Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Business Law

Changes in the Law, Cost, and Complexity of

Information Security – Changes in the Law,
Cost, and Complexity of Responding to
Breaches
Dino Tsibouris
(614) 360-1160
dino@tsibouris.com
Trends for 2010
• Increased federal and state regulation of
information security
• Increased enforcement
• Increased costs to resolve a breach
• Increased “compliance complexity” as
technology changes
Examples
•
•
•
•
•
•
HITECH Act - Amendments to HIPAA by the
Stimulus Act
Enforcement Actions under HITECH
Medical Data in the Cloud
Revisions to State Law Regarding PCI-DSS
Anonymization Becoming Difficult
Dave & Buster’s, Heartland, and Countrywide
Breaches
HITECH ACT
Amends HIPAA
• New breach notification rules
• New penalties
• Increased levels of minimum security
• State AG enforcement
• Business associates must comply
HITECH ACT
Amends HIPAA
• Covered entity must notify persons if a
breach occurs
• Must notify HHS for publication if over
500 persons
• Vendors of PHR must notify individuals
if breached
HITECH ACT
Business Associate Requirements
• Must comply with Security Rule
regarding administrative, physical, and
technical safeguards
• Develop policies
• Designate a security official
• Enforcement
HITECH ACT
Business Associate Requirements
• If your covered entity violates your
BAA, you are violating HIPAA
• Must cure breach, terminate, or report
to DHHS
HITECH ACT
Business Associate Requirements
• Does your contract allow for
amendment to comply with changes in
the law?
• Sample DHHS OCR contractual clause
requires parties to amend to address
changes in law
HITECH ACT
Business Associate Requirements
• If you have a breach, must notify
HIPAA-covered entity
• Covered entity must then notify
individuals
HITECH ACT
Penalties
• Tier A – inadvertent - $100 per
violation up to $25,000/yr
• Tier B – reasonable cause, not “willful
neglect” - $1,000 per violation up to
$100,000/yr
HITECH ACT
Penalties
• Tier C – “willful neglect” ultimately
corrected - $10,000 per violation up to
$250,000/yr
• Tier D - “willful neglect” uncorrected $50,000 per violation up to $1.5 M/yr
Connecticut Health Net
Enforcement
Connecticut Attorney General - HIPAA
• Lost portable computer disk drive
• Involves privacy of 446,000 Connecticut
enrollees
• Health information, social security
numbers, and bank account numbers
• Failed to notify on time
Connecticut Health Net
Enforcement
Health Net failed to
• Ensure the confidentiality and integrity of
electronic protected health information
• Implement technical policies and procedures
for electronic information systems
• Implement policies and procedures that
govern the receipt and removal of hardware
and electronic media
Connecticut Health Net
Enforcement
Health Net failed to
• Implement policies and procedures to
prevent, detect, contain, and correct security
violations
• Identify and respond to suspected or known
security incidents; mitigate, to the extent
practicable, harmful effects of security
incidents
• Effectively train all members of its workforce
Connecticut Griffin Hospital
Investigation
• Hospital terminates radiologist and his access
to the computer systems
• Patients call hospital with complaints
• Audit reveals access to one terminal
• Ex-radiologist uses usernames and passwords
of other radiology employees for 1 month
• Accesses ~1000 records
• Solicits patients for service at another hospital
HIPAA - Employee Snooping
•
•
•
•
•
UCLA employee
Accesses system 323 times in 3 weeks
Snoops on celebrity medical records
Similar incident in 2008
UCLA reveals that 165 employees improperly
viewed files in 13 years
• 15 fired for viewing octuplet mom’s records
Medical Data in the Cloud
• Data stored in the cloud more and more
frequently
• Third-party contractors more and more common
– Security and background checks for companies
a necessity
– Conduct audits or obtain results
– Ownership of data
– Prohibiting sales to others
– Return in appropriate format
Anonymization
• Privacy laws provide exceptions for anonymized
data
• It is now more difficult to anonymize data
• Examples:
• AOL search results release
• Netflix million dollar prize release
• MA health records release
• Unique ID 87% of the US with ZIP, DoB, Sex
Fallout from failed Anonymization
• AOL CTO resigns
• MA governor is embarrassed
• Netflix is sued in court for outing a lesbian
mother, settles case, ends prize program
• DBs are permanently associated
HHS Research
• Current HHS regulations have detail on deidentification
• HHS realizes the difficulty in anonymizing
personal data
• Funds research on technology to achieve
anonymity while maintaining value to
research
• Future laws will likely keep these difficulties in
mind
Massachusetts
Data Security Regulations
• Creates duty to protect personal data
• Applies to the personal information of MA
residents
• Sophistication of safeguards increases with
size and scope of business
• Requires encryption for transmission of
personal data over public networks
• Effective date March 1, 2010
Nevada PCI-DSS
• Effective Jan. 1, 2010
• Requires encryption when electronically
transmitting personal data
• Requires compliance with PCI-DSS
• Similar to Minnesota law
Washington PCI-DSS
• Applies to entities processing more than 6
million payment card transactions per year
• Liability may result in reimbursement of card
issuing costs for banks
• Includes Safe Harbors for encryption and PCI
compliance at the time of breach
• Effective July 1, 2010
Heartland Payment Systems Breach
•
•
•
•
•
6th Largest Payment Processor
Involved 330 Financial Institutions
Heartland was PCI-DSS certified
SQL injection attack
CC#s, expiration dates, stored magnetic stripe
data
• Lost ~130 million card numbers
Heartland Payment Systems Breach
• Removed from VISA CISP list
• Reported $105 million in expenses
– $90 million to Visa, MasterCard, Banks
– $3.5 million to AmEx
• Settles Cardholder Class Action for $2.4
million
• Stockholder Class Action in NJ Dismissed
Countrywide Breach
•
•
•
•
•
•
Countrywide Financial Services
Former employees
Downloaded and sold customer data
Every week for 2 years
19,000 individuals notified of breach
Class action settles for over $10 million
Dave & Buster’s FTC Enforcement
• Dave & Buster’s loses 130,000 credit and debit
card numbers
• Failed to take sufficient measures to protect
credit card information
• Failed to limit access by third parties
• Settles with the FTC
Dave & Buster’s FTC Enforcement
• Consent agreement requires D&B to:
– Appoint responsible employee
– Conduct Risk assessment
– Develop of security program and safeguards
– Develop of criteria for selecting 3rd party
access to information
– Obtain biennial third-party audits for 10
years
Trends for 2010
• Increased federal and state regulation of
information security
• Increased enforcement
• Increased costs to resolve a breach
• Increased “compliance complexity” as
technology changes
Questions & Answers
Dino Tsibouris
(614) 360-1160
dino@tsibouris.com
Related documents
Changes in the Law, Cost, and Complexity of Responding to Breaches
Changes in the Law, Cost, and Complexity of Responding to Breaches
Information Security: Changes in the Law, Cost, and Complexity of
Information Security: Changes in the Law, Cost, and Complexity of
Review, Grammar and Test
Review, Grammar and Test
Nassar Nizami Chief Information Security Officer
Nassar Nizami Chief Information Security Officer
Fee for Intervention
Fee for Intervention
Investigations and enforcement - Environment Institute of Australia
Investigations and enforcement - Environment Institute of Australia
Remedies for Breach of Contract pages 210-214
Remedies for Breach of Contract pages 210-214
Mending Fences After a Breach - Centre for Information Policy
Mending Fences After a Breach - Centre for Information Policy
Data Privacy and Data Security Compliance Issues
Data Privacy and Data Security Compliance Issues
Module 4 - HHS HIPAA Training for State Attorneys General
Module 4 - HHS HIPAA Training for State Attorneys General
OCR - Barbara Holland
OCR - Barbara Holland
Mandatory Electronic Prescribing
Mandatory Electronic Prescribing
Download