DeMystifying Data Breaches and Information Security Compliance

Similar documents
Cybersecurity in Higher Ed

Cyber Insurance: What is your bank doing to manage risk? presented by

Is Your Compliance Strategy Putting Your Business at Risk?

Cyber Risks in the Boardroom Conference

Cybersecurity and Nonprofit

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

The Impact of Cybersecurity, Data Privacy and Social Media

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Why you MUST protect your customer data

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

SOC for cybersecurity

Hacking and Cyber Espionage

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

HIPAA Privacy, Security and Breach Notification

Cyber Security. The Question of the Day. Sylint Group, Inc. How did we come up with the company name Sylint and what does it mean?

Preparing for a Breach October 14, 2016

Healthcare HIPAA and Cybersecurity Update

Business continuity management and cyber resiliency

Bar The Gates: Cyber Threat. Wednesday, August 12, 2015: ISACA Geek Week

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Sage Data Security Services Directory

The Data Breach: How to Stay Defensible Before, During & After the Incident

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Altius IT Policy Collection Compliance and Standards Matrix

Putting It All Together:

Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

Background FAST FACTS

Cyber Security Issues

01.0 Policy Responsibilities and Oversight

mhealth SECURITY: STATS AND SOLUTIONS

Altius IT Policy Collection Compliance and Standards Matrix

What to do if your business is the victim of a data or security breach?

HIPAA Compliance is not a Cybersecurity Strategy

CACUBO Higher Education Accounting Workshop Top 10 Cyber Security Issues for Higher Education Business Managers. May 2017

Legal Aspects of Cybersecurity

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Data Security: Public Contracts and the Cloud

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

PULSE TAKING THE PHYSICIAN S

Cloud Communications for Healthcare

CYBER SECURITY WORKSHOP NOVEMBER 2, Anurag Sharma [CISA, CISSP, CRISC] Principal Cyber & Information Security Services

Breach Notifications: How to Handle Breaches Across Jurisdictions. Moderated by: Zach Warren, Editor-in-Chief, Legaltech News

CYBERSECURITY: STAYING ONE STEP AHEAD DANIEL D. WHITEHOUSE, ESQ. WHITEHOUSE & COOPER, PLLC

Cybersecurity The Evolving Landscape

Keeping It Under Wraps: Personally Identifiable Information (PII)

SOC Lessons Learned and Reporting Changes

All 3 Billion Yahoo Accounts Were Affected by 2013 Attack NY Times 10/3/17

It Takes the Village to Secure the Village SM

ID Theft and Data Breach Mitigation

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

Cybersecurity and Hospitals: A Board Perspective

Encrypting PHI for HIPAA Compliance on IBM i. All trademarks and registered trademarks are the property of their respective owners.

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Cybersecurity Auditing in an Unsecure World

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

INTELLIGENCE DRIVEN GRC FOR SECURITY

Legal Considerations and Case Studies

ANATOMY OF A DATA BREACH: DEVELOPMENTS IN DATA SECURITY AND CLOUD COMPUTING LAW

SOC 3 for Security and Availability

A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016

HITRUST Common Security Framework - Are you prepared?

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

CRIMINAL NETWORK INTRUSION AND DATA THEFT: Today s Security Landscape and What to Do If You ve Been Compromised

Effective Strategies for Managing Cybersecurity Risks

Cyber Attack: Is Your Business at Risk?

Cybersecurity. Overview. Define Cyber Security Importance of Cyber Security 2017 Cyber Trends Top 10 Cyber Security Controls

4/5/2017. April 5, 2017 CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Building a Business Case for Cyber Threat Intelligence. 5Reasons Your. Organization Needs a Risk-Based 5Approach to Cybersecurity

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Keys to a more secure data environment

Background FAST FACTS

Understanding the Impact of Data Privacy January 2012

How to Establish Security & Privacy Due Diligence in the Cloud

Data Breach Trends: What Local Government Lawyers Need to Know

2017 RIMS CYBER SURVEY

Data Compromise Notice Procedure Summary and Guide

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Combating Cyber Risk in the Supply Chain

You ve Been Hacked Now What? Incident Response Tabletop Exercise

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Cybersecurity for Health Care Providers

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

Navigating Regulatory Impacts of a Financial Services Data Breach

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

What is Penetration Testing?

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Cyber (In)Security. What Business Leaders Need To Know. Roy Luebke Innovation and Growth Consultant. Presented by:

Playing in the Big (Data) Leagues: Consumer Data Mining Data Privacy and Compliance

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

HIPAA & Privacy Compliance Update

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155

Vendor Security Questionnaire

Transcription:

May 22-25, 2016 Los Angeles Convention Center Los Angeles, California DeMystifying Data Breaches and Information Security Compliance Presented by James Harrison OM32 5/25/2016 3:00 PM - 4:15 PM The handouts and presentations attached are copyright and trademark protected and provided for individual use only.

De-Mystifying Data Breaches and Information Security Compliance ALA 2016 Annual Conference James Harrison CEO, INVISUS The Data Security Problem It s a BIG problem, and it s GROWING: Confidential personal and business information is the new global currency of thieves Criminals targeting large and small organizations 164 million SSN s compromised in 2015 112 million health records compromised in 2015 (1 in 3 adults) 1.4 million tax return ID theft victims in 2014 Sources: ITRC, DHHS/OCR, IRS 1

The Data Security Problem 85% of breaches are at small business 49% of breaches caused by employees Ransomware holding businesses hostage 40% of attacks at companies less than 100 employees Downtime a greater cost than the ransom itself Third party risks (vendors, service providers) Shifting accountability (execs under fire) Sources: VISA, Ponemon Institute, LegalTech News Law Firms are a Target Mid-sized law firms between 50 and 150 attorneys will be the most targeted by cybercriminals looking to gain access to sensitive data Planned phishing and ransomware attacks against law firm partners and administrators Hackers are also targeting employees of firms using lists of names, email, and social media accounts Sources: LegalTech News, BusinessInsurance.com 2

How are Law Firms Doing? ABA Data Breach Survey, 2015: 1 in 4 law firms have had a data breach incident 47% have no breach response plan 58% do not have an appointed information security and compliance manager 20% conduct regular 3 rd party security assessments 34% of firms received a security audit request from clients How are Law Firms Doing? Marsh s Law Firm Cyber Survey, 2014: 72% of firms have not assessed how much a breach would cost them with the type of data they retain Less than 50% said their firm was insured against this risk 3

How is YOUR Firm Doing? Doing something? It s the IT guy s job Putting it off? We ve thought about it In denial? It won t happen to us What s your plan of action? Administrator s Role Every firm needs someone who is trained and can manage an information security compliance plan This is typically assigned as an administrator s responsibility Coordinate with partners, IT staff, HR, facilities, etc. Being a compliance manager is a key skill set and resume builder for firm administrators going forward! 4

What You Need to Know What is Information Security COMPLIANCE? How data breaches happen Why this should be among your firm s top priorities 10 things your firm should be doing to help prevent a breach and stay in compliance Defining Information Security The protection of company, customer, employee or other confidential and proprietary information that is processed, stored or handled by the company, including electronic and paper-based information. Often called cyber-security, data security Most think this is just a tech or IT issue But today s information security definition includes the company s overall plan for technical, physical and administrative safeguards 5

Define Compliance Information security compliance: The implementation and management of a formalized Information Security Plan for protecting confidential customer and employee information in accordance with the minimum requirements in federal, state and industry regulations and standards. What is Protected Information? Personally Identifiable Information (PII): SSN DOB/Birth Certificate Email/Password/Username Name/Address/Phone Federal EIN Driver s License Passport Military ID 6

What is Protected Information? Personal Health Information (PHI): Medical Records/History Health Insurance Treatment/Medication Medical Billing/Claims What is Protected Information? Personal Financial Information (PFI): Payment Cards (credit/debit) Checking/Banking Payroll, W2, 1099 Tax Returns, Information Credit Reports/Scores Accounting Records Investments Real Estate 7

What is a Data Breach? An incident in which a person s name and any personally identifiable information (PII), personal health information (PHI), or personal financial information (PFI) is put at risk due to exposure, loss or theft. (electronic data or paper documents) How Breaches Happen Hacking (38%) Employee Error/Negligence (15%) Email/Internet Exposure (13%) Insider Theft (11%) Physical Theft (10%) Source: ITRC 2015 8

How Breaches Happen 3 rd party Service Providers & Business Associates (9%) IT Services CPA Firm Contractors Payroll Services Your Law Firm Insurance Cloud Backup HVAC & Facilities Why should law firms be proactive in breach prevention and compliance? 9

Caught in the Middle A sub-contractor s breach affects YOU and YOUR CLIENTS! Your Healthcare Industry Client CPA Firm Contractor BREACH! IT Services Your Financial Industry Client Your Law Firm HVAC & Facilities Payroll Services Insurance Caught in the Middle Audits! Your firm is caught in the data breach audit trail BREACH! Dept. of Health & Human Services Your Healthcare Industry Client Your Firm Audit! Audit! Audit! Your Contractor 10

The Risk to Firms Failing to take such action means greater regulatory and litigation risk. Non-compliance with cybersecurity norms are likely to damage the firm s reputation in the marketplace and with customers, suppliers, and other business partners. (LegalTech News, March 2016) Financial Risk If your firm suffers a breach: Direct Costs - $201 avg. recovery cost per record Regulatory fines & penalties Customer loss, reputational damage Up to 33% of clients consider leaving Business disruption Civil lawsuits Example Direct Costs: 2,500 records compromised: $170K in customer remediation $500K in total breach cost Source: Cost of Cybercrime Study, Ponemon Institute 2015 11

3 rd Party Audit Risk If one of your business clients or business associates suffers a breach: THEY will likely be audited by federal, state or insurance regulators YOU will likely be audited as a service provider to that business Under Pressure! Law firms face growing demands to meet minimum information security standards and regulations. 12

Regulatory Pressure Federal Laws: HIPAA-HITECH (health related information) Graham Leach Bliley Act (financial info & services) Business Associate requirement Direct enforcement by the federal Office of Civil Rights over business associates of covered entities including law firms 2017 - New federal laws coming Regulatory Pressure State Laws: 47 states with current laws Firms must consider the laws in all states where their clients reside 13

Industry Pressure American Bar Association ABA Resolution 109 - Calling for law firms to implement and maintain an appropriate cybersecurity program Business Client Pressure Security Audits & Proof of Compliance: HIPAA GLBA PCI-DSS AICPA SOC audits and reports ISO 27001/27002 security audits & reports Existing Clients & Prospective Clients 14

The Basics of Breach Prevention & Compliance 10 things your firm should be doing 10 Best Practices 1. Management Commitment Partners, managers must understand the risks and liabilities Translate security into business planning Investment in cybersecurity and a formalized compliance management program Top down culture of security and privacy 2. Assign Responsibility Compliance Program Administrator (or Information Security Officer) Collaborate with all departments, management team 15

10 Best Practices 3. Information Security Plan Fully documented security policies and procedures that meet regulatory and industry standards All administrative, physical and technical safeguards outlined 4. Risk and Compliance Assessments Done at least annually Identify changes or gaps in security and compliance 5. Implement and Maintain Safeguards Administrative, physical and technical security measures Regular updates and vulnerability testing 10 Best Practices 6. Employee Training Information security handbook, employee agreement Initial and ongoing information security training 7. Business Associate Agreements Assess security of 3 rd party service providers, vendors, etc. Information security agreement 8. Incident Response Plan Incident response coordinator Documented plan of action Trial run 16

10 Best Practices 9. Security and Compliance Reports Regulatory compliance reports (HIPAA, GLBA) Industry best practices reports (SOC 2, ISO 27001, NIST) Internal management reporting Maintain legal defensibility 10.Client Trust and Confidence Information privacy notice Be ready for security audit & report requests from clients Consider 3 rd party compliance certification Key Tip for Administrators Make your job easier! Get a Compliance Management System (CMS): Simplify, automate compliance management Compliance documentation & reports Client security audit reports Security training Security testing & reports Automatic compliance updates and reminders 17

Thank you. YOUR OPINION MATTERS! Please take a moment now to evaluate this presentation. 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback