Upload
annice-lawrence
View
219
Download
0
Tags:
Embed Size (px)
Citation preview
1Copyright 2009. Jordan Lawrence. All rights reserved.
U. S. Privacy and Security Laws
DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE
April 1, 2009
Marty ProvinExecutive Vice President
Jordan [email protected]
2Copyright 2009. Jordan Lawrence. All rights reserved.
Privacy Breaches Happen Everyday
• March 24, 2009 Hospital employee left patients records on an train she was taking with her to do billing
work over the weekend. • March 18th, 2009
Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed without being encrypted by q pharmacy benefit provider.
• March 18th, 2009 1,300 university students and faculty members personal information was on a laptop
stolen from a professor traveling in Italy. • March 11th, 2009
University kept information (including Social Security numbers and salary information for employees of students), dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open.
• February 2, 2009 Medical records were disposed of in a dumpster behind the office.
• February 2, 2009 Hundreds of folders containing names, addresses, Social Security numbers and credit
card information were found in a dumpster. Source : Privacy Rights Clearinghouse
3Copyright 2009. Jordan Lawrence. All rights reserved.
After a Privacy Breach
• Safe Harbor Possible if data was encrypted Best Practice is to notify regardless
Credit monitoring and assistance
• PenaltiesFinesCivil right of action
4Copyright 2009. Jordan Lawrence. All rights reserved.
Cost of a Privacy Breach
• Hard Dollar Costs$6.6 m average expense to an organization
• Cost of notifying victims
• Maintaining information hotlines
• Legal, investigative, and administrative expenses
• Credit monitoring
• Reputational Harm31% of breach notice recipients terminate their business57% reported losing trust and confidence
Source: Ponemon Institute
5Copyright 2009. Jordan Lawrence. All rights reserved.
Why Companies Struggle
• Misguided “prevention” effortsLess then 20% of breaches involve unauthorized network accessMore then $5 billion spent on network security
• Fail to understand the most common risks 53 of 81 data breaches reported1 in 2009 have involved
• Lost or stolen laptops, computers or storage devices• Backup tapes lost by employees or third-party vendor• Employees’ handling of information• Dumpster diving
1Source : Privacy Rights Clearinghouse as of March 24th, 2009
6Copyright 2009. Jordan Lawrence. All rights reserved.
People and Policy
Its about policy awareness and policy compliance
• 54% of business representatives don’t think their companies privacy policy applies to email1
• 39% of business representatives report saving sensitive1 company data to personal computer and storage devices• One out of ten employees report having had a company computer or
storage device lost or stolen in last 12 months2
1Source: 2008 Jordan Lawrence Assessment Data 2Source :2008 Data Leakage Worldwide : The Insider Threat and the Cost of Data Loss by insightexpress
7Copyright 2009. Jordan Lawrence. All rights reserved.
Taking The First Step
Identify the necessary information
• What personally identifiable data does the company have• Where do they have it• How is it managed
8Copyright 2009. Jordan Lawrence. All rights reserved.
How Do You Get This Information
• Business Representatives understandThe types of sensitive information they work withWhat media its inWho they share it withHow they manage itWhat they do with it at end of life
• Subject Matter Experts understandEncryption services deployedBack-up processesDisposal processesThird party’s that have access to sensitive information
9Copyright 2009. Jordan Lawrence. All rights reserved.
What You Will Find
• 1,272 record type profiles with sensitive information
Type of Sensitive Data
Human Resources 29 :: on laptop (no encryption) 11 :: on flash drive 14 :: emailed outside organization
Accounting 18 :: on laptop (no encryption) 22 :: on flash drive 15 :: emailed outside organization
Security 10 :: on laptop (no encryption) 9 :: paper (no shred bin)
Location of Data
• Social Security Numbers
• Credit History Information
• Credit/Debit Account Information
• Employment Information
• Medical Information
• Name, Phone, Address
Source : Client data from a Jordan Lawrence Assessment
10Copyright 2009. Jordan Lawrence. All rights reserved.
Putting Policy Into Practice
• Develop a policy includingDefinition of what is considered sensitive informationHow to manage sensitive informationHow to dispose of sensitive informationAnnual acknowledgment Consequences for not complying
• Train all employeesConduct annual trainingMake it part of the hiring process
11Copyright 2009. Jordan Lawrence. All rights reserved.
Enforcing Policy
• Implement process for safeguarding sensitive information Information technology for technical safeguardsThe business for managing and destroying hardcopy
• Audit Formal audit processAnnual spot auditing of business areas
• Annually re-assess Identify new risks as business processes changeEnsure compliance with “New” and changing lawsCross border litigation
12Copyright 2009. Jordan Lawrence. All rights reserved.
Thank You Marty Provin
636-821-2250