Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy and Data Breach Issues Kirk Herath, VP, Chief Privacy Officer, Nationwide & Dino Tsibouris, Founding Principal, Tsibouris & Associates.

Published byCora Bates Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy and Data Breach Issues Kirk Herath, VP, Chief Privacy Officer, Nationwide & Dino Tsibouris, Founding Principal, Tsibouris & Associates."— Presentation transcript:

1 Privacy and Data Breach Issues Kirk Herath, VP, Chief Privacy Officer, Nationwide & Dino Tsibouris, Founding Principal, Tsibouris & Associates

2 “Big Data” What is Big Data? 1. Exponential Growth in Data Generation Web Tracking Techniques Internet-Enabled Mobile Devices 2. Innovations in Data Use Increase in Computing Capability Falling Cost of Data Storage Advances in Statistical Analysis Risks?

3 GLBA and State Law Progeny Data Lakes – Data accumulates from a variety of sources Customers, Consumers, Affiliates, and 3 rd Parties Data Governance & Preference Management – Data accuracy, completeness, and security – Is data “fit for a particular purpose?” Record Retention – Is the data “expired?” Opt-Out Preferences or a Failure to Opt-In?

4 TCPA Collecting Phone Numbers – Notice and Consent? – Use Limitations? July 10, 2015 FCC Declaratory Ruling and Order – Key: Definition of an Auto Dialer

5 Using “Big Data” to Gauge Risk Traditional Consumer Reporting Agencies v. ZestFinancial – FICO = 10-15 Variables to Derive a Risk Score – ZestFinancial = 1,000+ Variables to Derive a Risk Score Is this better? What are the risks? – Regulator Uncertainty and Scrutiny – Consumer Protection Considerations

6 FCRA Consumer Reporting Agencies – 3 rd Party Reports – 7 Factor Data – Used for a Permissible Purpose Duties – Accuracy and Completeness – Transparency and Redress Private Right of Action & Statutory Damages

7 Fair Lending Laws – ECOA/Reg B – Fair Housing Act – UDAAP Discrimination – Disparate Treatment – Disparate Impact

8 Themes and Trends

9 Closer Look at Wyndham 3 data breaches at hotels in less than 2 years. Privacy and security representations made. FTC alleges that Wyndham failed to: – Use complex IDs and passwords, – Use firewalls and network segmentation, – Patch systems, and – Follow incident response procedures. Compromised 500K credit cards.

10 Typical FTC §5 Enforcement Action Designate employee responsible for privacy or security program. Conduct risk assessment and employee training. Test and monitor risk identified. Implement and maintain protections. Evaluate and adjust of program. Biennial third-party assessments. In effect for 20 years.

11 Zappos MA AG Enforcement Zappos agreed to pay $106K Unauthorized access to: – Names, addresses, phone numbers, – Last 4 digits of credit card numbers, and – Login credentials of customers.

12 Zappos MA AG Enforcement Settlement requires: – Maintenance and compliance with information security policies, – Providing the AG with information, – Demonstrating compliance with PCI-DSS for two years, – Third party audit, providing copy to MA AG, and addressing deficiencies, and – Annual training.

13 SHA1 MD5

14 The Legal Response Proposed federal legislation Expanding state legislation Federal and state level enforcement Civil liability

15 A Push for Federal Data Breach Legislation Personal Data Notification & Protection Act Proposed by President Obama at the State of the Union Address on January 20, 2015 Pre-empts state laws Must notify in 30 days No private right of action FTC enforcement

16 Personal Data Notification & Protection Act Triggers First and last name/or first initial and last name along with any two: – Home address or phone number – Mother’s maiden name – Full birth date SSN, DL, passport, alien registration number Biometric data Unique account ID (user name, routing code)

17 Personal Data Notification & Protection Act Triggers Any combination of the following three elements: – First and last name/first initial and last name – Unique account ID – Any security code/source code that could generate a security code or password

18 Personal Data Notification & Protection Act Risk of harm analysis Must send notice 30 days after discovery Individual notice (email acceptable with consent) Notice to media Notice to Federal law enforcement Notice to credit reporting agencies

19 A Push for State Law and Regulation Timing and content of breach notice Definition of personal data – Email/password information – Non-HIPAA health data Requirements to inform media/regulators

20 Contracting 3.2. Protection of Your Data. We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data, as described in the Documentation.

21 Security Breaches Remediation Notification – Individuals, Regulators, Media Litigation

22

23 General Data Protection Regulation EU member states in final stages of negotiations. Expected in the next year or so. Includes data breach notification obligation. Fines as high as %2 of annual turnover.

24 Dino Tsibouris (614) 360-3133 Dino@Tsibouris.com Questions & Answers Kirk Herath HerathK@Nationwide.com

Download ppt "Privacy and Data Breach Issues Kirk Herath, VP, Chief Privacy Officer, Nationwide & Dino Tsibouris, Founding Principal, Tsibouris & Associates."

Similar presentations

© 2014 ACA International. All Rights Reserved. Obtaining Optimum Compliance Performance Foundational Training on ACA’s Professional Practices Management.

© 2014 ACA International. All Rights Reserved. Obtaining Optimum Compliance Performance Foundational Training on ACA’s Professional Practices Management.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Health information security & compliance

Health information security & compliance
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Consumer Privacy & Protection Joanna Acocella May 22, 2007.

Consumer Privacy & Protection Joanna Acocella May 22, 2007.
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.

Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
Security Controls – What Works

Security Controls – What Works
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Dino Tsibouris (614) 360-1160 Information Security – What’s New In the Law?

Dino Tsibouris (614) Information Security – What’s New In the Law?
What is personally identifiable information (PII)? KDE Employee Training Data Security Video Series 1 of 3 October 2014.

What is personally identifiable information (PII)? KDE Employee Training Data Security Video Series 1 of 3 October 2014.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
1Copyright 2009. Jordan Lawrence. All rights reserved. Annual In-House Symposium Practical Steps to Minimize Privacy Risks: Understanding The Intersection.

1Copyright Jordan Lawrence. All rights reserved. Annual In-House Symposium Practical Steps to Minimize Privacy Risks: Understanding The Intersection.

Similar presentations

Ads by Google