
Responding to a Data Security Breach



Presentation Transcript


  1. Responding to a Data Security Breach
     Presented By: Gerald J. Ferguson
     gferguson@bakerlaw.com
     Twitter: @JerryFergusonNY

  2. A Simplified View of a Data Breach

  3. What is a Data Breach?
     • Actual release or disclosure of information to an unauthorized individual/entity that relates to a person and that:
        • May cause the person inconvenience or harm (financial/reputational)
           • Names, home addresses, email addresses, usernames, passwords, family-member information, etc.
        • May cause inconvenience or harm to your patients, employees or business partners (financial/reputational)
           • Information that relates to patients (see above)
           • Information that relates to current/former employees & applicants
           • Information relating to internal matters (business plans, employment disputes, Union negotiations)
     • Paper or electronic

  4. Commonalities of Breaches
     • Lost laptop or device
     • Administrative error
     • External attack involving hacking and malware
     • Vulnerability created by third party vendor
     • Not detected for months
     • Breached entity will learn from third party
     • Initial exploit relatively simple and avoidable

  5. Compliance Complexity (diagram; labels recovered: FERPA, industry self-regulation)

  6. State Laws
     • 46 states, D.C., & U.S. territories
     • Laws vary between jurisdictions
     • Varying levels of enforcement by state attorneys general
     • Limited precedent

  7. What is a Data Breach? (That may trigger state notification laws)
     • Unauthorized access to and acquisition of specific types of information associated with a named individual
        • SSN
        • Driver's license number
        • Credit card number
        • Bank account information

  8. State Law Differences: PII
     • Employee ID Numbers (N. Dakota)
     • User Name and Password (California)
     • Other numbers or information that would permit access to financial resources (Multiple)
     • Health Information (Multiple)

  9. State Law Differences (Triggers)
     • Acquisition or Access
     • Electronic Only or Paper
     • Risk of Harm Analysis
     • Encryption Safe Harbor

  10. Other State Law Differences
     • Notification of AG or Agency
     • Timing of Notice
        • 45 day rule
        • De facto 30 day rule
        • Early notice to AG or regulator
        • Law enforcement delay
     • Private Right of Action
     • Text of Notice

  11. Massachusetts Law
     • Written Information Security Program
     • Encryption Requirements
     • Chief Privacy Officer
     • Employee training
     • Business associate obligations

  12. FERPA
     • The intent of the Act is to protect the rights of students and to insure the privacy and accuracy of education records.
     • Act applies to all institutions that are recipients of federal aid administered by the Secretary of Education
     • No requirement to notify if education records are stolen/subject to unauthorized release; however, a record should be maintained for each disclosure (34 CFR 99.32(a)(1))
     • Students who are or have been “in attendance” at the institution, in person, or by paper correspondence, video conference, satellite, internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom, regardless of their age or status in regard to parental dependency, are protected by FERPA
     • Students who have applied to but have not “attended” an institution, and deceased students, are not protected by FERPA.

  13. FERPA
     • An “education record” is any record that is:
        • Directly related to a student; and
        • Maintained by an educational agency or institution, or by a party acting for the agency or institution.
     • Notification may be necessary for postsecondary institutions under the FTC’s Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information (“Safeguards Rule”) in 16 CFR part 314.
        • Related to financial aid records
     • Direct student notification may be advisable if the compromised data includes student SSNs and other identifying information that could lead to identity theft

  14. HIPAA / HITECH (“Acquisition” “Access” “Use” Trigger w/ Risk of Harm)
     • HIPAA Privacy Regulations (45 CFR §164): Breach by a Covered Entity
        • Applies To: A health plan, health care clearinghouse and health care provider who transmits any health information in electronic form in connection with a covered transaction.
        • Information Covered: Unsecured protected health information – individually identifiable health information that is transmitted or maintained in electronic media or any other form or media.
        • Definition of Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, which compromises the security or privacy of the PHI.
        • Who Must Be Notified: The patient or their personal representative, HHS and the media if more than 500 residents of a state or jurisdiction are affected.
        • Notification Timeframe: Without unreasonable delay and in no case later than sixty (60) calendar days after the breach is discovered
        • Preemption: Preempts state law to the extent it is more strict

  15. Definition of Breach in Final Rule
     • An acquisition, access, use, or disclosure of protected health information in a manner not permitted . . . is presumed to be a breach.
     • Unless the Covered Entity can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment.
     • Compromise is not defined.

  16. Definition of Breach in Final Rule: Risk Assessment
     • Documented
     • Based on at least 4 factors
        • The nature and extent of the PHI.
        • The unauthorized person involved.
        • Whether the PHI was actually acquired or viewed.
        • Extent to which any risk has been mitigated.

  17. HIPAA/HITECH Notification Contents
     • Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.
     • If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside.
     • If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.
     • These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
     • Individual notifications must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity.
     • Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.

  18. PCI DSS
     • A contractual framework
        • Card Brands
        • Acquirers
        • Merchants
        • Processors
        • Industry self-regulators
     • A data security standard

  19. Mandiant M-Trends 2013 Security Threat Report

  20. PCI DSS Breaches
     • Obligations after a PCI Breach
        • Rapid notification to Card Companies
        • PCI Forensic Examination
        • Fines and penalties

  21. Costs of Breach Response
     • Forensic investigators
     • Legal expenses
     • Mailing notifications to individuals
     • Call Centers
     • Credit Monitoring and other compensation
     • Crisis Management

  22. Costs After the Breach Notice
     • Regulatory inquiries and enforcement actions
     • Customer questions and demands
     • Lost profits
     • Lawsuits

  23. Decisions, Decisions, Decisions
     • Is it a breach?
     • Do you involve law enforcement?
     • Do you hire a forensics company?
     • Do you retain counsel?
     • Do you involve regulatory agencies?
     • Is crisis management necessary?
     • Do you offer credit monitoring?
     • Do you get relief from a “law enforcement” delay?

  24. Questions?
     • gferguson@bakerlaw.com
     • 212-589-4230
     • Twitter: @JerryFergusonNY
