IMPROVING COMPLIANCE IN THE FACE OF COMPLEX PRIVACY AND SECURITY REGULATIONS

Peter McLaughlin, Senior Counsel, Foley & Lardner LLP
Patrick Manzo, Chief Privacy Officer, Monster Worldwide
Foley & Lardner LLP, 321 N. Clark Street, Suite 2800, Chicago, IL 60654, 312.832.4500
Attorney Advertising. Prior results do not guarantee a similar outcome. Models used are not clients but may be representative of clients.
Cartoon by Peter Steiner, published July 5, 1993 in The New Yorker.

Agenda
  Outlining the issues
  Creating an effective privacy compliance program
  Building privacy and security into your products and services
  Complying with Massachusetts data security regulations
  Addressing the PR issues of a data incident

Outlining the Issues

Privacy Quotes

"We need to stop talking about privacy and start talking about control over data... Users may be overwhelmed when first setting up an account, but when they get more comfortable with an application, they will exert more control." (Esther Dyson)

"Privacy is not just a compliance issue for the legal department. It should be a priority for everyone. You have to translate privacy into a customer issue because this is really becoming the holy grail of doing business for everyone in an on-line world." (Larry Ponemon)

"Privacy is not something that I'm merely entitled to, it's an absolute prerequisite." (Marlon Brando)

And, in a nod to the Facebook generation: "It is no use to keep private information which you can't show off." (Mark Twain)

Personal data is increasingly migrating online
New collection and analysis techniques make more and better data available
Consumer behavior changes in response to security issues
Data security, data privacy, trust

Privacy Compliance Program

Key reasons for creating a privacy function
  Maintain data about employees and customers
    What data is your company managing? Where does it reside? Who has access? How is it used?
  Need to participate in business decisions with a privacy lens
  Industry requirements may feed legal requirements (e.g., PCI)
  Changing legal and regulatory environment
  Changing business models: ecommerce, international, email marketing

Getting Started
Several key areas addressed in the first months of program development:
  Stakeholder engagement
    Create a Privacy Council; evaluate membership and schedule quarterly meetings and deliverables
    Identify key business partners and clarify data privacy roles: Legal, IT Security, Corporate Security, Corporate Compliance
  Data inventory
    Partner with Internal Audit
    Begin a PII inventory
  Data Incident Response Plan (DIRP)
    Roadmap for investigating all suspected incidents of data loss
    Include stakeholders from all key groups
    Socialize the plan with stakeholders and gain approval of process/roles
    Include templates and processes for notification
    Create a log of all incidents investigated, to identify trends to address through procedural change, policy and/or education

Key Program Deliverables

Incident Investigation (Legal, Corporate Security, IT, Communications, Business Owners)
  Investigate incidents using the Data Incident Response Plan (DIRP)
  Keep a log of all investigations and report up to the Council
  Update the DIRP as needed and review it completely annually, including reaching out to all stakeholders to ensure they are the appropriate contacts
  Run a test of the DIRP if there has been no incident within one year

Stakeholder Engagement (Business Owners)
  Continue quarterly Privacy Council meetings and ongoing evaluation/adjustment of members and agenda
  Semi-annual reports to the Corporate Compliance Committee on privacy work
  Issue-specific presentations to cross-functional groups or committees: identifying data incidents, FTC Red Flags requirements

Vendor Management (Legal, Procurement, IT, Internal Audit, Business Owners)
  Appropriate data security and privacy language in vendor contracts
  Awareness of privacy and data security as important criteria in the vendor selection process
  Inventory of all vendors managing PII

Business Process Issues (Corporate Security, IT, HR)
  Product design and review
  Laptops: reporting loss, replacement process, evaluating encryption
  Employment applications
  Retail PII issues: POS, training, secured storage, shredders
  Business issues involving PII, e.g., customer relationship binders, customer email

International Data Transfers
  Awareness of international initiatives
  Determination of the best method to address them, e.g., model contracts, Safe Harbor

Security: Tools, Risk, Risk Management & Responses

Security Issues: so far this year
  Online crime is organized (La Cosa Nostra)
  Increasing sophistication of tools and techniques
  Surprising value of simple bits of information (structure and content)
  Application of business principles to crime: specialization, barter, software-as-a-service
  Challenges applying effective security controls: the convenience store / airport spectrum

Security Issues (cont.)
  Prevalence of phishing; spread to retail, ecommerce and social networking
  Must assume compromise

FTC Reasonableness Standard
  Process-oriented approach that emphasizes identifying and mitigating risks
  There is no one-size-fits-all solution: take into account the size and complexity of the business operations and the sensitivity of the information at stake

Massachusetts regulations (201 CMR 17.00)
The Regulations impose two main requirements:
  (i) the duty to develop, implement and maintain a very comprehensive written information security program that meets very specific requirements; and
  (ii) the obligation to meet specific computer information security requirements

Computer System Security Requirements
1. Secure Access Protocols (cont.)
  Control of data security passwords to ensure that passwords are kept in a location and/or format that does not compromise the security of the data they protect
  Restricting access to active users and active user accounts only
  Blocking access to records and files containing personal information to those who need such information to perform their job duties
  Assigning unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls

2. Encryption requirement in transmission: encryption of all transmitted records and files containing personal information on public networks, and encryption of all data to be transmitted wirelessly
3. Reasonable monitoring of systems: monitoring for unauthorized use of or access to personal information
4. Encryption requirement in stored information: encryption of all personal information stored on laptops or other portable devices
5. Firewall protection: for files containing personal information on a system that is connected to the Internet, the system must have reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information
6. Malware and virus protection: the system must have reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis
7. Education and training: each covered entity must train employees on the proper use of the computer security system and the importance of personal information security

It Is Not About Strong Security Measures
  Strong security measures do not, per se, provide reasonable security
  Recent case involving laptop theft: full disk encryption, with the password taped to the laptop

Industry Practice?
  May represent minimum requirements: the company "must implement standard practices where such standards have gained sufficient industry acceptance and adoption such that adherence to the standards would not unreasonably place [company] at a competitive disadvantage." (Ziff-Davis FTC Consent Decree)
  But not necessarily a guarantee of compliance: "[An industry] never may set its own tests, however persuasive be its usages. Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission." (T.J. Hooper case, 60 F.2d 737 (2d Cir. 1932))

Incident Response and Massachusetts Data Security Regulations
  Have a plan (DIRP)
  Know what data is (generally) where
  Consider engaging external forensic specialists
  Do not delay
  Be proactive in communicating
  Know the facts and discuss remediation

Product Development Considerations

Product Development Considerations
  Consider the nature of the data
    Data minimization
    Data elements (name, SSN, credit card number, diagnosis)
  Regulatory environment
    Applicable guidance and standards
    CCHIT certifications for EHRs
    "Your product is not HIPAA compliant"
    NIST
  Mobility, wireless and Internet
    Encryption
  Software coding weaknesses (SQL attacks, an FTC favorite)
  Technical support and lease returns
  Privacy by Design

ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management:
  security policy
  organization of information security
  asset management
  human resources security
  physical and environmental security
  communications and operations management
  access control
  information systems acquisition, development and maintenance
  information security incident management
  business continuity management
  compliance
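The slide names SQL injection as the coding weakness regulators most often cite. The following Python example is added here by the editor and is not part of the presentation; it uses an in-memory SQLite table with constructed sample rows (the table, column names and the three users are assumptions for illustration) to show the weakness beside the fix. The vulnerable lookup splices user input into the query text, so the input "' OR '1'='1" changes the WHERE clause and returns every row; the parameterized lookup binds the same input as a value, so it matches nothing.

```python
import sqlite3

# Constructed sample data for this example (not from the presentation).
_SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the caller's string becomes part of the SQL text,
    so quotes and boolean operators in it are parsed as SQL."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is passed as a bound parameter. The SQL text is fixed
    and the database compares the literal string, never interpreting it."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a normal username and with a classic injection payload."""
    conn = build_db()
    payload = "' OR '1'='1"  # closes the quoted literal and appends an always-true clause
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice"),
        "legit_parameterized": lookup_parameterized(conn, "alice"),
        "payload_vulnerable": lookup_vulnerable(conn, payload),      # all rows leak
        "payload_parameterized": lookup_parameterized(conn, payload),  # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same pattern applies to any driver that supports placeholders (psycopg2, MySQLdb, JDBC PreparedStatement); string escaping functions are not a substitute, because they have to track every quoting rule of the target database and are easy to omit on one code path.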

Looming challenges
  More outsourcing of non-core activities
  Cloud computing
  Expanded use of social networking sites for business purposes

Legacy Systems Not Built for Privacy
  Access controls are a significant issue
  Systems were built for information sharing, not privacy
  Systems were built for cross-sharing of information without provisions to capture client preferences (e.g., Do Not Solicit / Opt Out)
  Challenge: respecting clients' preferences and choices, then getting this integrated with front office systems (front line staff/marketing)

Security Challenges: Related Privacy Issues
  In order to ensure the continued availability of data with which to provide relevant products to consumers, business may need to go beyond regulatory minimums to meet the reasonable expectations of consumers.
  Sometimes, uninformed consumer expectations (or regulator expectations) may not be reasonable. Managing those expectations is critical.
  This data has significant value to businesses, to criminal organizations, to governments and, perhaps most importantly, to consumers.

It Is All In the Process
  Identify the assets to be protected, both under company control and outsourced
  Conduct a risk assessment: identify and evaluate threats, vulnerabilities, and damages; consider available options
  Identify and implement appropriate security controls that are responsive to the risk assessment and that address the required categories of controls
  Continually monitor, reassess, and adjust, to ensure that the program is effective and to address new threats, vulnerabilities, and business changes
  Address third parties

THANK YOU