Published by Eustace Maurice Allen. Modified over 9 years ago.
1
Privacy and Information Security Laws and Updates
Dino Tsibouris & Mehmet Munur
2
Privacy and Information Security Laws and Updates
Dino Tsibouris, (614) 360-3133, Dino@Tsibouris.com
Mehmet Munur, (614) 859-6962, Mehmet.Munur@Tsibouris.com
3
Outline
1. Themes and Trends
2. Federal and State Enforcement Actions
3. Federal and State Data Breach Developments
4. Planning Ahead and Contract Negotiations
5. International Data Privacy
4
Themes and Trends
5
The Legal Response
– Proposed federal legislation
– Expanding state legislation
– Federal and state level enforcement
– Civil liability
6
Closer Look at Wyndham
3 data breaches at hotels in less than 2 years.
Privacy and security representations made.
FTC alleges that Wyndham failed to:
– Use complex IDs and passwords,
– Use firewalls and network segmentation,
– Patch systems, and
– Follow incident response procedures.
Compromised 500K credit cards.
7
Typical FTC §5 Enforcement Action
– Designate employee responsible for privacy or security program.
– Conduct risk assessment and employee training.
– Test and monitor risk identified.
– Implement and maintain protections.
– Evaluate and adjust program.
– Biennial third-party assessments.
– In effect for 20 years.
8
Zappos MA AG Enforcement
Zappos agreed to pay $106K.
Unauthorized access to:
– Names, addresses, phone numbers,
– Last 4 digits of credit card numbers, and
– Login credentials of customers.
9
Zappos MA AG Enforcement
Settlement requires:
– Maintenance and compliance with information security policies,
– Providing the AG with information,
– Demonstrating compliance with PCI-DSS for two years,
– Third party audit, providing copy to MA AG, and addressing deficiencies, and
– Annual training.
10
SHA1 MD5
11
A Push for Federal Data Breach Legislation
Personal Data Notification & Protection Act
– Proposed by President Obama at the State of the Union Address on January 20, 2015
– Pre-empts state laws
– Must notify in 30 days
– No private right of action
– FTC enforcement
12
Personal Data Notification & Protection Act Triggers
First and last name, or first initial and last name, along with any two of:
– Home address or phone number
– Mother’s maiden name
– Full birth date
SSN, DL, passport, alien registration number
Biometric data
Unique account ID (user name, routing code)
13
Personal Data Notification & Protection Act Triggers
Any combination of the following three elements:
– First and last name/first initial and last name
– Unique account ID
– Any security code/source code that could generate a security code or password
14
Personal Data Notification & Protection Act
– Risk of harm analysis
– Must send notice 30 days after discovery
– Individual notice (email acceptable with consent)
– Notice to media
– Notice to Federal law enforcement
– Notice to credit reporting agencies
15
A Push for State Law and Regulation
– Timing and content of breach notice
– Definition of personal data
  – Email/password information
  – Non-HIPAA health data
– Requirements to inform media/regulators
16
Contracting
Security and Privacy
– Incident or Breach Notification Obligations and Costs
– Industry Certifications and Vulnerability Scans
– Audits by Customer or Regulator
– International Data Flows
17
Contracting
1.2 Your Account. … we and our affiliates are not responsible for unauthorized access to your account.
18
Contracting
3.2. Protection of Your Data. We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data, as described in the Documentation.
19
Security Breaches
Plan ahead:
– Identify response team
– Identify vendors and contacts
– PR aspects
– Test
– Insure
20
Security Breaches
Federal and state laws govern unauthorized access to personal information:
– Gramm Leach Bliley (CFPB, SEC, NCUA, OCC, FDIC, FTC)
– HIPAA/HITECH Breach Notification Rule (HHS)
– Health Breach Notification Rule (FTC)
– State laws vary, apply to companies outside the state, require vendor to notify data owner, and give consumers a private right of action to sue
21
Security Breaches
– Must get access to cloud provider information
– Access to vendor staff
– Must understand vendor data structure and security
– Identify data involved
– Identify degree of protection
– Identify if there was a reportable incident
22
Security Breaches
– Remediation
– Notification – Individuals, Regulators, Media
– Litigation
23
International Data Privacy
24
General Data Protection Regulation
– EU member states in final stages of negotiations
– Expected in the next year or so
– Includes data breach notification obligation
– Fines as high as 2% of annual turnover
25
Outline
1. Themes and Trends
2. Federal and State Enforcement Actions
3. Federal and State Data Breach Developments
4. Planning Ahead and Contract Negotiations
5. International Data Privacy
26
Questions & Answers
Dino Tsibouris, (614) 360-3133, Dino@Tsibouris.com
Mehmet Munur, (614) 859-6962, Mehmet.Munur@Tsibouris.com