Information Security – What’s New In the Law?

Presentation Transcript


  1. Information Security – What’s New In the Law?
     Dino Tsibouris (614) 360-1160 dino@tsibouris.com

  2. Trends for 2010
     • Increased federal and state regulation of information security
     • Increased enforcement
     • Increased costs to resolve a breach
     • Increased “compliance complexity” as technology changes

  3. Examples
     • HITECH Act - Amendments to HIPAA by the Stimulus Act
     • Enforcement Actions under HITECH
     • Medical Data in the Cloud
     • Revisions to State Law Regarding PCI-DSS
     • Anonymization Becoming Difficult
     • Heartland and Countrywide Breaches

  4. HITECH Act Amends HIPAA
     • New breach notification rules
     • New penalties
     • Increased levels of minimum security
     • State AG enforcement

  5. Connecticut Health Net Enforcement
     Connecticut Attorney General - HIPAA
     • Lost portable computer disk drive
     • Involves privacy of 446,000 Connecticut enrollees
     • Health information, social security numbers, and bank account numbers
     • Failed to notify on time

  6. Connecticut Health Net Enforcement
     Health Net failed to
     • Ensure the confidentiality and integrity of electronic protected health information
     • Implement technical policies and procedures for electronic information systems
     • Implement policies and procedures that govern the receipt and removal of hardware and electronic media

  7. Connecticut Health Net Enforcement
     Health Net failed to
     • Implement policies and procedures to prevent, detect, contain, and correct security violations
     • Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents
     • Effectively train all members of its workforce

  8. Medical Data in the Cloud
     • Data stored in the cloud more and more frequently
     • Third-party contractors more and more common
     • Security and background checks for companies a necessity
     • Conduct audits or obtain results
     • Ownership of data
     • Prohibiting sales to others
     • Return in appropriate format

  9. Anonymization
     • Privacy laws provide exceptions for anonymized data
     • It is now more difficult to anonymize data
     • Examples:
       • AOL search results release
       • Netflix million dollar prize release
       • MA health records release
     • 87% of the US population is uniquely identified by ZIP, DoB and sex
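The quasi-identifier problem behind slide 9, worked through as an added example that is not part of the presentation. It measures a release's k-anonymity over ZIP, date of birth and sex, counts how many entries of a public dataset can be uniquely linked to the release, and shows how generalizing the quasi-identifiers (ZIP prefix, birth year) raises k. All records, the voter roll and the generalization rules are constructed for the example; the 87% figure is the slide's and is not computed here.

```python
"""Re-identification risk from quasi-identifiers and k-anonymity.

Added example, not part of the presentation. Every record below is constructed.
"""
from collections import Counter

# Quasi-identifiers: attributes that are harmless alone but jointly near-unique.
# "diagnosis" stands in for the sensitive value a de-identified release carries.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed "de-identified" release: names removed, quasi-identifiers kept.
RECORDS = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1945-03-02", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1945-11-12", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02142", "dob": "1945-01-20", "sex": "M", "diagnosis": "fracture"},
    {"zip": "02141", "dob": "1946-08-08", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1946-02-14", "sex": "F", "diagnosis": "influenza"},
    {"zip": "02138", "dob": "1946-05-05", "sex": "M", "diagnosis": "gout"},
    {"zip": "02140", "dob": "1946-09-09", "sex": "M", "diagnosis": "anaemia"},
]

# Constructed public dataset (a voter roll): names plus the same quasi-identifiers.
VOTER_ROLL = [
    {"name": "Voter One", "zip": "02138", "dob": "1945-07-31", "sex": "F"},
    {"name": "Voter Two", "zip": "02140", "dob": "1946-09-09", "sex": "M"},
    {"name": "Voter Three", "zip": "02144", "dob": "1950-12-25", "sex": "F"},  # not in release
]


def equivalence_classes(records, qi=QUASI_IDENTIFIERS):
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(tuple(r[a] for a in qi) for r in records)


def k_anonymity(records, qi=QUASI_IDENTIFIERS):
    """A release is k-anonymous when every record shares its quasi-identifiers
    with at least k-1 others, so k is the size of the smallest class."""
    classes = equivalence_classes(records, qi)
    return min(classes.values()) if classes else 0


def uniquely_linkable(released, public, qi=QUASI_IDENTIFIERS):
    """Count public entries whose quasi-identifiers match exactly one released
    record: for those people the sensitive value is effectively named."""
    classes = equivalence_classes(released, qi)
    return sum(1 for p in public if classes.get(tuple(p[a] for a in qi)) == 1)


def generalize(record, zip_digits=3, dob_year_only=True):
    """Coarsen quasi-identifiers: keep a ZIP prefix and only the birth year.
    These particular rules are a constructed choice for this example."""
    g = dict(record)
    g["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    if dob_year_only:
        g["dob"] = record["dob"][:4]
    return g


def audit(released, public, generalizer=None):
    """Report k for the release and how many public entries link to it uniquely.
    The same generalization is applied to both sides, as a linker would do."""
    if generalizer is not None:
        released = [generalizer(r) for r in released]
        public = [generalizer(p) for p in public]
    return {"k": k_anonymity(released), "linkable": uniquely_linkable(released, public)}


if __name__ == "__main__":
    print("raw release:        ", audit(RECORDS, VOTER_ROLL))
    print("generalized release:", audit(RECORDS, VOTER_ROLL, generalize))
```

Run as-is, the raw release has k = 1 and two voter-roll entries link to exactly one record each; after generalization every class holds two records and nothing links uniquely. k-anonymity is a floor, not a guarantee: if everyone in a class shares the same diagnosis the sensitive value still leaks, which is why later schemes such as l-diversity also constrain the sensitive column within each class.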

  10. Fallout from failed Anonymization
     • AOL CTO resigns
     • MA governor is embarrassed
     • Netflix is sued in court for outing a lesbian mother
     • DBs are permanently associated

  11. HHS Research
     • Current HHS regulations have detail on de-identification
     • HHS realizes the difficulty in anonymizing personal data
     • Funds research on technology to achieve anonymity while maintaining value to research
     • Future laws will likely keep these difficulties in mind

  12. HIPAA - Employee Snooping
     • UCLA employee
     • Accesses system 323 times in 3 weeks
     • Snoops on celebrity medical records
     • Similar incident in 2008
     • UCLA reveals that 165 employees improperly viewed files in 13 years
     • 15 fired for viewing octuplet mom’s records

  13. Massachusetts Data Security Regulations
     • Creates duty to protect personal data
     • Applies to the personal information of MA residents
     • Sophistication of safeguards increases with size and scope of business
     • Effective date delayed
       • March 1, 2010

  14. Nevada PCI-DSS
     • Effective Jan. 1, 2010
     • Requires encryption when electronically transmitting personal data
     • Requires compliance with PCI-DSS
     • Similar to Minnesota law

  15. Heartland Payment Systems Breach
     • 6th Largest Payment Processor
     • Involved 330 Financial Institutions
     • Heartland was PCI-DSS certified
     • SQL injection attack
     • CC#s, expiration dates, stored magnetic stripe data
     • Lost ~130 million card numbers

  16. Heartland Payment Systems Breach
     • Removed from VISA CISP list
     • Reported $105 million in expenses
       • $90 million to Visa, MasterCard, Banks
       • $60 million to card issuers
       • $3.5 million to AmEx
     • Settles Cardholder Class Action for $2.4 million
     • Stockholder Class Action in NJ Dismissed

  17. Countrywide Breach
     • Countrywide Financial Services
     • Former employees
     • Downloaded and sold customer data
     • Every week for 2 years
     • 19,000 individuals notified of breach
     • Class action settles for over $10 million

  18. Trends for 2010
     • Increased federal and state regulation of information security
     • Increased enforcement
     • Increased costs to resolve a breach
     • Increased “compliance complexity” as technology changes

  19. Questions & Answers
     Dino Tsibouris (614) 360-1160 dino@tsibouris.com