Information Security – Changes in the Law, Cost, and Complexity of Responding to Breaches
Dino Tsibouris
(614) 360-1160
dino@tsibouris.com
Trends for 2010
• Increased federal and state regulation of
information security
• Increased enforcement
• Increased costs to resolve a breach
• Increased “compliance complexity” as
technology changes
Examples
• HITECH Act - Amendments to HIPAA by the Stimulus Act
• Enforcement Actions under HITECH
• Medical Data in the Cloud
• Revisions to State Law Regarding PCI-DSS
• Anonymization Becoming Difficult
• Dave & Buster’s, Heartland, and Countrywide Breaches
HITECH ACT
Amends HIPAA
• New breach notification rules
• New penalties
• Increased levels of minimum security
• State AG enforcement
• Business associates must comply
HITECH ACT
Amends HIPAA
• Covered entity must notify affected individuals if a breach of unsecured PHI occurs
• Must also notify HHS, which publishes the breach, if more than 500 persons are affected
• Vendors of personal health records (PHR) must notify individuals if breached
HITECH ACT
Business Associate Requirements
• Must comply with Security Rule
regarding administrative, physical, and
technical safeguards
• Develop policies
• Designate a security official
• Enforcement
HITECH ACT
Business Associate Requirements
• If you know your covered entity is violating the BAA and do nothing, you are violating HIPAA
• Must take reasonable steps to cure the breach, terminate the contract, or report to DHHS
HITECH ACT
Business Associate Requirements
• Does your contract allow for
amendment to comply with changes in
the law?
• Sample DHHS OCR contractual clause
requires parties to amend to address
changes in law
HITECH ACT
Business Associate Requirements
• If you have a breach, must notify
HIPAA-covered entity
• Covered entity must then notify
individuals
HITECH ACT
Penalties
• Tier A – inadvertent (did not know) - $100 per violation, up to $25,000/yr
• Tier B – reasonable cause, not “willful neglect” - $1,000 per violation, up to $100,000/yr
HITECH ACT
Penalties
• Tier C – “willful neglect”, ultimately corrected - $10,000 per violation, up to $250,000/yr
• Tier D – “willful neglect”, uncorrected - $50,000 per violation, up to $1.5 M/yr
Connecticut Health Net
Enforcement
Connecticut Attorney General - HIPAA
• Lost portable computer disk drive
• Involves privacy of 446,000 Connecticut
enrollees
• Health information, social security
numbers, and bank account numbers
• Failed to notify on time
Connecticut Health Net
Enforcement
Health Net failed to
• Ensure the confidentiality and integrity of
electronic protected health information
• Implement technical policies and procedures
for electronic information systems
• Implement policies and procedures that
govern the receipt and removal of hardware
and electronic media
Connecticut Health Net
Enforcement
Health Net failed to
• Implement policies and procedures to
prevent, detect, contain, and correct security
violations
• Identify and respond to suspected or known
security incidents; mitigate, to the extent
practicable, harmful effects of security
incidents
• Effectively train all members of its workforce
Connecticut Griffin Hospital
Investigation
• Hospital terminates a radiologist and his access to the computer systems
• Patients call the hospital with complaints
• Audit traces the access to one terminal
• Ex-radiologist had used the usernames and passwords of other radiology employees for 1 month
• Accessed ~1000 records
• Solicited patients for service at another hospital
HIPAA - Employee Snooping
• UCLA employee
• Accesses system 323 times in 3 weeks
• Snoops on celebrity medical records
• Similar incident in 2008
• UCLA reveals that 165 employees improperly viewed files in 13 years
• 15 fired for viewing octuplet mom’s records
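Both the Griffin Hospital and the UCLA cases were caught through audit logs after the fact: one terminal being used under several radiology employees’ credentials, and one account reading records at a rate no job function needs. The following is an added example, not material from the slides or from either hospital, of how those two signals, plus use of an account after its owner was terminated, can be pulled out of an EHR access log. The log lines, account names, terminal IDs, patient IDs, termination date and thresholds are all constructed for the example; the thresholds in particular are assumptions a site would tune.

```python
"""Added example: three audit-log detection rules for the Griffin Hospital and
UCLA snooping patterns. Everything below (log lines, accounts, terminals,
patient IDs, termination dates, thresholds) is constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed EHR access log: timestamp, account, terminal, patient record ID.
# T-17 shows four different radiology accounts in under half an hour (the
# Griffin pattern); clerk_ng pulls a dozen records in twelve minutes (the UCLA
# pattern); rad_doe's account is used after its owner was terminated.
LOG = """\
2009-03-02T08:01 rad_allen T-17 P1001
2009-03-02T08:09 rad_baker T-17 P1002
2009-03-02T08:16 rad_chen  T-17 P1003
2009-03-02T08:24 rad_diaz  T-17 P1004
2009-03-02T09:30 rad_allen T-03 P1010
2009-03-02T10:05 rad_baker T-04 P1011
2009-03-03T11:00 rad_chen  T-05 P1012
2009-03-03T11:20 clerk_ng  T-09 P1020
2009-03-03T11:21 clerk_ng  T-09 P1021
2009-03-03T11:22 clerk_ng  T-09 P1022
2009-03-03T11:23 clerk_ng  T-09 P1023
2009-03-03T11:24 clerk_ng  T-09 P1024
2009-03-03T11:25 clerk_ng  T-09 P1025
2009-03-03T11:26 clerk_ng  T-09 P1026
2009-03-03T11:27 clerk_ng  T-09 P1027
2009-03-03T11:28 clerk_ng  T-09 P1028
2009-03-03T11:29 clerk_ng  T-09 P1029
2009-03-03T11:30 clerk_ng  T-09 P1030
2009-03-03T11:31 clerk_ng  T-09 P1031
2009-03-05T14:10 rad_doe   T-17 P1040
"""

# Constructed HR feed: account -> termination date.
TERMINATED = {"rad_doe": datetime(2009, 2, 28)}


def parse(text):
    """Turn the space-separated log into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, terminal, patient = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
                       "account": account, "terminal": terminal,
                       "patient": patient})
    return sorted(events, key=lambda e: e["ts"])


def terminated_account_use(events, terminated):
    """Rule 1: any access by an account after its owner's termination date.
    Griffin had already cut the radiologist's own access, so this rule alone
    would have missed him; it catches the case where HR and IT are out of step."""
    return [e for e in events
            if e["account"] in terminated and e["ts"] > terminated[e["account"]]]


def shared_credential_terminals(events, window=timedelta(hours=1), min_accounts=3):
    """Rule 2: terminals where >= min_accounts distinct accounts are used within
    one sliding window. Clinicians do share workstations, so the threshold is a
    site-specific assumption; the point is that one person cycling through
    borrowed credentials is visible at the terminal level even when every
    individual login looks legitimate."""
    by_terminal = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_terminal[e["terminal"]].append(e)
    flagged = set()
    for terminal, evs in by_terminal.items():
        for i, start in enumerate(evs):
            accounts = {e["account"] for e in evs[i:]
                        if e["ts"] - start["ts"] <= window}
            if len(accounts) >= min_accounts:
                flagged.add(terminal)
                break
    return flagged


def snooping_accounts(events, factor=5):
    """Rule 3: accounts whose record-access count exceeds factor x the median
    count across all accounts in the log. Returns {account: count}."""
    counts = Counter(e["account"] for e in events)
    baseline = median(counts.values())
    return {a: n for a, n in counts.items() if n > factor * baseline}


EVENTS = parse(LOG)

if __name__ == "__main__":
    for e in terminated_account_use(EVENTS, TERMINATED):
        print("terminated account used:", e["account"], e["ts"], e["patient"])
    print("credential-sharing terminals:", shared_credential_terminals(EVENTS))
    print("possible snooping:", snooping_accounts(EVENTS))
```

Rule 3 is deliberately crude (a median over the whole log); in practice the baseline is per role and per time-of-day, and a single celebrity admission will spike everyone’s counts. What matters for the HITECH “identify and respond to suspected security incidents” obligation is that these queries run routinely, not only after a patient complains.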
Medical Data in the Cloud
• Data stored in the cloud more and more
frequently
• Third-party contractors more and more common
– Security reviews and background checks of contractor companies are a necessity
– Conduct audits or obtain results
– Ownership of data
– Prohibiting sales to others
– Return in appropriate format
Anonymization
• Privacy laws provide exceptions for anonymized data
• It is now more difficult to anonymize data
• Examples:
– AOL search results release
– Netflix million dollar prize release
– MA health records release
• ZIP code, date of birth, and sex together uniquely identify 87% of the US population
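The “87%” figure is a statement about how small the groups get when a released table is split on ZIP, date of birth and sex. As an added example, not from the slides or from any of the releases named above, the code below measures that on a constructed discharge table (k-anonymity and the share of records that are unique), runs the voter-roll style join the MA case relied on, and shows what coarsening the quasi-identifiers to ZIP3 and birth year does to both. Records, ZIP codes, dates and diagnoses are all constructed.

```python
"""Added example: why ZIP + date of birth + sex re-identifies, measured as
k-anonymity over a constructed patient table, and the generalisation
(ZIP3, birth year) that de-identification practice uses in response.
All records and the external 'voter roll' values are constructed."""
from collections import Counter

# Constructed discharge records: (zip5, dob, sex, diagnosis). Diagnosis is the
# sensitive attribute; the first three columns are the quasi-identifiers that
# the MA case linked against a voter roll.
RECORDS = [
    ("02138", "1945-07-31", "F", "hypertension"),
    ("02138", "1945-07-31", "F", "asthma"),
    ("02138", "1961-02-14", "M", "diabetes"),
    ("02139", "1961-02-14", "M", "influenza"),
    ("02139", "1972-11-03", "F", "asthma"),
    ("02140", "1972-11-29", "F", "diabetes"),
]


def raw_qi(rec):
    """Quasi-identifier as released: full ZIP, full DOB, sex."""
    return rec[0], rec[1], rec[2]


def generalized_qi(rec):
    """Coarsened quasi-identifier: 3-digit ZIP prefix, birth year, sex."""
    return rec[0][:3], rec[1][:4], rec[2]


def k_anonymity(records, qi):
    """Size of the smallest equivalence class; k=1 means someone is unique."""
    return min(Counter(qi(r) for r in records).values())


def unique_fraction(records, qi):
    """Share of records that are alone in their equivalence class, which is
    the quantity behind the '87% of the US' figure."""
    counts = Counter(qi(r) for r in records)
    return sum(1 for r in records if counts[qi(r)] == 1) / len(records)


def link_attack(records, zip5, dob, sex, qi=raw_qi):
    """Join an external (zip, dob, sex) row, e.g. a voter-roll entry, against
    the release and return every diagnosis it matches. Exactly one match is a
    re-identification; several matches leave the attacker guessing."""
    probe = qi((zip5, dob, sex, None))   # qi only reads the first three columns
    return [r[3] for r in records if qi(r) == probe]


if __name__ == "__main__":
    for name, qi in (("as released", raw_qi), ("generalised", generalized_qi)):
        print(name, "k =", k_anonymity(RECORDS, qi),
              "unique =", round(unique_fraction(RECORDS, qi), 2))
    print("raw join:", link_attack(RECORDS, "02138", "1961-02-14", "M"))
    print("generalised join:",
          link_attack(RECORDS, "02138", "1961-02-14", "M", qi=generalized_qi))
```

Two caveats a practitioner should keep in mind. First, k-anonymity says nothing about the sensitive column: if every record in a class carried the same diagnosis, the join would still reveal it (the ℓ-diversity problem). Second, this generalisation only works for a handful of dense columns; the AOL and Netflix releases were defeated through sparse, high-dimensional data (search queries, movie ratings) where almost every row is unique however the obvious identifiers are coarsened.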
Fallout from failed Anonymization
• AOL CTO resigns
• MA governor is embarrassed when his own hospital records are re-identified from the released data
• Netflix is sued over claims the release outed a lesbian mother, settles the case, and ends the prize program
• Once two databases have been linked, the link is permanent; the re-identification cannot be undone
HHS Research
• Current HHS regulations spell out de-identification in detail
• HHS realizes the difficulty in anonymizing
personal data
• Funds research on technology to achieve
anonymity while maintaining value to
research
• Future laws will likely keep these difficulties in
mind
Massachusetts
Data Security Regulations
• Creates duty to protect personal data
• Applies to the personal information of MA
residents
• Sophistication of safeguards increases with
size and scope of business
• Requires encryption of personal data transmitted over public networks or wirelessly, and of personal data stored on laptops and other portable devices
• Effective date March 1, 2010
Nevada PCI-DSS
• Effective Jan. 1, 2010
• Requires encryption when electronically
transmitting personal data
• Requires compliance with PCI-DSS
• Similar to Minnesota law
Washington PCI-DSS
• Applies to entities processing more than 6
million payment card transactions per year
• Liability may result in reimbursement of card
issuing costs for banks
• Includes Safe Harbors for encryption and PCI
compliance at the time of breach
• Effective July 1, 2010
Heartland Payment Systems Breach
• 6th Largest Payment Processor
• Involved 330 Financial Institutions
• Heartland was PCI-DSS certified
• SQL injection attack
• CC#s, expiration dates, stored magnetic stripe data
• Lost ~130 million card numbers
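The slide names SQL injection as the way in. As an added example that is not Heartland’s code and reproduces no detail of the actual attack, the following shows the vulnerable query-building pattern beside its parameterised fix, against a constructed in-memory SQLite database. Table names, merchant names, API keys and card numbers are all made up (the PANs are standard test numbers, not real cards).

```python
"""Added example: the SQL injection pattern named on the slide, shown as a
vulnerable lookup next to its parameterised fix against an in-memory SQLite
database. Schema, merchants, keys and card numbers are constructed."""
import sqlite3


def setup():
    """Constructed schema: a merchant table the lookup is meant to read, and a
    card table it was never meant to reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.execute("CREATE TABLE cards (pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO merchants (name, api_key) VALUES (?, ?)",
                     [("acme", "k-acme-01"), ("globex", "k-globex-02")])
    conn.executemany("INSERT INTO cards VALUES (?, ?)",
                     [("4111111111111111", "12/11"), ("5500000000000004", "06/12")])
    return conn


def lookup_vulnerable(conn, name):
    """Input is spliced into the SQL text, so it can change the statement."""
    sql = "SELECT name, api_key FROM merchants WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Same query with a bound parameter: the input is only ever data."""
    return conn.execute(
        "SELECT name, api_key FROM merchants WHERE name = ?", (name,)).fetchall()


# The attacker closes the string literal, appends a UNION that reads a table
# the query never referenced, and comments out the trailing quote. Only one
# statement is needed; stacked queries are not required.
PAYLOAD = "x' UNION ALL SELECT pan, expiry FROM cards --"


def demo():
    """Run both lookups with a normal name and with the payload."""
    conn = setup()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "acme"),
        "vulnerable_attack": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_safe(conn, "acme"),
        "safe_attack": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable function returns the card table for the payload; the safe one returns no rows because the whole payload is compared, as a string, to the name column. The contrast with the PCI-DSS point on the slide is worth stating: a compliance certificate is a point-in-time attestation about controls, while parameterised queries are a property of every statement in the code base, and the certificate did not prevent the breach.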
Heartland Payment Systems Breach
• Removed from VISA CISP list
• Reported $105 million in expenses
– $90 million to Visa, MasterCard, Banks
– $3.5 million to AmEx
• Settles Cardholder Class Action for $2.4
million
• Stockholder Class Action in NJ Dismissed
Countrywide Breach
• Countrywide Financial Services
• Former employees
• Downloaded and sold customer data
• Every week for 2 years
• 19,000 individuals notified of breach
• Class action settles for over $10 million
Dave & Buster’s FTC Enforcement
• Dave & Buster’s loses 130,000 credit and debit
card numbers
• Failed to take sufficient measures to protect
credit card information
• Failed to limit access by third parties
• Settles with the FTC
Dave & Buster’s FTC Enforcement
• Consent agreement requires D&B to:
– Appoint responsible employee
– Conduct Risk assessment
– Develop a security program and safeguards
– Develop criteria for selecting third parties given access to information
– Obtain biennial third-party audits for 10
years
Trends for 2010
• Increased federal and state regulation of
information security
• Increased enforcement
• Increased costs to resolve a breach
• Increased “compliance complexity” as
technology changes
Questions & Answers
Dino Tsibouris
(614) 360-1160
dino@tsibouris.com