Breach Notification and Data Privacy in America

Presented by Steve Green, V.P. of Sales & Marketing, CSR Privacy Solutions


Post on 25-Aug-2020



CSR’s Current Footprint

Established in 1999

80+ Global Resellers

Singularly focused on regulatory compliance as it relates to data privacy and security

Providing right-sized solutions for SMBs to meet regulatory compliance requirements in a cost-sensitive environment

North America

Western Europe

Australia

100,000+ SMBs are current users


Did You Know

“There are 2.5 quintillion bytes of data created each day at our current pace, but that pace is only accelerating with the growth of the Internet of Things (IoT). Over the last two years alone 90 percent of the data in the world was generated” (Forbes article, May 2018)

CYBERSECURITY

DATA SECURITY/PRIVACY


Types Of Data Breaches

MALICIOUS 7%

ACCIDENTAL 91%

NEFARIOUS 2%

"The email asked me to enter my password, so I did."

"I quit, and I’m taking the files with me."

"Oops. I didn’t mean to send that email."


In The Beginning…

• California S.B. 1386

• California law regulating the privacy of personal information. The first of many U.S. and international security breach notification laws.

• Introduced February 12, 2002

• Became operative July 1, 2003


TODAY ‐ EVERYONE MUST COMPLY

MANDATORY: All businesses must report a breach & have a plan in place to protect against PII being breached

MANDATORY: All businesses must report a breach, have a plan in place to protect against PII being breached and must perform a risk assessment

MANDATORY: All businesses must report a breach


In The Beginning…

• California started making data breach notifications that affected its residents public around 2009

• www.oag.ca.gov/ecrime/databreach/list


Today – 14 States

• California
• Delaware
• Hawaii
• Indiana
• Iowa
• Maine
• Maryland
• Massachusetts
• Montana
• New Hampshire
• Oregon
• Vermont
• Washington
• Wisconsin


Personally Identifiable Information

Examples of PII

• Name
• Address
• Zip Code
• Phone number
• Email address
• Financial
– Financial records
– Account numbers
– Credit/Debit cards
• Signature
• Date of Birth
• Employment history
• Employer HR records
• Education history
• Education records
• Family names (ex. Mother’s maiden name)
• Origin, place of birth
• Religion
• Sexual orientation
• Ethnicity
• Medical information
• Physical description
• Biometrics (DNA, fingerprint, iris scan, voice recognition files)
• Insurance information (any - auto, health, etc.)
• Pins & passwords
• Security questions
• Access codes
• Personal ID Numbers:
– Social Security
– Tribal Identification
– Driver’s license
– State issued ID card
– Passport
– Tax Identification


Enforcement Organizations


Annual Fines Generated From Data Breaches

[Bar chart: three bars labeled $4,925,780, $240,351,618 and $205,060,776; vertical axis in dollars from $0 to $250,000,000]


• Iowa AG List of Data Breaches

• Click on a data breach listed

• Data Breach Notification


• California AG List of Data Breaches

• Click on a data breach listed

• Data Breach Notification


The Result?

[Diagram labels: Resources, Regulators, Lawyers, Lawsuits, Population, BREACHES]

August 1, 2017, Class Action Lawsuit

Federal Circuit Court, Washington D.C.

Attias v. CareFirst, Inc.

Consumers may sue companies, by class action or individually, if they fail to safeguard personal data.

Companies must be able to demonstrate documented efforts to identify, prioritize, and remediate gaps in their DLCM (data life cycle management).

Establishes legal standing for data owners to bring an action for a data breach at any business or institution without the necessity of alleging an actual loss or damage (ex: identity theft).


Lawsuits

• Lincare Settles Lawsuit for Data Breach
– Former employees
– $875,000 settlement
– $240,000 fine from HHS/OCR

• Manatee School District Settles Lawsuit for Data Breach
– Former employees
– $300,000

• Tampa General Hospital Settles Lawsuit for Data Breach
– $10,000 to plaintiffs


Did You Know

“There are 2.5 quintillion bytes of data created each day at our current pace, but that pace is only accelerating with the growth of the Internet of Things (IoT). Over the last two years alone 90 percent of the data in the world was generated” (Forbes article, May 2018)

ARE YOU PREPARED?


Thank you!

Questions?