
Privacy Breach Exposures


Presentation Transcript


  1. Privacy Breach Exposures
  • MODERATOR: Laura Johnson, Vice President, Euclid Managers
  • Jay Foley, Executive Director, Identity Theft Resource Center
  • Randall J. Krause, Esq., CEO, yourHRdepartment, Inc.
  • Thomas Srail, Vice President, Willis of New York, Inc.

  2. Privacy Breach Activities: 5 Largest Incidents 2000 - 2007
  • 01.17.07 - 94,000,000 - TJX
  • 06.19.05 - 40,000,000 - Visa, AmEx, Mastercard, CardSystems
  • 06.24.04 - 30,000,000 - America Online
  • 05.22.06 - 26,500,000 - VA
  • 11.20.07 - 25,000,000 - HMRC
  source: http://etiolated.org

  3. Privacy Breach Activities: Common Sources of Breaches
  • Lost or stolen laptops
  • Records lost by third party partners
  • Misplaced/stolen back-up files
  • Malware programs
  source: Identity Theft Resource Center

  4. Privacy Breach Activities: First Quarter, 2008 Breaches
  • 167 breaches
  • Affecting more than 8 million people
  • Industry breakdown chart (see next slide)
  source: Identity Theft Resource Center

  5. Privacy Breach Activities: Industry Breakdown, First Quarter 2008
  • Business – 35.9%
  • Educational – 25.2%
  • Government/Military – 18%
  • Bank/Credit/Finance – 7.2%
  • Medical/Healthcare – 3.8%
  source: Identity Theft Resource Center

  6. Breach Analysis
  • Insider Theft
    • 28 breaches (6.3% of total)
    • 18.9 million records exposed
    • 14.9% of total records
  • Data on the Move
    • 46 breaches (20.5% of total)
    • Nearly 3.1 million records
    • 26% of total records

  7. Organizational Risks
  • Customer data
  • Employee data
  • Vendor data
  • Confidential information
  • Information in Insured’s care
  • Outsourcing

  8. Federal Data Privacy Laws
  • Silo-like approach—cover only certain types of data or certain types of entities
  • Gramm-Leach-Bliley Act of 1999—applies only to certain entities in financial or insurance industries

  9. Federal Data Privacy Laws
  • HIPAA—provides comprehensive data privacy and security standards, but applies only to certain types of health information and to certain “covered entities”
  • FMLA—limited to documents regarding medical certifications or medical histories of employees or their family members; requires separate files from personnel files

  10. Federal Data Privacy Laws
  • ADA—medical records to be kept confidential and separate from personnel files
  • FCRA—requires “reasonable measures” to protect against unauthorized access and possession of consumer information acquired by background checks

  11. Federal Data Privacy Laws
  • FCRA cont.
  • FCRA amendment—Fair & Accurate Credit Transactions Act of 2003 includes a “disposal rule”: if you collect consumer information for business purposes, dispose of it in a way that prevents unauthorized access to and misuse of the data

  12. Proposed Federal Laws
  • HR 958 (Rush)—GENERAL EXEMPTION if, following a breach of security, there is no reasonable risk of identity theft, fraud, or other unlawful conduct
  • HR 1685 (Price)—applies only when reasonably likely to result in substantial harm or inconvenience

  13. Proposed Federal Laws
  • S 495 (Leahy/Specter)—No private right of action; some say most promising bill
  • S 3713 (Clinton)—Private right of action included

  14. State Law Overview: State laws address
  • Protection of personal information (incl. AK, CA, MA, NV, NC, OR, RI, TX, UT)
  • Protection of social security numbers (incl. AZ, AK, CA, CO, CT, GA, IL, MD, MI, MN, MO, NJ, NY, NC, OK, RI, TX, VT, VA)

  15. State Law Overview: State laws address
  • Protection of medical information (e.g. CA)
  • Destruction of records, ensuring personal information is undecipherable (incl. CA, NY, TX)
  • Notification of security breaches (currently 42 states)

  16. 42 States Require Data Breach Notification
  • Virginia, West Virginia, and South Carolina passed data breach notification laws recently
  • Oklahoma’s law applies only to public entities
  • The 8 states without any statute are AL, AK, IA, KY, MS, MO, NM, SD
  List available at www.NCSL.org/programs/lis/cip/priv/breachlaws.htm

  17. Recent State Developments
  • Alaska—H.B. 65 sent to Gov. Palin. If signed, effective July 1, 2009

  18. Recent State Developments
  • Virginia—Eff. July 1, 2008, requires VA businesses to notify individuals (and the AG) re: breach of computerized (unredacted, unencrypted) personal information only if the breach causes or is reasonably believed to cause identity theft or other fraud to a VA resident
  • AG enforcement (up to $150,000 penalty per breach)
  • Private right of action only for direct economic damages

  19. Recent State Developments
  • West Virginia—signed 3-27-08, effective yesterday (5-6-08), requires WV businesses to notify individuals (and the AG) when computerized (unredacted, unencrypted) personal information is subjected to unauthorized access and acquisition
  • Exclusive AG enforcement (up to $150,000 per breach)
  • No penalty assessed unless court finds defendant engaged in “a course of repeated and willful violations”

  20. Recent State Developments
  • South Carolina—enacted on April 2, 2008, S.B. 453 covers data breach notification provisions, required methods for data disposal, and limits on use/disclosure of SSNs
  • Applies to paper-based & computerized personal information
  • Enforcement by Department of Consumer Affairs and/or affected individuals

  21. Recent State Developments
  • South Carolina cont.
  • Negligent violations: actual damages (or $1,000) per incident, and reasonable attorney's fees and costs
  • Knowing and willful violations: 3 times actual damages (or $3,000) per incident, and reasonable attorney's fees and costs

  22. Recent State Developments
  • California—Eff. January 1, 2008, A.B. 1298 expands the definition of “personal information” to include medical or health information

  23. International Regulations
  • Other countries ahead of the United States—many other countries have passed comprehensive data privacy laws
  • International laws stricter than U.S. laws (incl. state laws)—“personal data” usually means any data by which a person can be identified
  • Usually, an employee must “opt in” to allow the employer to store personal data

  24. International Regulations: Basic Principles (OECD Guidelines)
  • Collect data only by lawful and fair means with knowledge or consent of the data subject
  • Data should be relevant and kept up-to-date
  • Disclose data only with consent of data subject
  • Implement reasonable security safeguards against unauthorized access or disclosure

  25. FTC Enforcement
  • TJX Companies
  • Life is good
  • Goal Financial
  • ChoicePoint, Inc.
  • DSW, Inc.

  26. Obligations
  • Securing information
  • Complying with privacy policy
  • Regulatory compliance

  27. Risk Mitigation: Steps companies can take to mitigate risk
  • Privacy policy
  • Employee training
  • Controls/procedures for data gathering, storage, access and disposal

  28. Risk Transfer
  • Traditional insurance coverage
    • Professional liability policies
    • GL/EPL
    • Property
  • Privacy/network security policies
    • Third party
    • First party
    • “Pre-claim” expense coverage

  29. Risk Transfer: Coverage enhancements
  • Regulatory defense
  • Regulatory fines/penalties
  • Information sharing with 3rd parties
  • Breach of corporate information
  • Large sublimits for notification/PR expenses

  30. Risk Transfer: Hot industries
  • Financial institutions
  • Healthcare
  • Retail/merchant
  • Technology
  • Professional services

  31. Resources
  Visit the PLUS website for a Resource Directory featuring links to more info on risk management, statistics and legislation.
  https://plusweb.org/index.cfm/p/Events.EventDetails/eventID/PRORISK2008
