1copyright 2009. jordan lawrence. all rights reserved. u. s. privacy and security laws delvacca...
TRANSCRIPT
![Page 1: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/1.jpg)
1Copyright 2009. Jordan Lawrence. All rights reserved.
U. S. Privacy and Security Laws
DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE
April 1, 2009
Marty ProvinExecutive Vice President
Jordan [email protected]
![Page 2: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/2.jpg)
2Copyright 2009. Jordan Lawrence. All rights reserved.
Privacy Breaches Happen Everyday
• March 24, 2009 Hospital employee left patients records on an train she was taking with her to do billing
work over the weekend. • March 18th, 2009
Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed without being encrypted by q pharmacy benefit provider.
• March 18th, 2009 1,300 university students and faculty members personal information was on a laptop
stolen from a professor traveling in Italy. • March 11th, 2009
University kept information (including Social Security numbers and salary information for employees of students), dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open.
• February 2, 2009 Medical records were disposed of in a dumpster behind the office.
• February 2, 2009 Hundreds of folders containing names, addresses, Social Security numbers and credit
card information were found in a dumpster. Source : Privacy Rights Clearinghouse
![Page 3: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/3.jpg)
3Copyright 2009. Jordan Lawrence. All rights reserved.
After a Privacy Breach
• Safe Harbor Possible if data was encrypted Best Practice is to notify regardless
Credit monitoring and assistance
• PenaltiesFinesCivil right of action
![Page 4: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/4.jpg)
4Copyright 2009. Jordan Lawrence. All rights reserved.
Cost of a Privacy Breach
• Hard Dollar Costs$6.6 m average expense to an organization
• Cost of notifying victims
• Maintaining information hotlines
• Legal, investigative, and administrative expenses
• Credit monitoring
• Reputational Harm31% of breach notice recipients terminate their business57% reported losing trust and confidence
Source: Ponemon Institute
![Page 5: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/5.jpg)
5Copyright 2009. Jordan Lawrence. All rights reserved.
Why Companies Struggle
• Misguided “prevention” effortsLess then 20% of breaches involve unauthorized network accessMore then $5 billion spent on network security
• Fail to understand the most common risks 53 of 81 data breaches reported1 in 2009 have involved
• Lost or stolen laptops, computers or storage devices• Backup tapes lost by employees or third-party vendor• Employees’ handling of information• Dumpster diving
1Source : Privacy Rights Clearinghouse as of March 24th, 2009
![Page 6: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/6.jpg)
6Copyright 2009. Jordan Lawrence. All rights reserved.
People and Policy
Its about policy awareness and policy compliance
• 54% of business representatives don’t think their companies privacy policy applies to email1
• 39% of business representatives report saving sensitive1 company data to personal computer and storage devices• One out of ten employees report having had a company computer or
storage device lost or stolen in last 12 months2
1Source: 2008 Jordan Lawrence Assessment Data 2Source :2008 Data Leakage Worldwide : The Insider Threat and the Cost of Data Loss by insightexpress
![Page 7: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/7.jpg)
7Copyright 2009. Jordan Lawrence. All rights reserved.
Taking The First Step
Identify the necessary information
• What personally identifiable data does the company have• Where do they have it• How is it managed
![Page 8: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/8.jpg)
8Copyright 2009. Jordan Lawrence. All rights reserved.
How Do You Get This Information
• Business Representatives understandThe types of sensitive information they work withWhat media its inWho they share it withHow they manage itWhat they do with it at end of life
• Subject Matter Experts understandEncryption services deployedBack-up processesDisposal processesThird party’s that have access to sensitive information
![Page 9: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/9.jpg)
9Copyright 2009. Jordan Lawrence. All rights reserved.
What You Will Find
• 1,272 record type profiles with sensitive information
Type of Sensitive Data
Human Resources 29 :: on laptop (no encryption) 11 :: on flash drive 14 :: emailed outside organization
Accounting 18 :: on laptop (no encryption) 22 :: on flash drive 15 :: emailed outside organization
Security 10 :: on laptop (no encryption) 9 :: paper (no shred bin)
Location of Data
• Social Security Numbers
• Credit History Information
• Credit/Debit Account Information
• Employment Information
• Medical Information
• Name, Phone, Address
Source : Client data from a Jordan Lawrence Assessment
![Page 10: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/10.jpg)
10Copyright 2009. Jordan Lawrence. All rights reserved.
Putting Policy Into Practice
• Develop a policy includingDefinition of what is considered sensitive informationHow to manage sensitive informationHow to dispose of sensitive informationAnnual acknowledgment Consequences for not complying
• Train all employeesConduct annual trainingMake it part of the hiring process
![Page 11: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/11.jpg)
11Copyright 2009. Jordan Lawrence. All rights reserved.
Enforcing Policy
• Implement process for safeguarding sensitive information Information technology for technical safeguardsThe business for managing and destroying hardcopy
• Audit Formal audit processAnnual spot auditing of business areas
• Annually re-assess Identify new risks as business processes changeEnsure compliance with “New” and changing lawsCross border litigation
![Page 12: 1Copyright 2009. Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty](https://reader036.vdocuments.mx/reader036/viewer/2022062519/5697bffc1a28abf838cc194e/html5/thumbnails/12.jpg)
12Copyright 2009. Jordan Lawrence. All rights reserved.
Thank You Marty Provin
636-821-2250