Data Privacy and Data Security Compliance Issues

advertisement
Responding to a Data
Security Breach
Presented By:
Gerald J. Ferguson
gferguson@bakerlaw.com
Twitter: @JerryFergusonNY
A Simplified View of a Data Breach
Discovery of a Data
Breach
Evaluation of
the Data
Breach
Managing the
Short-Term
Crisis
Handling the
Long-Term
Consequences
Class-Action
Lawsuits
Theft, loss, or Unauthorized
Disclosure of Personally
Identifiable Non-Public
Information or Third Party
Corporate Information that is in
the care, custody or control of the
Insured Organization, or a third
party for whom the Insured
Organization is legally liable
Notification and
Credit Monitoring
Forensic
Investigation and
Legal Review
Regulatory Fines,
Penalties, and
Consumer Redress
Reputational
Damage
Public Relations
Income Loss
What is a Data Breach?
•
•
Actual release or disclosure of information to an unauthorized
individual/entity that relates to a person and that:
– May cause the person inconvenience or harm
(financial/reputational)
• Names, home addresses, email addresses, usernames,
passwords, family-member information, etc.
– May cause inconvenience or harm to your patients, employees
or business partners (financial/reputational)
• Information that relates to patients (see above)
• Information that relates to current/former employees &
applicants
• Information relating to internal matters (business plans,
employment disputes, Union negotiations)
Paper or electronic
Commonalities of Breaches
• Lost laptop or device
• Administrative error
• External attack involving hacking and
malware
• Vulnerability created by third party vendor
• Not detected for months
• Breached entity will learn from third party
• Initial exploit relatively simple and avoidable
4
Compliance Complexity
INDUSTRY
SELF
REGULATION
PCI-DSS
FERPA
STATE BREACH
HIPAA
NOTIFICATION
HITECH
LAWS
COMPLIANCE
STATE
GLBA
PRIVACY LAWS
INTERNATIONAL
DATA
FTC
PROTECTION
(e.g. EU, CANADA)
5
State Laws
• 46 states, D.C., & U.S. territories
• Laws vary between jurisdictions
• Varying levels of enforcement
by state attorneys general
• Limited precedent
6
What is a Data Breach?
(That may trigger state notification laws)
• Unauthorized access to and acquisition of
specific types of information associated
with a named individual
–
–
–
–
SSN
Driver's license number
Credit card number
Bank account Information
7
State Law Differences: P11
• Employee ID Numbers (N. Dakota)
• User Name and Password (California)
• Other numbers or information that would
permit access to financial resources
(Multiple)
• Health Information (Multiple)
8
State Law Differences (Triggers)
• Acquisition or Access
• Electronic Only or Paper
• Risk of Harm Analysis
• Encryption Safe Harbor
9
Other State Law Differences
• Notification of AG or Agency
• Timing of Notice
–
–
–
–
45 day rule
De facto 30 day rule
Early notice to AG or regulator
Law enforcement delay
• Private Right of Action
• Text of Notice
10
Massachusetts Law
• Written Information Security Program
• Encryption Requirements
• Chief Privacy Officer
• Employee training
• Business associate obligations
11
FERPA
•
•
•
•
•
The intent of the Act is to protect the rights of students and to
insure the privacy and accuracy of education records.
Act applies to all institutions that are recipients of federal aid
administered by the Secretary of Education
No requirement to notify if education records are stolen/subject to
unauthorized release, however, a record should be maintained for
each disclosure (34 CFR 99.32(a)(1)
Students who are or have been “in attendance” at the institution, in
person, or by paper correspondence, video conference, satellite,
internet, or other electronic information and telecommunications
technologies for students who are not physically present in the
classroom regardless of their age or status in regard to parental
dependency are protected by FERPA
Students who have applied to but have not “attended” an institution,
and deceased students, are not protected by FERPA.
12
FERPA
•
An “education record” is any record that is:
–
–
•
Notification may be necessary for postsecondary
institutions under the FTC’s Standards for Insuring
the Security, Confidentiality, Integrity and Protection
of Customer Records and Information (“Safeguards
Rule”) in 16 CFR part 314.
–
•
Directly related to a student; and
Maintained by an educational agency or institution, or by
a party acting for the agency or institution.
Related to finanical aid records
Direct student notification may be advisable if the
compromised data includes student SSNs and other
identifying information that could lead to identity theft
13
HIPAA / HITECH
(“Acquisition” “Access” “Use” Trigger w/ Risk of Harm)
•
•
•
•
•
•
•
HIPAA Privacy Regulations (45 CFR §164): Breach by a
Covered Entity
Applies To: A health plan, health care clearinghouse and health
care provider who transmits any health information in electronic
form in connection with a covered transaction.
Information Covered: Unsecured protected health information –
individually identifiable health information that is transmitted or
maintained in electronic media or any other form or media.
Definition of Breach: The acquisition, access, use, or disclosure
of PHI in a manner not permitted by the HIPAA Privacy Rule, which
compromises the security or privacy of the PHI.
Who Must Be Notified: The patient or their personal
representative, HHS and the media if more than 500 residents of a
state or jurisdiction are affected.
Notification Timeframe: Without unreasonable delay and in no
case later than sixty (60) calendar days after the breach is
discovered
Preemption: Preempts state law to the extent it is more strict
14
Definition of Breach in Final Rule
• An acquisition, access, use, or disclosure of
protected health information in a manner not
permitted . . . is presumed to be a breach.
• Unless, the Covered Entity can demonstrate
that there is a low probability that the PHI has
been compromised based on a risk
assessment.
• Compromise is not defined.
15
Definition of Breach in Final Rule
Risk Assessment
– Documented
– Based on at least 4 factors
•
•
•
•
The nature and extent of the PHI.
The unauthorized person involved.
Whether the PHI was actually acquired or viewed.
Extent to which any risk has been mitigated.
16
HIPAA/HITECH
Notification Contents
•
•
•
•
•
•
Covered entities must provide this individual notice in written form by first-class mail,
or alternatively, by e-mail if the affected individual has agreed to receive such
notices electronically.
If the covered entity has insufficient or out-of-date contact information for 10 or more
individuals, the covered entity must provide substitute individual notice by either
posting the notice on the home page of its web site or by providing the notice in
major print or broadcast media where the affected individuals likely reside.
If the covered entity has insufficient or out-of-date contact information for fewer than
10 individuals, the covered entity may provide substitute notice by an alternative
form of written, telephone, or other means.
These individual notifications must be provided without unreasonable delay and in
no case later than 60 days following the discovery of a breach
Individual notifications must include, to the extent possible, a description of
the breach, a description of the types of information that were involved in the
breach, the steps affected individuals should take to protect themselves from
potential harm, a brief description of what the covered entity is doing to
investigate the breach, mitigate the harm, and prevent further breaches, as
well as contact information for the covered entity.
Additionally, for substitute notice provided via web posting or major print or
broadcast media, the notification must include a toll-free number for individuals to
contact the covered entity to determine if their protected health information was
involved in the breach.
17
PCI DSS
• A contractual framework
–
–
–
–
Card Brands
Acquirers
Merchants
Processors
• Industry self-regulators
• A data security standard
18
Mandiant M-Trends 2013 Security Threat Report
20
PCI DSS Breaches
• Obligations after a PCI Breach
– Rapid notification to Card Companies
– PCI Forensic Examination
– Fines and penalties
21
Costs of Breach Response
• Forensic investigators
• Legal expenses
• Mailing notifications to individuals
• Call Centers
• Credit Monitoring and other compensation
• Crisis Management
22
Costs After the Breach Notice
• Regulatory inquiries and enforcement
actions
• Customer questions and demands
• Lost profits
• Lawsuits
23
Decisions, Decisions, Decisions
•
•
•
•
•
•
•
•
Is it a breach?
Do you involve law enforcement?
Do you hire a forensics company?
Do you retain counsel?
Do you involve regulatory agencies?
Is crisis management necessary?
Do you offer credit monitoring?
Do you get relief from a “law enforcement” delay?
Questions?
• gferguson@bakerlaw.com
• 212-589-4230
• Twitter: @JerryFergusonNY
25
Download