Navigating Regulatory Impacts of a Financial Services Data Breach

Similar documents
Data Compromise Notice Procedure Summary and Guide

Security Breaches: How to Prepare and Respond

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Why you MUST protect your customer data

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Red Flags/Identity Theft Prevention Policy: Purpose

ANATOMY OF A DATA BREACH: DEVELOPMENTS IN DATA SECURITY AND CLOUD COMPUTING LAW

UCOP ITS Systemwide CISO Office Systemwide IT Policy

HIPAA For Assisted Living WALA iii

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

Data Leak Protection legal framework and managing the challenges of a security breach


U.S. Private-sector Privacy Certification

Cybersecurity in Higher Ed

Mastering Data Privacy, Social Media, & Cyber Law

DeMystifying Data Breaches and Information Security Compliance

What To Do When Your Data Winds Up Where It Shouldn t

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Jeff Wilbur VP Marketing Iconix

Putting It All Together:

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016

COMMENTARY. Information JONES DAY

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

What is Cybersecurity?

Regulation P & GLBA Training

Emsi Privacy Shield Policy

LCU Privacy Breach Response Plan

HIPAA and HIPAA Compliance with PHI/PII in Research

2017 RIMS CYBER SURVEY

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Breach Notifications: How to Handle Breaches Across Jurisdictions. Moderated by: Zach Warren, Editor-in-Chief, Legaltech News

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Altius IT Policy Collection Compliance and Standards Matrix

Checklist: Credit Union Information Security and Privacy Policies

Privacy & Information Security Protocol: Breach Notification & Mitigation

HIPAA & Privacy Compliance Update

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

By accessing your Congressional Federal Credit Union account(s) electronically with the use of Online Banking through a personal computer or any other

Workday s Robust Privacy Program

Legal Considerations and Case Studies

The Impact of Cybersecurity, Data Privacy and Social Media

Cyber Risks in the Boardroom Conference

Prevention of Identity Theft in Student Financial Transactions AP 5800

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

NYDFS Cybersecurity Regulations

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Data Privacy Breach Policy and Procedure

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Starflow Token Sale Privacy Policy

Keeping It Under Wraps: Personally Identifiable Information (PII)

Data Security and Breach Notification Legislative Update: What You Need to Know (SESSION CODE CRM001)

HIPAA Security and Privacy Policies & Procedures

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Presented by: Jason C. Gavejian Morristown Office

Elders Estates Privacy Notice

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

University of North Texas System Administration Identity Theft Prevention Program

Security Breach Notification Reflections on the U.S. Experience

Altius IT Policy Collection Compliance and Standards Matrix

Beam Technologies Inc. Privacy Policy

Data Privacy and Cybersecurity

Cyber Security Issues

Cybersecurity and Nonprofit

HIPAA UPDATE. Michael L. Brody, DPM

SOC 3 for Security and Availability

Critical Information Infrastructure Protection Law

This website is managed by Club Systems International on behalf of the Hoburne and Burry and Knight Groups.

HIPAA Security Manual

Protecting your data. EY s approach to data privacy and information security

University of Pittsburgh Security Assessment Questionnaire (v1.7)

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

The HIPAA Omnibus Rule

HIPAA FOR BROKERS. revised 10/17

Identity Theft Prevention Program. Effective beginning August 1, 2009

Understanding the Impact of Data Privacy January 2012

[Utility Name] Identity Theft Prevention Program

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Privacy Breach Policy

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Information Technology Standards

What to do if your business is the victim of a data or security breach?

Data Security Essentials

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

Data Privacy & Protection

Data Security: Public Contracts and the Cloud

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Protecting Your Gear, Your Work & Cal Poly

Employee Security Awareness Training Program

Breach Notification Assessment Tool

Privacy Shield Policy

01.0 Policy Responsibilities and Oversight

Transcription:

Navigating Regulatory Impacts of a Financial Services Data Breach Stacey C. Bolton, CIPP SVP, Global Head of Privacy and Information Management The Northern Trust Company Email: scb8@ntrs.com Phone: 312-557-1558

Data Loss Incidents Over Time 1200 Data Loss Incidents Over Time 1000 986 895 800 641 770 695 667 600 400 200 156 142 21 43 0 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 http://datalossdb.org/statistics

2011 Incidents by Vector Incidents by Vector - Last Year Inside-Accidental - 19% Inside-Malicious - 11% Unknown - 9% Inside - 8% Outside - 53% http://datalossdb.org/statistics

2011 Incidents Incidents by Data Type - Last Year Incidents by Business Type - Last Year Date of Birth - 9% Medical - 8% Medical - 20% Gov ernment- 16% Social Security Number - 10% Address - 8% Educational - 11% Miscellaneous - 15% Names - 24% Business - 53% http://datalossdb.org/statistics

Incidents by Breach Type - 2011 Incidents by Breach Type - Last Year Stolen Document - 5% Disposal Document - 7% Stolen Laptop - 8% Unknown - 4% Stolen Computer - 3% Snail Mail - 3% Lost Drive - 3% Email - 2% Lost Document - 2% Virus - 2% Stolen Drive - 2% Web - 9% Lost Media - 2% Lost Tape - 0% Missing Document - 0% Lost Computer - 0% Disposal Computer - 0% Stolen Mobile - 0% Missing Laptop - 0% Stolen Tape - 0% Stolen Media - 0% Missing Media - 0% Lost Laptop - 0% Fraud, Social Engineering - 13% Hack - 32% http://datalossdb.org/statistics

Key US Privacy Laws and Regulations Gramm-Leach Bliley Act FIs must protect non-public personal info of consumers and customers Initial and annual privacy notices Consent requirements and Opt-out Notice Interagency Guidelines requires written Info Security Plan with appropriate incident response procedures Fair Credit Reporting Act Governs uses and disclosure of information in consumer reports by consumer reporting agencies Provides access rights to consumer Red Flag Rules requires creditors to develop identity theft prevention programs HIPAA/HITECH Act Governs use and disclosure of Protected Health Information (PHI) Individuals have right of access to inspect PHI HITECH amends HIPAA to include security breach notification requirements & expands applicability of HIPAA to business associates Employer-sponsored Health Plans must certify compliance with HIPAA Privacy Standards State Data Security Laws Massachusetts law requires covered entities to implement administrative, physical, and technical safeguards around PII. 46 states, DC, Puerto Rico & BVI have enacted notification laws involving security breaches of PII. (CA, IL, NY, ND, OK, SC, TN, TX, ME, MA, MN, NV unauthorized acquisition)

Key International Privacy Laws and Regulations EU Data Protection Directive EU and US Safe Harbor Includes European Union Member states: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, UK (also new members states) Six tenants: Notice, Choice, Use, Security, Correction & Enforcement Includes natural person identified by an identification number or physical, physiological, mental, economic, cultural, or social identity To qualify for Safe Harbor, organization must: (1) adhere to the 7 guiding privacy principles, and (2) publicly announce its compliance through certification letters filed annually with the Dept. of Commerce Banks, investment houses, credit unions, savings & loan institutions, non-profit organizations, insurances companies and meat processing facilities currently ineligible for Safe Harbor Various Implementing EU Country Laws and Regulations Many member states have enacted laws implementing the EU Data Protection Directed (i.e. UK Data Protection Act 1998) New Proposed UK Privacy Law Other Country laws (e.g. Canada, Japan, Mexico) Canada - PIPEDA governs the topic of data privacy, and how private-sector companies can collect, use and disclose personal information. Japan - Act aims to "protect the rights and interests of individuals while taking consideration of the usefulness of personal information. Mexico - Federal law deals with data subjects' rights, security and breach notification provisions, cloud computing, consent and notice requirements, and data transfers.

Data Privacy AND Confidential/Proprietary Information Organizations often have a very robust level of security and communication around the protection of personally identifiable information (PII) to prevent it being shared, intentionally or unintentionally, with parties not authorized to view that data. Many organizations also have created controls around Confidential and/or Proprietary Information What is personally identifiable information (PII)? PII is information which can be used to determine the identity of any individual, or to permit access to or to create a new personal account, specifically: a person s name, address, or telephone number, in combination with Social Security number, Social Insurance number or any other tax identification number Drivers license number, Account number, credit card number or debit card number, or a personal identification number or password that would permit access to the customer s account. Account access information: information which would permit access to any (personal or corporate/institutional) customer s account, specifically an account number/username in combination with a PIN, password, passphrase or any other information that can be used to access a client s account. What is Confidential and/or Proprietary Information? Confidential and Proprietary Information generally means non-public information where disclosure could result in serious damage to a company or a client. Examples include but are not limited to: All information about company s past, present and prospective clients and all information received from them, including the fact that an individual or entity is a customer. Competitive matters, such as confidential plans and activities, its technology and its trading positions. Nonpublic information that might affect the price of a public company s stock, such as information about its current or projected earnings or a potential transaction, such as an acquisition. Nonpublic financial reports or projections.

Common Events Laptops or portable media devices (e.g. PDA, CD, flash drive etc.) are lost or stolen Client statements, confirmations, tax information, checks are sent to another client A hacker illegally gains access to systems and customer information Fax is sent to the wrong location A courier delivers a package to the wrong address System Access is granted to the wrong customer

The Biggest Culprit Email Reminders You MUST Communicate to Employees Before forwarding or replying to an email, check the history of a message. Make sure that the content of the email is appropriate for the recipients. Delete or mask PII or Account Access Information when possible. Check the attachments for any sensitive or incorrect client data (check for hidden fields in Excel files) Do not email information to your personal address in order to "work from home" - use the institution s approved remote access solutions. Double check the recipients of any message you send, especially when distribution lists or external email addresses. A pop-up message box will indicate when an email is going to a non-nt recipient. Read and follow the message carefully.

Example Pop-up Message

How Employees Report Potential Breaches Communicate clearly and often how employees are to notify the Privacy Office of any potential breach (loosely defined as any incident in which sensitive information has been sent or received by an unauthorized third party) Send an e-mail to Privacy Office or call a Privacy Hotline, with detailed information about the incident or potential breach so that the Security Breach Response Team (SBRT) can begin an investigation. Notify your manager

Role of the Privacy Office Receive Assess Contain Escalate Notify Remediate Validate

KNOW Your Key Stakeholders Insurance Sr. Management or Business Unit Execs Technology Counsel (inhouse/external) Enforcement Call Center Regulators/Law enforcement Public Relations

Privacy Breach Response Protocol If yes, PO follows Breach Notification Protocol (See Breach Notification Chart) PO follows remediation protocol (See Remediation Protocol Chart) Privacy Office (PO) alerted of potential Breach and analyses if breach is reportable based on Breach Notification Laws If no, PO determines if non-reportable incident requires remediation If yes, PO follows remediation protocol (See Remediation Protocol Chart) If no, PO logs incident and formally closes

Privacy Breach Notification Protocol Analyze both regulatory and contractual disclosure requirements Provide notice to regulatory authorities (Federal, State, International) Draft customer/consumer notifications in compliance with state, national and international regulations. Consider staggered notification for large breaches, and make sure that PR is involved and call centers are briefed with approved responses.

Remediation Protocol Root Cause Analysis Privacy Office commissions a detailed report from the business/department concerning the cause of the incident. Control Assessment Privacy Office analyzes the cause to determine if the incident was the result of a control weakness Remediation Plan & Closure Privacy Office works with business/department to create a remediation plan that addresses future breach risk. This action formally closes the incident. Control Validation Periodically, business/department engages audit/testing function to validate effectiveness of mitigating controls.

Top Ten Privacy Threats

Loss Recovery The Role of Insurance Legal and Defense Expenses Offers coverage for legal liability, defense costs and expense reimbursement for liability from a personal identity event. Notification Expense Coverage for the reasonable and necessary costs incurred for correspondence or other communication directed to individuals whose personal information is subject of personal identity event. Regulator Expenses Coverage for reasonable attorney s fees and expenses for legal services incurred in the defense of regulatory action against the insured because of identity event. Crisis Management Response Coverage for charges and fees for the services of a public relations, crisis management or law firm to help restore confidence of the insured s customers and investors. Identity Theft Recovery Expense Coverage for reasonable fees and expenses incurred by an insured for any service specifically approved, including identity theft education and assistance and credit file monitoring. Security Breach Insurance Third party liability coverage for claims resulting from a failure of computer security, including privacy claims. Business Interruption Protection for business interruption losses arising from the interruption or suspension of an insured s computer network due to failure of network security. Cyber Extortion Coverage that provides protection for both first-party loss and third-party liability resulting from acts of cyber terrorism.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback