Privacy and Information Security - PowerPoint PPT Presentation


Presentation Transcript





Privacy and Information Security: Laws and Regulations
Susan Freund, Managing Director, Larrimer Associates, Inc.



Laws Governing Data Breach

  • Consumer Financial Privacy and Regulation S-P

  • The FACT Act Consumer Report Disposal Rule

  • State Data Breach Notification Laws



Regulation S-P

  • Safeguard Rules

  • Written Policies and Procedures

    • Insure the security of customer information

    • Protect against threats

    • Protect against unauthorized access



  • The FACT Act

    • Consumer Report Disposal Rule

    • Proper disposal of customer information must be done in a way that protects against unauthorized access



  • State Data Breach Notification Laws

    • Who must comply?

    • What is Personal Information?

    • What Constitutes a Breach?

    • What Data is Covered?

    • When should Notice be Made?

    • Other Requirements



  • Who Must Comply?

    • “any person or company that acquires, maintains, handles, collects, disseminates, owns, licenses, sells, or otherwise deals with nonpublic information.”



  • What is Personal Information?

    • Name in combination with at least one other data element, such as social security number, medical information, credit card number, password, etc.



  • What Constitutes a Breach?

    • Unlawful and unauthorized acquisition of personal information



  • What Data is Covered?

    • Computerized and electronic data

    • Trend is to include notification obligation to non-electronic documents as well



  • When should notice be made?

    • “the most expedient time possible and without unreasonable delay”



  • Other Requirements

    • Encryption Safe Harbor: notification is generally not required when the acquired data was encrypted, provided the encryption key was not also compromised

    • Law Enforcement Delay: notice may be delayed if it would impede a criminal investigation

    • Substitute Notice: permitted when costs exceed $250,000 or more than 500,000 people are affected



  • Cases Involving Security Breaches

    • Stephen Bauman

    • LPL Financial

    • Commonwealth Financial Network



Privacy and Information Security: Internal Risks and Best Practices
Nick Nichols, Executive Vice President, Venio LLC



Security Management Challenges

  • Hyper-Extended/Borderless Environments

  • Combination of Human/Business/Technical Factors

  • Escalating threats

  • Who/How and What of Data Breaches



Hyper-Extended Enterprises*

  • Extreme levels of connectivity and info exchange

    • Shareholders, brokers, banks, lawyers……

    • Digital information growth to increase 5-fold (IDC, May 09)

  • Powered by new web and communication strategies

    • Nearly 75% of the workforce will be mobile by 2011 (BNET, Feb 09)

    • Social networks? Facebook to exceed 300m users by Y/E (All Facebook, Feb 09)

* Source RSA/EMC



Hyper-Extended Enterprises*

  • Integrates a vast array of third-party technology

    • Cloud Computing (e.g., virtual servers and web-based applications) to capture 25% of IT spending growth by 2012 (IDC, Feb 09)

    • Companies to virtualize 34% of servers (Network World, Feb 09)

    • 25%+ of Global 1,000 IT jobs to move offshore by 2010 (CIO, Dec 08)

    • Anybody know Vasyl Smyrnov?

* Source RSA/EMC



Human/Business/Technical Factors

  • Human

    • Lack of security culture and training

    • Different Perceptions of Risk

  • Business

    • Risk versus reward; security is expense-driven

    • Need to compete in an open complex environment

  • Technical

    • Need to balance ‘enabling’ and securing an organization



Escalating threats

  • Cyber attacks have surged 322%*

  • 40% of all data lost in a security breach is private consumer information **

  • A 585% spike in malicious anti-malware***

  • Compromised PCs rose 66% to over 12 million**

* McAfee 2009

** Anti-Phishing Working Group 1H 2009

*** Websense Q1-Q2 2009



Escalating threats (cont.)

  • Banking Trojan/password-stealing crimeware detected rose 186%*

  • 95% of comments in chat rooms are spam or malicious**

  • 87.7% of email messages were spam **

* Anti-Phishing Working Group 1H 2009

** Websense Q1-Q2 2009



Who is behind data breaches?

  • 74% resulted from external sources

  • 20% were caused by insiders

  • 32% implicated business partners

  • 39% involved multiple parties

Source: Verizon 2009 DBIR



How do breaches occur?

  • 67% were aided by significant errors in security

  • 64% resulted from hacking

  • 38% utilized malware

  • 22% involved privilege misuse

  • 9% occurred via physical attacks

Source: Verizon 2009 DBIR



What needs to be done?

  • Encrypt EVERYTHING

  • Incorporate security into business strategy decisions

  • Ensure essential controls are met

  • Collect and monitor event logs

  • Audit user accounts and credentials

  • Test and review web applications
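As an added example of the "collect and monitor event logs" and "audit user accounts and credentials" items above (this is not code from the presentation or from any speaker's firm), the Go program below replays a constructed set of sshd-style authentication log lines and raises a "brute-force" alert when one source address accumulates five failed logins inside a one-minute sliding window, then a higher-severity "success-after-burst" alert when a successful login from that source follows within the window, the pattern left by a guessed or stuffed credential. The log lines, addresses, threshold and window are all assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// sampleLog is a constructed set of sshd-style auth events (not from the presentation).
// RFC 3339 timestamps are used so the lines parse unambiguously.
const sampleLog = `2009-06-01T09:00:01Z sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
2009-06-01T09:00:03Z sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
2009-06-01T09:00:05Z sshd[2201]: Failed password for root from 203.0.113.7 port 40114 ssh2
2009-06-01T09:00:07Z sshd[2201]: Failed password for root from 203.0.113.7 port 40115 ssh2
2009-06-01T09:00:09Z sshd[2201]: Failed password for root from 203.0.113.7 port 40116 ssh2
2009-06-01T09:00:12Z sshd[2201]: Accepted password for root from 203.0.113.7 port 40117 ssh2
2009-06-01T09:15:00Z sshd[2310]: Failed password for jsmith from 198.51.100.4 port 51000 ssh2
2009-06-01T09:30:00Z sshd[2311]: Accepted publickey for jsmith from 198.51.100.4 port 51001 ssh2`

// Event is one parsed authentication attempt.
type Event struct {
	When    time.Time
	Outcome string // "Failed" or "Accepted"
	User    string
	Source  string
}

// Alert is a detection result; Count is the number of failures in the window.
type Alert struct {
	Kind   string // "brute-force" or "success-after-burst"
	Source string
	User   string
	Count  int
	When   time.Time
}

var lineRe = regexp.MustCompile(
	`^(\S+) sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+`)

// ParseLine extracts an Event from one log line; ok is false for lines that
// are not authentication outcomes or whose timestamp does not parse.
func ParseLine(line string) (ev Event, ok bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	t, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{When: t, Outcome: m[2], User: m[3], Source: m[4]}, true
}

// Detect replays the log in order. It raises "brute-force" the first time a
// source reaches threshold failures inside a sliding window, and
// "success-after-burst" when an Accepted login from that source arrives
// within window of that burst.
func Detect(logText string, threshold int, window time.Duration) []Alert {
	var alerts []Alert
	failures := map[string][]time.Time{} // recent failure times per source
	burstAt := map[string]time.Time{}    // when each source tripped the threshold
	for _, line := range strings.Split(logText, "\n") {
		ev, ok := ParseLine(line)
		if !ok {
			continue
		}
		switch ev.Outcome {
		case "Failed":
			// Drop failures that have aged out of the window, then add this one.
			recent := failures[ev.Source][:0]
			for _, t := range failures[ev.Source] {
				if ev.When.Sub(t) <= window {
					recent = append(recent, t)
				}
			}
			recent = append(recent, ev.When)
			failures[ev.Source] = recent
			if _, tripped := burstAt[ev.Source]; len(recent) >= threshold && !tripped {
				burstAt[ev.Source] = ev.When
				alerts = append(alerts, Alert{"brute-force", ev.Source, ev.User, len(recent), ev.When})
			}
		case "Accepted":
			if t, tripped := burstAt[ev.Source]; tripped && ev.When.Sub(t) <= window {
				alerts = append(alerts, Alert{"success-after-burst", ev.Source, ev.User, len(failures[ev.Source]), ev.When})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleLog, 5, time.Minute) {
		fmt.Printf("%s %-20s source=%s user=%s failures=%d\n",
			a.When.Format(time.RFC3339), a.Kind, a.Source, a.User, a.Count)
	}
}
```

On the sample input the single legitimate failure by jsmith never trips anything, while the burst from 203.0.113.7 produces both alerts; the second one is the event an incident responder should page on, because it means the guessed credential now works and the breach-notification clock in the earlier slides may already be running.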



Oh…one more thing! INVEST

  • 71% of IT directors believe there is some chance of a serious security breach*

  • 70% had to freeze or cut their security budgets this year*

*McAfee 2009 SMB survey



Privacy and Information Security: Vendor Due Diligence
Joe Kardek, Chief Technology Officer, Dodge and Cox



Vendor Expectations for Protection of NPI

  • The cost of a data breach rose to $202 for each compromised record last year, an increase of 2.5% over 2007.

  • Average expense to an organization was $6.6M in direct and indirect costs, which includes the cost of notifying victims and maintaining information hot lines as well as legal, investigative and administrative expenses.

  • The vast majority of data breaches were caused by negligence.

  • Portable storage devices, including laptops, are responsible for the growing number of breaches.

  • Many data breaches are caused by third party providers, including contractors, consultants and business partners – approximately 44%, up from 40% in 2007.

Source: Ponemon Institute Annual Survey



What should you know about your Vendors?

  • What are our vendors’ data breach procedures?

  • Have we protected our organization and our shareholders in contracts with vendors?

    • Data transportation, storage and handling

    • Workspace requirements

    • Insurance considerations



Vendor data breach procedures

  • Do they have a documented procedure?

  • Does it have timeframes and escalation steps, and do they meet State timeframes?

  • Does it include Vendor “C” level executives ?



Data Transportation, Storage and Handling

  • Ensure secured methods of file transfer are leveraged between:

    • You and your Vendors

    • Your Vendors and THEIR Vendors

    • Internally on your Vendor’s network (multiple offices? Remote employees?)

  • How is data stored/protected on your Vendor’s network?

    • Encryption “at rest” (Servers/Laptops/PCs) and “in motion” (data traveling across the network)

    • Established security solutions in place (e.g. RSA, McAfee, Symantec, etc)

    • Firewalls, Intrusion Prevention, etc.
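The "Encrypt EVERYTHING" advice in the earlier talk and the "encryption at rest" bullet above both turn on how the encryption is done: the encryption safe harbor in the state breach laws only helps if the key was not taken along with the data, and encryption without integrity protection lets an attacker alter stored records undetected. The Go program below is an added example, not code from the presentation or from any of the speakers' firms. It encrypts a customer record at rest with AES-256-GCM, binds the record identifier in as associated data so a ciphertext copied into another customer's row is rejected, and shows that any tampering, wrong key or wrong identifier fails closed. The record contents, the identifier and the function names are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// CustomerRecord is a constructed example of nonpublic personal information:
// a name combined with another data element (here an SSN), which is exactly
// the combination the state breach laws call "personal information".
type CustomerRecord struct {
	Name string `json:"name"`
	SSN  string `json:"ssn"`
}

// NewDataKey returns a fresh 256-bit AES key. In production this comes from a
// key manager or HSM and is never stored beside the ciphertext: the encryption
// safe harbor is only worth something if the key is not taken with the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts rec with AES-256-GCM. The random nonce is prepended to the
// ciphertext, and recordID is bound in as associated data so a blob copied
// from one customer's row to another's is rejected on decryption.
func Seal(key []byte, rec CustomerRecord, recordID string) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce we pass as dst, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plain, []byte(recordID)), nil
}

// Open reverses Seal. Any modification of the blob, a wrong key, or a wrong
// recordID fails the GCM tag check and yields an error rather than garbage.
func Open(key, blob []byte, recordID string) (CustomerRecord, error) {
	var rec CustomerRecord
	block, err := aes.NewCipher(key)
	if err != nil {
		return rec, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return rec, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return rec, errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil {
		return rec, fmt.Errorf("record %s rejected: %w", recordID, err)
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	rec := CustomerRecord{Name: "Jane Doe", SSN: "123-45-6789"} // constructed, not real
	blob, err := Seal(key, rec, "cust-1001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes, first 16: %x\n", len(blob), blob[:16])
	if back, err := Open(key, blob, "cust-1001"); err == nil {
		fmt.Println("round trip ok:", back.Name)
	}
	blob[len(blob)-1] ^= 0x01 // simulate a tampered row
	if _, err := Open(key, blob, "cust-1001"); err != nil {
		fmt.Println("tamper detected:", err)
	}
}
```

When asking a vendor how data is "protected at rest", the questions this example suggests are where the data key lives relative to the ciphertext, whether the mode is authenticated, and whether per-record context is bound in; "we use AES" alone answers none of them.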



Data Transportation, Storage and Handling (cont.)

  • Safe data handling processes that extend beyond the “techies”

    • Employee training for safe handling of data

    • Limitations of what can be printed, scan/shred processes where possible

    • Surveillance in “paper intensive” areas

  • Third party attestations:

    • Are they comprehensive (e.g. SAS 70 Type II, ISO certification) and done by accredited firm?

    • What services do they cover?

    • What locations do they cover?



Workspace Requirements: if it’s required of you, consider it for your vendors

  • Secured offices

    • Building access

    • Office access

    • Server room (limited access)

    • Monitoring of entry points

  • Use of external storage drives and handheld devices

    • Lock down USB ports (“thumb drives”)

    • Ensure confidential data cannot be accessed by PDAs

  • Limited access to external messaging

    • External POP email access (Yahoo, Gmail, etc.)

    • Instant Messaging (AOL, Trillian, etc.)



Insurance Considerations – The gaps

  • Commercial General Liability Insurance: Typically covers bodily injury and damage to “tangible” property. Data and software are considered to be “intangible”

  • Fidelity/Crime Insurance: Typically provides coverage to the organization for losses resulting from the theft of money, securities and “other tangible property.” Information theft is not covered under a standard fidelity bond. “Other property” does not include proprietary information, confidential information or copyrights, trademarks, etc.

  • Professional E&O: Typically only covers financial loss arising out of professional services to others. Computer attacks do not fall within “professional services,” and some E&O policies exclude coverage caused by “unauthorized access.”

  • Technology E&O: Covers only financial loss arising out of technology services performed for others. If negligence leads to a breach, coverage would apply. However, if an employee commits an intentional act or an outside hacker causes a financial loss, no coverage would apply under a typical technology E&O policy. *Most Technology E&O policies can be extended to cover network security and privacy related exposures.



Insurance Considerations – What should I Require?

  • Request E&O to include network security/privacy coverage

    • Be specific! Some Technology E&O policies have security/privacy exclusions

  • Cyber Liability – what you need, what your vendor needs:

    • Policies must cover THIRD PARTY data!

    • Non-network Privacy Breaches: What happens if a breach does not arise out of a failure of security of your computer system? e.g. paper, PDAs, lost data tapes.

    • Regulatory Defense Expenses: Defense costs involved with a regulatory proceeding, a request for information, suit or civil investigation by or on behalf of a government agency arising from allegations of violation of a privacy regulation.

    • Notification Expenses: Costs to notify your clients of privacy breaches.

    • Credit Monitoring Expenses: Costs to provide your clients with credit monitoring services as a result of privacy violation, if you have the duty to provide.

    • Crisis Management Expenses: Reasonable and necessary expenses incurred by you in retaining a public relations firm or law firm for advertising/communications to assist with mitigating harm to your reputation.



Summary

  • Ask questions!

  • Get documentation/proof of coverage, policies, audits, etc

  • Make site visits!

