1 / 30

Information Security – Changes in the Law, Cost, and Complexity of Responding to Breaches

Information Security – Changes in the Law, Cost, and Complexity of Responding to Breaches. Dino Tsibouris (614) 360-1160 dino@tsibouris.com. Trends for 2010. Increased federal and state regulation of information security Increased enforcement Increased costs to resolve a breach

edan
Download Presentation

Information Security – Changes in the Law, Cost, and Complexity of Responding to Breaches

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security – Changes in the Law, Cost, and Complexity of Responding to Breaches Dino Tsibouris (614) 360-1160 dino@tsibouris.com

  2. Trends for 2010 • Increased federal and state regulation of information security • Increased enforcement • Increased costs to resolve a breach • Increased “compliance complexity” as technology changes

  3. Examples • HITECH Act - Amendments to HIPAA by the Stimulus Act • Enforcement Actions under HITECH • Medical Data in the Cloud • Revisions to State Law Regarding PCI-DSS • Anonymization Becoming Difficult • Dave & Buster’s, Heartland, and Countrywide Breaches

  4. HITECH ACT Amends HIPAA • New breach notification rules • New penalties • Increased levels of minimum security • State AG enforcement • Business associates must comply

  5. HITECH ACT Amends HIPAA • Covered entity must notify persons if a breach occurs • Must notify HHS for publication if over 500 persons • Vendors of PHR must notify individuals if breached

  6. HITECH ACT Business Associate Requirements • Must comply with Security Rule regarding administrative, physical, and technical safeguards • Develop policies • Designate a security official • Enforcement

  7. HITECH ACT Business Associate Requirements • If your covered entity violates your BAA, you are violating HIPAA • Must cure breach, terminate, or report to DHHS

  8. HITECH ACT Business Associate Requirements • Does your contract allow for amendment to comply with changes in the law? • Sample DHHS OCR contractual clause requires parties to amend to address changes in law

  9. HITECH ACT Business Associate Requirements • If you have a breach, must notify HIPAA-covered entity • Covered entity must then notify individuals

  10. HITECH ACT Penalties • Tier A – inadvertent - $100 per violation up to $25,000/yr • Tier B – reasonable cause, not “willful neglect” - $1,000 per violation up to $100,000/yr

  11. HITECH ACT Penalties • Tier C – “willful neglect” ultimately corrected - $10,000 per violation up to $250,000/yr • Tier D - “willful neglect” uncorrected - $50,000 per violation up to $1.5 M/yr

  12. Connecticut Health Net Enforcement Connecticut Attorney General - HIPAA • Lost portable computer disk drive • Involves privacy of 446,000 Connecticut enrollees • Health information, social security numbers, and bank account numbers • Failed to notify on time

  13. Connecticut Health Net Enforcement Health Net failed to • Ensure the confidentiality and integrity of electronic protected health information • Implement technical policies and procedures for electronic information systems • Implement policies and procedures that govern the receipt and removal of hardware and electronic media

  14. Connecticut Health Net Enforcement Health Net failed to • Implement policies and procedures to prevent, detect, contain, and correct security violations • Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents • Effectively train all members of its workforce

  15. Connecticut Griffin Hospital Investigation • Hospital terminates radiologist and his access to the computer systems • Patients call hospital with complaints • Audit reveals access to one terminal • Ex-radiologist uses usernames and passwords of other radiology employees for 1 month • Accesses ~1000 records • Solicits patients for service at another hospital

  16. HIPAA - Employee Snooping • UCLA employee • Accesses system 323 times in 3 weeks • Snoops on celebrity medical records • Similar incident in 2008 • UCLA reveals that 165 employees improperly viewed files in 13 years • 15 fired for viewing octuplet mom’s records

  17. Medical Data in the Cloud • Data stored in the cloud more and more frequently • Third-party contractors more and more common • Security and background checks for companies a necessity • Conduct audits or obtain results • Ownership of data • Prohibiting sales to others • Return in appropriate format

  18. Anonymization • Privacy laws provide exceptions for anonymized data • It is now more difficult to anonymize data • Examples: • AOL search results release • Netflix million dollar prize release • MA health records release • Unique ID 87% of the US with ZIP, DoB, Sex

  19. Fallout from failed Anonymization • AOL CTO resigns • MA governor is embarrassed • Netflix is sued in court for outing a lesbian mother, settles case, ends prize program • DBs are permanently associated

  20. HHS Research • Current HHS regulations have detail on de-identification • HHS realizes the difficulty in anonymizing personal data • Funds research on technology to achieve anonymity while maintaining value to research • Future laws will likely keep these difficulties in mind

  21. MassachusettsData Security Regulations • Creates duty to protect personal data • Applies to the personal information of MA residents • Sophistication of safeguards increases with size and scope of business • Requires encryption for transmission of personal data over public networks • Effective date March 1, 2010

  22. Nevada PCI-DSS • Effective Jan. 1, 2010 • Requires encryption when electronically transmitting personal data • Requires compliance with PCI-DSS • Similar to Minnesota law

  23. Washington PCI-DSS • Applies to entities processing more than 6 million payment card transactions per year • Liability may result in reimbursement of card issuing costs for banks • Includes Safe Harbors for encryption and PCI compliance at the time of breach • Effective July 1, 2010

  24. Heartland Payment Systems Breach • 6th Largest Payment Processor • Involved 330 Financial Institutions • Heartland was PCI-DSS certified • SQL injection attack • CC#s, expiration dates, stored magnetic stripe data • Lost ~130 million card numbers

  25. Heartland Payment Systems Breach • Removed from VISA CISP list • Reported $105 million in expenses • $90 million to Visa, MasterCard, Banks • $3.5 million to AmEx • Settles Cardholder Class Action for $2.4 million • Stockholder Class Action in NJ Dismissed

  26. Countrywide Breach • Countrywide Financial Services • Former employees • Downloaded and sold customer data • Every week for 2 years • 19,000 individuals notified of breach • Class action settles for over $10 million

  27. Dave & Buster’s FTC Enforcement • Dave & Buster’s loses 130,000 credit and debit card numbers • Failed to take sufficient measures to protect credit card information • Failed to limit access by third parties • Settles with the FTC

  28. Dave & Buster’s FTC Enforcement • Consent agreement requires D&B to: • Appoint responsible employee • Conduct Risk assessment • Develop of security program and safeguards • Develop of criteria for selecting 3rd party access to information • Obtain biennial third-party audits for 10 years

  29. Trends for 2010 • Increased federal and state regulation of information security • Increased enforcement • Increased costs to resolve a breach • Increased “compliance complexity” as technology changes

  30. Questions & Answers Dino Tsibouris (614) 360-1160 dino@tsibouris.com

More Related