Privacy Breach Response and Reporting

Similar documents
Building a Privacy Management Program

Privacy Breach Policy

Breaches and Remediation

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

LCU Privacy Breach Response Plan

Data Privacy Breach Policy and Procedure

Data Processing Agreement

Breaches and Remediation

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Security Breaches: How to Prepare and Respond

Clyst Vale Community College Data Breach Policy

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Data Breach Incident Management Policy

Employee Security Awareness Training Program

SECURITY & PRIVACY DOCUMENTATION

Security and Privacy Breach Notification

Cyber Risks in the Boardroom Conference

DATA SECURITY - DATA PROTECTION ACT

ADMA Briefing Summary March

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Red Flags/Identity Theft Prevention Policy: Purpose

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Keeping It Under Wraps: Personally Identifiable Information (PII)

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

TECHLAW AUSTRALIA. Update on cyber security and data protection. Thursday, 22 June Thursday, 22 June

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Michigan Department of Education

Post-Secondary Institution Data-Security Overview and Requirements

Upcoming PIPEDA Changes What is changing and what to do about it

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Cybersecurity in Higher Ed

Stopsley Community Primary School. Data Breach Policy

Integrating HIPAA into Your Managed Care Compliance Program

Cyber Security Issues

HIPAA For Assisted Living WALA iii

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

The Data Breach: How to Stay Defensible Before, During & After the Incident

Security and Privacy Governance Program Guidelines

Red Flags Program. Purpose

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!

Breach Notification Assessment Tool

Cybersecurity for Health Care Providers

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Regulation P & GLBA Training

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

GDPR Compliance. Clauses

Data Protection Policy

2015 HFMA What Healthcare Can Learn from the Banking Industry

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Subject: University Information Technology Resource Security Policy: OUTDATED

Baseline Information Security and Privacy Requirements for Suppliers

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Information Security Policy

PTLGateway Data Breach Policy

MNsure Privacy Program Strategic Plan FY

Information Governance Incident Reporting Policy

Adopter s Site Support Guide

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Building Privacy into Cyber Threat Information Sharing Cyber Security Symposium Securing the Public Trust

Data Breach Preparation and Response. April 21, 2017

Breach Notification Form

Information Security Strategy

Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties

CCISO Blueprint v1. EC-Council

Data Loss Assessment and Reporting Procedure

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

Business continuity management and cyber resiliency

What is a Breach? 8/28/2017

Outline. Other Considerations Q & A. Physical Electronic

Member of the County or municipal emergency management organization

Eco Web Hosting Security and Data Processing Agreement

Real-world Practices for Incident Response Feb 2017 Keyaan Williams Sr. Consultant

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Data Breach Notification: what EU law means for your information security strategy

Information Governance Incident Reporting Procedure

ALBERTA OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER P2010-ND-007 IPSOS NORTH AMERICA. November 10, (Case File #P1704)

Unified Communications Phase 2 Presentation to IT Services Users Group

Data Leak Protection legal framework and managing the challenges of a security breach

NMHC HIPAA Security Training Version

The University of British Columbia Board of Governors

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

NYDFS Cybersecurity Regulations

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

Putting It All Together:

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

DATA BREACH POLICY [Enniskillen Presbyterian Church]

HIPAA Security Checklist

GMSS Information Governance & Cyber Security Incident Reporting Procedure. February 2017

HIPAA Security Checklist

Heavy Vehicle Cyber Security Bulletin

Security Audit What Why

Privacy: Pre- and Post-Breach

Electronic Communication of Personal Health Information

PS 176 Removable Media Policy

Transcription:

Privacy Breach Response and Reporting AFNIGC - Privacy Education Series October 18, 2017 Chris Stinner Senior Information and Privacy Manager Office of the Information and Privacy Commissioner of Alberta 1

Agenda Overview Before a Breach Responding to a Breach 2

What is a privacy breach? Occurs when there is unauthorized: access to, or collection, use, disclosure, or disposal or loss of personal or health information. unauthorized if it is in contravention of FOIP, HIA or PIPA 3

Causes of Privacy Breaches Lack of privacy and security training Human Error misdirect correspondence Security Incidents Social engineering such as phishing Hacks leading to unauthorized access to information Lack of adequate & appropriate privacy and security controls Weak or no privacy & security policies Poor IT change management Legacy systems 4

Breach Reporting Requirements FOIP Voluntary Breach Reporting Most public bodies report serious incidents HIA Voluntary Breach Reporting Serious breaches reported to us May become mandatory in future PIPA Mandatory Breach Reporting Breaches with RROSH must be reported And individuals affected notified 5

Does a breach mean you failed the duty to protect? Yes and no Does not necessarily mean a failure to meet the duty to protect under FOIP, PIPA or HIA. May experience privacy breach despite reasonable safeguards. However, may reveal gaps in your security arrangements that should be addressed. 6

What does Reasonable Steps Mean? NOT a standard of perfection Fit and appropriate to the end in view Depends on circumstances 7

BEFORE A BREACH Work to avoid them Addressing privacy risks Be in the know Mitigate their impact 8

How to avoid breaches (as much as possible) Review organization practices Conduct privacy impact assessments for new systems, processes Security review/audits, penetration tests Policy & procedures reviews Training and awareness 9

Mitigating privacy risks Mitigation plans should address each of these risks. Unauthorized c/u/d by internal or authorized parties. Unauthorized c/u/d by external parties. Loss of integrity. Loss, destruction, or loss of use. Unauthorized c/u/d by contractor or business partner 10

Be in the know Stay abreast of developments in your sector Review OIPC Breach Notification Decisions, Investigation Reports Involve your stakeholders Encourage reporting of near-misses 11

Mitigating the Impact of Breaches Assume you will have a privacy breach, despite your efforts Identify a breach response team ahead of time Establish a policy and plan regarding breaches Practice makes perfect test your plan and make sure staff is aware 12

Summary of Tips to Prevent Breaches Put someone in charge Implement Policies and Procedures Train Staff Review OIPC online reports Communicate regularly with staff 13

BREACH RESPONSE Step 1. Contain the Breach Step 2. Evaluate the Risks Step 3. Notification Step 4. Prevention 14

Step 1 Contain the breach Take immediate steps to stop the breach Take remedial action Investigate what happened Gather information and start the risk assessment 15

Step 2 Evaluate the Risks What information is involved? What was the cause and extent of the breach? Who are the affected individuals? What is the foreseeable harm? 16

Step 3 Notification Who Internally Externally Why Legislation Contract Policy When 17

Step 3 Notification continued No need to wait for us! Be open and honest Explain what happened Explain what you are doing Offer support Be prepared to answer questions or develop FAQs 18

Step 3 Reporting Deciding whether to report Reporting to Authorities or organizations Reporting to OIPC or counterparts 19

Step 4 Prevention Take time to thoroughly investigate the cause of the breach. Develop or improve long term safeguards against further breaches. Review and update policies and training based on lessons learned. Audit to ensure the prevention plan has been implemented. 20

Breach Response Pitfalls 1. No written breach response and report plan 2. No backup person when decision makers are away 3. Scrambling to secure external agencies such as forensic audit company, law firm, etc... 4. Waiting for "perfect" information 5. Improper risk assessment of the harm to individuals 6. Contact person for affected individuals difficult to reach 7. No internal communication and/or action plan 8. Vague notification to affected individuals 9. Not reporting a privacy breach at all 21

Wrapping things up Manage your privacy function Prepare for contingencies Breach response plan BCP / DRP Know when / how to notify Keep yourself / your staff up-to-date Periodically assess 22

Questions? 23

Resources OIPC Breach reporting resources https://www.oipc.ab.ca/action-items/how-to-report-a-privacybreach.aspx OIPC AB Breach Notification decisions https://www.oipc.ab.ca/decisions/breach-notification-decisions.aspx OPC Federal Privacy Commissioner key steps in responding to a breach https://www.priv.gc.ca/information/guide/2007/gl_070801_02_e.asp Alberta Health Legislation page - Guidelines and Practices Manual http://www.health.alberta.ca/documents/hia-guidelines-practices- Manual.pdf Service Alberta PIPA http://www.servicealberta.ca/pipa-overview.cfm Service Alberta FOIP http://www.servicealberta.ca/foip/ 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback