1Copyright 2009. Jordan Lawrence. All rights reserved.

U. S. Privacy and Security Laws

DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE

April 1, 2009

Marty ProvinExecutive Vice President

Jordan Lawrencemprovin@jlgroup.com

2Copyright 2009. Jordan Lawrence. All rights reserved.

Privacy Breaches Happen Everyday

• March 24, 2009 Hospital employee left patients records on an train she was taking with her to do billing

work over the weekend. • March 18th, 2009

Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed without being encrypted by q pharmacy benefit provider.

• March 18th, 2009 1,300 university students and faculty members personal information was on a laptop

stolen from a professor traveling in Italy. • March 11th, 2009

University kept information (including Social Security numbers and salary information for employees of students), dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open.

• February 2, 2009 Medical records were disposed of in a dumpster behind the office.  

• February 2, 2009 Hundreds of folders containing names, addresses, Social Security numbers and credit

card information were found in a dumpster. Source : Privacy Rights Clearinghouse

3Copyright 2009. Jordan Lawrence. All rights reserved.

After a Privacy Breach

• Safe Harbor Possible if data was encrypted Best Practice is to notify regardless

Credit monitoring and assistance

• PenaltiesFinesCivil right of action

4Copyright 2009. Jordan Lawrence. All rights reserved.

Cost of a Privacy Breach

• Hard Dollar Costs$6.6 m average expense to an organization

• Cost of notifying victims

• Maintaining information hotlines

• Legal, investigative, and administrative expenses

• Credit monitoring

• Reputational Harm31% of breach notice recipients terminate their business57% reported losing trust and confidence

Source: Ponemon Institute

5Copyright 2009. Jordan Lawrence. All rights reserved.

Why Companies Struggle

• Misguided “prevention” effortsLess then 20% of breaches involve unauthorized network accessMore then $5 billion spent on network security

• Fail to understand the most common risks 53 of 81 data breaches reported1 in 2009 have involved

• Lost or stolen laptops, computers or storage devices• Backup tapes lost by employees or third-party vendor• Employees’ handling of information• Dumpster diving

1Source : Privacy Rights Clearinghouse as of March 24th, 2009

6Copyright 2009. Jordan Lawrence. All rights reserved.

People and Policy

Its about policy awareness and policy compliance

• 54% of business representatives don’t think their companies privacy policy applies to email1

• 39% of business representatives report saving sensitive1 company data to personal computer and storage devices• One out of ten employees report having had a company computer or

storage device lost or stolen in last 12 months2

1Source: 2008 Jordan Lawrence Assessment Data 2Source :2008 Data Leakage Worldwide : The Insider Threat and the Cost of Data Loss by insightexpress

7Copyright 2009. Jordan Lawrence. All rights reserved.

Taking The First Step

Identify the necessary information

• What personally identifiable data does the company have• Where do they have it• How is it managed

8Copyright 2009. Jordan Lawrence. All rights reserved.

How Do You Get This Information

• Business Representatives understandThe types of sensitive information they work withWhat media its inWho they share it withHow they manage itWhat they do with it at end of life

• Subject Matter Experts understandEncryption services deployedBack-up processesDisposal processesThird party’s that have access to sensitive information

9Copyright 2009. Jordan Lawrence. All rights reserved.

What You Will Find

• 1,272 record type profiles with sensitive information

Type of Sensitive Data

Human Resources 29 :: on laptop (no encryption) 11 :: on flash drive 14 :: emailed outside organization

Accounting 18 :: on laptop (no encryption) 22 :: on flash drive 15 :: emailed outside organization

Security 10 :: on laptop (no encryption) 9 :: paper (no shred bin)

Location of Data

• Social Security Numbers

• Credit History Information

• Credit/Debit Account Information

• Employment Information

• Medical Information

• Name, Phone, Address

Source : Client data from a Jordan Lawrence Assessment

10Copyright 2009. Jordan Lawrence. All rights reserved.

Putting Policy Into Practice

• Develop a policy includingDefinition of what is considered sensitive informationHow to manage sensitive informationHow to dispose of sensitive informationAnnual acknowledgment Consequences for not complying

• Train all employeesConduct annual trainingMake it part of the hiring process

11Copyright 2009. Jordan Lawrence. All rights reserved.

Enforcing Policy

• Implement process for safeguarding sensitive information Information technology for technical safeguardsThe business for managing and destroying hardcopy

• Audit Formal audit processAnnual spot auditing of business areas

• Annually re-assess Identify new risks as business processes changeEnsure compliance with “New” and changing lawsCross border litigation

12Copyright 2009. Jordan Lawrence. All rights reserved.

Thank You Marty Provin

636-821-2250

mprovin@jlgroup.com