There is no “oops” clause to privacy legislation · 2019-09-25
TRANSCRIPT
Presented by Robby Gulri, VP Products [email protected]
For product inquiries, Ryan Vaudry, Account Director [email protected]
Feb 27, 2013
There is no “oops” clause to Privacy Legislation
855.85HIPAA www.compliancygroup.com
Compliance Simplified – Achieve, Illustrate, Maintain
Industry leading Education
Certified Partner Program
Today's Webinar
• Please ask questions
• Today's slides are available at http://compliancy-group.com/slides023/
• Past webinars and recordings: http://compliancy-group.com/webinar/
Privacy legislation is everywhere
Safe harbor bridges the “privacy gap”
Safe harbor
• Policy agreement between the United States Department of Commerce and the European Union (E.U.)
• Regulates the way that U.S. companies export and handle the personal data of European citizens
• Before safe harbor it was almost illegal to transfer personal data outside of Europe
• Safe harbor stipulates that companies collecting personal data must:
  – inform the people that the data is being gathered
  – tell them what will be done with it
  – obtain permission to pass on the information to a third party
  – allow people access to the data gathered
  – assure data integrity and security
  – guarantee a means of enforcing compliance
Safe harbor framework
• 7 Privacy Principles
  – Notice, Choice, Onward Transfer, Access, Data Integrity, Security, Enforcement
  – 15 FAQs
• Standards for Email Encryption
• Series of letters between the European Commission, Department of Commerce, Federal Trade Commission, and Department of Transportation
IT’S THE LAW!
Examples of highly enforced regulations
• HIPAA mandates that all protected health information should be encrypted on public networks
• Massachusetts encryption law states that all personal information stored on laptops and other portable devices must be encrypted
• The Italian personal data protection code states that personal data shared between healthcare bodies and professionals must be exchanged using encryption technology
• California bill AB 1950 mandates that all organizations that use personal electronic records must establish precautionary measures to protect data
• Michigan encryption law states that personal identifying information must be stored in an encrypted format
• The Spanish royal decree states that sensitive data may only be transmitted electronically if the data is encrypted first
• Nevada encryption law states that businesses must encrypt all information transferred electronically
• Canadian department of justice states that private information should be locked in cabinets, protected with passwords and protected with encryption
Regulations are complex
• Sectoral regulations are different for healthcare, financial services, banking, insurance, and more
• Federal regulations include HIPAA, PCI, SOX, Children On-Line Information
• State laws require data breach notifications
• Agency regulations include FTC, Office of Treasury, SEC, etc.
• Global laws include safe harboring and export laws
What exactly are we protecting?
An individual's personal information, or PI
• Name
• Initials
• Address
• SSN
• Phone number
• Email address
• Photographs
• Fingerprints
• and more …
Data includes:
• Personal details like salary, bank balance, etc.
• Consumer and employee e-mail
• Internal reports
• Expressions of interest on particular topics
• IT logs of originating IP addresses
• Internet transmission data like particular web pages viewed, etc.
Regulated versus non-regulated data
REGULATED DATA
• Personal information:
  – Health data: disease history, biometric identifiers such as retinal scans, DNA
  – Financial data: PIN codes, account numbers, billing details, credit card information
  – Personal data: social security numbers, fingerprints, race, ethnicity, sex/orientation, religious belief, political opinion, trade union membership, physical/mental health or conditions, criminal record
NON-REGULATED DATA
• Intellectual property:
  – R&D
  – Technical specs
  – Documentation
  – Source code
  – Diagrams, formulas, and calculations
  – Manufacturing and development processes
Key vulnerabilities and risks
• Third-party vendors who handle data transfers
• Lost devices such as laptops, portable media and back-up tapes
• Dumpster diving
• Peer-to-peer networks such as iPods, file sharing, etc.
• Email scams such as phishing
• Internet routers that are not protected
• Using SSNs for authentication and insecure storing of SSNs
• Improper access to facilities and physical equipment
• Mobile and home-based workforce without VPN controls, device management, and remote security processes
• Social engineering risks and internal call centers not prepared to handle these risks
Email poses the biggest risk
• Email is still the #1 business communications tool
  – Workers spend an average of 152 minutes per day on email
  – Worldwide email accounts by 2014 are projected at 3.8 billion
• Widespread misuse of email
  – 1 in 5 outgoing emails contain content that poses a legal, financial, or regulatory risk
• High risk
  – 89% of unsolicited email contains malware
  – Email is the most common “attack” method for hackers
  – 75% of all corporate email contains some intellectual property
Email poses the biggest risk
• Embedded links and file attachments all pose a high risk
• The highest profile data breaches generally involve email and the interception of email
• Ongoing education is required for employees, partners, and customers
• An email encryption solution that “just works” is required to protect privacy and sensitive information
  – Email encryption technology must be easy to use and deploy
  – Complexities of encrypting email should be hidden from the end-user
  – Email encryption solution must be standards based
  – Email encryption solution must be powerful and military grade
Understanding data interception
• Spear Phishing – attacks directed at high profile targets
• Spoofing / Spam – Disguised email that introduces viruses and malware into systems to extract information
• Phishing – Disguised email designed to acquire passwords and other confidential information relating to privacy
• Cache Poisoning – DNS compromises for URL redirection
• Denial of Service – Bring down a mail server with a high volume of emails to then extract information
• Man in the Middle – Intercept outgoing email at various points of delivery to gain access to private information
Three steps to compliance
Develop privacy policies
• Needs/risk assessment
• Define policies
• Create clear rules for the distribution of confidential info
• Provide and support an easy to use technical solution to enforce policies and procedures
Eliminate human error
• People make mistakes
• Most data is compromised inadvertently
• Up to 80% of breaches are caused internally
Protect confidential information
• Apply encryption to all confidential info, across all platforms and devices
• Enforce encryption automatically using a policy engine
• Alternately, encrypt emails directly from the desktop
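The third step above says to enforce encryption automatically with a policy engine. The following is an added illustration written for this transcript, not software from Compliancy Group or the webinar: a small outbound-mail classifier that scans a message body for the regulated categories the deck lists (SSNs, payment card numbers, health terms) and returns ENCRYPT when any is found, otherwise ALLOW. The category names, regular expressions, health term list and both sample messages are constructed for the example; a real gateway would hook this decision into the mail flow (for instance as a milter or transport rule) and would carry far more detectors.

```python
"""Minimal outbound e-mail encryption policy engine (added example).

Decision rule: any regulated finding => ENCRYPT, else ALLOW.  Findings carry
only a redacted sample so the engine's own logs never become a second copy of
the sensitive data.
"""
import re
from dataclasses import dataclass, field

# Hypothetical detectors: generic patterns, not taken from any product.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Health-related words from the deck's "regulated data" slide (constructed list).
HEALTH_TERMS = ("diagnosis", "patient", "prescription", "dna", "retinal scan")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject structurally impossible SSNs (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Decision:
    action: str                                   # "ENCRYPT" or "ALLOW"
    findings: list = field(default_factory=list)  # (category, redacted sample)


def classify(body: str) -> Decision:
    """Scan one message body and return the encryption decision."""
    findings = []
    for m in SSN_RE.finditer(body):
        if valid_ssn(*m.groups()):
            findings.append(("personal:ssn", f"***-**-{m.group(3)}"))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("financial:card", f"****{digits[-4:]}"))
    lowered = body.lower()
    for term in HEALTH_TERMS:
        if re.search(rf"\b{re.escape(term)}\b", lowered):
            findings.append(("health:term", term))
    return Decision("ENCRYPT" if findings else "ALLOW", findings)


# Constructed sample messages (not real people, cards or SSNs).
SAMPLE_REGULATED = (
    "Hi Dana, attaching the patient file. Card on record 4111 1111 1111 1111, "
    "SSN 219-09-9999. Please confirm the billing address."
)
# Looks numeric but carries nothing regulated: an impossible SSN and a
# 16-digit reference that fails the Luhn check.
SAMPLE_BENIGN = (
    "Team, the Q3 roadmap draft is ready; diagram rev 000-00-0000 and "
    "tracking id 1234 5678 9012 3456 are internal references only."
)

if __name__ == "__main__":
    for name, msg in (("regulated", SAMPLE_REGULATED), ("benign", SAMPLE_BENIGN)):
        d = classify(msg)
        print(f"{name}: {d.action} {d.findings}")
```

The two validity checks are what keep a policy engine usable: without them, every nine-digit reference and sixteen-digit tracking number would be flagged, users would learn to ignore the prompts, and the "eliminate human error" step would be undone by the tooling meant to support it.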
Protecting confidential information using encryption puts you on the right track to compliance
You can pay for encryption now … or pay more later

Country     Cost per Record   Cost of Breach
Australia   $114              $1.83M
France      $119              $2.53M
Germany     $177              $3.44M
UK          $98               $2.57M
USA         $204              $6.75M
Average     $142              $3.43M
Source: Ponemon 2011
Consequences of non-compliance
• Significant fines
• Loss of reputation
• Loss of customers
• Interception / disclosure of outgoing email
• Likelihood of inbound email attacks
• Loss/theft of private information
Disclosing data breaches
• Before, there was no law requiring a data breach to be disclosed
• Today all data breaches have to be disclosed to the affected parties
• Organizations must:
  – Disclose any breach of security
  – Provide notification of the breach in the most expedient time possible
  – Provide notification without unreasonable delay
  – Provide notification to a major media outlet
  – Report data breaches on a data breach notification website
  – Individuals have to be compensated for their loss
  – Identity theft constitutes a big dollar payout
California SB 1386
• If a breach occurs, the affected entities must:
  – Disclose any breach of security of the system
  – Following discovery, provide notification of the breach in the most expedient time possible and without unreasonable delay, in writing, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized party
• A model for most of the US state data breach notification laws
• A model for many global data breach laws and privacy laws
Physical security
• Don’t forget physical security
• This is often overlooked and neglected
• Restrict and monitor access to servers
• Secure facilities and infrastructure
• Alert on all system disruptions and outages
Compliance
Misconceptions
• Compliance with certain laws does not equal compliance with all laws
• Federal PCI compliance does not equal compliance with state-oriented PCI laws. Each state has a different perspective on PCI
Best practice
• Organizations must actively manage ALL compliance regulations
• No shortcut for regulatory analysis
• Need an approach that scales – many national, state, and global regulations, and more coming
• Email and data encryption is part of all these regulations
HIPAA
• 6,499 active HIPAA privacy rule investigations underway
• 23% of total HIPAA privacy complaints resulted in fines
• Penalties are based on “intent” behind the violation
• Fines of up to $1.5 million
• Mandatory audits by U.S.A. HHS
HIPAA
A licensed practical nurse who pled guilty to wrongfully disclosing a patient’s health information for personal gain faces a maximum penalty of 10 years imprisonment, a $250,000 fine or both (2011). Andrea Smith, LPN, 25, of Trumann, Arkansas, and her husband, Justin Smith, were indicted on federal charges of conspiracy to violate and substantive violations of the Health Insurance Portability and Accountability Act (HIPAA) in December.
Nearly three dozen hospital workers at Allina Hospitals were fired Thursday after violating privacy rules involving a high-profile overdose case (2011). The reason for the firings is the same for all of them: looking up medical information about Trevor Robinson and the other people involved without permission. All these are classified as HIPAA violations.
HIPAA
A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA. Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27, 2010 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California. Zhou was also fined $2,000.
Cignet Health of Prince George’s County in Washington has been fined a total of $4.3 million for violations of HIPAA. The Department of Health and Human Services Office of Civil Rights alleges Cignet violated 41 patients’ rights in 2008 and 2009 by not providing them access to their medical records in a reasonable amount of time.
HIPAA
HIPAA violations can be applied to both larger and smaller medical offices. Phoenix Cardiac Surgery, a small surgery center with 5 physicians, was recently fined (April 2012) $100,000 by OCR for failing to protect patient information.
California recently (Jan 2012) fined 14 hospitals a total of $850,000 for a variety of errors that put patients and patient data at risk. The highest penalty of $100,000 was assessed on two hospitals: Mission Hospital Regional Medical Center, Mission Viejo, and Scripps Memorial Hospital La Jolla, for various HIPAA violations. The rest of the penalties were for $50,000 or $25,000. Most were for failure to follow best practices for PHI protection.
HIPAA
• Controls physical security, data protection, policies and procedures
• Must encrypt patient health information (PHI) transmitted over public networks
• May use and disclose PHI only as permitted
• May disclose PHI to business associates only if it obtains “satisfactory assurance” that the business associate will properly safeguard the information
• Not compliant if business associate agreement is not adequate, not in place, or not enforced
• More info: http://www.hhs.gov/ocr/privacy/
Gramm-Leach-Bliley Act (GLBA)
• Financial institutions can be fined up to $100,000 for each violation
• Executives could be fined up to $10,000 for each violation
• Criminal penalties may include up to five years in prison
• Financial institutions must notify individuals if their personal financial information is used or shared inappropriately
REQUIREMENTS
• Data encryption with the ability to log and audit should be a key part of any GLBA compliance plan
• Regulators want to see clear proof that information security policies are in place and are being enforced
EXAMPLE
The FTC cracked down on a mortgage company for violating the privacy rules of the GLBA. The result: 10 years of company audits.
Payment card industry (PCI)
• PCI safeguards payment cardholder data
• 67% of PCI-regulated companies are still not in full compliance with the standard (Information Week, April 2012)
• PCI data breaches increased from 79% in 2009 to 85% in 2012 (Ponemon 2012)
• Two of the largest credit card thefts in history:
  – Heartland Corporation: intruders broke into its systems and stole data of more than 130 million credit and debit cards (2012)
  – TJ Maxx had 94 million cards compromised (2007)
Payment card industry requirements

Control Objectives                            PCI DSS Requirements
Build and Maintain a Secure Network           1. Install and maintain a firewall configuration to protect cardholder data
                                              2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                       3. Protect stored cardholder data
                                              4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program   5. Use and regularly update anti-virus software on all systems commonly affected by malware
                                              6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures      7. Restrict access to cardholder data by business need-to-know
                                              8. Assign a unique ID to each person with computer access
                                              9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks           10. Track and monitor all access to network resources and cardholder data
                                              11. Regularly test security systems and processes
Maintain an Information Security Policy       12. Maintain a policy that addresses information security
Privacy & security globally
• Examples of countries with data protection
Countries with Data Privacy Laws
15 EU Members      Hungary
Argentina          Iceland
Australia          Israel
Brazil             New Zealand
Bulgaria           Norway
Canada             Paraguay
Chile              Poland
Czech Republic     Russia
Estonia            Slovakia
Hong Kong          Switzerland
Japan              Taiwan
Privacy & security globally
• Examples of countries with limited or no data protection
Countries without Data Privacy Laws
Most of Asia except Russia     Philippines
China                          Singapore (evolving)
India (in progress quickly)    Central America
Africa                         Mexico
Malaysia                       Middle East except Israel
Global regulations
U.S.A. Sectoral Laws
• HIPAA – Health Insurance Portability and Accountability Act
• HITECH – Health Information Technology for Economic and Clinical Health Act
• FCRA – Fair Credit Reporting Act – impacts employment re credit checks
• COPPA – Children’s Online Privacy Protection Act – impacts marketing to children
• CAN-SPAM – Controlling the Assault of Non-Solicited Pornography and Marketing
• TSR – Telemarketing Sales Rule, DNC – Do Not Call, DNF – Do Not Fax
• GLBA – Gramm-Leach-Bliley – impacts financial information
• FTC Act (unfair and deceptive practices)
• GINA – Genetic Information Nondiscrimination Act
Outside the U.S.A.
• Countries with comprehensive privacy laws (e.g. EEA, Japan, Argentina, Canada, Australia)
• Countries with sectoral laws or as part of their constitution: Colombia, Paraguay, Venezuela, Ecuador, Uruguay
• EU Data Protection Directive: Safe Harbor as it relates to the EU Directive
Privacy in Australia
• Privacy in Australian law is the right of natural persons to protect their personal life from invasion and to control the flow of their personal information.
• Privacy is not an absolute right; it differs in different contexts and is balanced against other competing rights and duties.
• It is affected by the Australian common law and a range of Commonwealth, State and Territorial laws and administrative arrangements.
Privacy in Australia
• Privacy can be divided into a number of separate, but related, concepts:
  – Information privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records. It is also known as 'data protection'
  – Bodily privacy, which concerns the protection of people’s physical selves against invasive procedures such as genetic tests, drug testing and cavity searches
  – Privacy of communications, which covers the security and privacy of mail, telephones, e-mail and other forms of communication
  – Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space. This includes searches, video surveillance and ID checks
Privacy in Brazil
• A Brazilian citizen's privacy is protected by the country's constitution, which states:
  – The intimacy, private life, honor and image of the people are inviolable, with assured right to indemnification for material or moral damage resulting from its violation
Privacy in Canada
• Federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information in connection with commercial activities and personal information about employees of federal works, undertakings and businesses
• Does not apply to non-commercial organizations or provincial governments
• Personal information collected and used by the federal government is governed by the Privacy Act
• Many provinces have enacted similar provincial legislation such as the Ontario Freedom of Information and Protection of Privacy Act, which applies to public bodies in that province
Privacy in India
• New privacy rules and laws (June 2011)
  – Any organization that processes personal information must obtain written consent from the data subjects before undertaking certain activities
• Information Technology (Amendment) Act, 2008
  – Section 43A deals with the implementation of reasonable security practices for sensitive personal data or information, including encryption, and provides for the compensation of the person affected by wrongful loss or wrongful gain
  – Section 72A provides for imprisonment for a period up to 3 years and/or a fine up to Rs.5,00,000 for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person while providing services under the terms of a lawful contract
Privacy in Taiwan
• Computer Processed Personal Information Protection Act was enacted in 1995 in order to protect personal information processed by computers
• The general provision specifies the purpose of the law, defines crucial terms, and prohibits individuals from waiving certain rights.
Resources
• http://www.ftc.gov/bcp/menus/consumer/data/child.shtm
• http://www.ftc.gov/bcp/menus/consumer/data/idt.shtm
• http://www.ftc.gov/bcp/menus/consumer/data/privacy.shtm
• HIPAA Privacy Rule: http://privacyruleandresearch.nih.gov/
• Data Privacy Day: http://dataprivacyday2010.org/
• IAPP – International Association of Privacy Professionals: https://www.privacyassociation.org/
• AICPA.org
• http://www.hhs.gov/ocr/privacy/
Compliance Simplified! Achieve, Illustrate, Maintain
Free Demo and 15 Day Evaluation
855.85HIPAA http://compliancy-group.com/
New & Past Webinars
http://compliancy-group.com/webinar/
HIPAA Compliance · HITECH Attestation · Meaningful Use core measure 15
Thank you
Presented by Robby Gulri, VP Products [email protected]
For product inquiries, Ryan Vaudry, Account Director [email protected]