1Copyright 2009. Jordan Lawrence. All rights reserved.
U. S. Privacy and Security Laws
DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE
April 1, 2009
Marty ProvinExecutive Vice President
Jordan [email protected]
2Copyright 2009. Jordan Lawrence. All rights reserved.
Privacy Breaches Happen Everyday
• March 24, 2009 Hospital employee left patients records on an train she was taking with her to do billing
work over the weekend. • March 18th, 2009
Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed without being encrypted by q pharmacy benefit provider.
• March 18th, 2009 1,300 university students and faculty members personal information was on a laptop
stolen from a professor traveling in Italy. • March 11th, 2009
University kept information (including Social Security numbers and salary information for employees of students), dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open.
• February 2, 2009 Medical records were disposed of in a dumpster behind the office.
• February 2, 2009 Hundreds of folders containing names, addresses, Social Security numbers and credit
card information were found in a dumpster. Source : Privacy Rights Clearinghouse
3Copyright 2009. Jordan Lawrence. All rights reserved.
After a Privacy Breach
• Safe Harbor Possible if data was encrypted Best Practice is to notify regardless
Credit monitoring and assistance
• PenaltiesFinesCivil right of action
4Copyright 2009. Jordan Lawrence. All rights reserved.
Cost of a Privacy Breach
• Hard Dollar Costs$6.6 m average expense to an organization
• Cost of notifying victims
• Maintaining information hotlines
• Legal, investigative, and administrative expenses
• Credit monitoring
• Reputational Harm31% of breach notice recipients terminate their business57% reported losing trust and confidence
Source: Ponemon Institute
5Copyright 2009. Jordan Lawrence. All rights reserved.
Why Companies Struggle
• Misguided “prevention” effortsLess then 20% of breaches involve unauthorized network accessMore then $5 billion spent on network security
• Fail to understand the most common risks 53 of 81 data breaches reported1 in 2009 have involved
• Lost or stolen laptops, computers or storage devices• Backup tapes lost by employees or third-party vendor• Employees’ handling of information• Dumpster diving
1Source : Privacy Rights Clearinghouse as of March 24th, 2009
6Copyright 2009. Jordan Lawrence. All rights reserved.
People and Policy
Its about policy awareness and policy compliance
• 54% of business representatives don’t think their companies privacy policy applies to email1
• 39% of business representatives report saving sensitive1 company data to personal computer and storage devices• One out of ten employees report having had a company computer or
storage device lost or stolen in last 12 months2
1Source: 2008 Jordan Lawrence Assessment Data 2Source :2008 Data Leakage Worldwide : The Insider Threat and the Cost of Data Loss by insightexpress
7Copyright 2009. Jordan Lawrence. All rights reserved.
Taking The First Step
Identify the necessary information
• What personally identifiable data does the company have• Where do they have it• How is it managed
8Copyright 2009. Jordan Lawrence. All rights reserved.
How Do You Get This Information
• Business Representatives understandThe types of sensitive information they work withWhat media its inWho they share it withHow they manage itWhat they do with it at end of life
• Subject Matter Experts understandEncryption services deployedBack-up processesDisposal processesThird party’s that have access to sensitive information
9Copyright 2009. Jordan Lawrence. All rights reserved.
What You Will Find
• 1,272 record type profiles with sensitive information
Type of Sensitive Data
Human Resources 29 :: on laptop (no encryption) 11 :: on flash drive 14 :: emailed outside organization
Accounting 18 :: on laptop (no encryption) 22 :: on flash drive 15 :: emailed outside organization
Security 10 :: on laptop (no encryption) 9 :: paper (no shred bin)
Location of Data
• Social Security Numbers
• Credit History Information
• Credit/Debit Account Information
• Employment Information
• Medical Information
• Name, Phone, Address
Source : Client data from a Jordan Lawrence Assessment
10Copyright 2009. Jordan Lawrence. All rights reserved.
Putting Policy Into Practice
• Develop a policy includingDefinition of what is considered sensitive informationHow to manage sensitive informationHow to dispose of sensitive informationAnnual acknowledgment Consequences for not complying
• Train all employeesConduct annual trainingMake it part of the hiring process
11Copyright 2009. Jordan Lawrence. All rights reserved.
Enforcing Policy
• Implement process for safeguarding sensitive information Information technology for technical safeguardsThe business for managing and destroying hardcopy
• Audit Formal audit processAnnual spot auditing of business areas
• Annually re-assess Identify new risks as business processes changeEnsure compliance with “New” and changing lawsCross border litigation
12Copyright 2009. Jordan Lawrence. All rights reserved.
Thank You Marty Provin
636-821-2250
Top Related