Data Breach 101—How to Avoid a Virtual Catastrophe
Presented by Eduard Goodman, J.D., LL.M., CIPP, Chief Privacy Officer
In partnership with
IDentity Theft 911 is solely responsible for the content of this webinar
Today’s objectives:
• Understand what a data breach is from a regulatory perspective
• Explore how a data breach can occur
• Recognize your privacy and data risk exposures and liabilities
• Identify some basic ways to assess, reduce and manage the risks
What is a data breach?
Under state breach notification laws, businesses must notify customers, patients and/or employees if there has been a breach that exposes their Personally Identifiable Information (PII).

What is a data breach?
Personally Identifiable Information (PII) includes …
• Social Security Numbers
• Driver’s License/State Issued ID Numbers
• Payment Card Numbers
• Financial Account Numbers/Routing Info
• Health Information
• Biometric Data
• Secondary Identifiers (e.g., mother’s maiden name, date of birth, etc.)
What is a data breach?
Depending on the applicable state law, the PII covered can take various forms of information/data. Examples include …
• Digital and hard copy data (paper files);
• Encrypted/unencrypted data;
• Data lost by the business; and
• Data lost by a third-party vendor
What is a data breach?
Notice is required in 50 jurisdictions in the United States (51 laws including Federal HIPAA/HITECH notice requirements)
• 46 states;
• District of Columbia;
• Puerto Rico;
• U.S. Virgin Islands; and
• Guam
What is a data breach?
The only states currently without a notification law are:
• Alabama;
• Kentucky;
• New Mexico; and
• South Dakota
Common ways a data breach can happen
• Computer hacking
• Stolen or lost laptop or computer disks
• Stolen or lost paper documents / files
• Stolen credit card information
• Employee error or oversight
What a data breach could mean for your business
• Loss of customer and/or employee trust
• Tarnished reputation
• Lost revenue
State Data Breach Notification Laws
In addition to notification requirements, most states also include (broad) language on the treatment, security and/or disposal of personal information within their data breach notification regulations.
Self Regulatory Security Requirements
Payment Card Industry Data Security Standards (PCI-DSS)
Set of security requirements and standards promulgated by the payment card issuers (Visa, MasterCard, Discover, American Express, and JCB) regarding the storage and security of payment card-related data.
Immediate To-Do List (Assess Exposure)
Consider your business’ “data footprint”:
• What type of data is collected?
• From whom?
• From where?
• For what purpose?
• Who can access the data?
• Where is the data stored, processed, etc.?
Immediate To-Do List
Assess and Cover Risk
• Complete a high-level “data” audit to determine:
  • the type of personal information you retain; and
  • what states your customers/employees live in
• Complete a security audit to determine weaknesses
• Determine if you have adequate insurance coverage for your risk (e.g., limits)
Immediate To-Do List
Help reduce your risk or exposure
• Don’t collect data on customers or employees unless you need it
  • Why are you collecting Social Security Numbers?
• Get rid of any data you collect as soon as you no longer need it. It’s toxic – it’s not an asset; it’s a liability.
• Encrypt any private personal data
Immediate To-Do List
Documentation / Programs
• Written Information Security Program
• Breach Response Plan
• Business Continuity Plan
• Data/Document Retention and Destruction Plan
• Data Security and Privacy Awareness Program
Immediate To-Do List
Documentation / Programs
Develop a “privacy framework” for your business that fits from a:
• philosophical standpoint;
• business standpoint; and
• operational standpoint
For more data breach-related information …
Visit www.aahainsurance.org/ to get information on how to protect your practice with data breach insurance coverage and services. You will also receive a follow-up email with additional resources.
Thank you!
Presented by Edi Goodman
Eduard Goodman, J.D., LL.M., CIPP, Chief Privacy Officer, Scottsdale, Arizona
480.355.4940 [email protected]