Information Security – Changes in the Law, Cost, and Complexity of Responding to Breaches
Dino Tsibouris
(614) 360-1160
dino@tsibouris.com

Trends for 2010
• Increased federal and state regulation of information security
• Increased enforcement
• Increased costs to resolve a breach
• Increased “compliance complexity” as technology changes

Examples
• HITECH Act – Amendments to HIPAA by the Stimulus Act
• Enforcement Actions under HITECH
• Medical Data in the Cloud
• Revisions to State Law Regarding PCI-DSS
• Anonymization Becoming Difficult
• Dave & Buster’s, Heartland, and Countrywide Breaches

HITECH ACT Amends HIPAA
• New breach notification rules
• New penalties
• Increased levels of minimum security
• State AG enforcement
• Business associates must comply

HITECH ACT Amends HIPAA
• Covered entity must notify persons if a breach occurs
• Must notify HHS for publication if over 500 persons
• Vendors of PHR must notify individuals if breached

HITECH ACT Business Associate Requirements
• Must comply with Security Rule regarding administrative, physical, and technical safeguards
• Develop policies
• Designate a security official
• Enforcement

HITECH ACT Business Associate Requirements
• If your covered entity violates your BAA, you are violating HIPAA
• Must cure breach, terminate, or report to DHHS

HITECH ACT Business Associate Requirements
• Does your contract allow for amendment to comply with changes in the law?
• Sample DHHS OCR contractual clause requires parties to amend to address changes in law

HITECH ACT Business Associate Requirements
• If you have a breach, must notify HIPAA-covered entity
• Covered entity must then notify individuals

HITECH ACT Penalties
• Tier A – inadvertent – $100 per violation up to $25,000/yr
• Tier B – reasonable cause, not “willful neglect” – $1,000 per violation up to $100,000/yr

HITECH ACT Penalties
• Tier C – “willful neglect” ultimately corrected – $10,000 per violation up to $250,000/yr
• Tier D – “willful neglect” uncorrected – $50,000 per violation up to $1.5 M/yr

Connecticut Health Net Enforcement
Connecticut Attorney General – HIPAA
• Lost portable computer disk drive
• Involves privacy of 446,000 Connecticut enrollees
• Health information, social security numbers, and bank account numbers
• Failed to notify on time

Connecticut Health Net Enforcement
Health Net failed to
• Ensure the confidentiality and integrity of electronic protected health information
• Implement technical policies and procedures for electronic information systems
• Implement policies and procedures that govern the receipt and removal of hardware and electronic media

Connecticut Health Net Enforcement
Health Net failed to
• Implement policies and procedures to prevent, detect, contain, and correct security violations
• Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents
• Effectively train all members of its workforce

Connecticut Griffin Hospital Investigation
• Hospital terminates radiologist and his access to the computer systems
• Patients call hospital with complaints
• Audit reveals access to one terminal
• Ex-radiologist uses usernames and passwords of other radiology employees for 1 month
• Accesses ~1000 records
• Solicits patients for service at another hospital

HIPAA – Employee Snooping
• UCLA employee
• Accesses system 323 times in 3 weeks
• Snoops on celebrity medical records
• Similar incident in 2008
• UCLA reveals that 165 employees improperly viewed files in 13 years
• 15 fired for viewing octuplet mom’s records

Medical Data in the Cloud
• Data stored in the cloud more and more frequently
• Third-party contractors more and more common
– Security and background checks for companies a necessity
– Conduct audits or obtain results
– Ownership of data
– Prohibiting sales to others
– Return in appropriate format

Anonymization
• Privacy laws provide exceptions for anonymized data
• It is now more difficult to anonymize data
• Examples:
– AOL search results release
– Netflix million dollar prize release
– MA health records release
• 87% of the US population is uniquely identifiable by ZIP code, date of birth, and sex

Fallout from failed Anonymization
• AOL CTO resigns
• MA governor is embarrassed
• Netflix is sued in court for outing a lesbian mother, settles case, ends prize program
• DBs are permanently associated

HHS Research
• Current HHS regulations have detail on deidentification
• HHS realizes the difficulty in anonymizing personal data
• Funds research on technology to achieve anonymity while maintaining value to research
• Future laws will likely keep these difficulties in mind

Massachusetts Data Security Regulations
• Creates duty to protect personal data
• Applies to the personal information of MA residents
• Sophistication of safeguards increases with size and scope of business
• Requires encryption for transmission of personal data over public networks
• Effective date March 1, 2010

Nevada PCI-DSS
• Effective Jan. 1, 2010
• Requires encryption when electronically transmitting personal data
• Requires compliance with PCI-DSS
• Similar to Minnesota law

Washington PCI-DSS
• Applies to entities processing more than 6 million payment card transactions per year
• Liability may result in reimbursement of card issuing costs for banks
• Includes Safe Harbors for encryption and PCI compliance at the time of breach
• Effective July 1, 2010

Heartland Payment Systems Breach
• 6th Largest Payment Processor
• Involved 330 Financial Institutions
• Heartland was PCI-DSS certified
• SQL injection attack
• CC#s, expiration dates, stored magnetic stripe data
• Lost ~130 million card numbers

Heartland Payment Systems Breach
• Removed from VISA CISP list
• Reported $105 million in expenses
– $90 million to Visa, MasterCard, Banks
– $3.5 million to AmEx
• Settles Cardholder Class Action for $2.4 million
• Stockholder Class Action in NJ Dismissed

Countrywide Breach
• Countrywide Financial Services
• Former employees
• Downloaded and sold customer data
• Every week for 2 years
• 19,000 individuals notified of breach
• Class action settles for over $10 million

Dave & Buster’s FTC Enforcement
• Dave & Buster’s loses 130,000 credit and debit card numbers
• Failed to take sufficient measures to protect credit card information
• Failed to limit access by third parties
• Settles with the FTC

Dave & Buster’s FTC Enforcement
• Consent agreement requires D&B to:
– Appoint responsible employee
– Conduct risk assessment
– Develop security program and safeguards
– Develop criteria for selecting 3rd party access to information
– Obtain biennial third-party audits for 10 years

Trends for 2010
• Increased federal and state regulation of information security
• Increased enforcement
• Increased costs to resolve a breach
• Increased “compliance complexity” as technology changes

Questions & Answers
Dino Tsibouris
(614) 360-1160
dino@tsibouris.com
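The 87% figure on the Anonymization slides above reflects that ZIP code, date of birth and sex together single out most individuals even after names are removed. Before releasing a "de-identified" dataset, a data custodian can measure that risk by counting how many records share each quasi-identifier combination (the k in k-anonymity) and coarsening the fields until no record stands alone. The following is an added example, not part of the presentation; the patient records are constructed, and the generalization rule (3-digit ZIP prefix, birth year only) is an assumption chosen for illustration.

```python
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed sample rows (no real people): names are already stripped,
# but ZIP, date of birth and sex remain as quasi-identifiers.
RECORDS: List[Dict[str, str]] = [
    {"zip": "43215", "dob": "1974-03-12", "sex": "F", "diagnosis": "asthma"},
    {"zip": "43215", "dob": "1974-03-12", "sex": "F", "diagnosis": "flu"},
    {"zip": "43215", "dob": "1974-11-02", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "43229", "dob": "1981-07-30", "sex": "M", "diagnosis": "fracture"},
    {"zip": "43229", "dob": "1981-09-14", "sex": "M", "diagnosis": "flu"},
    {"zip": "43228", "dob": "1981-01-05", "sex": "M", "diagnosis": "asthma"},
]

Key = Tuple[str, str, str]
KeyFn = Callable[[Dict[str, str]], Key]


def raw_key(r: Dict[str, str]) -> Key:
    """Quasi-identifiers exactly as released: full ZIP, full DoB, sex."""
    return (r["zip"], r["dob"], r["sex"])


def generalized_key(r: Dict[str, str]) -> Key:
    """Assumed coarsening: 3-digit ZIP prefix and birth year only."""
    return (r["zip"][:3], r["dob"][:4], r["sex"])


def equivalence_classes(records: List[Dict[str, str]], key_fn: KeyFn) -> Counter:
    """How many records share each quasi-identifier combination."""
    return Counter(key_fn(r) for r in records)


def min_k(records: List[Dict[str, str]], key_fn: KeyFn) -> int:
    """Smallest class size: the dataset is k-anonymous for this k."""
    return min(equivalence_classes(records, key_fn).values())


def unique_records(records: List[Dict[str, str]], key_fn: KeyFn) -> List[Dict[str, str]]:
    """Rows whose quasi-identifier combination occurs exactly once (re-identifiable)."""
    classes = equivalence_classes(records, key_fn)
    return [r for r in records if classes[key_fn(r)] == 1]


if __name__ == "__main__":
    print("raw release: k =", min_k(RECORDS, raw_key),
          "unique rows =", len(unique_records(RECORDS, raw_key)))
    print("generalized: k =", min_k(RECORDS, generalized_key),
          "unique rows =", len(unique_records(RECORDS, generalized_key)))
```

With the full ZIP and date of birth, four of the six rows are unique and thus linkable to a voter roll or similar public list; after generalization every row shares its combination with two others (k = 3).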