Presentation is loading. Please wait.

Presentation is loading. Please wait.

1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty.

Similar presentations


Presentation on theme: "1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty."— Presentation transcript:

1 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty Provin Executive Vice President Jordan Lawrence mprovin@jlgroup.com

2 2Copyright 2009. Jordan Lawrence. All rights reserved. Privacy Breaches Happen Everyday March 24, 2009  Hospital employee left patients records on an train she was taking with her to do billing work over the weekend. March 18 th, 2009  Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed without being encrypted by q pharmacy benefit provider. March 18 th, 2009  1,300 university students and faculty members personal information was on a laptop stolen from a professor traveling in Italy. March 11 th, 2009  University kept information (including Social Security numbers and salary information for employees of students), dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. February 2, 2009  Medical records were disposed of in a dumpster behind the office. February 2, 2009  Hundreds of folders containing names, addresses, Social Security numbers and credit card information were found in a dumpster. Source : Privacy Rights Clearinghouse

3 3Copyright 2009. Jordan Lawrence. All rights reserved. After a Privacy Breach Safe Harbor  Possible if data was encrypted  Best Practice is to notify regardless  Credit monitoring and assistance Penalties  Fines  Civil right of action

4 4Copyright 2009. Jordan Lawrence. All rights reserved. Cost of a Privacy Breach Hard Dollar Costs  $6.6 m average expense to an organization Cost of notifying victims Maintaining information hotlines Legal, investigative, and administrative expenses Credit monitoring Reputational Harm  31% of breach notice recipients terminate their business  57% reported losing trust and confidence Source: Ponemon Institute

5 5Copyright 2009. Jordan Lawrence. All rights reserved. Why Companies Struggle Misguided “prevention” efforts  Less then 20% of breaches involve unauthorized network access  More then $5 billion spent on network security Fail to understand the most common risks  53 of 81 data breaches reported 1 in 2009 have involved Lost or stolen laptops, computers or storage devices Backup tapes lost by employees or third-party vendor Employees’ handling of information Dumpster diving 1 Source : Privacy Rights Clearinghouse as of March 24 th, 2009

6 6Copyright 2009. Jordan Lawrence. All rights reserved. People and Policy Its about policy awareness and policy compliance 54% of business representatives don’t think their companies privacy policy applies to email 1 39% of business representatives report saving sensitive 1 company data to personal computer and storage devices One out of ten employees report having had a company computer or storage device lost or stolen in last 12 months 2 1 Source: 2008 Jordan Lawrence Assessment Data 2 Source :2008 Data Leakage Worldwide : The Insider Threat and the Cost of Data Loss by insightexpress

7 7Copyright 2009. Jordan Lawrence. All rights reserved. Taking The First Step Identify the necessary information What personally identifiable data does the company have Where do they have it How is it managed

8 8Copyright 2009. Jordan Lawrence. All rights reserved. How Do You Get This Information Business Representatives understand  The types of sensitive information they work with  What media its in  Who they share it with  How they manage it  What they do with it at end of life Subject Matter Experts understand  Encryption services deployed  Back-up processes  Disposal processes  Third party’s that have access to sensitive information

9 9Copyright 2009. Jordan Lawrence. All rights reserved. What You Will Find 1,272 record type profiles with sensitive information Type of Sensitive Data Human Resources 29 :: on laptop (no encryption) 11 :: on flash drive 14 :: emailed outside organization Accounting 18 :: on laptop (no encryption) 22 :: on flash drive 15 :: emailed outside organization Security 10 :: on laptop (no encryption) 9 :: paper (no shred bin) Location of Data Social Security Numbers Credit History Information Credit/Debit Account Information Employment Information Medical Information Name, Phone, Address Source : Client data from a Jordan Lawrence Assessment

10 10Copyright 2009. Jordan Lawrence. All rights reserved. Putting Policy Into Practice Develop a policy including  Definition of what is considered sensitive information  How to manage sensitive information  How to dispose of sensitive information  Annual acknowledgment  Consequences for not complying Train all employees  Conduct annual training  Make it part of the hiring process

11 11Copyright 2009. Jordan Lawrence. All rights reserved. Enforcing Policy Implement process for safeguarding sensitive information  Information technology for technical safeguards  The business for managing and destroying hardcopy Audit  Formal audit process  Annual spot auditing of business areas Annually re-assess  Identify new risks as business processes change  Ensure compliance with “New” and changing laws  Cross border litigation

12 12Copyright 2009. Jordan Lawrence. All rights reserved. Thank You Marty Provin 636-821-2250 mprovin@jlgroup.com


Download ppt "1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty."

Similar presentations


Ads by Google