Privacy and Data Protection: Practical Approaches to Risk Assessment and Management

Size: px

Start display at page:

Download "Privacy and Data Protection: Practical Approaches to Risk Assessment and Management"

Elizabeth Banks
6 years ago
Views:

Privacy and Data Protection: Practical Approaches to Risk Assessment and Management SCCE 11 th Annual Compliance & Ethics Institute October 16, 2012 About Us Marti Arvin JD, CHC-F, CPC, CCEP-F, CHRC,

1 Privacy and Data Protection: Practical Approaches to Risk Assessment and Management SCCE 11 th Annual Compliance & Ethics Institute October 16, 2012 About Us Marti Arvin JD, CHC-F, CPC, CCEP-F, CHRC, CHPC Chief Compliance Officer, UCLA Health System Courtney Barton CCEP, CIPP/US, CIPP/E Director, Corporate Compliance & Global Data Privacy, Bausch & Lomb, Incorporated [ 2 ] What We Plan to Cover Today Building and implementing an effective Privacy and Data Protection risk assessment and management process Managing Privacy and Data Protection risks in global organizational settings challenges, strategic solutions and effective management Legal considerations and enforcement trends in Privacy and Data Protection compliance [ 3 ] 1

2 Bausch + Lomb: See better. Live Better. We offer the world s most comprehensive portfolio of eye health products and we have one of the oldest, best known and most respected healthcare brands in the world. Our core businesses include soft and rigid gas permeable contact lenses, lens care products and ophthalmic surgical and pharmaceutical products. The company began in 1853 in Rochester, New York, as a small optical shop that grew to become a multi-billion dollar global corporation with approximately 11,000 employees worldwide and with products available in more than 100 countries. [ 4 ] [UCLA Health System] UCLA Health System and the David Geffen School of Medicine is a health system with three hospitals with over 800 beds Faculty practice group with over 1800 providers A school of medicine with clinical research Part of a larger university system of 10 campus [ 5 ] In the course of operating our business We collect, use, maintain, process and disclose information provided by consumers, patients, healthcare professionals, employees, vendors and others. Data Privacy The right of individuals to keep their personal data from being misused or disclosed Personal Data Information that can be used to uniquely identify, contact or locate an individual, including: Government issued identification numbers Financial information Personal history (date of birth, address) Personal Health information Sensitive Personal Data Personal data revealing racial or ethic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or medical details or sexual orientation [ 6 ] 2

Data Privacy and Protection Regulations Continue to Grow in Scope and Complexity Numerous laws have been enacted in countries around the world since the late 1990s, covering privacy, data protection,

3 Data Privacy and Protection Regulations Continue to Grow in Scope and Complexity Numerous laws have been enacted in countries around the world since the late 1990s, covering privacy, data protection, telemarketing, on-line communications and information security. Canada s Personal Information and Electronic Documents Act (2002) United Kingdom s Data Protection Act Amendments (2009) The European Union s Data Protection Directive 95/46/EC The 2009 amendments to the PRC Tort Liability Law now imposes penalties on both government and company personnel for misappropriation of personal information. In the United States, 46 states and the District of Columbia have enacted data breach notification statutes in addition to federal legislation on the appropriate use and disclosure of financial (including credit) and health-related data The United States relies on a mix of sectoral regulation, self enforcement, and state regulation. Argentina s Law for the Protection of Personal Data (2000) India s Information Technology Act amendments (2009) penalizes companies for misappropriation of personal information of individuals. New Zealand s Privacy Act (1993) Australia s Privacy Act (1988) Source: CELC - And, the financial, legal and reputational costs of a potential data breach continue to grow, as well. [ 7 ] 1. Establish a Clear and Defined Governance Structure Design: Who has an appropriate level of expertise and authority to oversee the program? Chief Privacy Officer with oversight of overall program Cross-functional support network Implement: Cross-Functional Data Privacy Steering Committee Establish a group of subject matter experts responsible for setting and implementing Privacy and Information Security strategy, policy and initiatives Formalize roles, responsibilities and authority in a charter or job descriptions [ 8 ] 1. Establish a Clear and Defined Governance Structure Manage: Review your infrastructure on a regular basis. Ensure that you continue have the right level of authority and support to be effective Maintain a connection with the right subject matter experts as your organization evolves [ 9 ] 3

4 2. Understand your risk profile through comprehensive data mapping and assessment. Conduct a data mapping exercise to obtain a robust inventory of sensitive data elements. What sensitive information do we have? Where is it stored? Who has access to the information? Where does the information move? What are we sending to the cloud or other third parties? What protections currently exist? The mapping and assessment results must drive initiatives and corrective actions. [ 10 ] Deep Dive: Comprehensive Data Mapping and Assessment Design: Build a business case for support and collaborate with those responsible for information security and records management. Don t overlook the savings opportunities and the overlap between these disciplines. Working with counsel and leveraging benchmark data for your industry, develop a list of simple, practical questions Remember, most people don t realize the sensitivity of what they have, you need to help them make the connection Review your organizational hierarchy in detail and develop a list of those who deal with the most personally identifiable data on a routine basis. Drill-down to the level of those who actually handle the data Be sure to include every business function and representatives from every geography/operating unit If you don t ask the right people the right questions, you won t get accurate or useful information. [ 11 ] Deep Dive: Comprehensive Data Mapping and Assessment Implement: Plan, communicate and execute. Develop a marketing plan and let people know what s coming; emphasize the importance of active engagement and input Give people a reasonable amount of time to do what you re asking and track progress, sending personalized reminders as necessary Be available for questions and support Manage: Once you have completed the map of applicable data elements, convene cross-functional leadership and counsel to prioritize risk areas and develop an action plan Must be risk-based; there will likely be many opportunities for improvement Be sure to consider how to keep the data map up-to-date to track your progress and enable rapid response to new and changing requirements [ 12 ] 4

5 3. Inventory Applicable Laws and Regulations Design: Align the results of your data map, industry standards and geographic range of your company Implement: Conduct a gap assessment, taking into account the likelihood and impact of enforcement action Manage: Keep the inventory updated through a method to track new and changing laws and regulations [ 13 ] 4. Review, Revise and Create Policies and Procedures Design: Develop a deep understanding of your data map and applicable laws and regulations. Identify any gaps Benchmark, benchmark, benchmark Be aware of what your notice of privacy practices says and whether you have multiple versions in different places with conflicting language Implement: Carefully review existing policies and procedures for areas of opportunity, overlap and potential inconsistency. Draft new policies as needed Senior level, cross-functional approval and support is critical [ 14 ] 4. Review, Revise and Create Policies and Procedures Manage: Assure there is a process for continuous review of policies and procedures Incorporate this into a regular review cycle Identify necessary resources to assure continued support for compliance with policies and procedures [ 15 ] 5

6 5. Design and Implement Training and Awareness Programs Design: Identify specific high-risk areas and leverage data map in choosing content to highlight Consider opportunities to incorporate into other training, such as Code of Conduct and information security training programs Implement: Comprehensive training/awareness program for general population; targeted training for specialized and high-risk areas Manage: Review and update training according to other changes in your program Use methods for assuring that your training is effective Lack of understanding of the rules that apply is probably the biggest risk to information privacy and security [ 16 ] 6. Ensure Coordination with the Company s Information Security Program Design: A typical Information Security Program focuses on the processes, systems and controls designed to protect information from disclosure, inappropriate access or loss of integrity or availability. Consider your organization s infrastructure. Implement: Formalize the link between the Data Privacy and Information Security programs Manage: Have regular meetings between privacy and information security Provide sufficient cross training to assure each recognizes the respective roles and responsibilities [ 17 ] 7. Third-Party Compliance Processes Design: Create or leverage information security protocols and requirements for key Third-Parties Create a process for identifying third-parties who will be receiving, creating or otherwise handling your company s sensitive data and the legal implications of their processing activities Implement: Coordinate with information security team and sourcing or procurement on contractual requirements Track these vendors Assure you workforce is aware of the process for contract negotiation. Manage: Update agreements if necessary for changes in legal provisions Where appropriate, audit and certify third-party privacy and information security measures To the extent possible, identify what actions by a vendor would result in contract termination Assure there is a method to track vendors who retain your company s sensitive data after contract termination. [ 18 ] 6

7 8. Global companies: Understand and implement measures to ensure compliance with national data collection, protection and transfer laws Design: Consult legal counsel and consider the results of your data mapping exercise, along with existing policies, practices and scope of foreign operations. Remember, laws vary by country and sector. Implement: With guidance from legal counsel, execute country-specific compliance plans, taking your risk profile into account. Manage: Continuously monitor the countries in which you do business for changes to laws and regulations Ensure there is a process for tracking changes and developments in all the countries in which you do business Understand the cultural environment in which you do business as well as the legal environment Be aware of any conflicting laws and regulations between countries [ 19 ] 9. Data Breach Incident Plan Design: Establish a data breach response procedure and team Establish perimeters regarding when credit monitoring may be provided Implement: Train response team on breach response tactics and fire-drill scenarios Manage: Consider a contract for breach response assistance services 10. Monitor and Audit Program Performance Design: Ensure that you fully understand your organization s risk profile and tolerance Implement: Develop program metrics to track effectiveness Manage: Review and discuss metrics with senior leadership with an eye towards continuous improvement [ 20 ] Legal Considerations and Enforcement Trends The legal landscape for privacy and information security risk is ever evolving Increased consumer awareness and activism More litigation led by government entities Liability for breaches caused by Third Parties State vs. Federal legislation in the US HIPAA/HITECH Directive vs. Regulation in the EU Global trending towards omnibus data protection laws Over 80 countries have enacted comprehensive data privacy laws [ 21 ] 7

8 Legal Considerations and Enforcement Trends Discussion areas: Enforcement FTC OCR Local Data Protection Authorities Regulatory changes Bills in Congress Regulation vs. Directive in the EU Other countries Australia Brazil Korea [ 22 ] Enforcement Actions The FTC has become increasingly active in enforcing the privacy provisions August Google pays $22.2 million for misrepresenting privacy assurances July FTC Becomes First Enforcement Authority in APEC Cross- Border Privacy Rules System March FTC Puts an End to Tactics of Online Advertising Company That Deceived Consumers Who Wanted to "Opt Out" from Targeted Ads November 2010 LifeLock pays $11 million June 2010 Twitter settles case that if failed to protect consumer data February 2010 FTC notified almost 100 organizations about breaches of sensitive data through peer-to-peer file sharing sites. [ 23 ] OCR Eight resolution agreements since 2008 More to come Representative from the OCR has stated the Director Rodriguez has indicated they are going from HIPAA Lite to HIPAA Jolt regarding enforcement. Remember your health plan is likely a HIPAA covered entity even if your organization has nothing to do with health care services [ 24 ] 8

IAPP 2011 GLOBAL SURVEY ON DATA PROTECTION AUTHORITIES Budgets for DPAs [ 25 ] IAPP 2011 GLOBAL SURVEY ON DATA PROTECTION AUTHORITIES DPA staffing size by country Over 40 FTEs Australia, Bulgaria,

9 IAPP 2011 GLOBAL SURVEY ON DATA PROTECTION AUTHORITIES Budgets for DPAs [ 25 ] IAPP 2011 GLOBAL SURVEY ON DATA PROTECTION AUTHORITIES DPA staffing size by country Over 40 FTEs Australia, Bulgaria, Canada, European Union, Germany, Hong Kong, Hungary, Italy, Mexico, Poland, Spain and Sweden 31 to 40 FTEs Norway, Serbia, Slovak Republic, Slovenia and United Kingdom FTEs Argentina, Ireland, Lithuania and Macao FTEs Cyrpus, Estoria, Finland, Latvia, Mauritius and New Zealand 2 to 10 FTEs Faroe Islands, Gibraltar and Guernsey [ 26 ] IAPP 2011 GLOBAL SURVEY ON DATA PROTECTION AUTHORITIES Staff allocation by activity [ 27 ] 9

IAPP 2011 GLOBAL SURVEY ON DATA PROTECTION AUTHORITIES DPAs oversight authority [ 28 ] Recent Bills in Congress SB 3414 The Cybersecurity Act of 2012 failed in the Senate but Senator Liberman vowed

10 IAPP 2011 GLOBAL SURVEY ON DATA PROTECTION AUTHORITIES DPAs oversight authority [ 28 ] Recent Bills in Congress SB 3414 The Cybersecurity Act of 2012 failed in the Senate but Senator Liberman vowed to bring it back HB The Data Accountability and Trust Act (DATA) reasonable security policies for computerized personal information National notification SB 3333 Data Security and Breach Notification Act of 2012 Security of sensitive data Breach notification [ 29 ] Recent Bills in Congress SB 3742 Data Security and Breach Notification Act of 2010 reasonable security policies for computerized personal information National notification SB 139 Data Breach Notification Act Would require federal agencies and entities engaged in interstate commerce to notify of breach of sensitive personal information [ 30 ] 10

11 Regulations v. Directives Regulations are the most direct form of EU law Binding law as soon as they are passed on every Member State National governments do not have to take action themselves to implement EU regulations. EU directives lay down certain end results that must be achieved in every Member State. National authorities have to adapt their laws to meet these goals, but are free to decide how to do so. Directives may concern one or more Member States, or all of them. [ 31 ] Other countries Australia Key changes to benefit consumers through the changes include: clearer and tighter regulation of the use of personal information for direct marketing extending privacy protections to unsolicited information making it easier for consumers to access and correct information held about them tightening the rules on sending personal information outside Australia a higher standard of protection to be afforded to sensitive information which includes health related information, DNA and biometric data enhancing the powers of the Privacy Commissioner to improve the Commissioner s ability to resolve complaints, conduct [ 32 ] Other countries Brazil Proposed Data Protection Bill would Establish standards for sensitive data Require breach notification Formalize expectations where previously less clear Korea New law passed in 2011 Increased requirements for protection of personal information The Philippines Brand new law just signed in August 2012 Based on the European Directive [ 33 ] 11

12 Contact Information Marti Arvin, JD, CHC F, CCEP-F Chief Compliance Officer, UCLA Health System and David Geffen School of Medicine Courtney R. Barton, CCEP, CIPP (US/E) Bausch & Lomb, Incorporated Director, Corporate Compliance & Global Data Privacy (585) or to [ 34 ] 12

Privacy and Data Protection: Practical Approaches to Risk Assessment and Management

Privacy and Data Protection: Practical Approaches to Risk Assessment and Management SCCE 11 th Annual Compliance & Ethics Institute October 16, 2012 About Us Marti Arvin JD, CHC-F, CPC, CCEP-F, CHRC, CHPC