence of a meeting of the minds.)

46 Additional Cases

47 Questions
Dave Ries
