Presented by: Jason C. Gavejian Morristown Office


jason.gavejian@jacksonlewis.com | 973.538.6890

- Unauthorized use of, or access to, records or data containing personal information.
- Personal Information (PI) typically includes first name or first initial and last name in combination with:
  - Social Security number
  - Driver's license or state identification number
  - Account number, or credit or debit card number, in combination with an access or security code
  - Biometric information (e.g. NC, NE, IA, WI)
  - Medical information (e.g. CA, VA)
- PI typically maintained by employers:
  - Human Resources: applications, FMLA, disability records, etc.
  - Accounting: payroll documents
  - Benefits: health, vision, dental

Fines, Penalties, Settlements
- State Attorneys General: vary by state.
  - Multipliers: Michigan permits civil fines of not more than $250 per failure (each person), with a maximum of $750,000.
  - Length of notification delay: Florida imposes fines when notification is not provided within the statute's mandated time frame (45 days). The fine is calculated as $1,000 per day for the first 30 days, and $50,000 for each 30-day period thereafter, with a maximum fine of $500,000.
- Health and Human Services: penalties and settlements in the millions of dollars.
- Private cause of action: 14 states have some form of private action.

Employment Context
- Loss, theft, improper access, inadvertent disclosure
- Laptop; iPhone, Droid, iPad, tablet, BlackBerry; thumb drive, hard drive; email; shared documents
- Other instances: click on or turn on the news

You need to take a number of steps to address the incident:
- Identify the internal team who will be handling the incident
  - Executives/management-level employees
  - Too much involvement must be managed carefully
- Adhere to existing internal procedures (data incident response plan, HIPAA); document the steps taken
- Notify and coordinate with the insurance carrier

Finalize the investigation and review results
To respond to the incident and complete the required notifications, you will need to determine some key information:
- Nature of the incident
- Date the incident occurred
- Date the incident was discovered
- Number of persons affected: the total number of affected persons, and how many residents of each state were affected
- Names of persons affected (LA only)
- Contact person: who will be the contact person in the notification letter. This does not have to be the same person for all notifications; there could be multiple contact persons.
- Signatory of the notification letters: same considerations as the bullet above

Where is this information available?
- A review of activity logs on the company systems or backup tapes related to this employee
- A formal interview with the employee and others to help learn what information might have been saved on the device
- Consider also: the projects the employee worked on, the life of the device, and how long the employee has been with the company. More information here may shape the steps that need to be taken below.
- Be careful of unreasonable delays to the notification.

File a police report

Litigation hold

Data security agreements
- Review and confirm there is a data security agreement in place with the vendors that will be assisting
- Work with your insurance carrier, as they may have preferred vendors

Determine whether this is a reportable breach
- State breach notification statutes and regulations: 46 states have a data breach notification requirement
- Definitions vary state by state
- Residency of the affected individual is key
- Risk-of-harm trigger: what is it? How can you make this decision? Document your decision.
- Employee relations concerns?

Verify persons affected and contact information before and after sending notifications
- Last known mailing addresses
- Check all databases for current information, not just the personnel or payroll files. For former employees, consider looking at COBRA or retirement plan records.
- If you are unable to obtain accurate contact information, additional measures may be advisable or required.
- Even after letters are sent, you will need a system for collecting and addressing letters that were undeliverable.

Determine whether credit monitoring services will be offered
- State laws do not require entities to provide credit monitoring services in the case of a data breach
- Protection? (e.g. only names and medical information were exposed, but not Social Security numbers or financial account numbers)
- Peace of mind for those affected, especially employees?
- Company image to the state agency investigator
- Review the services agreements with the vendor(s) and coordinate with the vendor(s) to obtain language to include in the notification letters

Set up a call center
- Why/why not: size of the breach
- Review services agreements with the vendors and include the appropriate contact information in the letters
- Lead time
- Develop a script for call center employees to use when responding to questions about the incident
- Public relations
- Develop an escalation process to address situations where the call center is not able to resolve a caller's concerns

Coordinate with the public relations (PR) department
- You will want public relations involved to review all communications and ensure consistent overall messaging
- Notice to statewide media, depending on the state and the number of persons affected
- What if there is no PR department? Who will handle this? Human Resources? Legal? Both?

Connect with a letter fulfillment company
- Using a vendor to finalize and send the notices to the affected individuals raises similar concerns regarding vendor agreements
- Consider the number of persons affected and the cost of notification
- Substitute notice provisions: this usually involves providing notice by all of the following: email, posting on the website, and notification in statewide media

Prepare and send breach notifications
- Federal law: HIPAA, or SEC regulations/guidance (public companies)
- State law
- Notice to individuals: risk of harm/employee relations; specific content and timing requirements
- Notice to state agencies: if breach notice is required to be provided to residents of the state, some states also require notice to certain state agencies in that state
- Notice to credit reporting agencies: you may need to notify the consumer reporting agencies of the breach (TransUnion, Equifax and Experian)
- Notice to the owner of the data: if you are not the owner of the data but maintain it on behalf of another, your obligation generally is to notify the owner

Be prepared for complaints and agency inquiry
- Complaints may be filed with the FTC or the state Attorney General's office concerning the handling of the breach notification, or the obligation to safeguard the information in the first place
- Consider the following:
  - Ensure a complaint process is in place and effective for responding in a timely manner
  - Review existing data privacy and security policies and procedures to ensure compliance, and have them at the ready to be responsive to an agency inquiry
  - Be sure the appropriate parties are involved in the response
